Re: How to add OTP validation to FreeRadius
Thanks very much Nick, I will look for all these.

2007/4/26, Nick Owen [EMAIL PROTECTED]:
> On 4/25/07, Ouahiba MACHANI [EMAIL PROTECTED] wrote:
> > Thanks Nick for replying. Can you give me examples of such systems?
>
> If you are looking for a software-based two-factor authentication system: http://www.wikidsystems.com - our commercial server supports RADIUS and will work with FreeRADIUS out of the box. If you want open source, you would need to develop a plug-in connecting WiKID to FreeRADIUS. I think the way to do that would be to use jradius (http://jradius.org/) and our Java network client (https://sourceforge.net/project/showfiles.php?group_id=144774package_id=181280). We would really appreciate the help. You can also google OPIE as well.
>
> For hardware: http://www.rsasecurity.com - SecurID, http://www.vasco.com, and many others. Google "two-factor authentication" and you will get plenty. It is a very competitive space. Or you can run WiKID on a USB drive, if you're OK with that sort of thing.
>
> HTH,
> nick
>
> --
> Nick Owen
> WiKID Systems, Inc.
> 404.962.8983 (desk)
> 404.542.9453 (cell)
> http://www.wikidsystems.com
> At last, two-factor authentication, without the hassle factor
> Now open source: http://sourceforge.net/projects/wikid-twofactor/

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mssql to mysql migration
It is not opening: http://www.navicat.com/

[EMAIL PROTECTED] wrote:
> http://www.navicat.com/
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 26/4/2007, satish patel writes:
> > Dear, I have FreeRADIUS + MSSQL running, but now I want to put all databases in MySQL, so I am going to use MySQL with FreeRADIUS. Is there any tool which converts MSSQL databases into MySQL databases, so I can just pull data from MSSQL and put it in MySQL? Is that possible? Or which tool is there which could help me?
> >
> > $ cat ~/satish/url.txt
> > System administrator ( Data Center )
> > please visit this site http://linux.tulipit.com
Re: RE : FreeRadius + Freetds + unixodbc
FreeRADIUS + MSSQL; more help: project http://linux.tulipit.com

RPM installation:

[EMAIL PROTECTED] ha.d]# rpm -qa | grep freetds
freetds-0.62.1-1
freetds-devel-0.62.1-1
freetds-unixodbc-0.62.1-1
[EMAIL PROTECTED] ha.d]# rpm -qa | grep unixODBC
freeradius-unixODBC-1.0.1-2.RHEL4
unixODBC-kde-2.2.9-1
unixODBC-devel-2.2.9-1
unixODBC-2.2.9-1

Software: Using FreeRADIUS with MSSQL requires three components:
* FreeRADIUS - the RADIUS server software
* FreeTDS - this is a set of libraries that know how to talk to a MSSQL server.
* unixODBC - this is a conduit between FreeRADIUS and FreeTDS.

At one time, I think FreeRADIUS supported FreeTDS directly, but for some reason the FreeRADIUS folks removed that capability in recent versions. So we have to use unixODBC now. No biggie really. It's still pretty simple.

I used the following versions on my box:
* FreeRADIUS 1.1.0
* FreeTDS 0.63
* unixODBC 2.2.11

If your distro has these as RPMs, debs, etc., you might be able to get it going with what the distro provides. If so, you can skip the install instructions and focus on the configuration (but do be careful, as your files won't likely be in the same place that my files are). However, since I may want to use eDirectory later, and since there is a special configure switch for FreeRADIUS to turn on eDirectory support, I'm starting from scratch with all of them.

Compiling and installing: untar freeradius-1.1.4.tar.gz; the compilation options are

    ./configure --localstatedir=/var --sysconfdir=/etc
    make
    make install

The general order to compile these three components is:
1. unixODBC
2. FreeTDS
3. FreeRADIUS

Part I - compiling/installing unixODBC and FreeTDS

unixODBC: pretty straightforward. Just do a standard

    ./configure
    make
    make install

However, if your Linux box doesn't have X Windows (mine doesn't), do a

    ./configure --enable-gui=no

so that it won't try to compile any GUI components.

The only components of unixODBC that you have to deal with are the configuration file odbc.ini and the isql testing program. The install routine puts odbc.ini in /usr/local/etc, and puts isql in /usr/local/bin/. You can't really tweak the ini file until after you've installed FreeTDS, so we'll skip that part for now. What you need from unixODBC: the odbc.ini file in /usr/local/etc and the isql program in /usr/local/bin.

FreeTDS: again, pretty straightforward.

    ./configure
    make
    make install

I didn't need any options for ./configure. I think at one time you had to tell it where unixODBC was, but versions since ~0.62 can find it by themselves (which is why you have to compile/install unixODBC first...). What you need from FreeTDS: the freetds.conf file in /usr/local/etc, the libtdsodbc.so file in /usr/local/lib, and the tsql testing program in /usr/local/bin.

After you've got unixODBC and FreeTDS installed, you're almost ready to start configuring files and testing your database connectivity.

Initial test of FreeTDS: Before you jump into the configuring part, do a quick test to make sure your box can actually connect to your SQL server and that FreeTDS compiled and installed cleanly. (Note that at this point, we aren't really using the unixODBC stuff yet.) Use the tsql program to do this. My SQL server name is blackboard, and I'll use a SQL username of tester and a password of letmein to get in.

    tsql -H blackboard -p 1433 -U tester -P letmein

If it works, you should see this:

    locale is en_US
    locale charset is ISO-8859-1
    1

If you see that, you know that you can at least talk to your SQL server. That is a Good Thing (tm). If the test fails, try using the IP instead of the hostname (or edit your resolv.conf/update your DNS records/etc.). If it still fails, make sure you've, umm, you know, really GOT a SQL user on your database server named tester. If it still still fails, you've got mondo problems that I won't get into here...

BTW - type quit to end the connection to the SQL server.

Configuration file example:

___/etc/odbc.ini___
[EMAIL PROTECTED] etc]# cat odbc.ini
[ODBC Data Sources]
FILEMANAGER = Radius on Blackboard

[FILEMANAGER]
Driver = /usr/lib/libtdsodbc.so
Description = Radius on Blackboard
Trace = No
Servername = FILEMANAGER
Database = radius

[Default]
Driver = /usr/lib/libtdsodbc.so

___/etc/freetds.conf___
[EMAIL PROTECTED] etc]# cat freetds.conf
[global]
tds version = 8.0
initial block size = 512
text size = 64512

[FILEMANAGER]
host = filemanager
port = 1433
tds version = 8.0
dump file = /tmp/freetds.log
dump file append = yes

___/etc/odbcinst.ini___
[EMAIL PROTECTED] etc]# cat odbcinst.ini
[ODBC]
Trace = Yes
TraceFile = /tmp/sql.log
ForceTrace = Yes
Pooling = No
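The three files above form a chain: the DSN in odbc.ini names a FreeTDS driver and a Servername, and that Servername must match a section in freetds.conf. The following Python is an added example (not part of the post) that cross-checks constructed copies of the post's files for exactly those links, and also flags the two debugging aids the post leaves switched on: the FreeTDS `dump file` and the odbcinst.ini `Trace`, both of which write raw protocol traffic and every SQL statement into world-readable /tmp. The `driver_exists` parameter is an assumption introduced here so the check can run on a box without FreeTDS installed.

```python
"""Cross-check odbc.ini, freetds.conf and odbcinst.ini for a FreeRADIUS/MSSQL DSN.

Added example, not code from the mailing-list post. The three file bodies
below are constructed copies of the files shown in the post.
"""
import configparser
import os

ODBC_INI = """\
[ODBC Data Sources]
FILEMANAGER = Radius on Blackboard

[FILEMANAGER]
Driver = /usr/lib/libtdsodbc.so
Description = Radius on Blackboard
Trace = No
Servername = FILEMANAGER
Database = radius

[Default]
Driver = /usr/lib/libtdsodbc.so
"""

FREETDS_CONF = """\
[global]
tds version = 8.0
initial block size = 512
text size = 64512

[FILEMANAGER]
host = filemanager
port = 1433
tds version = 8.0
dump file = /tmp/freetds.log
dump file append = yes
"""

ODBCINST_INI = """\
[ODBC]
Trace = Yes
TraceFile = /tmp/sql.log
ForceTrace = Yes
Pooling = No
"""


def parse_ini(text):
    """All three files are plain INI; keys are compared case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_dsn(dsn, odbc_text=ODBC_INI, freetds_text=FREETDS_CONF,
              odbcinst_text=ODBCINST_INI, driver_exists=os.path.exists):
    """Return a list of findings for one DSN; an empty list means the chain is consistent.

    driver_exists is injectable (assumption of this example) so the check can
    run where the FreeTDS driver is not actually installed.
    """
    odbc, tds, inst = parse_ini(odbc_text), parse_ini(freetds_text), parse_ini(odbcinst_text)
    findings = []
    if not odbc.has_section(dsn):
        return [f"odbc.ini has no [{dsn}] section"]
    sec = odbc[dsn]

    driver = sec.get("driver")
    if not driver:
        findings.append(f"[{dsn}] has no Driver line")
    elif not driver_exists(driver):
        findings.append(f"Driver {driver} not found; check where FreeTDS installed libtdsodbc.so")

    server = sec.get("servername")
    if not server:
        findings.append(f"[{dsn}] has no Servername line, so FreeTDS cannot pick a freetds.conf entry")
    elif not tds.has_section(server):
        findings.append(f"freetds.conf has no [{server}] section")
    else:
        for key in ("host", "port"):
            if key not in tds[server]:
                findings.append(f"freetds.conf [{server}] is missing '{key}'")
        if tds[server].get("dump file"):
            findings.append(f"freetds.conf [{server}] dumps raw TDS traffic to "
                            f"{tds[server]['dump file']}; disable after debugging")

    # odbcinst.ini tracing logs every ODBC call and statement; leave it off in production.
    if inst.has_section("ODBC") and inst["ODBC"].get("trace", "no").lower() == "yes":
        findings.append(f"odbcinst.ini traces every ODBC call to "
                        f"{inst['ODBC'].get('tracefile', '?')}; disable after debugging")
    return findings


if __name__ == "__main__":
    for f in check_dsn("FILEMANAGER") or ["FILEMANAGER: consistent"]:
        print(f)
```

Run against the post's files with the driver present, the only findings are the two debugging traces; point `Servername` at a name with no freetds.conf section and the checker reports the broken link before isql or FreeRADIUS would.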
Re: Freeradius Auth via LDAP against Active Directory Server 2003
Well, I have another angle I will be attacking the problem from on the weekend. I will be installing and configuring OpenLDAP on my Linux server, making it replicate the ADS 2003 server, then following the gentoo-wiki's FreeRADIUS and OpenLDAP implementation howto.

So the modified layout plan:
client - cisco wap - linux + fr - linux + openldap - windows 2003 ADS

At least this way I will have two LDAP implementations to test against; whichever works first becomes the default solution :). I do understand that Novell eDirectory works very nicely (Novell's LDAP implementation), but due to pricing issues it will be left until the last option. I would like to say, though, Novell generally has excellent support.

On 4/27/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> I have been at this for a while now, so I thought I would share a summary of what I have figured out so far for anyone else that decides to try this.
>
> 1 - Documentation for this particular configuration is either out of date / incomplete / both. There are no howtos that will get you from start to end (if you do know of one or wrote one yourself please share - I will myself when I figure it all out).
>
> 2 - Most of the trouble is due to the fact we are making a Linux service talk to a Windows service (AD LDAP). FreeRADIUS talking to the Linux passwd file is a breeze by comparison.
>
> 3 - The Windows 2003 LDAP implementation will not provide a password when a user/service performs an LDAP search. The proper way, if I understand correctly, is to supply the plain-text username/password; then FreeRADIUS performs a bind with the provided credentials against your ADS server, and success means the password was correct.
>
> 4 - Installing Services For Unix on 2003 will make AD LDAP provide a password hash attribute among other Unix LDAP attributes. The user has to have POSIX enabled.
>
> 5 - Anonymous searches can be performed on 2003 AD LDAP if you set dSHeuristics to 002 using adsiedit.msc.
>
> 6 - Microsoft's LDAP is different to Novell's (big surprise) and so unfortunately their documentation isn't too helpful as a reference for people trying to use ADS in the same fashion.
Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)
Hi Marc,

are you aware of "PEAP authentication is not successful when you connect to a third-party RADIUS server", http://support.microsoft.com/kb/885453? Maybe it is somehow related?

Other updates I installed on XP SP2 for WLAN 802.1x and PEAP/EAP-TLS are
Hotfix 917021 (Wireless Client Update) http://support.microsoft.com/kb/917021
Hotfix 893357 (WPA2 Update) http://support.microsoft.com/kb/893357

Marc Charbonneau wrote:
> Ok, I minted the certificates/keys with a CA running on a Windows 2003 server and was able to get them into the PEM format. The EAP.CONF was modified accordingly and RADIUSD is happy. I am still able to authenticate with no problems with 802.1x PEAP (EAP-MSCHAP V2) when using Cisco's ADU configuration tool. Still have problems when using the Windows XP supplicant.
>
> In trying to authenticate with the Windows XP supplicant, I can see from the logs that it's changing the password's 1st character to an a. If you look at the log data below, you'll see that the user account UOHI-40615 being used to authenticate is failing because the password sent is aassword2 instead of password2.

Are you typing your username/password on demand, or has XP stored it earlier and is reusing this? If the latter, have you once typed the wrong password and XP is remembering the wrong password?

> Does anyone know how to fix this problem? I'm so close, please help me find the needle in the haystack.

--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Re : freeradius eap error.
You have to look into:

1. In eap.conf under tls it is clear:

    # This can never exceed the size of a RADIUS
    # packet (4096 bytes), and is preferably half
    # that, to accomodate other attributes in
    # RADIUS packet. On most APs the MAX packet
    # length is configured between 1500 - 1600
    # In these cases, fragment size should be
    # 1024 or less.
    #
    # fragment_size = 1024

    # include_length is a flag which is
    # by default set to yes If set to
    # yes, Total Length of the message is
    # included in EVERY packet we send.
    # If set to no, Total Length of the
    # message is included ONLY in the
    # First packet of a fragment series.
    #
    # include_length = yes

2. tls: private_key_file = /etc/raddb/certs/cert-srv.pem
   rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
   rlm_eap_tls: Error reading private key file

   Figure out what is wrong with your private key.

==
Benjamin K. Eshun

----- Original message -----
From: member alsuki [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Friday, 27 April 2007, 00:06:19
Subject: freeradius eap error.

> Hello, list. I'm having some problems implementing FreeRADIUS on an openSUSE box. I've followed the tutorial at Novell, and as a test I've used the default CA and certs that came with the FreeRADIUS RPM. This worked very well: the server started and everything seemed nice. Then I made my own CA and certs, first 4096-bit and then 1024-bit, but no luck in either case. Is there a limit to the length of the certs and CA keys? I've googled to find if there was some info on this, but no luck. Can anyone help me on this? This is a radiusd -X -A output.
>
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /etc/raddb/proxy.conf
> Config: including file: /etc/raddb/clients.conf
> Config: including file: /etc/raddb/snmp.conf
> Config: including file: /etc/raddb/eap.conf
> Config: including file: /etc/raddb/sql.conf
> main: prefix = /usr
> main: localstatedir = /var
> main: logdir = /var/log/radius
> main: libdir = /usr/lib/freeradius
> main: radacctdir = /var/log/radius/radacct
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = /var/log/radius/radius.log
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = /var/run/radiusd/radiusd.pid
> main: bind_address = 10.10.0.1 IP address [10.10.0.1]
> main: user = radiusd
> main: group = radiusd
> main: usercollide = no
> main: lower_user = no
> main: lower_pass = no
> main: nospace_user = no
> main: nospace_pass = no
> main: checkrad = /usr/sbin/checkrad
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/lib/freeradius
> Module: Loaded exec
> exec: wait = yes
> exec: program = (null)
> exec: input_pairs = request
> exec: output_pairs = (null)
> exec: packet_type = (null)
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = crypt
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = yes
> mschap: require_strong = yes
> mschap: with_ntdomain_hack = no
> mschap: passwd = (null)
> mschap: ntlm_auth = (null)
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = (null)
> unix: shadow = (null)
> unix: group = (null)
> unix: radwtmp = /var/log/radius/radwtmp
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = peap
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type
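The `EVP_DecryptFinal_ex:bad decrypt` line in the quoted output is what OpenSSL reports when it tries to decrypt a passphrase-protected PEM key with a passphrase that does not match (or with none), which is a different problem from the key length the original poster asks about. The following Python is an added example, not from the thread: it reads only the PEM headers of a key file, reports whether the key is encrypted, and says whether the `tls` section of eap.conf therefore needs a `private_key_password`. The sample PEM bodies are constructed stubs with placeholder base64, so no key material is parsed.

```python
"""Tell whether a PEM private key is passphrase-protected before eap.conf points at it.

Added example, not part of the mailing-list thread. Only the PEM labels and
the legacy Proc-Type header are inspected; the sample bodies are constructed
placeholders, not real keys.
"""
import re

# Constructed sample: legacy OpenSSL "traditional" format, encrypted.
ENCRYPTED_TRADITIONAL = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERBASE64...
-----END RSA PRIVATE KEY-----
"""

# Constructed sample: PKCS#8 encrypted format (label alone says it is encrypted).
ENCRYPTED_PKCS8 = """\
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDERBASE64...
-----END ENCRYPTED PRIVATE KEY-----
"""

# Constructed sample: unencrypted traditional key.
PLAIN = """\
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERBASE64...
-----END RSA PRIVATE KEY-----
"""

# Constructed sample: a file that holds a certificate but no key at all.
CERT_ONLY = """\
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
"""


def pem_blocks(text):
    """Yield (label, body) for every PEM block in the file, in order."""
    return re.findall(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", text, re.S)


def key_status(text):
    """Return 'encrypted', 'plain' or 'no-key' for the first private key block found."""
    for label, body in pem_blocks(text):
        if label == "ENCRYPTED PRIVATE KEY":
            return "encrypted"
        if label.endswith("PRIVATE KEY"):
            # Traditional format puts RFC 1421 headers before a blank line.
            headers = body.split("\n\n", 1)[0] if "\n\n" in body else ""
            if "Proc-Type: 4,ENCRYPTED" in headers:
                return "encrypted"
            return "plain"
    return "no-key"


def eap_tls_advice(key_pem, private_key_password=None):
    """Relate the key's state to the eap.conf tls { } settings (assumed option names
    private_key_file / private_key_password as in FreeRADIUS 1.x eap.conf)."""
    status = key_status(key_pem)
    if status == "no-key":
        return "private_key_file contains no private key block"
    if status == "encrypted" and not private_key_password:
        return "key is passphrase-protected: set private_key_password in eap.conf tls { }"
    if status == "plain" and private_key_password:
        return "key is unencrypted; private_key_password is unused, rely on file permissions"
    return "ok"


if __name__ == "__main__":
    for name, pem in (("traditional", ENCRYPTED_TRADITIONAL), ("pkcs8", ENCRYPTED_PKCS8),
                      ("plain", PLAIN), ("cert-only", CERT_ONLY)):
        print(f"{name:12s} {key_status(pem):10s} {eap_tls_advice(pem)}")
```

To use it on a real server, read `private_key_file` from eap.conf into `key_pem`; a passphrase that is set but wrong still produces the `bad decrypt` error, so after this check the remaining step is to confirm the passphrase itself.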
Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)
Hi.

[EMAIL PROTECTED] wrote:
> either use your current tool but include the XP extensions as required,

Just to be precise. The named extensions are PKIX extensions for serverAuth (OID 1.3.6.1.5.5.7.3.1) (at the RADIUS server) and clientAuth (OID 1.3.6.1.5.5.7.3.2) (for EAP-TLS on the supplicant).

Also, if a client certificate is used on Windows with EAP-TLS, the extendedKeyUsage Microsoft SmartCard Logon (OID 1.3.6.1.4.1.311.20.2.2) *must not* be present, because Windows won't be able to use/choose such a client certificate to authenticate at the RADIUS server.

It is only Windows that is looking at these extendedKeyUsages in the certificate and expecting the correct extensions here.

--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
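The three OIDs in the message live in the certificate's extendedKeyUsage extension, whose DER value is a SEQUENCE OF OBJECT IDENTIFIER. As an added example (not from the post or from any project), the Python below encodes and decodes that structure with no external library and then applies the rules exactly as the post states them: serverAuth on the RADIUS server certificate, clientAuth on the supplicant certificate, and no Microsoft Smart Card Logon EKU on the supplicant certificate. The sample EKU values are constructed here by encoding the post's OIDs; the rule function is this example's own naming.

```python
"""Decode an X.509 extendedKeyUsage value and apply the Windows EAP-TLS EKU rules from the post.

Added example, not part of the original message. The DER handled here is
limited to SEQUENCE OF OBJECT IDENTIFIER, which is the whole EKU value.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"           # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth
MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon


def _base128(n):
    """Encode one OID arc as big-endian base-128 with continuation bits."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1])   # first two arcs share one value
    for a in arcs[2:]:
        body += _base128(a)
    return b"\x06" + _der_len(len(body)) + body


def encode_eku(oids):
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(der):
    """Parse a DER extendedKeyUsage value into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, obody, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(decode_oid(obody))
    return oids


def windows_eap_tls_problems(server_eku, client_eku):
    """Apply the three rules stated in the post to decoded EKU lists."""
    problems = []
    if SERVER_AUTH not in server_eku:
        problems.append("RADIUS server certificate lacks serverAuth")
    if CLIENT_AUTH not in client_eku:
        problems.append("supplicant certificate lacks clientAuth")
    if MS_SMARTCARD_LOGON in client_eku:
        problems.append("supplicant certificate carries Microsoft Smart Card Logon EKU")
    return problems


if __name__ == "__main__":
    server = decode_eku(encode_eku([SERVER_AUTH]))
    client = decode_eku(encode_eku([CLIENT_AUTH, MS_SMARTCARD_LOGON]))
    print(server, client, windows_eap_tls_problems(server, client))
```

On a real certificate the EKU value is the OCTET STRING content of the extension with OID 2.5.29.37; feed those bytes to `decode_eku` and the same rule function applies.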
Re: FreeRadius+AD integration
Hello Alan, I have built and installed the 1.1.6 version of FreeRADIUS. When I test using radtest it authenticates any user with any password; what I mean by this is it doesn't seem to contact the ADS to look up the user information and authenticate. I have attached the debug.

[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded exec
exec: wait = no
exec: program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
Module: Instantiated exec (ntlm_auth)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = cistron
[/etc/raddb/users]:1 Cistron compatibility checks for entry raduser ...
[/etc/raddb/users]:153 Cistron compatibility checks for entry DEFAULT ...
?Changing 'Auth-Type =' to 'Auth-Type +='
[/etc/raddb/users]:172 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:191 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:198 Cistron compatibility checks for entry DEFAULT ...
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = /var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp:
Re: Compiling 1.1.6 on OSX 10.4.9 Server
Joseph Sullivan wrote:
> When I run make, it errors with
>
> *** Warning: Linking the shared library rlm_perl.la against the
> *** static library

If you're not going to use the Perl module, just delete the entire rlm_perl directory.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Different Groups
Yes. Use NAS-IP-Address as a check item. If you need a list of groups and/or users/callerIDs/etc. that are allowed, then use a huntgroup.

Ivan Kalik
Kalik Informatika ISP

On 26/4/2007, Norman Zhang [EMAIL PROTECTED] writes:
> Is there a way to set FreeRADIUS to authenticate against a specific group of users for certain devices? For example,
>
> DEFAULT Auth-Type = System
>         Fall-Through = Yes,
>         cisco-avpair = "shell:priv-lvl=1",
>         Service-Type = NAS-Prompt-User
>
> DEFAULT Group == "router-rw"
>         cisco-avpair := "shell:priv-lvl=15"
>
> DEFAULT Group == "fw-admin"
>         cisco-avpair := "shell:priv-lvl=15"
>
> Can I have the PIX authenticate only against group fw-admin?
>
> Norman
Re: FreeRadius+AD integration
And what happens when you get Access-Request?

On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:
> Hello Alan, I have built and installed the 1.1.6 version of FreeRADIUS. When I test using radtest it authenticates any user with any password; what I mean by this is it doesn't seem to contact the ADS to look up the user information and authenticate. I have attached the debug.
>
> [EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
> Starting - reading configuration files ...
> [...]
Re: FreeRadius+AD integration
Yes, I figured that. Thanks for that. But the issue is the user I am trying to authenticate is not listed in the users file or in AD, so I don't understand how it is authenticating this user. I have attached the debug. Thanks for the help.

rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, length=59
        User-Name = raduser
        User-Password = radpass
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module preprocess returns ok for request 3
modcall[authorize]: module chap returns noop for request 3
modcall[authorize]: module mschap returns noop for request 3
rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 3
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 3
users: Matched entry DEFAULT at line 154
modcall[authorize]: module files returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
rad_check_password: Found Auth-Type ntlm_auth
auth: type ntlm_auth
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=raduser'
radius_xlat: '--password=radpass'
modcall[authenticate]: module ntlm_auth returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
Sending Access-Accept of id 100 to 127.0.0.1 port 32779
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 100 with timestamp 4631d1f0
Nothing to do. Sleeping until we see a request.

On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> The error seems to be because the shared secret is testing123, not testing 123. But you need to paste the output of radiusd -X after the Access-Request. Open two ssh sessions and do radtest from one and radiusd -X from the other.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:
> > I get this error
> >
> > [EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
> > Sending Access-Request of id 47 to 127.0.0.1 port 1812
> >         User-Name = raduser
> >         User-Password = radpass
> >         NAS-IP-Address = 255.255.255.255
> >         NAS-Port = 0
> >         Framed-Protocol = PPP
> > rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
> > rad_verify: Received Access-Accept packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
> >
> > On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > > And what happens when you get Access-Request?
> > >
> > > On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:
> > > > Hello Alan, I have built and installed the 1.1.6 version of FreeRADIUS. When I test using radtest it authenticates any user with any password; what I mean by this is it doesn't seem to contact the ADS to look up the user information and authenticate. I have attached the debug.
> > > >
> > > > [EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
> > > > Starting - reading configuration files ...
> > > > [...]
Performance with Freeradius-1.1.4
Hi All,

I am using freeradius-1.1.4 with PEAP-MSCHAPV2. Each session, starting from Access-Request till Access-Accept, takes more than 250ms to complete. Is it the normal performance of freeradius-1.1.4 or anything suspicious in this regard?

When I try to send many requests simultaneously then there is no response from the server for the latest requests, as the server is busy processing the first request. Only the first request gets a response after 250ms.

When I tried with some other RADIUS server I could connect each mobile unit in some 150ms.

Please let me know if anybody faced this problem with performance.

Thanks,
Nikitha

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius+AD integration
On line 154 I have default Auth-Type = ntlm_auth. If I comment this out I get the Access-Reject packet.

thanks,
SB

On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Well, it matched something in the users file:

users: Matched entry DEFAULT at line 154

On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:

Yes, I figured that, thanks for that. But the issue is the user I am trying to authenticate is not listed in the users file or in AD, so I don't understand how it is authenticating this user. I have attached the debug. Thanks for the help.

rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, length=59
        User-Name = raduser
        User-Password = radpass
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module chap returns noop for request 3
  modcall[authorize]: module mschap returns noop for request 3
    rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 3
    users: Matched entry DEFAULT at line 154
  modcall[authorize]: module files returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password: Found Auth-Type ntlm_auth
auth: type ntlm_auth
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=raduser'
radius_xlat: '--password=radpass'
  modcall[authenticate]: module ntlm_auth returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
Sending Access-Accept of id 100 to 127.0.0.1 port 32779
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 100 with timestamp 4631d1f0
Nothing to do. Sleeping until we see a request.

On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Error seems to be because the shared secret is testing123, not testing 123. But you need to paste the output of radiusd -X after the Access-Request. Open two ssh sessions and do radtest from one and radiusd -X from the other.
Re: FreeRadius+AD integration
Well, it matched something in the users file:

users: Matched entry DEFAULT at line 154

On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:

Yes, I figured that, thanks for that. But the issue is the user I am trying to authenticate is not listed in the users file or in AD, so I don't understand how it is authenticating this user. I have attached the debug. Thanks for the help.

rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, length=59
        User-Name = raduser
        User-Password = radpass
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module chap returns noop for request 3
  modcall[authorize]: module mschap returns noop for request 3
    rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 3
    users: Matched entry DEFAULT at line 154
  modcall[authorize]: module files returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password: Found Auth-Type ntlm_auth
auth: type ntlm_auth
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=raduser'
radius_xlat: '--password=radpass'
  modcall[authenticate]: module ntlm_auth returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
Sending Access-Accept of id 100 to 127.0.0.1 port 32779
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 100 with timestamp 4631d1f0
Nothing to do. Sleeping until we see a request.

On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Error seems to be because the shared secret is testing123, not testing 123. But you need to paste the output of radiusd -X after the Access-Request. Open two ssh sessions and do radtest from one and radiusd -X from the other.
Re: Performance with Freeradius-1.1.4
I am using freeradius-1.1.4 with PEAP-MSCHAPV2. Each session starting from Access-Request till Access-Accept it takes more than 250ms to complete. Is

Are you doing it against an LDAP server?
VSA for 3com5500
Hi,

Does anyone know if freeradius has VSAs for the 3com5500, and if not, where I can get them and how I should import them?

Thanks,
Gerard.
radrelay causing duplicates
I'm trying to set up a system with 3 radius servers and want to store all accounting data on all 3 systems. This worked well in a 2 server system with radrelay running on both systems:

    rad1 --- rad2

In this situation radrelay uses the Client-IP-Address attr to decide if something is a duplicate.

Now in a 3 server config, I want to send the accounting packets to all 3 servers. So I set up 2 radrelay instances on each server pointing to the 2 other servers, i.e. rad1 relay-> rad2, rad1 relay-> rad3:

        rad1
        /  \
       /    \
    rad2 --- rad3

The problem is that when rad2 gets the packet from rad1, it then sends that packet to rad3, but now the client IP is that of rad2, not rad1, so when rad3 also sees the accounting packet from rad1 it adds the entry.

I've thought about filtering this in the detail-combined files but I haven't figured out how to filter out records at that level.

Suggestions welcomed

-- Brian
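The duplicate Brian describes survives because the identity used for de-duplication, Client-IP-Address, is a property of the path a packet took rather than of the accounting event: the copy relayed through rad2 carries rad2's address and so looks like a different event to rad3. An identity that does not change with the path is the tuple the NAS itself produced: NAS-IP-Address, NAS-Port, Acct-Session-Id and Acct-Status-Type. The following is an added example, not code from the thread or from radrelay, that parses detail-file records and de-duplicates them both ways; the three records and the 192.0.2.x addresses are constructed, with the second record being the first one as seen after relaying through a second server.

```python
import re

# Constructed detail-file records: one Accounting Start for a session, seen twice
# (directly from rad1, then relayed via rad2), followed by an unrelated Stop.
# The relaying server's address ends up in Client-IP-Address, so that attribute
# changes with the route while the NAS-generated attributes do not.
SAMPLE_DETAIL = """\
Fri Apr 27 10:12:01 2007
\tAcct-Session-Id = "4631D1F0-000001"
\tAcct-Status-Type = Start
\tUser-Name = "bob"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 3
\tClient-IP-Address = 192.0.2.1
\tTimestamp = 1177668721

Fri Apr 27 10:12:02 2007
\tAcct-Session-Id = "4631D1F0-000001"
\tAcct-Status-Type = Start
\tUser-Name = "bob"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 3
\tClient-IP-Address = 192.0.2.2
\tTimestamp = 1177668722

Fri Apr 27 10:40:00 2007
\tAcct-Session-Id = "4631D1F0-000002"
\tAcct-Status-Type = Stop
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 4
\tAcct-Session-Time = 1680
\tClient-IP-Address = 192.0.2.1
\tTimestamp = 1177670400

"""

# An indented "Attribute = value" line; quotes around string values are dropped.
_AVP = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_detail(text):
    """Split detail-file text into records: a timestamp line, indented AVP lines, a blank line."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = None
        elif line[0] not in " \t":
            current = {"_timestamp": line.strip()}
        else:
            match = _AVP.match(line)
            if match and current is not None:
                current[match.group(1)] = match.group(2)
    if current:
        records.append(current)
    return records


def key_by_client_ip(rec):
    """Path-dependent identity: the host the record arrived from is part of the key."""
    return (rec.get("Client-IP-Address"), rec.get("Acct-Session-Id"), rec.get("Acct-Status-Type"))


def key_by_session(rec):
    """Path-independent identity: what the NAS generated. Interim-Update records of one
    session would additionally need Acct-Session-Time in the key."""
    return (rec.get("NAS-IP-Address"), rec.get("NAS-Port"),
            rec.get("Acct-Session-Id"), rec.get("Acct-Status-Type"))


def dedup(records, key):
    """Keep the first record for each key, in file order."""
    seen, kept = set(), []
    for rec in records:
        k = key(rec)
        if k not in seen:
            seen.add(k)
            kept.append(rec)
    return kept


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    print(len(recs), "records,",
          len(dedup(recs, key_by_client_ip)), "kept by Client-IP-Address,",
          len(dedup(recs, key_by_session)), "kept by NAS/session key")
```

Keyed on Client-IP-Address all three records survive; keyed on the NAS-generated tuple the relayed copy is dropped and the unrelated Stop is kept. The same key works as a uniqueness constraint on the accounting table of each server, which catches the duplicate wherever it arrives from.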
Re: Compiling 1.1.6 on OSX 10.4.9 Server
On 4/27/07 2:32 AM, Alan DeKok wrote:

If you're not going to use the Perl module, just delete the entire rlm_perl directory.

Alan DeKok.

Thanks, that worked. FreeRADIUS 1.1.6 is now running on my OSX Tiger Server. YEA!!!

Thanks a Million Alan

Joseph Sullivan
Re: VSA for 3com5500
Gerard Mansvelder wrote:

Does anyone know if freeradius has VSAs for 3com5500

Look in the distribution:

$ ls share/dictionary*

and if not, where I can get them

3com would be a good place to start.

and how I should import them.

$ man dictionary

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Performance with Freeradius-1.1.4
nikitha george wrote:

I am using freeradius-1.1.4 with PEAP-MSCHAPV2. Each session starting from Access-Request till Access-Accept takes more than 250ms to complete. Is it the normal performance of freeradius-1.1.4 or anything suspicious in this regard?

It depends on your CPU speed, etc. But it's not out of line. Almost all of that time is spent in OpenSSL, doing cryptography.

When I try to send many requests simultaneously then there is no response from the server for the latest requests, as the server is busy processing the first request. Only the first request gets a response after 250ms.

Are you sure you're not running the server in single threaded mode?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)
Hi,

It looks like I used a certificate with the wrong OID. I used a cert minted with their SubCA template, which doesn't have the serverAuth extended key usage (OID 1.3.6.1.5.5.7.3.1). In playing with the Microsoft CA on Windows 2003 Server, I've found that the certificate made using the Web Server template is the one required. Unfortunately, this particular template doesn't allow the certificate's keys to be exported.

I tried creating a new certificate template by copying from the one called Web Server, and now I have a new Web Server template with the ability to export its keys. The problem is I can't seem to make use of this new template within their CA. I know this is a Microsoft issue, but I've looked high and low in their docs, and when you go to their CA and try to select Certificate Template to Issue, the new templates created are not available.

I'm a little obsessed with making this work, so I'm hoping someone here has a quick answer to making Microsoft's CA allow me to mint a Web Server certificate with exportable keys.

Thanks for any future and previous help,

Marc

[EMAIL PROTECTED] 4/27/2007 4:11:58 AM

Hi.

[EMAIL PROTECTED] wrote:

either use your current tool but include the XP extensions as required,

Just to be precise. The named extensions are PKIX extensions for serverAuth (OID 1.3.6.1.5.5.7.3.1) (at the RADIUS server) and clientAuth (OID 1.3.6.1.5.5.7.3.2) (for EAP-TLS on the supplicant).

Also, if a client certificate is used on Windows with EAP-TLS, the extendedKeyUsage Microsoft SmartCard Logon (OID 1.3.6.1.4.1.311.20.2.2) *must not* be present, because Windows won't be able to use/choose such a client certificate to authenticate at the RADIUS server.

It is only Windows that is looking at these extendedKeyUsages in the certificate and expecting the correct extensions here.

--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
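Reimer's rule reduces to the content of one extension: extendedKeyUsage is a DER SEQUENCE of OIDs, and Windows wants serverAuth (1.3.6.1.5.5.7.3.1) on the RADIUS server certificate and, on an EAP-TLS client certificate, clientAuth (1.3.6.1.5.5.7.3.2) without Microsoft Smart Card Logon (1.3.6.1.4.1.311.20.2.2). The following is an added example, not code from this thread, from FreeRADIUS or from any CA product, that encodes and decodes that extension value and applies the two checks, so the template problem Marc describes can be verified on the issued certificate rather than guessed at. The extension values it works on are constructed from those OIDs rather than taken from a real certificate.

```python
# OIDs named in the thread (RFC 5280 id-kp values and Microsoft's smart-card logon EKU).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def _encode_length(n):
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count the length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """Dotted OID to a DER OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, continuation bit on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([TAG_OID]) + _encode_length(len(body)) + bytes(body)


def decode_oid(body):
    """OBJECT IDENTIFIER content octets to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def encode_eku(oids):
    """Build the extnValue content of extendedKeyUsage: SEQUENCE OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([TAG_SEQUENCE]) + _encode_length(len(body)) + body


def decode_eku(ext_value):
    """Parse the extnValue content (the bytes inside the extension's OCTET STRING)."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE or end != len(ext_value):
        raise ValueError("extendedKeyUsage value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != TAG_OID:
            raise ValueError("non-OID element inside extendedKeyUsage")
        oids.append(decode_oid(body))
    return oids


def ok_for_radius_server(oids):
    """Windows supplicants require serverAuth on the EAP server certificate."""
    return SERVER_AUTH in oids


def ok_for_eap_tls_client(oids):
    """clientAuth must be present and Microsoft Smart Card Logon must be absent."""
    return CLIENT_AUTH in oids and MS_SMARTCARD_LOGON not in oids


if __name__ == "__main__":
    sub_ca_style = decode_eku(encode_eku([CLIENT_AUTH]))          # no serverAuth, as in Marc's first cert
    web_server = decode_eku(encode_eku([SERVER_AUTH]))
    bad_client = decode_eku(encode_eku([CLIENT_AUTH, MS_SMARTCARD_LOGON]))
    print("server cert without serverAuth:", ok_for_radius_server(sub_ca_style))
    print("Web Server template cert:", ok_for_radius_server(web_server))
    print("client cert with smart-card logon:", ok_for_eap_tls_client(bad_client))
```

On a real certificate the bytes to hand to decode_eku are the extension's OCTET STRING content; openssl x509 -in cert.pem -noout -ext extendedKeyUsage (OpenSSL 1.1.1 and later) prints the same list by name, which is the quicker check once the certificate has been issued.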
SQL for return attributes only?
ObDisclaimer: I have googled my best google, and read all the docs I can find, so please be gentle if this is a dumb question.

Is it possible with freeradius to use SQL to retrieve certain return attributes (in this case rate limiting values for PPPoE sessions), whilst still handling authentication through PAM?

In other words, I don't want to authenticate using SQL, I simply want to grab an attribute or two from a MySQL database, indexed by username, if the PAM authentication succeeds.

I'm using the Winbind PAM module to authenticate against a Windows AD (a legacy requirement), so storing passwords in MySQL is a non-starter.

-- hugh

--
Hugh Messenger [EMAIL PROTECTED]
1.1.6 segfaulting on LDAP search
Trying to upgrade from 1.1.4 to 1.1.6 for stability gains (hopefully). Unfortunately, it's segfaulting on the first request that comes in. The LDAP libraries haven't changed, and to ensure that there aren't any collisions with the 1.1.4 installation, everything (conf, libs, binaries) is in a new location. I'd appreciate any help here.

Some info when run from gdb (I have dump files, too):

rad_recv: Access-Request packet from host 208.76.47.238:1083, id=14, length=203
        Framed-MTU = 1480
        NAS-IP-Address = 208.76.47.238
        NAS-Identifier = h2848-1
        User-Name = richard
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 3
        NAS-Port-Type = Ethernet
        NAS-Port-Id = 3
        Called-Station-Id = 00-18-71-e1-08-80
        Calling-Station-Id = 00-17-f2-ce-78-b8
        Connect-Info = CONNECT Ethernet 1000Mbps Full duplex
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 666
        EAP-Message = 0x02ed000c0172696368617264
        Message-Authenticator = 0xce044840910a831cb30359cd7a249b08
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
    rlm_realm: No '@' in User-Name = richard, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
    rlm_realm: No '\' in User-Name = richard, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module ntdomain returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=domain,dc=com'
radius_xlat: '(uid=richard)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to fds1.hq.domain.com fds2.hq.domain.com:389, authentication 0

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912536543248 (LWP 29012)]
0x2d57a4a0 in ldap_set_option () from /usr/lib64/libldap_r-2.3.so.0
(gdb) bt
#0  0x2d57a4a0 in ldap_set_option () from /usr/lib64/libldap_r-2.3.so.0
#1  0x2d346308 in ldap_connect (instance=0x5589ec90, dn=0x5589e360 "", password=0x5589ee70 "", auth=0, result=0x7a457b04, err=0x0) at rlm_ldap.c:1975
#2  0x2d346cc3 in perform_search (instance=0x5589ec90, conn=0x5589f220, search_basedn=0x7a457ba0 "dc=domain,dc=com", scope=2, filter=0x7a4583a0 "(uid=richard)", attrs=0x7a4587b0, result=0x7a4587c8) at rlm_ldap.c:774
#3  0x2d347e69 in ldap_groupcmp (instance=0x5589ec90, req=0x558c8d70, request=<value optimized out>, check=<value optimized out>, check_pairs=<value optimized out>, reply_pairs=<value optimized out>) at rlm_ldap.c:943
#4  0x55569f31 in paircmp () from /p/sbin/radiusd
#5  0x2eff043f in hints_setup (hints=0x558bfcc0, request=0x558c8d70) at rlm_preprocess.c:331
#6  0x2eff05c2 in preprocess_authorize (instance=0x558bb640, request=0x558c8d70) at rlm_preprocess.c:560
#7  0x555635d2 in modcall () from /p/sbin/radiusd
#8  0x55563b91 in modcall () from /p/sbin/radiusd
#9  0x555637a6 in modcall () from /p/sbin/radiusd
#10 0xbafb in rad_authenticate () from /p/sbin/radiusd
#11 0x55564af5 in rad_respond () from /p/sbin/radiusd
#12 0x555660c3 in main () from /p/sbin/radiusd