Non-ascii usernames

2007-04-25 Thread Alexander V. Klepikov
Hello, All!

How do I make FreeRadius work correctly with non-ascii usernames?

With best regards, Alexander V. Klepikov.  E-mail: [EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Non-ascii usernames

2007-04-25 Thread Alan DeKok
Alexander V. Klepikov wrote:
> How do I make FreeRadius work correctly with non-ascii usernames?

  You type them in as UTF-8.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL MSSQL

2007-04-25 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Has anybody of you managed to configure freeradius to pull authorization
> information from MySQL and MSSQL (via ODBC/freetds) at the same time??

  Have you listed two instances of the SQL module?  See
doc/configurable_failover for examples.

> But, is there a way to configure a failover to ask MSSQL and then MySQL and
> have both modules running at the same time??

  Yes.

  Configure the modules as:

  sql mssql {
... configuration ...
  }
  sql mysql {
... configuration ...
  }

  And then refer to them as mssql or mysql, and never sql.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP MD5 with Accounting

2007-04-25 Thread Alan DeKok
Tan hanyin wrote:
> I notice that there are accounting sections in some of the configuration
> files such as radius.conf.  If accounting is performed by my NAS,
> then what does the accounting in FreeRADIUS do?

  The NAS generates accounting records based on user activity.  See your
NAS documentation for details.

  FreeRADIUS takes the accounting records, and logs them to a DB, or
where you've configured it to log them.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pam_radius: multiple bad logins hitting radius server

2007-04-25 Thread Alan DeKok
J S wrote:
> 
> I'm running pam_radius 1.3.16 on Solaris 10 using a Cisco ACS backend
> that authenticates to an MS AD server.
> I'm running into an issue where a user will fail a single login attempt
> (one username/password challenge with a bad password) and the ACS will
> record 3 attempts from the client (the Solaris 10 server). After a
> single attempt (or a valid login with a local password) the 3 fails
> bollixes up the AD login attempts and locks the user out. Am I missing a
> compile option to only attempt a single RADIUS login per authentication
> or do I possibly have pam.conf misconfigured? I use sshd-kbdint and
> sshd-password with the same results. Otherwise the system works well.

  The module will re-send the request if it doesn't get a response from
the RADIUS server.  Or, if the response is sent from the wrong IP (i.e.
the RADIUS server has multiple IPs).  Or, if the shared secret is
incorrect.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pam_radius: multiple bad logins hitting radius server

2007-04-25 Thread J S

That's good to know. What seems odd, though, is that it resends the same
request in quick, sub-second succession (based on the RADIUS server logs).
This case has a single RADIUS server at a single IP and a single secret that
works when the correct password is sent (and only 1 log entry), but a wrong
entry is 3 failures.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Non-ascii usernames

2007-04-25 Thread Alexander V. Klepikov
Hello, Alan!
You wrote on Wed, 25 Apr 2007 08:38:09 +0200:

AD> Alexander V. Klepikov wrote:
AD> > How do I make FreeRadius work correctly with non-ascii usernames?
AD>
AD>   You type them in as UTF-8.

This means that my NASes & clients should send them in UTF-8, am I right?

With best regards, Alexander V. Klepikov.  E-mail: [EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re : RES: Re: RES: Re: PEAP/EAP-TLS with client and server certificate

2007-04-25 Thread Eshun Benjamin
Use this:

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    # Supported EAP-types
    # EAP-TLS
    tls {
        private_key_password = x
        private_key_file = ${raddbdir}/certs/freeradius_key.pem
        certificate_file = ${raddbdir}/certs/freeradius_cert.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024

        include_length = yes
    }

    peap {
        default_eap_type = mschapv2
        proxy_tunneled_request_as_eap = no
    }

    #tls {
    #    private_key_password = x
    #    private_key_file = ${raddbdir}/certs/freeradius_key.pem
    #    certificate_file = ${raddbdir}/certs/freeradius_cert.pem
    #    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    #    dh_file = ${raddbdir}/certs/dh
    #    random_file = ${raddbdir}/certs/random
    #    fragment_size = 1024
    #    include_length = yes
    #}

    mschapv2 {
    }
}
==

Benjamin K. Eshun

----- Original Message -----
From: Marcelo Augusto Rodrigues Pimentel [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, 24 April 2007, 20:36:17
Subject: RES: Re: RES: Re: PEAP/EAP-TLS with client and server certificate



> Marcelo Augusto Rodrigues Pimentel wrote:
> > OK. But I'm trying to use peap to make an encrypted tunnel validating the
> > server certificate and then I want to authenticate the clients with EAP-TLS
> > using client/server certificate. The TLS tunnel is working fine, but the
> > second part of EAP-TLS authentication is not.
>
>   What second part of EAP-TLS?  The server supports authenticating via
> client certificates, and nothing else.


I said two parts, because those parts of my configuration use TLS:

The first part is making the encrypted tunnel using PEAP -- this only validates
the server certificate to create the tunnel.

The second part is the authentication inside the tunnel with EAP-TLS -- mutual
validation of client and server certificates.

This configuration is like George Ou said below:
...
PEAP-EAP-TLS is an improved version of the original EAP-TLS protocol that goes
further to encrypt client digital certificate information.  Both PEAP-EAP-TLS
and EAP-TLS have the same server and client side digital certificate
requirements.
...

Reference: Wireless LAN security guide -- Level 3: Medium to large Enterprise
WLAN security http://www.lanarchitect.net/Articles/Wireless/SecurityRating/


Thanks!


> > So in the peap section in the eap.conf, what I've to configure for
> > default eap type? Is tls?
>
>   No.  You can leave it alone.  It's fine.
>
> > If I configure tls, I've to create a tls section in the peap section or the
> > tls section of the eap.conf is enough. I've attached my eap.conf file.
>
>   If you want to use just TLS, you don't need the PEAP section.  If you
> want to use PEAP, you need the TLS section.  The comments in the
> eap.conf file explain this.





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







  
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Non-ascii usernames

2007-04-25 Thread Alan DeKok
Alexander V. Klepikov wrote:
> This means that my NASes & clients should send them in UTF-8, am I right?

  The NAS just sends whatever the user types into their computer.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pam_radius: multiple bad logins hitting radius server

2007-04-25 Thread Alan DeKok
J S wrote:
> That's good to know. What seems odd, though, is that it resends the
> same request in quick, sub-second succession (based on the RADIUS server
> logs).

  Well, that's a problem.  The intent of the module is to wait for the
timeout before sending the next packet.  Something appears to be waking
the module up early, but I'm not sure what to suggest.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Non-ascii usernames

2007-04-25 Thread Alexander V. Klepikov
Hello, Alan!
You wrote on Wed, 25 Apr 2007 09:48:28 +0200:

> This means that my NASes & clients should send them in UTF-8, am I
> right?

AD>   The NAS just sends whatever the user types into their computer.

I got it. Thank you!

With best regards, Alexander V. Klepikov.  E-mail: [EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP MD5 with Accounting

2007-04-25 Thread A . L . M . Buxey
Hi,

> I notice that there are accounting sections in some of the configuration
> files such as radius.conf.  If accounting is performed by my NAS, then
> what does the accounting in FreeRADIUS do?
> Maybe you can elaborate on what you mean?
>
> I'm new to FreeRADIUS. Any help is appreciated. Thanks!


as Alan has stated, the accounting is done by the NAS; this then simply sends
accounting packets to freeRADIUS, which is then configured to dump them to
a database (or wherever) depending on your config.

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius-Users Digest, Vol 24, Issue 100

2007-04-25 Thread Tamba Ben-Jusu
Hi All,

I run freeradius on an Ubuntu platform and have been using it to deliver
both authentication and bandwidth enforcement for its clients.

Now I want to deliver a dedicated bandwidth to a certain client; please help
me with information on how to achieve this.

Thanks
Tamba

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


typo in raddb/Makefile

2007-04-25 Thread Milan Holub
Hi Alan,

due to a missing `;` and a typo in a variable name in raddb/Makefile you can't build the *deb
package.

Here is a patch:

Index: raddb/Makefile
===
RCS file: /source/radiusd/raddb/Makefile,v
retrieving revision 1.17
diff -u -r1.17 Makefile
--- raddb/Makefile  24 Apr 2007 15:35:12 -  1.17
+++ raddb/Makefile  25 Apr 2007 12:19:26 -
@@ -43,8 +43,8 @@
fi
chmod 640 $(R)$(raddbdir)/naspasswd $(R)$(raddbdir)/clients.conf
if [ ! -d $(R)$(raddbdir)/certs ]; then \
-   $(INSTALL) -d -m 750$(R)$(raddbdir)/certs \
-   for x in Makefile README xpextensions ca.cnf server.cnf 
client.cnf; do \
+   $(INSTALL) -d -m 750$(R)$(raddbdir)/certs; \
+   for i in Makefile README xpextensions ca.cnf server.cnf 
client.cnf; do \
$(INSTALL) -m 640 certs/$$i $(R)$(raddbdir)/certs; \
done; \
fi
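Review bot: both changes in this hunk are needed together: without the `;` after `$(INSTALL) -d -m 750$(R)$(raddbdir)/certs \` the directory creation and the `for` loop are joined into a single shell command, and the loop variable was `x` while the body installs `certs/$$i`, so the files could never be copied. One thing to confirm before committing: both the `-` and the `+` line read `-m 750$(R)$(raddbdir)/certs` with no whitespace between the mode and the path as shown here; if that is the file's content rather than a tab lost in the mail, `install` receives one mangled argument and the intended mode is never applied. The resulting modes (750 on the certs directory, 640 on the installed files) keep the CA configuration and anything generated there later unreadable to other local users, so keep them as they are.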

Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: libradius error

2007-04-25 Thread Roberto Greiner
Alan DeKok wrote:
> Roberto Greiner wrote:
> > When I give a 'radwho' command, I receive the following error:
> > radwho: error while loading shared libraries: libradius-1.1.6.so: cannot
> > open shared object file: No such file or directory
>
>   Try doing: ldd radwho
ibatubi:~# ldd /usr/bin/radwho
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7f25000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7f12000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7eff000)
libradius-1.1.6.so => /usr/lib/freeradius/libradius-1.1.6.so (0xb7ee8000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7db7000)
/lib/ld-linux.so.2 (0xb7f43000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7d89000)
ibatubi:~# radwho
radwho: error while loading shared libraries: libradius-1.1.6.so: cannot
open shared object file: No such file or directory
ibatubi:~# locate libradius-1.1.6.so
/usr/lib/freeradius/libradius-1.1.6.so

If I understood it correctly, radwho is looking at the correct place.
I've tried to uninstall everything again, checking if that library was
removed (it was), and then reinstalling. The error remains. Any ideas?

   
> > The mentioned libradius file is in /usr/lib/freeradius
>
>   Hmm... that's likely the issue.  The dynamic linker doesn't know about
> /usr/lib/freeradius, and radwho isn't smart enough to read the config
> files & set up libdir appropriately.

   
Hmmm, I suppose that I should then compile it with static libraries,
right? What would be the appropriate way to do it? The wiki only has the
default way, and I couldn't find info in 'man dpkg-buildpackage' about it.

Thank you very much,

Marcos Roberto Greiner

-- 
  -
Marcos Roberto Greiner

   The optimists think we live in the best of all possible worlds
The pessimists are afraid that this is true
   Murphy
  -

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: libradius error

2007-04-25 Thread Alan DeKok
Roberto Greiner wrote:
> The impression I get is that there was something wrong in the configs
> for radwho when it was compiled by dpkg-buildpackage instead of using
> the standard configure/make/make install.

  Looks like that's the case, yes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to add OTP validation to FreeRadius

2007-04-25 Thread Nick Owen
On 4/24/07, Ouahiba MACHANI [EMAIL PROTECTED] wrote:

> Hi all,
>
> I have to find a solution that integrates the use of OTP (One Time Password)
> as a second factor authentication in addition to the first factor
> authentication (which is generally username and password) to an existing
> authentication System.
>
> This solution should be integrated easily to the existing authentication
> system regardless the protocol used for authentication (Radius, Kerberos,
> Http, EAP, etc) and regardless the OS.
>
>  My questions are:
>
> 1-  What are the possibilities and the facilities offered by
> FreeRadius??
>
> 2-  I thought about two solutions :
>
> a-   Developing a plug-in that could be integrated to the existing
> authentication system. This plug-in will interact with the OTP-Server for
> otp validation.
>
> b-  Installing a radius server in front of the existing IT system. This
> server will be configured in a way it will redirect first factor
> authentication requests (e.g. username/password) to the existing
> authentication system and the OTP second factor authentication to the OTP
> services Server hosted and give access to user only when these 2 factors are
> valid.
>
> I have no idea about Radius. And these are general ideas and I want someone
> to tell me if these solutions are possible and how to proceed.  What is best
> or better to do?
>
>  Is there any other solution?

I don't think this is really a freeradius question.  You need to
choose a two-factor authentication system that supports radius.
Luckily, most do.

hth,

Nick
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Accept users by NAS-IP-Address

2007-04-25 Thread Svend Eriksen
Hi,

I'm running version 1.1.6 against a Postgres database.
In the radcheck table I check the password and set Expiration for the
users.
In the nas table I have listed all the NAS that the users can connect
through, and this seems to work fine.

I also want the users to be members of a group, where the group gives
access to some of the NAS.
If I set 'NAS-IP-Address == ip_of_a_nas' in the radgroupcheck, the user
can only connect through that NAS.
The problem occurs when I want a group to contain several NAS. How can I
make freeradius accept the login if the NAS-IP-Address from the user is
one of several listed in a group that the user is a member of?

reg
Svend

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: typo in raddb/Makefile

2007-04-25 Thread Milan Holub
Hi Alan,

On Wed, Apr 25, 2007 at 03:08:40PM +0200, Alan DeKok wrote:
> Milan Holub wrote:
> > due to a missing `;` and a typo in a variable name in raddb/Makefile you can't build
> > the *deb package.
>
>   Thanks.
>
>   Try the following on a fresh checkout of the CVS head, if you're using
> any of the EAP types with TLS:
>
> $ ./configure --prefix=/opt/freeradius
>   i.e. somewhere you haven't installed it before
> $ make
> $ make install
> $ /opt/freeradius/sbin/radiusd -X
>
>   Read the output.  Watch for it to pause, and print a lot of '.'s on
> the screen.

I'm not using EAP TLS at the moment but right now with cvs head you
can't compile freeradius:


/devel/freeradius/cvs/work/src/freeradius-devel/rad_assert.h:26: warning: 
`used' attribute directive ignored
In file included from ../../eap.h:34,
 from ../../libeap/eap_tls.h:68,
 from rlm_eap_tls.h:30,
 from rlm_eap_tls.c:35:
../../libeap/eap_types.h:30: warning: `used' attribute directive ignored
rlm_eap_tls.c:81: structure has no member named `make_cert_command'
rlm_eap_tls.c:81: initializer element is not constant
rlm_eap_tls.c:81: (near initialization for `module_config[19].offset')
rlm_eap_tls.c:81: initializer element is not constant
rlm_eap_tls.c:81: (near initialization for `module_config[19]')
rlm_eap_tls.c:83: initializer element is not constant
rlm_eap_tls.c:83: (near initialization for `module_config[20]')
rlm_eap_tls.c: In function `eaptls_attach':
rlm_eap_tls.c:530: structure has no member named `make_cert_command'
rlm_eap_tls.c:530: parse error before '{' token
rlm_eap_tls.c:533: structure has no member named `make_cert_command'
rlm_eap_tls.c:533: `buf' undeclared (first use in this function)
rlm_eap_tls.c:533: (Each undeclared identifier is reported only once
rlm_eap_tls.c:533: for each function it appears in.)
rlm_eap_tls.c:536: structure has no member named `make_cert_command'
rlm_eap_tls.c:541: warning: control reaches end of non-void function
rlm_eap_tls.c: At top level:
rlm_eap_tls.c:547: parse error before '-' token
rlm_eap_tls.c:562: warning: type defaults to `int' in declaration of `instance'
rlm_eap_tls.c:562: `inst' undeclared here (not in a function)
rlm_eap_tls.c:562: warning: data definition has no type or storage class
rlm_eap_tls.c:564: parse error before return
rlm_eap_tls.c:91: warning: `load_dh_params' defined but not used
rlm_eap_tls.c:122: warning: `generate_eph_rsa_key' defined but not used
rlm_eap_tls.c:292: warning: `init_tls_ctx' defined but not used
make[10]: *** [rlm_eap_tls.lo] Error 1
make[10]: Leaving directory 
`/var/devel/freeradius/cvs/work/src/modules/rlm_eap/types/rlm_eap_tls'
make[9]: *** [common] Error 2
make[9]: Leaving directory 
`/var/devel/freeradius/cvs/work/src/modules/rlm_eap/types'
make[8]: *** [all] Error 2
make[8]: Leaving directory 
`/var/devel/freeradius/cvs/work/src/modules/rlm_eap/types'
make[7]: *** [common] Error 2
make[7]: Leaving directory `/var/devel/freeradius/cvs/work/src/modules/rlm_eap'
make[6]: *** [common] Error 2
make[6]: Leaving directory `/var/devel/freeradius/cvs/work/src/modules'
make[5]: *** [all] Error 2
make[5]: Leaving directory `/var/devel/freeradius/cvs/work/src/modules'
make[4]: *** [common] Error 2
make[4]: Leaving directory `/var/devel/freeradius/cvs/work/src'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/var/devel/freeradius/cvs/work/src'
make[2]: *** [common] Error 2
make[2]: Leaving directory `/var/devel/freeradius/cvs/work'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/var/devel/freeradius/cvs/work'
make: *** [stamp-build] Error 2


Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accept users by NAS-IP-Address

2007-04-25 Thread Milan Holub
Hi Svend,

> The problem occurs when I want a group to contain several NAS. How can I
> make freeradius accept the login if the NAS-IP-Address from the user is
> one of several listed in a group that the user is a member of?

=> read the info about the checkval module in radiusd.conf.

checkval {
    item-name = NAS-IP-Address
    check-name = NAS-IP-Address
    data-type = ipaddr
}

* enable the module in the authorize section

and in your radgroupcheck you have to do something like this:

mysql> select * from radgroupcheck where attribute like 'NAS-IP-Address';
+----+---------------+----------------+----+---------+
| id | GroupName     | Attribute      | op | Value   |
+----+---------------+----------------+----+---------+
| 83 | config_common | NAS-IP-Address | += | 1.2.3.4 |
| 84 | config_common | NAS-IP-Address | += | 1.2.3.5 |
+----+---------------+----------------+----+---------+

then if your user is in a group called config_common (whatever
you choose), the checkval module will perform the check based on the multiple
values found for NAS-IP-Address. Please mind the op field especially!


Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Huntgroups/preprocess issue 1.1.6

2007-04-25 Thread Craig Huckabee
Alan DeKok wrote:
> Craig Huckabee wrote:
> > That is sort of the question - what is there to port ?  I don't see
> > any documentation saying the format of the huntgroups file changed from
> > 1.1.2 to 1.1.6.
>
>   It didn't, but the parser got more careful.  It used to accept (and
> ignore) things that the server didn't support.  It now complains about them.
>

I've narrowed it down even more - only seems to choke on NAS-Port. 
NAS-Port-ID or any other attribute I've tried works fine.

--Craig

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radtest and Message-Authenticator

2007-04-25 Thread Norbert Wegener
When I send
radtest 0009 0009 brm 1812 secret xx 10.10.20.138
to a FreeRADIUS server, I get an Access-Accept.
Sending the same radtest command line to an IAS that should proxy that
request to a FreeRADIUS server,
the IAS complains about a missing Message-Authenticator.
What do I have to do to get a Message-Authenticator in such a radtest
request?
Thanks
Norbert Wegener

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: typo in raddb/Makefile

2007-04-25 Thread Alan DeKok
Milan Holub wrote:
> I'm not using EAP TLS at the moment but right now with cvs head you
> can't compile freeradius:

  Whoops.  I thought I had committed that.  It's added now, thanks.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radtest and Message-Authenticator

2007-04-25 Thread Alan DeKok
Norbert Wegener wrote:
> When I send
> radtest 0009 0009 brm 1812 secret xx 10.10.20.138
> to a FreeRADIUS server, I get an Access-Accept.
> Sending the same radtest command line to an IAS that should proxy that
> request to a FreeRADIUS server,
> the IAS complains about a missing Message-Authenticator.
> What do I have to do to get a Message-Authenticator in such a radtest
> request?

$ vi radtest

  add: Message-Authenticator = 0x00
  after the username & password.

  FreeRADIUS should probably have an option to require a
Message-Authenticator.  It avoids a number of attacks.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
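As an added example (my own code, not FreeRADIUS's or radtest's), the following Python builds an Access-Request the way a NAS would and checks it the way a server that requires Message-Authenticator would. It ties together two threads in this digest: the "Non-ascii usernames" thread, where the point is that User-Name is simply the bytes the client sent (UTF-8 here, and the decoder shows what a server sees when a NAS sends a legacy 8-bit code page instead), and Alan's remark above that Message-Authenticator, the HMAC-MD5 of the packet keyed with the shared secret (RFC 3579, computed here for Access-Request; responses key over the request's authenticator instead), lets a server reject forged or tampered requests. The shared secret, user name, password and NAS address are constructed sample values; the attribute numbers are the standard ones from RFC 2865 and RFC 3579.

```python
"""Added example, not FreeRADIUS or radtest code: build an Access-Request with a
UTF-8 User-Name and an RFC 3579 Message-Authenticator, and verify the latter."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1               # RFC 2865 attribute numbers
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579
HEADER_LEN = 20                  # Code(1) Identifier(1) Length(2) Authenticator(16)


def avp(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value must fit in 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """Yield (type, value, offset_of_value) for each attribute after the header."""
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, packet[pos + 2:pos + attr_len], pos + 2
        pos += attr_len


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    the Request Authenticator serving as the 'previous block' for the first."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def build_access_request(username, password, nas_ip, secret, identifier=0,
                         authenticator=None, encoding="utf-8",
                         with_message_authenticator=True):
    """Assemble an Access-Request as a NAS would.  `encoding` only exists to
    imitate a NAS that sends a legacy code page; RADIUS itself carries bytes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(ATTR_USER_NAME, username.encode(encoding))
             + avp(ATTR_USER_PASSWORD,
                   hide_password(password.encode(encoding), secret, authenticator))
             + avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    if with_message_authenticator:
        attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zero placeholder
    packet = (struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
              + authenticator + attrs)
    if with_message_authenticator:
        # RFC 3579 3.2: HMAC-MD5 keyed with the shared secret over the whole packet
        # with the attribute value zeroed; it is the last attribute here, so its
        # value occupies the final 16 bytes.
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def verify_message_authenticator(packet, secret):
    """True only if Message-Authenticator is present and correct; a packet without
    one fails, which is the 'require it' policy Alan describes."""
    for attr_type, value, off in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def user_name_bytes(packet):
    """Raw User-Name value: RADIUS has no charset field, only bytes."""
    for attr_type, value, _ in parse_attributes(packet):
        if attr_type == ATTR_USER_NAME:
            return value
    return None


def decode_user_name(packet):
    """User-Name as text when it is valid UTF-8, else None: the None case is a
    NAS or client that sent a legacy 8-bit encoding instead of UTF-8."""
    raw = user_name_bytes(packet)
    try:
        return None if raw is None else raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
```

Calling `build_access_request("jörg", "0009", "10.10.20.138", b"secret")` and then `verify_message_authenticator` with the same secret returns True, with any other secret or after flipping a byte of the User-Name it returns False, and a packet built with `with_message_authenticator=False` also fails, which is what a server enforcing the attribute would do. A server adopting that policy must be sure every NAS and proxy in front of it (the IAS in Norbert's case) actually sends one, or legitimate requests will be dropped. Building the same request with `encoding="latin-1"` gives a User-Name of `b"j\xf6rg"` that `decode_user_name` reports as None: the bytes reached the server intact, the server just cannot interpret them as UTF-8, which is the mismatch behind garbled non-ASCII names.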


Migrating from freeradius 1.0.4 to 1.1.3 - Configuration issues

2007-04-25 Thread Ian Savoy
Hello all,

I am currently migrating two radius servers from 1.0.4 to 1.1.3.  I've
managed to get most of my kinks out, however I'm still having issues with
the accounts already setup in the users file.  My issue is this - my ISDN
users were originally setup with the Framed-Protocol attribute's value set
for MPP.  Apparently this is no longer recognized as a valid value.  It
appears that only PPP, SLIP, and CSLIP are supported protocols.  Is this
correct?  Should I just set them up for PPP, since MPP is just a fancy PPP
connection?  Below is the error message I receive.  I've hunted for articles
related to this issue, but no luck so far.  Any help would be greatly
appreciated.  Thank you SO much!

/path-to-raddb/users[1947]: Parse error (reply) for entry ISDNuser: Unknown
value MPP for attribute Framed-Protocol

-Ian Savoy

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Migrating from freeradius 1.0.4 to 1.1.3 - Configuration issues

2007-04-25 Thread Alan DeKok
Ian Savoy wrote:
> I am currently migrating two radius servers from 1.0.4 to 1.1.3.  I've
> managed to get most of my kinks out, however I'm still having issues with
> the accounts already setup in the users file.  My issue is this - my ISDN
> users were originally setup with the Framed-Protocol attribute's value set
> for MPP.  Apparently this is no longer recognized as a valid value.  It
> appears that only PPP, SLIP, and CSLIP are supported protocols.  Is this
> correct?

  Yes.  MPP was there for historical purposes, and wasn't a standard.
i.e. it might not have worked at all...

  If you have Ascend equipment, try using the value Ascend-MPP rather
than MPP.  Ascend has defined it for their equipment.

 If you're not using Ascend equipment, please read the documentation for
your NAS to see what value it needs for MPP.  Then, tell us, so we can
include it in the next release.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to add OTP validation to FreeRadius

2007-04-25 Thread Ouahiba MACHANI

Thanks Nick for replying.

can you give me examples of such systems?

what I should do is to develop a component which could be integrated easily to
an existing authentication system. this is an example of a similar solution
http://www.tri-dsystems.com/technology/arch.html.
which adds a plugin to the existing authentication system that interfaces with
the OTP back-end services.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

2007-04-25 Thread A . L . M . Buxey
hi,

> rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> rlm_eap_peap: No data inside of the tunnel.
> rlm_eap: Handler failed in EAP/peap
> rlm_eap: Failed in EAP select

okay. so that's the main issue. were your certificates generated with
the XP extensions? how have you configured the native supplicant?
it doesn't need much configuring: just disable fast-connect, disable
user guest account, use machine auth (if you're not doing machine)
and click the MSCHAPv2 stuff and deselect the 'use windows username/password'
if you cannot use those. then it's up to you to ensure the cert is in the
store and you verify or don't verify your radius cert.

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

2007-04-25 Thread Marc Charbonneau
Ok, that's what I thought (about the root Certificate not being pleasing
to XP).
 
FYI:   I'm using a version of Linux by Novell called SLES (SUSE Linux
Enterprise Server) version 9 Service Pack 3 and the FreeRADIUS is from
Novell's Web site (freeradius-1.0.2-0.i586.rpm,
freeradius-devel-1.0.2-0.i586.rpm).
 
I've done my Certificate work by using SLES' YaST, Security and
Users, CA Management.  I simply exported the root cert using this CA
Management GUI.  This worked great with Cisco's ADU configuration tool.
 
If someone could give me the quickest and easiest way to create a
root certificate that works with Windows XP, that would be great.
 
I have another CA running on a Windows 2003 server, can I make use of
this CA somehow?
 
Thanks for any help.
Marc


Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

2007-04-25 Thread A . L . M . Buxey
Hi,

 If someone could give me the quickest and easiest way to create a
 root certificate that works with Windows XP, that would be great.

either use your current tool but include the XP extensions as required,
or use the 1.1.6 FreeRADIUS source code - to simply use the script in
that to generate such certs OR use the CVS version of FreeRADIUS
which has a nice new certificate generation tool which will configure
the eap.conf for you and create nice shiny certs for use! ;-)

 I have another CA running on a Windows 2003 server, can I make use of
 this CA somehow?

yes. that will generate the right type! use the EAP-TLS HOWTO document
that's widely linked on many freeradius help locations.

alan


Windows Vista and 802.1x ..

2007-04-25 Thread Joseph Silverman
We have a problem here where I work.  It seems like Windows Vista no
longer can open 802.1x / WAP / TKIP / PEAP / MS-CHAP-V2 connections
using the built in stack to our FreeRadius 1.0.4 install.  It worked,
mostly, in XP.  It worked WELL from the IBM Connect software that
comes with Thinkpads (our laptop of choice here).  However, that
software, in Vista, is mostly a front end of the internal stack and
doesn't work anymore either.  Any ideas?

- Yossie



RE: Windows Vista and 802.1x ..

2007-04-25 Thread Joe Vieira

We have an problem here where I work.  It seems like Windows Vista no  
longer can open 802.1x / WAP / TKIP / PEAP / MS-CHAP-V2 connections  

it's an issue with your cert not having all the correct attributes;
update to the newest version of freeradius and read the eap
documentation. I've gone through the same frustration, blame Microsoft.

Joe Vieira
UNIX Systems Administrator
Clark University



Re: Windows Vista and 802.1x ..

2007-04-25 Thread A . L . M . Buxey
Hi,
 We have an problem here where I work.  It seems like Windows Vista no  
 longer can open 802.1x / WAP / TKIP / PEAP / MS-CHAP-V2 connections  
 using the built in stack to our FreeRadius 1.0.4 install.  It worked,  

you need 1.1.4 or higher - best to get 1.1.6 anyway :-)
Vista support required a few tweaks to the SSL parts of
the freeradius code. we find it working fine here.

alan


Re: Windows Vista and 802.1x ..

2007-04-25 Thread A . L . M . Buxey
Hi,

 it's an issue with your cert not having all the correct attributes,
 update to the newest version of freeradius and read the eap
 documentation. I've gone thru the same frustration, blame Microsoft.

no. if it worked with XP then the certs are fine - the server needs to be 
upgraded to support Vista.

from the changelog:

FreeRADIUS 1.1.4 ; Date: 2007/01/14 00:37:15 , urgency=medium

Feature improvements
* Major enhancements to rlm_pap, that make encryption_scheme
  a thing of the past.  See man rlm_pap for details.
* Added SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag to use
  work-arounds that enable Windows Vista clients to work.
* Added preliminary code to support Firebird. (closes: #378)
  Use at your own risk!
* Send MS-CHAP2-Success, which makes EAP-TTLS/MSCHAP work on more
  platforms.  (closes: #402)
* Add a new reply-name directive in rlm_sqlcounter to define the
  name of the reply attribute. (closes: #403)
* Added more dictionaries and attributes (closes: #408, among others)
* Print ntlm_auth failure reason in Module-Failure-Message
  (closes: #398)
* radsqlrelay is able to get the DB password from a file instead
  of command line. (closes: #395)

note items 2 and 4.

alan


Re: User /etc/shadow for Authentication

2007-04-25 Thread Norman Zhang
Dennis Skinner wrote:
 Make sure you are *only* using PAP.  CHAP encrypts the password over the
 wire and you cannot compare crypt to crypt.  One of them needs to be
 cleartext (this is a limitation of encryption, not FreeRADIUS).  See the
 table here:
 
 http://deployingradius.com/documents/protocols/compatibility.html
 
 (you are using Unix Crypt).


I changed

pap {
encryption_scheme = clear  # was crypt
}

chap {
authtype = pap    # was CHAP
}

pam {
pam_auth = radiusd
}

unix {
cache = no
cache_reload = 600
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group
radwtmp = ${logdir}/radwtmp
}

but I still cannot get in.

rad_recv: Access-Request packet from host 10.0.0.2:1645, id=27, length=79
 NAS-IP-Address = 10.0.0.2
 NAS-Port = 1
 NAS-Port-Type = Virtual
 User-Name = tester
 Calling-Station-Id = 10.0.0.1
 User-Password = testing123
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = tester, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 0
 users: Matched DEFAULT at 152
   modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type System
auth: type System
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
   modcall[authenticate]: module unix returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
Sending Access-Accept of id 27 to 10.0.0.2:1645
Finished request 0
Going to the next request

---

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
  main: prefix = /usr
  main: localstatedir = /var
  main: logdir = /var/log/radius
  main: libdir = /usr/lib
  main: radacctdir = /var/log/radius/radacct
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = /var/log/radius/radius.log
  main: log_auth = yes
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = /var/run/radiusd/radiusd.pid
  main: user = radiusd
  main: group = radiusd
  main: usercollide = no
  main: lower_user = no
  main: lower_pass = no
  main: nospace_user = no
  main: nospace_pass = no
  main: checkrad = /usr/sbin/checkrad
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = yes
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
  exec: wait = yes
  exec: program = (null)
  exec: input_pairs = request
  exec: output_pairs = (null)
  exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
  pap: encryption_scheme = clear
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = no
  mschap: require_strong = no
  mschap: with_ntdomain_hack = no
  mschap: passwd = (null)
  mschap: authtype = MS-CHAP
  mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
  unix: cache = no
  unix: passwd = /etc/passwd
  unix: shadow = /etc/shadow
  unix: group = /etc/group
  unix: radwtmp = /var/log/radius/radwtmp
  unix: usegroup = no
  unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
  eap: default_eap_type = md5
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and 

RE: Windows Vista and 802.1x ..

2007-04-25 Thread Joe Vieira

no. if it worked with XP then the certs are fine - the server needs to be 
upgraded to support Vista.

I assumed since he was using the IBM supplicant stuff in XP, that worked around 
the cert issues.
Joe

RE: Freeradius-Users Digest, Vol 24, Issue 100

2007-04-25 Thread tnt
Radius can't do that. Some routers and switches can have dedicated and
shared bandwidth ports configured. All radius can do is allow or prevent
users from connecting to them.

Ivan Kalik
Kalik Informatika ISP

On 25/4/2007, Tamba Ben-Jusu [EMAIL PROTECTED] wrote:

Hi All,

I run freeradius on an Ubuntu platform and have been using it to deliver
both authentication and bandwidth enforcing for its client.

Now I want to deliver a dedicated bandwidth to a certain client, please help
me with information on how to achieve this.

Thanks
Tamba



Re: User /etc/shadow for Authentication

2007-04-25 Thread tnt
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
Sending Access-Accept of id 27 to 10.0.0.2:1645

You have got in. But you haven't returned any radius attributes. You
need to return something like Service-Type = Administrative-User or
NAS-Prompt-User so NAS knows what to do with the user.

Ivan Kalik
Kalik Informatika ISP



Re: User /etc/shadow for Authentication

2007-04-25 Thread Norman Zhang
[EMAIL PROTECTED] wrote:
 Login OK: [tester] (from client test-network port 1 cli 10.0.0.1)
 Sending Access-Accept of id 27 to 10.0.0.2:1645
 
 You have got in. But you haven't returned any radius attributes. You
 need to return something like Service-Type = Administrative-User or
 NAS-Prompt-User so NAS knows what to do with the user.

Thanks for the hint. I added the last two lines to users, now I can log in.

DEFAULT Auth-Type = System
        Fall-Through = 1,
        cisco-avpair = shell:priv-lvl=15,
        Service-Type = Administrative-User

Still trying to learn FreeRADIUS, should Fall-Through = True and not 1? 
How can I specify some users to have priv-lvl lower than 15, if default 
is 15?

Norman



RE: MySQL MSSQL

2007-04-25 Thread info

Thanks a lot, my error was that I was still using sql for mysql; as soon as
I defined mysql and mssql separately it worked, now I have

mssql + mysql + userfiles + password + NIS

all 5 methods working at the same time

Thanks a lot!



FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error

2007-04-25 Thread Jacob Jarick
radiusd.conf:
radiusd -X -f: http://pastebin.ca/458790

Hello again,
I have configured the ldap module according to the rlm_ldap wiki
(minus TLS, just trying one thing at a time). I have supplied:
identity = cn=admin,o=tfxschool,c=AU
password = pass

As I have been told anonymous binding is not the way to go for
confirming username/password.

From reading the error log it seems to me that freeradius does
successfully connect to the ADS server via ldap but fails to find the
user.

output in question:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for jacob
radius_xlat:  '(uid=jacob)'
radius_xlat:  'o=tfxschool,c=AU'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:389, authentication 0
rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
rlm_ldap: waiting for bind result ...
request done: ld 0x8697ed0 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
request done: ld 0x8697ed0 msgid 2
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0
The user Jacob authenticates fine via the ntlm_auth module but fails with my
current ldap setup.
Does the user admin need special privileges on the Windows 2003 ADS to
search / retrieve user information (eg password, group etc)?


RE: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

2007-04-25 Thread Ranner, Frank MR
Are you sure that the uid attribute is even in Active Directory? Chances
are the usernames are in the sAMAccountName attribute. Since you now seem
to be able to bind, why not use the ldapsearch utility to show entries in
the o=tfxschool,c=AU subtree.

  ldapsearch -x -h hostname -D cn=admin,o=tfxschool,c=AU -w pass -b o=tfxschool,c=AU 'objectclass=*'

This will show you what attributes there are, and whether the password
is readable. 

Regards,
Frank Ranner



RE: User /etc/shadow for Authentication [unclas]

2007-04-25 Thread Ranner, Frank MR
Put your users into groups and add extra entries:

DEFAULT Group == numpties
        cisco-avpair := shell:priv-lvl=1

DEFAULT Group == supernumpties
        cisco-avpair := shell:priv-lvl=10

Notes:
These lines use := to over-rule the cisco-avpair previously set.
They do not fall through.
I personally would make the default a low privilege, with high 
privilege coming from group membership. 

You'll need to read up on the available mechanisms for grouping users.

Regards,
Frank Ranner

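The group entries above only change the privilege level because Norman's DEFAULT entry comes first in the file and sets Fall-Through, and because ':=' replaces the cisco-avpair that entry already added. As an added example (not FreeRADIUS code, and not Frank's or Norman's), the following Python models just the users-file semantics this thread relies on, check items with '=' and '==', reply items with '=' and ':=', and Fall-Through, with a constructed GROUPS table standing in for the server's group lookup and a simplified reading of the Fall-Through value.

```python
# Added example: a minimal simulator of FreeRADIUS 'users' file matching.
# It is not FreeRADIUS code and models only what the thread relies on: check
# items with '=' / '==', reply items with '=' / ':=', and Fall-Through.
import re

# Constructed users file: Norman's DEFAULT entry (which falls through) followed
# by Frank's group-specific entries that override the privilege level.
USERS_FILE = """\
DEFAULT Auth-Type = System
        Fall-Through = 1,
        cisco-avpair = shell:priv-lvl=15,
        Service-Type = Administrative-User

DEFAULT Group == numpties
        cisco-avpair := shell:priv-lvl=1

DEFAULT Group == supernumpties
        cisco-avpair := shell:priv-lvl=10
"""

# Constructed group membership, a stand-in for the server's /etc/group lookup.
GROUPS = {"alice": {"numpties"}, "bob": {"supernumpties"}, "root": {"wheel"}}

ITEM_RE = re.compile(r"^\s*([\w-]+)\s*(==|:=|=)\s*(.+?)\s*,?\s*$")


def parse_users(text):
    """Return (name, check_items, reply_items) per entry, in file order."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # First line: name plus comma-separated check items; the indented
        # continuation lines hold the reply items.
        name, _, rest = lines[0].partition(" ")
        checks = [m.groups() for m in map(ITEM_RE.match, rest.split(",")) if m]
        replies = [m.groups() for m in map(ITEM_RE.match, lines[1:]) if m]
        entries.append((name, checks, replies))
    return entries


def check_matches(check_items, request, user):
    """'==' compares with the request; '=' sets a server attribute such as
    Auth-Type only if absent, applied once every check item has passed."""
    pending = {}
    for attr, op, value in check_items:
        if attr == "Group":
            if value not in GROUPS.get(user, set()):
                return False
        elif op == "==":
            if request.get(attr) != value:
                return False
        else:
            pending.setdefault(attr, value)
    for attr, value in pending.items():
        request.setdefault(attr, value)
    return True


def authorize(users_text, user, request=None):
    """Walk entries in file order; reply '=' adds only if absent, ':=' replaces.
    Processing stops at the first match unless that entry sets Fall-Through."""
    request = {**(request or {}), "User-Name": user}
    reply = {}
    for name, checks, replies in parse_users(users_text):
        if name not in ("DEFAULT", user) or not check_matches(checks, request, user):
            continue
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("1", "yes")  # simplification
            elif op == ":=":
                reply[attr] = value
            else:
                reply.setdefault(attr, value)
        if not fall_through:
            break
    return request, reply


def priv_level(reply):
    """Privilege level carried in the cisco-avpair reply item, if any."""
    m = re.search(r"priv-lvl=(\d+)", reply.get("cisco-avpair", ""))
    return int(m.group(1)) if m else None
```

Running authorize() for alice, bob and root gives priv-lvl 1, 10 and 15 respectively, each with Service-Type and Auth-Type set; putting the group entries before the DEFAULT entry leaves a matched user with only the priv-lvl override, since those entries do not fall through.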