Re: problem in authentication with EAP-MD5

2007-05-30 Thread shantanu choudhary
hello,
this is my client side output:
Authentication with 00:03:7f:09:60:a0 timed out.
Added BSSID 00:03:7f:09:60:a0 into blacklist
State: ASSOCIATED -> DISCONNECTED
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
wpa_driver_wext_disassociate
No keys have been configured - skip key clearing
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
Setting scan request: 0 sec 0 usec
State: DISCONNECTED -> SCANNING
Starting AP scan (specific SSID)
Scan SSID - hexdump_ascii(len=6):
 41 54 48 31 38 32 ATH182
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:00:00:00:00:00
BSSID 00:03:7f:09:60:a0 blacklist count incremented to 2
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
State: SCANNING -> DISCONNECTED
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
Wireless event: cmd=0x8b19 len=8
Received 1844 bytes of scan results (7 BSSes)
Scan results: 7
Selecting BSS from priority group 0
0: 00:03:7f:09:60:7e ssid='ATH183' wpa_ie_len=0 rsn_ie_len=22 caps=0x11
   skip - SSID mismatch
1: 00:03:7f:09:60:a0 ssid='ATH182' wpa_ie_len=0 rsn_ie_len=26 caps=0x11
   skip - blacklisted
2: 00:18:0a:01:0f:31 ssid='AUKBC_MESH' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
   skip - no WPA/RSN IE
3: 00:a0:f8:ce:7d:18 ssid='symbol3' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
   skip - no WPA/RSN IE
4: 00:03:7f:09:60:15 ssid='AUKBC4' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
   skip - no WPA/RSN IE
5: 00:18:0a:01:03:fe ssid='AUKBC_MESH' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
   skip - no WPA/RSN IE
6: 00:18:0a:01:07:34 ssid='AUKBC_MESH' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
   skip - no WPA/RSN IE
No APs found - clear blacklist and try again
Removed BSSID 00:03:7f:09:60:a0 from blacklist (clear)
Selecting BSS from priority group 0
0: 00:03:7f:09:60:7e ssid='ATH183' wpa_ie_len=0 rsn_ie_len=22 caps=0x11
   skip - SSID mismatch
1: 00:03:7f:09:60:a0 ssid='ATH182' wpa_ie_len=0 rsn_ie_len=26 caps=0x11
   selected based on RSN IE
Trying to associate with 00:03:7f:09:60:a0 (SSID='ATH182' freq=2437 MHz)
Cancelling scan request
WPA: clearing own WPA/RSN IE
Automatic auth_alg selection: 0x1
RSN: using IEEE 802.11i/D9.0
WPA: Selected cipher suites: group 8 pairwise 24 key_mgmt 1 proto 2
WPA: clearing AP WPA IE
WPA: set AP RSN IE - hexdump(len=26): 30 18 01 00 00 0f ac 02 02 00 00 0f ac 02 
00 0f ac 04 01 00 00 0f ac 01 01 00
WPA: using GTK TKIP
WPA: using PTK CCMP
WPA: using KEY_MGMT 802.1X
WPA: Set own WPA IE default - hexdump(len=22): 30 14 01 00 00 0f ac 02 01 00 00 
0f ac 04 01 00 00 0f ac 01 00 00
No keys have been configured - skip key clearing
wpa_driver_wext_set_drop_unencrypted
State: DISCONNECTED -> ASSOCIATING
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
wpa_driver_wext_associate
Setting authentication timeout: 10 sec 0 usec
EAPOL: External notification - portControl=Auto
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
Wireless event: cmd=0x8b04 len=12
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
Wireless event: cmd=0x8b1a len=14
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:03:7f:09:60:a0
State: ASSOCIATING -> ASSOCIATED
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
Associated to a new BSS: BSSID=00:03:7f:09:60:a0
No keys have been configured - skip key clearing
Associated with 00:03:7f:09:60:a0
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: deinitialize previously used EAP method (4, MD5) at INITIALIZE
EAP: EAP entering state IDLE
Setting authentication timeout: 10 sec 0 usec
Cancelling scan request
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
RX EAPOL from 00:03:7f:09:60:a0
R

Re: I will be out of the office

2007-05-30 Thread Jan Mulders

(sorry for $pollution, but this really begs the question:)

Sorry, I'm in the office reading an autoresponder out-of-office message - I
can't respond to the meaningful and useful messages in my inbox.

Kind regards,

Jan

On 30/05/07, Thor Spruyt <[EMAIL PROTECTED]> wrote:


Hugh Messenger wrote:
>> I will be out of the office from Wednesday May 30 until Monday
>> June 4.
>
> What a coincidence!  I'll be out of the office during those dates as
> well ... hunting down and killing everyone who writes broken
> autoresponders.
>
> Sorry, I know I shouldn't increase list pollution by letting myself
> respond to this, but I just can't help myself.
>

Sorry, I'm in the office so I can't answer mail to my private mail address
now.

Kind Regards,
Thor ;-)

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


Re: I will be out of the office

2007-05-30 Thread Thor Spruyt
Hugh Messenger wrote:
>> I will be out of the office from Wednesday May 30 until Monday
>> June 4.
>
> What a coincidence!  I'll be out of the office during those dates as
> well ... hunting down and killing everyone who writes broken
> autoresponders.
>
> Sorry, I know I shouldn't increase list pollution by letting myself
> respond to this, but I just can't help myself.
>

Sorry, I'm in the office so I can't answer mail to my private mail address 
now.

Kind Regards,
Thor ;-)


Re: I will be out of the office

2007-05-30 Thread Hugh Messenger

> I will be out of the office from Wednesday May 30 until Monday
> June 4.

What a coincidence!  I'll be out of the office during those dates as well
... hunting down and killing everyone who writes broken autoresponders.

Sorry, I know I shouldn't increase list pollution by letting myself respond
to this, but I just can't help myself.

   -- hugh



RE: Apologies for the Vacation Message

2007-05-30 Thread Andrew Long

I'm working on it... my email is not cooperating right now.


Regards,

Andrew Long



I will be out of the office from Wednesday May 30 until Monday

2007-05-30 Thread along
I will be out of the office from Wednesday May 30 until Monday
June 4. Please use my cell number if you require immediate
assistance. You may also call the main office number (716)
893-4984 to speak with someone else. I will receive your
e-mail during this period and will try to get back to you as
soon as possible.

Thank You.

Andrew Long


Re: v2 pre1 style regexp modifiers

2007-05-30 Thread Arran Cudbard-Bell
Arran Cudbard-Bell wrote:
> Hi,
> 
> I was wondering if it's possible to use the modifiers with regexp
> like /regexp/i with the v2 config files.
> 
> In nearly every case where I want to use regular expressions it'd be 
> better for them to be case insensitive.
> 
> And I think the ones in the users file used to be 
> 
> At least I don't remember any case sensitivity issues with them.
> 
> Thanks,
> Arran
> 

The inequality operator (!=) doesn't appear to work either

if("%{Pre-Proxy-Realm}" != "sussex.ac.uk"){

Unexpected trailing text at: != "sussex.ac.uk"

Or is that one of the features yet to be implemented :) ?

and can someone remove Andrew Long from the mailing list, people who 
can't write decent "out of office" scripts don't deserve support *sigh* :/
-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Apologies for the Vacation Message

2007-05-30 Thread Andrew Long

I am sorry to have bothered everyone with the message; I had forgotten I was 
subbed from this address when I left the office.

Regards,

Andrew Long
IT Manager





v2 pre1 style regexp modifiers

2007-05-30 Thread Arran Cudbard-Bell
Hi,

I was wondering if it's possible to use the modifiers with regexp
like /regexp/i with the v2 config files.

In nearly every case where I want to use regular expressions it'd be 
better for them to be case insensitive.

And I think the ones in the users file used to be 

At least I don't remember any case sensitivity issues with them.

Thanks,
Arran

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Re: using encrypted passwords in users file or sql-radcheck table

2007-05-30 Thread Dennis Skinner
Rascher, Markus wrote:
> I'm using version 1.1.3 on redhat fc6.
> Yum says 1.1.3 is the newest version it can install.
> To get 1.1.6 I have to compile the sources?

Yes.  Or find a better repository.  Or find someone who has created
rpm's that you can download and install outside of yum.  Or yell at
Fedora until they update their repository.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


AW: AW: using encrypted passwords in users file or sql-radcheck table

2007-05-30 Thread Rascher, Markus
I'm using version 1.1.3 on redhat fc6.
Yum says 1.1.3 is the newest version it can install.
To get 1.1.6 I have to compile the sources?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan Dekok
Sent: Wednesday, 30 May 2007 14:47
To: FreeRadius users mailing list
Subject: Re: AW: using encrypted passwords in users file or sql-radcheck table

Rascher, Markus wrote:
> With pap I'm running into problems...
> Can you give me an example config?
> 
> In users-File I have: (Password is 'testpwd')
> testuser    Auth-Type = PAP, MD5-Password == "$1$agSvn0WL$6GaCc0qz.5RHu8PySNauf0"

  Don't set Auth-Type.  I have NO idea why so many people are fascinated
with setting it.

  Use ":=" for the MD5-Password, not "==".  See "man users" for why.

> modules {
> pap {
>  encryption_scheme = MD5

  Why?  If you're using the most recent version, the documentation in
"man rlm_pap", and the comments in radiusd.conf make it clear that the
"encryption_scheme" configuration option shouldn't be used.

> authorize {
> #   preprocess
> files
> }

  Why?  You've gone to a lot of trouble to remove everything from the
"authorize" section.  The documentation in "radiusd.conf" at the end of
the "authorize" section says you should list "pap".  The documentation
in "man rlm_pap" says the same thing.

...
> modcall: entering group authorize for request 0
> users: Matched entry DEFAULT at line 184

  i.e. it didn't match the entry you posted above.  It didn't match
because the format of the entry was wrong.

> Problem: the entry in the users-File for testuser doesn't match..
> Whats my mistake?

  You haven't read the documentation.  You haven't read the comments in
the config files you're editing.  You've done a LOT of work to break the
default configuration.

  FreeRADIUS ships with a default configuration that works in the widest
possible set of circumstances.  If you don't understand the
configuration, CHANGE AS LITTLE AS POSSIBLE.

  I will also note you're either running an older version, which is not
recommended, or you didn't follow my previous recommendation to read
"man rlm_pap".

  Read the documentation.  Don't destroy the default configuration.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: The EAP-TLS packet will contain more data than we can process

2007-05-30 Thread Alan Dekok
Jan Schermer / ET NETERA wrote:
> Supplicant - do you mean Mikrotik AP or wpa_supplicant on the client?

  wpa_supplicant.

> I'm not sure what exactly Mikrotik does with EAP-TLS (and there are
> several options - EAP-TLS or passthrough, and verify cert. x don't
> verify cert x no certificate)

  AP's just pass EAP packets back and forth.  They don't do much more.

> - I thought the AP doesn't care about
> certificates, only forwards it to the RADIUS service (I already set this
> up once on a different AP and it had no such options)

  Yes.  The problem is on the supplicant side, not on the AP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Gigaword support

2007-05-30 Thread David Roze
Hi,

Glad to know Gigawords support has been added in the CVS. The method with
an extra field is quick and easy for most of us, but I agree it's always
better not to change the backend structure... That's pretty much what I had
to do to append accounting values at regular intervals: compute the values
first. See http://www.netexpertise.eu/en/FreeRadius/DailyAcct.html

Thanks for your input

David

http://www.netexpertise.eu


Hi,

> Thank you! It would be nice if FreeRadius could have more support for
> Gigawords built in!

FYI: CVS just got a commit that includes Gigawords support for the mySQL
backend. It behaves pretty much like the one in postgresql, which, for the
record, has had Gigawords support for a long time.

The behaviour is different from that in the quick-n-dirty HOWTO that was
referenced in this thread: the correct octet value is computed out of the two
attributes Acct-*-Gigawords and Acct-*-Octets and the result is saved in the
Acct*Octets column in radacct. No separate column to catch the Gigawords is
necessary. IOW: it just works now. If the client sends Gigawords, your
accounting table will contain the 64-bit value.

For FreeRADIUS 2.0, this obsoletes the steps

"Mysql Table Modification" and
"Freeradius Update"

in

http://www.netexpertise.eu/en/FreeRadius/GigaWords.html

I.e.: just configure your NAS, the server side will handle it just fine.

Greetings,

Stefan Winter

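The combination Stefan describes above (the real octet count computed from Acct-*-Gigawords and Acct-*-Octets, rather than a separate Gigawords column), written out as an added Python example. This is not FreeRADIUS code; the accounting packets are constructed dictionaries keyed by the standard RFC 2869 attribute names, and the column names follow the radacct table the thread refers to.

```python
"""Fold Acct-*-Gigawords into a 64-bit RADIUS accounting octet count.

Added example, not the FreeRADIUS SQL module: it shows the arithmetic the
thread describes, combining Acct-Input/Output-Gigawords (RFC 2869) with the
32-bit Acct-Input/Output-Octets counters. The accounting packets below are
constructed attribute dictionaries, not captured traffic.
"""

GIGAWORD = 1 << 32  # one unit of Acct-*-Gigawords is 2^32 octets

# Constructed Accounting-Request (Stop) from a NAS that sends Gigawords:
# roughly 5 GiB downloaded, 1.5 GiB uploaded.
STOP_WITH_GIGAWORDS = {
    "Acct-Status-Type": "Stop",
    "Acct-Session-Id": "constructed-0001",
    "Acct-Input-Octets": 1610612736,      # 1.5 GiB still fits in 32 bits
    "Acct-Input-Gigawords": 0,
    "Acct-Output-Octets": 1073741824,     # 5 GiB = 1 * 2^32 + 1 GiB
    "Acct-Output-Gigawords": 1,
}

# Constructed Stop from an older NAS that never sends Gigawords: if its
# 32-bit counter wrapped, nothing on the server side can recover that.
STOP_WITHOUT_GIGAWORDS = {
    "Acct-Status-Type": "Stop",
    "Acct-Session-Id": "constructed-0002",
    "Acct-Input-Octets": 4096,
    "Acct-Output-Octets": 1073741824,
}


def octets64(attrs, direction):
    """64-bit byte count for direction 'Input' or 'Output'.

    A NAS that predates RFC 2869 sends no Gigawords attribute; treat it as 0.
    Both attributes are 32-bit RADIUS integers, so reject anything larger.
    """
    low_name = f"Acct-{direction}-Octets"
    high_name = f"Acct-{direction}-Gigawords"
    low, high = attrs.get(low_name, 0), attrs.get(high_name, 0)
    for name, value in ((low_name, low), (high_name, high)):
        if not 0 <= value < GIGAWORD:
            raise ValueError(f"{name}={value} is not a 32-bit RADIUS integer")
    return high * GIGAWORD + low


def radacct_octets(attrs):
    """Values for the radacct AcctInputOctets / AcctOutputOctets columns."""
    return {
        "AcctInputOctets": octets64(attrs, "Input"),
        "AcctOutputOctets": octets64(attrs, "Output"),
    }


def split_gigawords(total):
    """Inverse: the (Gigawords, Octets) pair a NAS puts on the wire."""
    if not 0 <= total < GIGAWORD * GIGAWORD:
        raise ValueError("total does not fit the two 32-bit attributes")
    return divmod(total, GIGAWORD)


if __name__ == "__main__":
    for pkt in (STOP_WITH_GIGAWORDS, STOP_WITHOUT_GIGAWORDS):
        print(pkt["Acct-Session-Id"], radacct_octets(pkt))
```

The value returned by `radacct_octets` is what the thread says the SQL module now writes into the Acct*Octets columns; storing it losslessly assumes those columns are wide enough for 64-bit integers, which is the part of the old HOWTO's table modification that still matters.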


Re: Freeradius-Users Digest, Vol 25, Issue 140

2007-05-30 Thread tnt
If you make a very secure and long shared secret and plan to change it
from time to time you should get away with it.

Ivan Kalik
Kalik Informatika ISP


On 30/5/2007, "Mati Katz" <[EMAIL PROTECTED]> writes:

>>
>>
>>
>> >The simple answer is don't use dynamic hosts.
>>
>> >FreeRADIUS reads the clients file once at startup, resolves the IP's and
>> >then stores those.  It won't know about the new IP until the daemon is
>> >restarted (or in theory HUP'ed when that is fixed).
>>
>> >If you must use dynamic hosts, then you will need to specify an IP range
>> >like this:
>>
>> >client 192.168.0.0/24 {
>> >   secret  = testing123-1
>> >  shortname   = private-network-1
>> >}
>>
>> >That would allow a NAS to have any of 254 different IP's and still be
>> >able to talk to FreeRADIUS.  It would also allow anyone else on those
>> >IP's who wants to talk to you NAS and can figure out the secret to
>> >potentially do naughty things.
>
>
>   Thanks Dennis, I understand what you say, but I thought that there is a
>way to use dynamic DNS because not all people have static IPs, here in
>Israel at least.
>I understand that using a range of IPs is not secure, isn't it?
>
>



Re: AW: using encrypted passwords in users file or sql-radcheck table

2007-05-30 Thread tnt
There is a DEFAULT entry in users file forcing Auth-Type System. Comment
it out. And you don't need that Auth-Type PAP in user config.

Ivan Kalik
Kalik Informatika ISP


On 30/5/2007, "Rascher, Markus" <[EMAIL PROTECTED]> writes:

>With pap I'm running into problems...
>Can you give me an example config?
>
>In users-File I have: (Password is 'testpwd')
>testuser    Auth-Type = PAP, MD5-Password == "$1$agSvn0WL$6GaCc0qz.5RHu8PySNauf0"
>            Service-Type = Login-User
>
>
>In radiusd.conf I have:
>
>modules {
>pap {
> encryption_scheme = MD5
>}
>
>
>authorize {
>#   preprocess
>files
>}
>
>authenticate {
>Auth-Type PAP {
>pap
>}
>}
>
>-
>Radiusd says:
>-
>rad_recv: Access-Request packet from host 10.1.1.1:1645, id=239, length=82
>NAS-IP-Address = 10.1.1.1
>NAS-Port = 1
>NAS-Port-Type = Virtual
>User-Name = "testuser"
>Calling-Station-Id = "1.2.3.4"
>User-Password = "testpwd"
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>users: Matched entry DEFAULT at line 184
>  modcall[authorize]: module "files" returns ok for request 0
>modcall: leaving group authorize (returns ok) for request 0
>  rad_check_password:  Found Auth-Type System
>auth: type "System"
>  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested 
> action.
>auth: Failed to validate the user.
>Login incorrect: [testuser/testpwd] (from client Testclient port 1 cli 1.2.34)
>Delaying request 0 for 1 seconds
>Finished request 0
>
>
>Problem: the entry in the users-File for testuser doesn't match.
>What's my mistake?
> 
>
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan Dekok
>Sent: Wednesday, 30 May 2007 11:42
>To: FreeRadius users mailing list
>Subject: Re: using encrypted passwords in users file or sql-radcheck table
>
>Rascher, Markus wrote:
>> Hi all,
>>  
>> cleartext, unix crypt and MD5 - Passwords work fine in both, users file
>> and db.
>> does sha1-hashed pwds work?
>
>  Yes.  See "man rlm_pap".
>
>> another question:
>> can i use symmetric password encryption in users-File or radcheck table?
>
>  No.  They're useless.
>
>  Alan DeKok.
>--
>  http://deployingradius.com   - The web site of the book
>  http://deployingradius.com/blog/ - The blog
>
>



Re: AW: using encrypted passwords in users file or sql-radcheck table

2007-05-30 Thread Alan Dekok
Rascher, Markus wrote:
> With pap I'm running into problems...
> Can you give me an example config?
> 
> In users-File I have: (Password is 'testpwd')
> testuser    Auth-Type = PAP, MD5-Password == "$1$agSvn0WL$6GaCc0qz.5RHu8PySNauf0"

  Don't set Auth-Type.  I have NO idea why so many people are fascinated
with setting it.

  Use ":=" for the MD5-Password, not "==".  See "man users" for why.

> modules {
> pap {
>  encryption_scheme = MD5

  Why?  If you're using the most recent version, the documentation in
"man rlm_pap", and the comments in radiusd.conf make it clear that the
"encryption_scheme" configuration option shouldn't be used.

> authorize {
> #   preprocess
> files
> }

  Why?  You've gone to a lot of trouble to remove everything from the
"authorize" section.  The documentation in "radiusd.conf" at the end of
the "authorize" section says you should list "pap".  The documentation
in "man rlm_pap" says the same thing.

...
> modcall: entering group authorize for request 0
> users: Matched entry DEFAULT at line 184

  i.e. it didn't match the entry you posted above.  It didn't match
because the format of the entry was wrong.

> Problem: the entry in the users-File for testuser doesn't match..
> Whats my mistake?

  You haven't read the documentation.  You haven't read the comments in
the config files you're editing.  You've done a LOT of work to break the
default configuration.

  FreeRADIUS ships with a default configuration that works in the widest
possible set of circumstances.  If you don't understand the
configuration, CHANGE AS LITTLE AS POSSIBLE.

  I will also note you're either running an older version, which is not
recommended, or you didn't follow my previous recommendation to read
"man rlm_pap".

  Read the documentation.  Don't destroy the default configuration.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
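To make concrete what rlm_pap compares once the users entry is written the way Alan's and Ivan's replies describe (the hash as a ":=" check item, no Auth-Type, the DEFAULT entry forcing Auth-Type System commented out, pap listed in authorize), here is an added Python example. It is not FreeRADIUS code; it re-implements crypt(3) MD5 and the raw-MD5 comparison only for illustration. Because the posted string is in crypt(3) "$1$salt$hash" form, the helper files it under Crypt-Password, the attribute the rlm_pap man page documents for crypt strings; MD5-Password is documented as holding a raw MD5 digest, hex or base64 encoded. POSTED_HASH is the entry from the thread; the other usernames and passwords are constructed here.

```python
"""Verify a PAP password against the hashed check items rlm_pap accepts.

Added example, not FreeRADIUS code. It re-implements only the comparison
needed to show what the server matches a User-Password against once the
users-file entry carries the hash as a check item (":=") in the attribute
that fits the hash format. The "$1$..." string is the one posted in the
thread; the other sample values are constructed here.
"""
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
POSTED_HASH = "$1$agSvn0WL$6GaCc0qz.5RHu8PySNauf0"   # from the thread


def md5_crypt(password, salt):
    """crypt(3) MD5, the "$1$salt$hash" form of the posted entry."""
    pw = password.encode()
    salt = salt.encode()[:8]            # crypt-md5 uses at most 8 salt bytes
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for n in range(len(pw), 0, -16):    # as many bytes of alt as pw is long
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                            # per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):               # the 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    def to64(value, n):                 # crypt's own base-64, low bits first
        return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(n))

    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in triples)
    return "$1$" + salt.decode() + "$" + out + to64(final[11], 2)


def md5_hex(password):
    """Raw MD5 digest, hex encoded: the MD5-Password check-item form."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_b64(password):
    """Raw MD5 digest, base64 encoded: also accepted for MD5-Password."""
    return base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def pap_check(check_attr, stored, password):
    """Compare the cleartext PAP password with one stored check item.

    Crypt-Password holds a crypt(3) string (only "$1$" handled here);
    MD5-Password holds a raw MD5 digest, hex or base64 encoded;
    Cleartext-Password holds the password itself.
    """
    if check_attr == "Cleartext-Password":
        return hmac.compare_digest(stored.encode(), password.encode())
    if check_attr == "Crypt-Password":
        if not stored.startswith("$1$"):
            raise ValueError("only the $1$ crypt variant is implemented here")
        salt = stored.split("$")[2]
        return hmac.compare_digest(md5_crypt(password, salt).encode(),
                                   stored.encode())
    if check_attr == "MD5-Password":
        try:
            raw = (bytes.fromhex(stored) if len(stored) == 32
                   else base64.b64decode(stored, validate=True))
        except ValueError:              # binascii.Error is a ValueError
            return False
        return hmac.compare_digest(hashlib.md5(password.encode()).digest(), raw)
    raise ValueError(f"unsupported check attribute {check_attr}")


def users_entry(username, crypt_hash):
    """The users-file shape the thread asks for: the hash as a check item
    set with ":=" and no Auth-Type; reply items on an indented line."""
    return (f'{username}\tCrypt-Password := "{crypt_hash}"\n'
            f'\tService-Type = Login-User\n')


if __name__ == "__main__":
    print(users_entry("testuser", POSTED_HASH))
    print("posted entry verifies 'testpwd':",
          pap_check("Crypt-Password", POSTED_HASH, "testpwd"))
```

Running it prints the corrected users entry and whether the posted hash verifies the password given in the thread. The constant-time `compare_digest` calls are cheap insurance against timing differences in the hash comparison; nothing else in the block is meant to be reused, since the real comparison belongs to rlm_pap once pap is listed in authorize.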


Re: Dynamic VLAN-id setting on wireless AP

2007-05-30 Thread tnt
Restricts as much as the static VLAN can.

No, our wireless clients have to use VPN(PPTP) if they want Internet mail
etc. Local traffic (game servers etc.) is left wild with only bandwidth
restrictions.

Ivan Kalik
Kalik Informatika ISP


On 30/5/2007, "Jan Schermer / ET NETERA" <[EMAIL PROTECTED]>
writes:

>Do you use this scenario? Does Mikrotik really restrict each user to the given 
>VLAN?
>
>Thanks
>
>Jan Schermer
>Linux Administrator
>ET NETERA | smart e-business solutions
>[EMAIL PROTECTED]
>+420 60805
>~
>[ www.ahold.cz |  www.annonce.cz  |  www.datart.cz ]
>[ www.knizniweb.cz |  www.siemens.cz  |  www.cz.o2.com ]
>
>Created by ET NETERA | Powered by jNetPublish
>
>
>[EMAIL PROTECTED] wrote:
>> /interface vlan > create VLAN names, IDs and bind to physical interface
>> /ip address > assign IP subnets to VLAN interfaces (names)
>> 
>> VLANS can only enhance security.
>> 
>> Ivan Kalik
>> Kalik Informatika ISP
>> 
>> 
>> On 30/5/2007, "Jan Schermer / ET NETERA" <[EMAIL PROTECTED]>
>> writes:
>> 
>>> Hi,
>>> I want to tag VLANs on the wireless AP (Mikrotik OS) according to radius 
>>> criteria (type of authentication, DN in certificate etc.).
>>> Does someone here have experience with that?
>>> It seems easy enough to do on the freeradius side, but how is this supposed 
>>> to work on the wireless AP side? (I know, this is not
>>> a Mikrotik mailing list, sorry in advance :). Does the AP really have to be 
>>> smart enough to tag packets per-client? Should it work
>>> out of the box? Is it secure to mix clients from different security domains?
>>>
>>> Any experience appreciated, thanks
>>>
>>>
>>> --
>>> Jan Schermer
>>> Linux Administrator
>>> ET NETERA | smart e-business solutions
>>> [EMAIL PROTECTED]
>>> +420 60805
>>> ~
>>> [ www.ahold.cz |  www.annonce.cz  |  www.datart.cz ]
>>> [ www.knizniweb.cz |  www.siemens.cz  |  www.cz.o2.com ]
>>>
>>> Created by ET NETERA | Powered by jNetPublish
>>>
>>>
>> 
>
>



AW: using encrypted passwords in users file or sql-radcheck table

2007-05-30 Thread Rascher, Markus
With pap I'm running into problems...
Can you give me an example config?

In users-File I have: (Password is 'testpwd')
testuser    Auth-Type = PAP, MD5-Password == "$1$agSvn0WL$6GaCc0qz.5RHu8PySNauf0"
            Service-Type = Login-User


In radiusd.conf I have:

modules {
pap {
 encryption_scheme = MD5
}
...

authorize {
#   preprocess
files
}

authenticate {
Auth-Type PAP {
pap
}
}

-
Radiusd says:
-
rad_recv: Access-Request packet from host 10.1.1.1:1645, id=239, length=82
NAS-IP-Address = 10.1.1.1
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "testuser"
Calling-Station-Id = "1.2.3.4"
User-Password = "testpwd"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested 
action.
auth: Failed to validate the user.
Login incorrect: [testuser/testpwd] (from client Testclient port 1 cli 1.2.3.4)
Delaying request 0 for 1 seconds
Finished request 0


Problem: the entry in the users-File for testuser doesn't match.
What's my mistake?
 



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan Dekok
Sent: Wednesday, 30 May 2007 11:42
To: FreeRadius users mailing list
Subject: Re: using encrypted passwords in users file or sql-radcheck table

Rascher, Markus wrote:
> Hi all,
>  
> cleartext, unix crypt and MD5 - Passwords work fine in both, users file
> and db.
> does sha1-hashed pwds work?

  Yes.  See "man rlm_pap".

> another question:
> can i use symmetric password encryption in users-File or radcheck table?

  No.  They're useless.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


I will be out of the office from Wednesday May 30 until Monday

2007-05-30 Thread along
I will be out of the office from Wednesday May 30 until Monday
June 4. Please use my cell number if you require immediate
assistance. You may also call the main office number (716)
893-4984 to speak with someone else. I will receive your
e-mail during this period and will try to get back to you as
soon as possible.

Thank You.

Andrew Long


automated response

2007-05-30 Thread along
I will be out of the office from Wednesday May 30 until Monday
June 4. Although I will receive your message, I may be a bit
slow in responding. If you require immediate assistance,
please call my cell phone or the main office number (716)
893-4984.

Thank You.
Andrew Long


Re: error make rlm_tls

2007-05-30 Thread Alan Dekok
Pilar Sanchez wrote:
> I put as option of "compile" 
> -with-openssl-libraries=/usr/local/ssl/lib
> --with-openssl-includes=/usr/local/ssl/include 

  Maybe that should be with --with-openssl-libraries.

  You have -with-openssl-libraries.

> But this was not enough, I've had to add the variable
> OPENSS_LIBS=/usr/local/ssl/lib

  OPENSSL_LIBS is defined directly by the argument to
--with-openssl-libraries.  See configure.in.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-30 Thread Anoop
ntering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 22
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 172
users: Matched entry testuser at line 216
  modcall[authorize]: module "files" returns ok for request 1
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/md5
  rlm_eap: processing type md5
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 1
modcall: leaving group authenticate (returns ok) for request 1
Sending Access-Accept of id 1 to 192.168.2.183 port 1079
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x03010004
Message-Authenticator = 0x
User-Name = "testuser"
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 1 with timestamp 465abee0
Nothing to do.  Sleeping until we see a request.
>>
Can anyone help me out? It is really important and urgent.
If you need, I will also tell you my radius.conf, eap.conf and users file!!
thank you
regards
shantanu







End of Freeradius-Users Digest, Vol 25, Issue 141
*




Re: Freeradius-Users Digest, Vol 25, Issue 140

2007-05-30 Thread Mati Katz




>The simple answer is don't use dynamic hosts.

>FreeRADIUS reads the clients file once at startup, resolves the IP's and
>then stores those.  It won't know about the new IP until the daemon is
>restarted (or in theory HUP'ed when that is fixed).

>If you must use dynamic hosts, then you will need to specify an IP range
>like this:

>client 192.168.0.0/24 {
>   secret  = testing123-1
>  shortname   = private-network-1
>}

>That would allow a NAS to have any of 254 different IP's and still be
>able to talk to FreeRADIUS.  It would also allow anyone else on those
>IP's who wants to talk to you NAS and can figure out the secret to
>potentially do naughty things.



  Thanks Dennis, I understand what you say, but I thought that there is a
way to use dynamic DNS because not all people have static IPs, here in
Israel at least.
I understand that using a range of IPs is not secure, isn't it?

RE: error make rlm_tls

2007-05-30 Thread Pilar Sanchez

Hello
I think I've found the solution to my problem.  

I put as options of "compile":
-with-openssl-libraries=/usr/local/ssl/lib
--with-openssl-includes=/usr/local/ssl/include

But this was not enough; I've had to add the variable
OPENSS_LIBS=/usr/local/ssl/lib

After compiling, and before doing the "make", I've had to modify the
Makefile of rlm_eap_peap, rlm_eap_tls and rlm_eap_tls and put the path to the
SSL library and include directories, instead of variables, in RLM_CFLAGS and RLM_LIBS:

ORIGINAL MAKEFILE 

TARGET  = rlm_eap_peap
SRCS= rlm_eap_peap.c peap.c
HEADERS = eap_peap.h ../../eap.h ../../rlm_eap.h
RLM_CFLAGS  = -I../.. -I../../libeap $(INCLTDL) $(OPENSSL_INCLUDE)
RLM_LIBS=  ../../libeap/libeap.la $(OPENSSL_LIBS)
..
..

MODIFIED MAKEFILE 

TARGET  = rlm_eap_peap
SRCS= rlm_eap_peap.c peap.c
HEADERS = eap_peap.h ../../eap.h ../../rlm_eap.h
RLM_CFLAGS  = -I../.. -I../../libeap -I/usr/local/ssl/include $(INCLTDL)
RLM_LIBS=  ../../libeap/libeap.la /usr/local/ssl/lib
..
..

With these options and changes the "make" has worked and I can finish the
installation of FR with the eap-peap, eap_tls and eap_ttls modules.

Maybe this can help other people.

Regards


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On behalf of Pilar
> Sanchez
> Sent: Tuesday, 29 May 2007 15:21
> To: Freeradius-Users@lists.freeradius.org
> Subject: error make rlm_tls
> 
> Hello
> 
> I'm trying to install FR 1.1.6 (from .tar file) on Solaris 8, with openssl
> 0.9.8e (also installed from .tar file), and when I do the "make", the
> types
> rlm_eap_peap and rlm_eap_tls fail. When I do the "compile" they find the
> OpenSSL libs
> 
> The error is:
> 
> In file included from eap_peap.h:25,
>  from rlm_eap_peap.c:24:
> ../../libeap/eap_tls.h:138: error: parse error before "SSL"
> 
> 
> I know this is an "old" problem, but I thought that it was related to a bug
> in the 1.1.1 version.
> 
> Can someone give me some indications on how to solve this problem?
> Thanks in advance
> 
> 
> 
> ***
>  Pilar Sánchez Fernández
>  Comunicaciones CEDEX
>  C/ Alfonso XII nº 3 y 5
>  Tel: 91 335 72 81
>  Mail: [EMAIL PROTECTED]
>  http://www.cedex.es
> 
> 
> 
> 
> 




Re: Dynamic VLAN-id setting on wireless AP

2007-05-30 Thread Jan Schermer / ET NETERA

Do you use this scenario? Does Mikrotik really restrict each user to the given 
VLAN?

Thanks

Jan Schermer
Linux Administrator
ET NETERA | smart e-business solutions
[EMAIL PROTECTED]
+420 60805
~
[ www.ahold.cz |  www.annonce.cz  |  www.datart.cz ]
[ www.knizniweb.cz |  www.siemens.cz  |  www.cz.o2.com ]

Created by ET NETERA | Powered by jNetPublish


[EMAIL PROTECTED] wrote:

/interface vlan > create VLAN names, IDs and bind to physical interface
/ip address > assign IP subnets to VLAN interfaces (names)

VLANS can only enhance security.

Ivan Kalik
Kalik Informatika ISP


On 30/5/2007, "Jan Schermer / ET NETERA" <[EMAIL PROTECTED]>
writes:


Hi,
I want to tag VLANs on the wireless AP (Mikrotik OS) according to radius 
criteria (type of authentication, DN in certificate etc.).
Does someone here have experience with that?
It seems easy enough to do on the freeradius side, but how is this supposed to 
work on the wireless AP side? (I know, this is not
a Mikrotik mailing list, sorry in advance :). Does the AP really have to be 
smart enough to tag packets per-client? Should it work
out of the box? Is it secure to mix clients from different security domains?

Any experience appreciated, thanks







Re: Dynamic VLAN-id setting on wireless AP

2007-05-30 Thread Arran Cudbard-Bell
Jan Schermer / ET NETERA wrote:
> Hi,
> I want to tag VLANs on the wireless AP (Mikrotik OS) according to radius 
> criteria (type of authentication, DN in certificate etc.). Does someone 
> here have experience with that?
> It seems easy enough to do on the freeradius side, but how is this 
> supposed to work on the wireless AP side? (I know, this is not a 
> Mikrotik mailing list, sorry in advance :). Does the AP really have to 
> be smart enough to tag packets per-client? Should it work out of the 
> box? Is it secure to mix clients from different security domains?
> 
> Any experience appreciated, thanks
> 
> 

I'm pretty sure the RouterOS stuff isn't smart enough to do Dynamic VLAN 
assignment...

If it is, it will want

Tunnel-Type → Type of tunnel, switch expects VLAN or integer 13.
Tunnel-Medium-Type → Medium, Switch expects IEEE-802 or integer 6.
Tunnel-Private-Group-ID → Vlan ID, switch any tagged VLAN.

in the access accept packet.

If you get this working, please post back. I've got one sitting on my 
desk and it would be nice to do something with it other than use it as a 
pretty black paper weight.

I quite like the RouterOS stuff, it's a pity they concentrated on all 
that hotspot bollocks instead of building in proper 802.1x support.


Re: Dynamic VLAN-id setting on wireless AP

2007-05-30 Thread tnt
/interface vlan > create VLAN names, IDs and bind to physical interface
/ip address > assign IP subnets to VLAN interfaces (names)

VLANS can only enhance security.

Ivan Kalik
Kalik Informatika ISP


On 30/5/2007, "Jan Schermer / ET NETERA" <[EMAIL PROTECTED]>
writes:

>Hi,
>I want to tag VLANs on the wireless AP (Mikrotik OS) according to radius 
>criteria (type of authentication, DN in certificate etc.).
>Does someone here have experience with that?
>It seems easy enough to do on the freeradius side, but how is this supposed to 
>work on the wireless AP side? (I know, this is not
>a Mikrotik mailing list, sorry in advance :). Does the AP really have to be 
>smart enough to tag packets per-client? Should it work
>out of the box? Is it secure to mix clients from different security domains?
>
>Any experience appreciated, thanks
>
>



Re: problem in authentication with EAP-MD5

2007-05-30 Thread tnt
Well, now you don't have any IP address in your accept packet. Not a
problem if you are doing DHCP. Otherwise you need to return IP address,
netmask, MTU, Service-Type, DNS servers etc.

Leave that Framed-User DEFAULT entry alone - it should be there. You need
to add stuff to your user config:

testuser   Cleartext-Password := "yourpassword"
           Framed-IP-Address = 1.2.3.4,
           Framed-MTU = yourMTU,
           Framed-IP-Netmask = 255.255.255.255
etc.

Ivan Kalik
Kalik Informatika ISP


On 30/5/2007, "shantanu choudhary" <[EMAIL PROTECTED]> writes:

--- snip ---
>Sending Access-Accept of id 2 to 192.168.2.182 port 1028
>EAP-Message = 0x03020004
>Message-Authenticator = 0x
>User-Name = "testuser"
>Finished request 1
>Going to the next request
>Waking up in 6 seconds...
>--- Walking the entire request list ---
>Cleaning up request 0 ID 1 with timestamp 465d506e
>Cleaning up request 1 ID 2 with timestamp 465d506e
>Nothing to do.  Sleeping until we see a request.
>
>It is sending ACCESS ACCEPT but no access reject or failure,
>and when I try to check AP statistics from the server it is showing an entry for 
>AUTHENTICATION FAILURE!!!
>
>Sorry for disturbing you again and again, but can you help me out,
>please!!
>shantanu
>



Dynamic VLAN-id setting on wireless AP

2007-05-30 Thread Jan Schermer / ET NETERA

Hi,
I want to tag VLANs on the wireless AP (Mikrotik OS) according to radius criteria (type of authentication, DN in certificate etc.). 
Does someone here have experience with that?
It seems easy enough to do on the freeradius side, but how is this supposed to work on the wireless AP side? (I know, this is not 
a Mikrotik mailing list, sorry in advance :). Does the AP really have to be smart enough to tag packets per-client? Should it work 
out of the box? Is it secure to mix clients from different security domains?


Any experience appreciated, thanks



Re: problem in authentication with EAP-MD5

2007-05-30 Thread shantanu choudhary
I changed the users file and now what I am getting is:
on the client or supplicant side, EAP FAILURE :-(
Response:
No keys have been configured - skip key clearing
wpa_driver_wext_set_drop_unencrypted
State: DISCONNECTED -> ASSOCIATING
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
wpa_driver_wext_associate
Setting authentication timeout: 10 sec 0 usec
EAPOL: External notification - portControl=Auto
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
Wireless event: cmd=0x8b04 len=12
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
Wireless event: cmd=0x8b1a len=14
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:03:7f:09:60:a0
State: ASSOCIATING -> ASSOCIATED
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
Associated to a new BSS: BSSID=00:03:7f:09:60:a0
No keys have been configured - skip key clearing
Associated with 00:03:7f:09:60:a0
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: deinitialize previously used EAP method (4, MD5) at INITIALIZE
EAP: EAP entering state IDLE
Setting authentication timeout: 10 sec 0 usec
Cancelling scan request
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
RX EAPOL from 00:03:7f:09:60:a0
RX EAPOL - hexdump(len=9): 01 00 00 05 01 00 00 05 01
Setting authentication timeout: 70 sec 0 usec
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=8):
 74 65 73 74 75 73 65 72   testuser
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=17): 01 00 00 0d 02 00 00 0d 01 74 65 73 74 75 73 65 72
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:03:7f:09:60:a0
RX EAPOL - hexdump(len=26): 01 00 00 16 01 01 00 16 04 10 12 e6 77 bb e2 c5 16 
59 16 f3 d7 ed 57 79 14 9d
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): 12 e6 77 bb e2 c5 16 59 16 f3 d7 ed 57 79 
14 9d
EAP-MD5: Generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 8c 3f 26 07 9d 3a ad b5 37 fb 5a 61 8e a9 
c9 04
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 01 00 16 04 10 8c 3f 26 07 9d 3a ad 
b5 37 fb 5a 61 8e a9 c9 04
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:03:7f:09:60:a0
RX EAPOL - hexdump(len=8): 01 00 00 04 04 01 00 04
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
EAPOL: authWhile --> 0
EAPOL: SUPP_BE entering state TIMEOUT
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
RX EAPOL from 00:03:7f:09:60:a0
RX EAPOL - hexdump(len=9): 01 00 00 05 01 02 00 05 01
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: deinitialize previously used EAP method (4, MD5) at INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=8):
 74 65 73 74 75 73 65 72   testuser
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE en
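To see what the two sides are actually exchanging in the log above, here is an added example (not code from this thread, from wpa_supplicant or from FreeRADIUS) that decodes the captured EAPOL/EAP frames and recomputes the EAP-MD5 check the authenticator performs; the candidate password "hunter2" is a constructed placeholder, since the real one is not on the page.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

EAP_TYPE_MD5 = 4

# Frames copied from the wpa_supplicant hex dumps above, re-joined here.
IDENTITY_REQUEST = bytes.fromhex("010000050100000501")
IDENTITY_RESPONSE = bytes.fromhex("0100000d0200000d017465737475736572")
MD5_REQUEST = bytes.fromhex("01000016010100160410" "12e677bbe2c5165916f3d7ed5779149d")
MD5_RESPONSE = bytes.fromhex("01000016020100160410" "8c3f26079d3aadb537fb5a618ea9c904")
EAP_FAILURE = bytes.fromhex("0100000404010004")


@dataclass
class EapPacket:
    code: int                 # 1 Request, 2 Response, 3 Success, 4 Failure
    identifier: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type
    data: bytes               # Type-Data


def parse_eapol_eap(frame: bytes) -> EapPacket:
    """Strip the 4-byte EAPOL header (Version, Type, Body Length) and decode
    the EAP header behind it.  Only EAPOL Type 0 (EAP-Packet) is accepted."""
    if len(frame) < 4:
        raise ValueError("frame too short for an EAPOL header")
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != 0:
        raise ValueError(f"not an EAP-Packet (EAPOL type {eapol_type})")
    body = frame[4:4 + body_len]
    if len(body) != body_len or body_len < 4:
        raise ValueError("EAPOL body length disagrees with the frame")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != body_len:
        raise ValueError("EAP Length field disagrees with EAPOL body length")
    if code in (3, 4):
        return EapPacket(code, ident, None, b"")
    if body_len < 5:
        raise ValueError("Request/Response without a Type byte")
    return EapPacket(code, ident, body[4], body[5:])


def md5_value(pkt: EapPacket) -> bytes:
    """Value of an EAP-MD5 Request/Response (layout: Value-Size, Value, Name)."""
    if pkt.eap_type != EAP_TYPE_MD5 or not pkt.data:
        raise ValueError("not an EAP-MD5 packet")
    size = pkt.data[0]
    if len(pkt.data) < 1 + size:
        raise ValueError("truncated EAP-MD5 Value")
    return pkt.data[1:1 + size]


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || Password || Challenge), as in CHAP.
    The authenticator must hold the cleartext password to recompute this (hence
    Cleartext-Password in the users file; a stored hash will not do), and the
    challenge travels in the clear, so EAP-MD5 is unsuitable for wireless."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_md5_response(request: EapPacket, response: EapPacket, password: bytes) -> bool:
    """The check the RADIUS side (rlm_eap, type md5) effectively performs."""
    if response.code != 2 or response.identifier != request.identifier:
        return False
    expected = eap_md5_response(request.identifier, password, md5_value(request))
    return hmac.compare_digest(expected, md5_value(response))


def walk_conversation(password: bytes) -> dict:
    """Replay the captured exchange against one candidate cleartext password."""
    identity = parse_eapol_eap(IDENTITY_RESPONSE)
    request = parse_eapol_eap(MD5_REQUEST)
    response = parse_eapol_eap(MD5_RESPONSE)
    return {
        "identity": identity.data.decode("ascii"),
        "challenge": md5_value(request).hex(),
        "response": md5_value(response).hex(),
        "password_matches": verify_md5_response(request, response, password),
        "server_verdict": parse_eapol_eap(EAP_FAILURE).code,   # 4 = EAP-Failure
    }
```

Note that the supplicant reports decision=UNCOND_SUCC before the server's EAP-Failure arrives: the client never learns whether its response was right, only the server's verdict, which is why the users file entry on the RADIUS side decides the outcome.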

Re: using encrypted passwords in users file or sql-radcheck table

2007-05-30 Thread Alan Dekok
Rascher, Markus wrote:
> Hi all,
>  
> cleartext, unix crypt and MD5 - Passwords work fine in both, users file
> and db.
> does sha1-hashed pwds work?

  Yes.  See "man rlm_pap".

> another question:
> can i use symmetric password encryption in users-File or radcheck table?

  No.  They're useless.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: problem in authentication with EAP-MD5

2007-05-30 Thread tnt
Your request is accepted but you are picking up an IP address of
255.255.255.254 from the DEFAULT entry in the users file for Service-Type
Framed-User. Assign a proper IP address or address pool in your user
configuration. And put the user before the DEFAULT entries.

Ivan Kalik
Kalik Informatika ISP

---snip ---
>users: Matched entry DEFAULT at line 153
>users: Matched entry DEFAULT at line 172
>users: Matched entry testuser at line 216
--- snip ---
>Sending Access-Accept of id 1 to 192.168.2.183 port 1079
>Framed-IP-Address = 255.255.255.254
>Framed-MTU = 576
>Service-Type = Framed-User
>EAP-Message = 0x03010004
>Message-Authenticator = 0x
>User-Name = "testuser"
>Finished request 1
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 6 seconds...
>--- Walking the entire request list ---
>Cleaning up request 1 ID 1 with timestamp 465abee0
>Nothing to do.  Sleeping until we see a request.
>>>
>can any one help me out it is really important and urgent.
>if u need i will also tell u my radius.conf, eap.conf and users file!!
>thank you
>regards
>shantanu

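As an added illustration of the ordering point in this reply (not FreeRADIUS code, and a deliberately small model of how rlm_files walks the users file), the following Python processes a constructed users file first in the logged order and then with the user entry moved above DEFAULT; the MTU of 1500 and the password are placeholders.

```python
import re
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]                      # (attribute, operator, value)
Entry = Tuple[str, List[Item], List[Item]]       # (name, check items, reply items)
ITEM_RE = re.compile(r"\s*([\w-]+)\s*(:=|==|=)\s*(.+?)\s*$")

# Constructed users file in the order the log above implies: the stock
# DEFAULT Framed-User entry (which hands out 255.255.255.254) comes before
# the testuser entry.  1500 is a placeholder MTU.
USERS_AS_LOGGED = """
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

testuser Cleartext-Password := "yourpassword"
        Framed-IP-Address = 1.2.3.4,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-MTU = 1500,
        Service-Type = Framed-User
"""


def parse_items(text: str) -> List[Item]:
    """Split 'Attr op value, Attr op value' into triples; quotes are dropped."""
    items: List[Item] = []
    for raw in text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        match = ITEM_RE.match(raw)
        if not match:
            raise ValueError(f"cannot parse item: {raw!r}")
        attr, op, value = match.groups()
        items.append((attr, op, value.strip('"')))
    return items


def parse_users(text: str) -> List[Entry]:
    """First line of an entry: name plus check items; indented lines: reply
    items; a blank line ends the entry."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = lines[0].split(None, 1)
        checks = parse_items(head[1]) if len(head) > 1 else []
        replies = parse_items(" ".join(line.strip() for line in lines[1:]))
        entries.append((head[0], checks, replies))
    return entries


def process(entries: List[Entry], request: Dict[str, str]):
    """Walk the entries top to bottom the way rlm_files does for the parts
    modelled here.  Returns (names matched, control items, reply items)."""
    matched: List[str] = []
    control: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and request.get("User-Name") != name:
            continue
        if any(op == "==" and request.get(attr) != value for attr, op, value in checks):
            continue
        matched.append(name)
        for attr, op, value in checks:
            if op == ":=":                      # e.g. Cleartext-Password, Auth-Type
                control[attr] = value
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("1", "yes")
            elif op == ":=":                    # ':=' replaces whatever is there
                reply[attr] = value
            elif op == "=" and attr not in reply:  # '=' only fills a gap
                reply[attr] = value
        if not fall_through:                    # first match wins unless told otherwise
            break
    return matched, control, reply


def user_first(entries: List[Entry], user: str) -> List[Entry]:
    """The fix suggested in the reply: move the user's entry above the DEFAULTs."""
    return [e for e in entries if e[0] == user] + [e for e in entries if e[0] != user]
```

In the logged order the DEFAULT entry's Framed-IP-Address is already in the reply when testuser's `=` item is reached, so 255.255.255.254 survives; with the user entry first, its reply items win and the absence of Fall-Through stops the walk before DEFAULT. Writing the user's Framed-IP-Address with `:=` would also override the DEFAULT value even with the entry left where it is.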


Re: Gigaword support

2007-05-30 Thread Stefan Winter
Hi,

> Thank you! It would be nice if FreeRadius could have more support for
> Gigawords built in!

FYI: CVS just got a commit that includes Gigawords support for the MySQL 
backend. It behaves pretty much like the one in PostgreSQL, which, for the 
record, has had Gigawords support included since a long time ago.

The behaviour is different from that in the quick-n-dirty HOWTO that was 
referenced in this thread: the correct octet value is computed out of the two 
attributes Acct-*-Gigawords and Acct-*-Octets and the result is saved in the 
Acct*Octets column in radacct. No separate column to catch the Gigawords is 
necessary. IOW: it just works now. If the client sends Gigawords, your 
accounting table will contain the 64-bit value.

For FreeRADIUS 2.0, this obsoletes the steps

"Mysql Table Modification" and
"Freeradius Update"

in

http://www.netexpertise.eu/en/FreeRadius/GigaWords.html

I.e.: just configure your NAS, the server side will handle it just fine.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-30 Thread anoop_c
Hi
   I am getting the following message
in the log when it first starts (radiusd -X)

[EMAIL PROTECTED] radius]# cat radius.log
Wed May 30 11:24:14 2007 : Info: Using deprecated naslist file.  Support for this will go away soon.
Wed May 30 11:24:14 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed May 30 11:24:14 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed May 30 11:24:14 2007 : Info: Ready to process requests.

But if I start the server again, no logs and nothing other than this is coming in 
the log.

 Regarding the users file: in NavisRadius I used to do that in EAP-TLS; that's why I 
asked.

Regards
Anoop
--
> 
> Message: 5
> Date: Tue, 29 May 2007 09:42:52 +0100
> From: <[EMAIL PROTECTED]>
> Subject: Re: log file for free radius 1.1.6 eap-tls authentication
> To: "FreeRadius users mailing list"
>   
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-2
> 
> 1. That's not how certificates work. You add those that you want to
> PREVENT from connecting (for whatever reason) to the Certificate Revocation
> List (CRL). You supposedly do have control over who certificates are
> issued to. If you have no control over the CA then you shouldn't be using
> them.
> 
> 2. Is anything (reading config files etc.) written to the log when you
> restart the server?
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 29/5/2007, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> writes:
> 
> >Hi
> >   1. I know it's EAP-TLS and certificate based.
> >Earlier I was using Navis radius. In that, for EAP-TLS we have to add the
> certificate name to a specific user file.
> > Like that, here also a user file is there; can I make use of the user
> file so that only that user gets authenticated?
> >
> >  2. Logs are not happening. Are config changes required to get the same?
> >Regards
> >Anoop
> >
> >>
> >>
> >> Message: 2
> >> Date: Mon, 28 May 2007 15:07:06 +0100
> >> From: <[EMAIL PROTECTED]>
> >> Subject: Re: log file for free radius 1.1.6 eap-tls authentication
> >> To: "FreeRadius users mailing list"
> >>
> >> Message-ID: <[EMAIL PROTECTED]>
> >> Content-Type: text/plain; charset=ISO-8859-2
> >>
> >> This is EAP-TLS. This user has a valid user certificate and is
> >> accepted.
> >> If you don't want to go via certificates but use user/password, use
> >> EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
