Re: TTLS-PAP accounting bug

2007-06-18 Thread Alan Dekok
Sam Schultz wrote:
 I was just wondering if the bug from this post has been fixed since 1.1.6:
 
 Re: EAP-TTLS outer identity  accounting

  No.  It should be fixed before 1.1.7 is released, though.

  I'm not sure what changed, or why it's broken.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: download latest version: link broken?

2007-06-18 Thread Alan Dekok
Arran Cudbard-Bell wrote:
 It's fine so long as you don't do a make install :)
 
 Alan D is on it, i'm sure it'll be fixed in a couple of days ..

  It's fixed.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: AW: AW: encrypted password

2007-06-18 Thread Alan Dekok
Felipe Ceglia - PY1NB wrote:
 Running 1.1.6 now. Crypt-Local works ok now.

  In 1.1.6, you don't have to do that.

 I would like to know if it is possible to have both User-Password and 
 Crypt-Local Auth-Types for sql users.


  No.  Stop trying to set Auth-Type.  It's not necessary.

  In 1.1.6, with the *default* configuration, all you need to do is to
set Crypt-Password in the users file, or in SQL.  Then, authentication
will work.

  Do NOT set Auth-Type.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Freeradius PEAP and Wireless

2007-06-18 Thread Josh Howlett
 rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is 
 required first.

You need to uncomment the tls section in eap.conf, even if you're not
intending to use EAP-TLS.

josh.



Re: Freeradius PEAP and Wireless

2007-06-18 Thread Alan Dekok
Cody Jarrett wrote:
 I'm trying to setup freeradius with ldap for use with a wireless 
 network. I don't want to have to deal with tls and certificates if 
 possible,

  Then you won't be doing PEAP.  It requires TLS and certificates.
...
 rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.

  What is unclear about that message?  It's telling you that you need
TLS for PEAP to work.

  All of the howto's show that you have to configure TLS before PEAP.
The comments in eap.conf say you have to configure TLS before PEAP.

  What's the problem?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Disabling EAP-TLS while keeping EAP-PEAP

2007-06-18 Thread Reimer Karlsen-Masur, DFN-CERT
Hi!

By commenting the CA_file parameter in the eap-tls section:

# CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem

*and*

by setting CA_path parameter in the eap-tls section to an *empty* directory

CA_path = ${raddbdir}/certs/trustedCAs

should do the trick.

No trusted CAs mean no trusted client certificates :-)

Martin Gadbois wrote:
 When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
 
 How can I disable EAP-TLS while using EAP-PEAP?
 
 I agree that if the client does not have a client key, EAP-TLS will not
 work. But how to restrict EAP-TLS in any case?

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737



Re: Segmentation fault on conflicting packet

2007-06-18 Thread Alan DeKok
Milan Holub wrote:
 If you check the timeline we've received a conflicting packet after
 0.000696 sec, which I think was a duplicate packet due to some network
 problem. Packet 11920 was in the middle of processing (finished writing
 into the detail file, but not yet written to the database). The segmentation
 fault occurred when another request was received.

  Ok.  Two issues.  If the client is sending two packets within the same
second, using the same (source ip, port, code, id), then the client is
broken.  It should either wait for a timeout (~30s), or for the reply
from the first request, before sending the second request.

  The second issue is I've updated the code.  Previously it didn't
remove the old request from the hash in some cases, resulting in the
crash.  It now removes the request always, which should avoid the crash.

  Alan DeKok.
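The two issues above in code: a client that reuses the same (source ip, port, code, id) tuple within the timeout, and a server that must always drop the old request from its hash before accepting the conflicting one. This is an added example, not FreeRADIUS's request handling. The key layout, the 16-byte authenticator comparison used to tell a retransmit from a genuinely different packet, the 30-second window and the packet numbers are assumptions chosen to match the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS   64
#define DUP_WINDOW 30.0   /* seconds a well-behaved client waits before reusing an id (assumed) */

/* The tuple that identifies one outstanding request. */
typedef struct {
    uint32_t src_ip;
    uint16_t src_port;
    uint8_t  code;
    uint8_t  id;
} req_key_t;

typedef struct request {
    req_key_t       key;
    uint8_t         authenticator[16];  /* distinguishes a retransmit from a new packet */
    double          received;           /* arrival time in seconds */
    int             packet_no;          /* the "Packet 11920" style counter */
    struct request *next;
} request_t;

typedef enum { RECV_NEW, RECV_DUPLICATE, RECV_CONFLICT } recv_result_t;

static request_t *buckets[NBUCKETS];
static int live_requests = 0;

static unsigned bucket_of(const req_key_t *k) {
    uint32_t h = k->src_ip ^ ((uint32_t)k->src_port << 16)
               ^ ((uint32_t)k->code << 8) ^ k->id;
    h ^= h >> 13; h *= 0x5bd1e995u; h ^= h >> 15;
    return h % NBUCKETS;
}

static int key_eq(const req_key_t *a, const req_key_t *b) {
    return a->src_ip == b->src_ip && a->src_port == b->src_port
        && a->code == b->code && a->id == b->id;
}

request_t *request_find(const req_key_t *k) {
    for (request_t *r = buckets[bucket_of(k)]; r != NULL; r = r->next)
        if (key_eq(&r->key, k)) return r;
    return NULL;
}

/* Unlink and free the entry for k. Returns 1 if an entry was removed. */
int request_remove(const req_key_t *k) {
    for (request_t **pp = &buckets[bucket_of(k)]; *pp != NULL; pp = &(*pp)->next) {
        if (key_eq(&(*pp)->key, k)) {
            request_t *dead = *pp;
            *pp = dead->next;       /* the old entry leaves the hash before anything else happens */
            free(dead);
            live_requests--;
            return 1;
        }
    }
    return 0;
}

/* Classify an incoming packet and keep the table consistent. */
recv_result_t request_receive(const req_key_t *k, const uint8_t auth[16],
                              double now, int packet_no) {
    request_t *old = request_find(k);
    recv_result_t result = RECV_NEW;

    if (old != NULL) {
        if (memcmp(old->authenticator, auth, 16) == 0)
            return RECV_DUPLICATE;          /* retransmit of the same packet: keep the old one */
        if (now - old->received < DUP_WINDOW)
            fprintf(stderr, "client reused id %u after %.6f s\n",
                    (unsigned)k->id, now - old->received);
        request_remove(k);                  /* always evict; never leave a stale entry behind */
        result = RECV_CONFLICT;
    }

    request_t *r = calloc(1, sizeof *r);
    if (r == NULL) abort();
    r->key = *k;
    memcpy(r->authenticator, auth, 16);
    r->received = now;
    r->packet_no = packet_no;
    unsigned b = bucket_of(k);
    r->next = buckets[b];
    buckets[b] = r;
    live_requests++;
    return result;
}

int live_request_count(void) { return live_requests; }

int main(void) {
    /* Constructed scenario modelled on the post: packet 11920 is being processed
     * when a conflicting packet with the same key arrives 0.000696 s later. */
    req_key_t key = { 0x0a000001u, 1645, 4, 120 };   /* 10.0.0.1:1645, Accounting-Request, id 120 */
    uint8_t auth_a[16] = { 0x11 }, auth_b[16] = { 0x22 };
    printf("first packet:       %d\n", request_receive(&key, auth_a, 100.0, 11920));
    printf("retransmit:         %d\n", request_receive(&key, auth_a, 100.0003, 11920));
    printf("conflicting packet: %d\n", request_receive(&key, auth_b, 100.000696, 11921));
    printf("live entries: %d, newest packet_no: %d\n",
           live_request_count(), request_find(&key)->packet_no);
    request_remove(&key);
    return 0;
}
```

The invariant worth checking in a real server is the last print: after the conflicting packet there is exactly one live entry for the key and it is the newest packet, so no later lookup can hand back a freed request.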


SQL statement expansion with alternate internal expansions ...

2007-06-18 Thread Arran Cudbard-Bell
update request {
 Supplicant-Flags = %{sql_clients:SELECT 
EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` WHERE 
master.hw_address = '%{Calling-Station-Id:-null}' LIMIT 0,1}
}

is parsed as

SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` 
WHERE master.hw_address = '%{Calling-Station-Id:-null}' LIMIT 0,1}

expanded to

SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` 
WHERE master.hw_address = 'null' LIMIT 0,1}

when it should be

SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` 
WHERE master.hw_address = '%{Calling-Station-Id:-null}' LIMIT 0,1}

expanded to

SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` 
WHERE master.hw_address = 'null' LIMIT 0,1

The trailing } breaks SQL queries.

The thing that breaks it is the alternate value declaration for
Calling-Station-Id.

It works fine with

update request {
 Supplicant-Flags = %{sql_clients:SELECT 
EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` WHERE 
master.hw_address = '%{Calling-Station-Id}' LIMIT 0,1}
}


This has been a bug for as long as I can remember using the server :)

so since 1.1.4

---
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
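An added illustration of the nested-expansion case described above; it is not the server's xlat code, and the server's real parser is not on the page. It assumes a toy attribute lookup in which Calling-Station-Id is absent (so the :-null alternate fires), and compares a naive end-of-expansion scan that stops at the first '}' with a depth-aware scan that finds the matching brace. Only the second yields the query the inner module should run, with no stray brace and the alternate value substituted. The sample strings are copied from the shape of the post's expansion.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXOUT 512

/* Constructed sample: the outer %{sql_clients:...} wraps a nested %{attr:-default}. */
static const char *SAMPLE_XLAT =
    "%{sql_clients:SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) "
    "FROM `master` WHERE master.hw_address = '%{Calling-Station-Id:-null}' LIMIT 0,1}";

/* What the inner module should receive once both levels are expanded. */
static const char *EXPECTED_QUERY =
    "SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) "
    "FROM `master` WHERE master.hw_address = 'null' LIMIT 0,1";

/* Toy request attributes: Calling-Station-Id is deliberately absent. */
static const char *lookup_attr(const char *name, size_t len) {
    if (len == 9 && strncmp(name, "User-Name", 9) == 0) return "arran";
    return NULL;
}

/* Bug-prone end finder: the first '}' at or after pos. */
size_t naive_close(const char *s, size_t pos) {
    const char *p = strchr(s + pos, '}');
    return p ? (size_t)(p - s) : strlen(s);
}

/* Depth-aware end finder: the '}' matching the "%{" at pos.
 * Returns strlen(s) when the expansion is unterminated. */
size_t matching_close(const char *s, size_t pos) {
    int depth = 0;
    for (size_t i = pos; s[i] != '\0'; i++) {
        if (s[i] == '%' && s[i + 1] == '{') { depth++; i++; }
        else if (s[i] == '}' && --depth == 0) return i;
    }
    return strlen(s);
}

/* Expand every %{attr} / %{attr:-default} in 'in' into 'out' (MAXOUT bytes).
 * A missing attribute with no alternate becomes the empty string.
 * Returns 0, or -1 on an unterminated expansion or an oversized result. */
int expand_attrs(const char *in, char *out) {
    size_t n = 0, i = 0;
    while (in[i] != '\0') {
        if (in[i] != '%' || in[i + 1] != '{') {
            if (n + 1 >= MAXOUT) return -1;
            out[n++] = in[i++];
            continue;
        }
        size_t close = matching_close(in, i);
        if (in[close] == '\0') return -1;            /* no matching '}' */
        const char *name = in + i + 2;
        size_t name_len = close - (i + 2);
        const char *alt = NULL;
        size_t alt_len = 0;
        for (size_t k = 0; k + 1 < name_len; k++) {  /* split "attr:-default" */
            if (name[k] == ':' && name[k + 1] == '-') {
                alt = name + k + 2;
                alt_len = name_len - k - 2;
                name_len = k;
                break;
            }
        }
        const char *val = lookup_attr(name, name_len);
        size_t val_len = val ? strlen(val) : alt_len;
        if (!val) val = alt ? alt : "";
        if (n + val_len >= MAXOUT) return -1;
        memcpy(out + n, val, val_len);
        n += val_len;
        i = close + 1;
    }
    out[n] = '\0';
    return 0;
}

/* Cut the argument of the outer %{sql_clients:...} out of 'in' using the given
 * end finder, then expand the attributes inside it into 'query'. */
int build_query(const char *in, size_t (*find_close)(const char *, size_t), char *query) {
    static const char prefix[] = "%{sql_clients:";
    const char *start = strstr(in, prefix);
    if (start == NULL) return -1;
    size_t open = (size_t)(start - in);
    size_t close = find_close(in, open);
    if (in[close] == '\0') return -1;
    size_t arg_start = open + sizeof(prefix) - 1;
    size_t arg_len = close - arg_start;
    char arg[MAXOUT];
    if (arg_len >= MAXOUT) return -1;
    memcpy(arg, in + arg_start, arg_len);
    arg[arg_len] = '\0';
    return expand_attrs(arg, query);
}

int main(void) {
    char query[MAXOUT];
    printf("first-brace scan: %s\n", build_query(SAMPLE_XLAT, naive_close, query) == 0
                                     ? query : "(cut inside the nested expansion)");
    if (build_query(SAMPLE_XLAT, matching_close, query) == 0)
        printf("depth-aware scan: %s\n", query);
    return 0;
}
```

With the first-brace scan the outer argument ends in the middle of %{Calling-Station-Id:-null, so the inner expansion is unterminated and the query cannot be built; with the depth-aware scan the alternate value is substituted and the trailing brace stays with the outer expansion where it belongs.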


Re: SQL statement expansion with alternate internal expansions ...

2007-06-18 Thread Alan DeKok
Arran Cudbard-Bell wrote:
...
 The trailing } breaks SQL queries.
 
 The thing that breaks it is the alternate value declaration for
 Calling-Station-Id.

  It's a bug in the CVS head.  I've committed a fix.

  Alan DeKok.


Pam_radius_Auth - Problem

2007-06-18 Thread Rascher, Markus
Hi all,

I have a problem with the pam_radius_auth module; maybe someone can help me.

The situation:

I am running freeradius 1.1.6 and installed the pam_radius_auth module.
In the file /etc/pam.d/sshd I inserted the line

auth required pam_radius_auth.so

as described in the documentation at freeradius.org.

And in the file /etc/raddb/server I inserted the shared secret.

If I connect to the ssh server with a username which exists in the
ssh server's system database, the login process works fine, but if I want to
log in via ssh with a user that only the radius server knows, and not the
system database of the ssh server, the login fails with this error:

Jun 18 14:32:52 kiwi15 sshd[31606]: Invalid user testuser from
146.254.188.65
Jun 18 14:32:52 kiwi15 sshd[31607]: input_userauth_request: invalid user
testuser
Jun 18 14:32:57 kiwi15 sshd[31606]: pam_radius_auth: Got user name
testuser
Jun 18 14:32:57 kiwi15 sshd[31606]: pam_radius_auth: Sending RADIUS
request code 1

== /var/log/secure ==
Jun 18 14:32:59 kiwi15 sshd[31606]: pam_radius_auth: Got RADIUS response
code 3
Jun 18 14:32:59 kiwi15 sshd[31606]: pam_radius_auth: authentication
failed
Jun 18 14:32:59 kiwi15 sshd[31606]: Failed password for invalid user
testuser from 146.254.188.65 port 3666 ssh2



The RADIUS daemon says:

rad_recv: Access-Request packet from host 127.0.0.1:32631, id=218,
length=99
User-Name = testuser
User-Password = \010\n\rINCORRECT -- this is very strong
:-/
NAS-IP-Address = 127.0.0.1
NAS-Identifier = sshd
NAS-Port = 31606
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = testkiste
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 24
.
.
.
modcall: leaving group authorize (returns ok) for request 24
  rad_check_password:  Found Auth-Type PAP
auth: type PAP
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 24
rlm_pap: login attempt with password ?  INCORRECT
rlm_pap: Using clear text password testpwd.
rlm_pap: Passwords don't match
  modcall[authenticate]: module pap returns reject for request 24
modcall: leaving group PAP (returns reject) for request 24
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ?  Double-check the
shared secret on the server and the NAS!
Delaying request 24 for 1 seconds
Finished request 24
Going to the next request


Shared secret is ok, I checked it twice...
I think sshd refuses users which are not in the passwd file and
sends this confusing password attribute to the pam_radius module, but
why?


Thanks for your help

Markus







Re: Disabling EAP-TLS while keeping EAP-PEAP

2007-06-18 Thread Martin Gadbois

Reimer Karlsen-Masur, DFN-CERT wrote:
 Hi!
 
 By commenting the CA_file parameter in the eap-tls section:
 
 # CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem
 
 *and*
 
 by setting CA_path parameter in the eap-tls section to an *empty* directory
 
 CA_path = ${raddbdir}/certs/trustedCAs
 
 should do the trick.
 
 No trusted CAs mean no trusted client certificates :-)
 


Clever! Thanks!



- --
== +-+
Martin Gadbois | Please answer by yes or no.|
Sr. SW Designer| Uncooperative user waste precious CPU time |
Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969  |


Re: Freeradius PEAP and Wireless

2007-06-18 Thread Cody Jarrett

Alan Dekok wrote:

Cody Jarrett wrote:
  
I'm trying to setup freeradius with ldap for use with a wireless 
network. I don't want to have to deal with tls and certificates if 
possible,



  Then you won't be doing PEAP.  It requires TLS and certificates.
  
Is what I want possible then? And if so could you provide me with 
details on what it's called or how it's configured?

...
  

rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.



  What is unclear about that message?  It's telling you that you need
TLS for PEAP to work.

  All of the howto's show that you have to configure TLS before PEAP.
The comments in eap.conf say you have to configure TLS before PEAP.

  What's the problem?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

Re: Freeradius PEAP and Wireless

2007-06-18 Thread tnt
Read provided instructions in eap.conf.

Ivan Kalik
Kalik Informatika ISP




Freeeradius 1.16 and Radrelay Not updating

2007-06-18 Thread Jeff
I have Freeradius installed on two opensuse 10.2 servers

Running Freeradius 1.16

I am running radrelay on the two to keep the detail files in sync

(New Setup)

The combined detail work file is created on the two servers and each appear to 
write to it ok.

But they aren't transferring with one another
I am at a loss at what is wrong.
I have tried several radrelay command line options with all giving me the same 
result

Here are my radrelay start commands

---

Primary

radrelay -a /var/log/radius/radacct/ -d /etc/raddb -n Secondary-Radius 
detail-combined 

---

Secondary

radrelay -a /var/log/radius/radacct/ -d /etc/raddb -n Primary-Radius 
detail-combined 

---



Re: Freeeradius 1.16 and Radrelay Not updating

2007-06-18 Thread Alan DeKok
Jeff wrote:
...
 The combined detail work file is created on the two servers and each appear 
 to write to it ok.
 
 But they aren't transferring with one another

  What *are* they doing?  You can run the radrelay *and* server in
debugging mode, to see what is going on.

  If you're not doing that, you're not reading the documentation, and
you won't be able to solve the problem.

  Alan DeKok.


Re: Freeeradius 1.16 and Radrelay Not updating

2007-06-18 Thread Jeff
I tried running both in debug, and basically the only thing happening is the info
is going into the combined file on the server that took the request, but radrelay
running in debug mode on that same server about every 50 seconds runs through its
hoop, but never processes anything, like it had nothing to do.

I have it pointed to where the combined file lives, etc. (i.e. the example below), but
again it's like when radrelay does its thing nothing happens, but it counting
through the threads 0-9 I believe it was.
Nothing about grabbing the info that was just placed in the combined work file,
etc.

Here's my latest command running radrelay.

The stars represent the secret I dubbed out here (I am trying the direct
approach to help rule out problems reading something, i.e. secret files etc.).
The .53 server below is the server that I want to receive the updates for
accounting.
I also have tried sending results from accounting to this server with the
same setup, and get the same results as I stated above. I have read the heck
out of the radrelay documentation. Call me stupid, I know this 50 year old dude
is missing something.

radrelay -a /var/log/radius/radacct/ -r 74.218.65.153 -s  detail-combined


rlm_sql.c in 2.0.0-pre2

2007-06-18 Thread Alexander Serkin
Hi,
Is the read_groups configuration parameter reading strings 
intentionally removed from rlm_sql.c? Why?

Let me suggest a patch:

*** rlm_sql.c.orig   2007-05-15 14:10:35.0 +0400
--- rlm_sql.c   2007-06-18 19:46:59.0 +0400
***
*** 57,62 
--- 57,64 
  offsetof(SQL_CONFIG,tracefile), NULL, SQLTRACEFILE},
 {readclients, PW_TYPE_BOOLEAN,
  offsetof(SQL_CONFIG,do_clients), NULL, no},
+ {read_groups, PW_TYPE_BOOLEAN,
+  offsetof(SQL_CONFIG,read_groups), NULL, yes},
 {deletestalesessions, PW_TYPE_BOOLEAN,
  offsetof(SQL_CONFIG,deletestalesessions), NULL, yes},
 {num_sql_socks, PW_TYPE_INTEGER,
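Review bot: defaulting the new read_groups entry to yes is the right call, since the struct member it fills is otherwise never assigned (the mail notes it is read at line 959 but set nowhere), so group lookups would silently stay off without it; two things to add alongside the hunk: the neighbouring boolean is spelled readclients without an underscore, so either follow that spelling or keep read_groups to match the struct member and say which in the commit message, and document the option and its default in the sample sql.conf so that the knob the code checks is discoverable. Also confirm that SQL_CONFIG already declares the read_groups member, because the offsetof() in the added line will not compile otherwise.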


read_groups is checked on line 959 of rlm_sql.c, but it's not set 
anywhere before.

thanks,
-- 
Alexander


Re: Server dies

2007-06-18 Thread Hugh Messenger
Alan Dekok [EMAIL PROTECTED] said
   Yes.  For simplicity:
 
 $ script valgrind.log
 $ valgrind radiusd -xxx
 ...
 $ ctrl-c
 $ exit

Okie Dokie.  I was going to use --log-file with valgrind, but 'script'
works.  Done.

So far the only errors I'm seeing are these:

==29820== Thread 2:
==29820== Invalid write of size 1
==29820==at 0x4819294: strNcpy (misc.c:187)
==29820==by 0x4CC43F3: sqlippool_postauth (rlm_sqlippool.c:527)
==29820==by 0xD469: modcall (modcall.c:236)
==29820==by 0xDA73: call_one (modcall.c:269)
==29820==by 0xD701: modcall (modcall.c:324)
==29820==by 0xC8F7: indexed_modcall (modules.c:469)
==29820==by 0x5865: rad_postauth (auth.c:430)
==29820==by 0x6101: rad_authenticate (auth.c:1029)
==29820==by 0xF6D4: rad_respond (radiusd.c:1669)
==29820==by 0x13240: request_handler_thread (threads.c:570)
==29820==by 0x3B4370: start_thread (in /lib/tls/libpthread-2.3.4.so)
==29820==by 0x208FFD: clone (in /lib/tls/libc-2.3.4.so)
==29820==  Address 0x4A87AA2 is 0 bytes after a block of size 10 alloc'd
==29820==at 0x4804405: malloc (vg_replace_malloc.c:149)
==29820==by 0x1AA02F: strdup (in /lib/tls/libc-2.3.4.so)
==29820==by 0x4CC42AF: sqlippool_instantiate (rlm_sqlippool.c:486)
==29820==by 0xC5DE: find_module_instance (modules.c:358)
==29820==by 0xDD9C: do_compile_modsingle (modcall.c:1005)
==29820==by 0xCD6E: setup_modules (modules.c:580)
==29820==by 0x103E1: main (radiusd.c:965)

There are typically three or four similar events for each authentication, a
mix of invalid writes and reads.  They are always out of sqlippool_postauth.

   Alan DeKok.

   -- hugh


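Valgrind's one-byte write at 0 bytes past a 10-byte strdup'd block is the signature of a copy sized by the source string instead of by the destination buffer. What follows is an added example, not rlm_sqlippool's code (the actual cause at rlm_sqlippool.c:527 is not on the page): a strNcpy-shaped helper, a destination-bounded wrapper around it, and a probe that puts a canary byte exactly where Valgrind saw the write, so the overflow can be demonstrated without undefined behaviour. The names, the sample strings and the canary value are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The usual strNcpy shape: copy at most n-1 bytes, always NUL-terminate.
 * Correct only when n is the capacity of dst, not the length of src. */
void str_ncpy(char *dst, const char *src, size_t n) {
    if (n == 0) return;
    size_t i;
    for (i = 0; i + 1 < n && src[i] != '\0'; i++) dst[i] = src[i];
    dst[i] = '\0';
}

/* Destination-sized copy: returns 0 when src fit, -1 when it was truncated.
 * Either way dst is terminated and nothing is written past dst_cap. */
int copy_into(char *dst, size_t dst_cap, const char *src) {
    str_ncpy(dst, src, dst_cap);
    return strlen(src) + 1 <= dst_cap ? 0 : -1;
}

/* Probe for the off-by-one. The buffer is sized for old_value, as strdup
 * would size it, with one canary byte after it (constructed value 0x5A).
 * Returns 1 if the canary survived the copy of new_value, 0 if the copy
 * wrote the byte "0 bytes after" the block, which is what Valgrind reported. */
int canary_survives(int size_by_source, const char *old_value, const char *new_value) {
    size_t cap = strlen(old_value) + 1;          /* what strdup(old_value) allocates */
    unsigned char *block = malloc(cap + 1);      /* the +1 holds only the canary */
    if (block == NULL) abort();
    memcpy(block, old_value, cap);
    block[cap] = 0x5A;

    if (size_by_source)
        str_ncpy((char *)block, new_value, strlen(new_value) + 1);  /* bug: length from src */
    else
        copy_into((char *)block, cap, new_value);                   /* bounded by dst */

    int ok = block[cap] == 0x5A;
    free(block);
    return ok;
}

int main(void) {
    /* A 9-character value was strdup'd (10-byte block); a 10-character value is copied in. */
    printf("sized by source:      canary %s\n",
           canary_survives(1, "123456789", "1234567890") ? "intact" : "clobbered");
    printf("sized by destination: canary %s\n",
           canary_survives(0, "123456789", "1234567890") ? "intact" : "clobbered");
    return 0;
}
```

The bounded version truncates rather than overflows, and reports the truncation through its return value so the caller can reallocate instead of silently losing data; that return value is the check a caller should test before trusting the copied string.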


Additionally set/provided variables... how to access them?

2007-06-18 Thread Mark J Elkins
My telecom incumbent allows me to authenticate my clients on his
network, providing me with both ADSL and Dialup facilities, which I
then sell on to my clients. I need to be able to distinguish between
these two different service types. My telco sends
%{Telkom-Access-Type} and when I (for example) look in the environment
I see TELKOM_ACCESS_TYPE set to either dsl or dial, just what I
need,

but I am trying to access these values inside some MySQL.

In my useracct table - I have a table value called aces_typ (ie -
Access-Type) which contains either the word dial or dsl.

In my authorize_check_query statement - I have

AND ( aces_typ='%{Telkom-Access-Type}' OR '%{Telkom-Access-Type}'='' )

(I also authenticate from NASes which do not set that value (i.e. my
own AS5300), hence the check for it not being set. Hmm, how do I set
that in my Cisco?)


This gives (in radiusd -X) the debug warning message of

WARNING: Attempt to use unknown xlat function, or non-existent attribute
in string %{Telkom-Access-Type}

So how do I correctly access and use this value?


-- 
  .  . ___. .__  Posix Systems - Sth Africa
 /| /|   / /__   [EMAIL PROTECTED]  -  Mark J Elkins, SCO ACE, Cisco 
CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



Re: Additionally set/provided variables... how to access them?

2007-06-18 Thread Alan DeKok
Mark J Elkins wrote:
 This gives (in radiusd -X) the debug warning message of
 
 WARNING: Attempt to use unknown xlat function, or non-existent attribute
 in string %{Telkom-Access-Type}
 
 So how do I correctly access and use this value

  See doc/variables.txt, which explains how to conditionally look at the
contents of attributes.

  Alan DeKok.


Attribute User-Password is required for authentication

2007-06-18 Thread Cody Jarrett
I found a few topics on this issue but nothing quite informative enough. 
I'm trying to get freeradius auth working with pam and peap. When I test 
my config with radtest, I get Access-accept. When I use a windows XP 
supplicant with a 3com access point, I get:

rlm_pam: Attribute User-Password is required for authentication.
modcall[authenticate]: module pam returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.

Is the 3com not sending User-Password attributes in the packets, or is 
something else wrong?


Re: Attribute User-Password is required for authentication

2007-06-18 Thread Kevin Bonner
On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
 I found a few topics on this issue but nothing quite informative enough.
 I'm trying to get freeradius auth working with pam and peap. When I test
 my config with radtest, I get Access-accept. When I use a windows XP
 supplicant with a 3com access point, I get:

 rlm_pam: Attribute User-Password is required for authentication.
 modcall[authenticate]: module pam returns invalid for request 4
 modcall: leaving group authenticate (returns invalid) for request 4
 auth: Failed to validate the user.

 Is the 3com not sending User-Password attributes in the packets, or is
 something else wrong?

Run FreeRADIUS in debug mode (radiusd -X) to verify.  We cannot guess what 
your NAS/client is sending.

-Kevin



Re: Attribute User-Password is required for authentication

2007-06-18 Thread tnt
You are forcing Auth-Type PAM and doing EAP. Where is Auth-Type coming
from? One of the DEFAULT entries? Don't set Auth-Type! Let the server
switch to the one that's needed.

Ivan Kalik
Kalik Informatika ISP


On 18/6/2007, Cody Jarrett [EMAIL PROTECTED] wrote:

Sorry, 10.1.22.10 is the ip of my 3com.

rad_recv: Access-Request packet from host 10.1.22.10:2458, id=0, length=185
 Message-Authenticator = 0xb0ba1aec817dfd6ab3fc3b0e49fb1125
 Service-Type = Framed-User
 User-Name = cjarrett
 Framed-MTU = 1488
 Called-Station-Id = 00-0F-CB-FC-3E-5F:CJ Test
 Calling-Station-Id = 00-0E-35-FF-2A-82
 NAS-Identifier = AP11G
 NAS-Port-Type = Wireless-802.11
 Connect-Info = CONNECT 54Mbps 802.11g
 EAP-Message = 0x020d01636a617272657474
 NAS-IP-Address = 10.1.22.10
 NAS-Port = 2
 NAS-Port-Id = STA port # 2
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = cjarrett, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: EAP packet type response id 0 length 13
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 0
 users: Matched entry DEFAULT at line 153
 users: Matched entry DEFAULT at line 177
   modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
   rad_check_password:  Found Auth-Type pam
auth: type PAM
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_pam: Attribute User-Password is required for authentication.
   modcall[authenticate]: module pam returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 10.1.22.10 port 2458
Waking up in 4 seconds...








Re: Attribute User-Password is required for authentication

2007-06-18 Thread Cody Jarrett
Oh, I had "Default auth-type := pam" in users. I removed that line and 
get a much longer debug output when I try to connect with the XP machine 
to the wireless. radtest fails with this message: "auth: No authenticate 
method (Auth-Type) configuration found for the request: Rejecting the 
user." I have a feeling something is wrong with my eap.conf; I have debug 
below, any input would be appreciated.

eap.conf
eap {
 default_eap_type = peap
 timer_expire = 60
 ignore_unknown_eap_types = no
 md5 {
 }

 gtc {
 auth_type = PAP
 }
 tls {
 private_key_password = testing123
 private_key_file = ${dbdir}/certs/pem/server.pem
 certificate_file = ${dbdir}/certs/pem/server.pem
 CA_file = /etc/raddb/certs/pem/root.pem
 dh_file = ${raddbdir}/certs/dh
 random_file = /dev/urandom
 }
 ttls {
 default_eap_type = md5
  }
 peap {
 default_eap_type = mschapv2
 proxy_tunneled_request_as_eap = no
  }
 mschapv2 {
 }
 }

users:
DEFAULT Service-Type == Framed-User
Framed-Protocol == PPP,
 Framed-Protocol = PPP,
 Framed-Compression = Van-Jacobson-TCP-IP

rad_recv: Access-Request packet from host 10.1.22.10:2626, id=0, length=185
 Message-Authenticator = 0x381988b4c12ff0f1e3fa2e7e018b8ae5
 Service-Type = Framed-User
 User-Name = cjarrett
 Framed-MTU = 1488
 Called-Station-Id = 00-0F-CB-FC-3E-5F:CJ Test
 Calling-Station-Id = 00-0E-35-FF-2A-82
 NAS-Identifier = AP11G
 NAS-Port-Type = Wireless-802.11
 Connect-Info = CONNECT 54Mbps 802.11g
 EAP-Message = 0x020d01636a617272657474
 NAS-IP-Address = 10.1.22.10
 NAS-Port = 2
 NAS-Port-Id = STA port # 2
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = cjarrett, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: EAP packet type response id 0 length 13
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 0
 users: Matched entry DEFAULT at line 176
   modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
   rad_check_password:  Found Auth-Type EAP
auth: type EAP
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module eap returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 10.1.22.10 port 2626
 EAP-Message = 0x010100061920
 Message-Authenticator = 0x
 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.22.10:2626, id=1, length=270
 Message-Authenticator = 0x43e1cd5ba6e967f5717089de44e05384
 Service-Type = Framed-User
 User-Name = cjarrett
 Framed-MTU = 1488
 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a
 Called-Station-Id = 00-0F-CB-FC-3E-5F:CJ Test
 Calling-Station-Id = 00-0E-35-FF-2A-82
 NAS-Identifier = AP11G
 NAS-Port-Type = Wireless-802.11
 Connect-Info = CONNECT 54Mbps 802.11g
 EAP-Message = 0x02010050198000461603010041013d03014676f85e6be1d378fdbdbe6213a94362bd4453b8699af3896b955781d14034be1600040005000a000900640062000300060013001200630100
 NAS-IP-Address = 10.1.22.10
 NAS-Port = 2
 NAS-Port-Id = STA port # 2
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
   modcall[authorize]: module preprocess returns ok for request 1
   modcall[authorize]: module chap returns noop for request 1
   modcall[authorize]: module mschap returns noop for request 1
 rlm_realm: No '@' in User-Name = cjarrett, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 1
   rlm_eap: EAP packet 

Re: Attribute User-Password is required for authentication

2007-06-18 Thread tnt
And where is your user/pass stored? It's not in users file and I don't
see any database configured.

Ivan Kalik
Kalik Informatika ISP


Dana 18/6/2007, Cody Jarrett [EMAIL PROTECTED] piše:

Oh, I had Default auth-type := pam in users. I removed that line and 
get a much longer debug output when I try to connect with the xp machine 
to the wireless. radtest fails with this message auth: No authenticate 
method (Auth-Type) configuration found for the request: Rejecting the 
user. I have a feeling something is wrong with my eap.conf, I have debug 
below, any input would be appreciated.

eap.conf
eap {
 default_eap_type = peap
 timer_expire = 60
 ignore_unknown_eap_types = no
 md5 {
 }

 gtc {
 auth_type = PAP
 }
 tls {
 private_key_password = testing123
 private_key_file = ${dbdir}/certs/pem/server.pem
 certificate_file = ${dbdir}/certs/pem/server.pem
 CA_file = /etc/raddb/certs/pem/root.pem
 dh_file = ${raddbdir}/certs/dh
 random_file = /dev/urandom
 }
 ttls {
 default_eap_type = md5
  }
 peap {
 default_eap_type = mschapv2
 proxy_tunneled_request_as_eap = no
  }
 mschapv2 {
 }
 }

users:
DEFAULT Service-Type == Framed-User
   Framed-Protocol == PPP,
 Framed-Protocol = PPP,
 Framed-Compression = Van-Jacobson-TCP-IP

rad_recv: Access-Request packet from host 10.1.22.10:2626, id=0, length=185
 Message-Authenticator = 0x381988b4c12ff0f1e3fa2e7e018b8ae5
 Service-Type = Framed-User
 User-Name = cjarrett
 Framed-MTU = 1488
 Called-Station-Id = 00-0F-CB-FC-3E-5F:CJ Test
 Calling-Station-Id = 00-0E-35-FF-2A-82
 NAS-Identifier = AP11G
 NAS-Port-Type = Wireless-802.11
 Connect-Info = CONNECT 54Mbps 802.11g
 EAP-Message = 0x0200000d01636a617272657474
 NAS-IP-Address = 10.1.22.10
 NAS-Port = 2
 NAS-Port-Id = STA port # 2
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = cjarrett, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: EAP packet type response id 0 length 13
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 0
 users: Matched entry DEFAULT at line 176
   modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
   rad_check_password:  Found Auth-Type EAP
auth: type EAP
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module eap returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 10.1.22.10 port 2626
 EAP-Message = 0x010100061920
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.22.10:2626, id=1, length=270
 Message-Authenticator = 0x43e1cd5ba6e967f5717089de44e05384
 Service-Type = Framed-User
 User-Name = cjarrett
 Framed-MTU = 1488
 State = 0x36ba98c6e90e487eb0cfe88fcb5d879a
 Called-Station-Id = 00-0F-CB-FC-3E-5F:CJ Test
 Calling-Station-Id = 00-0E-35-FF-2A-82
 NAS-Identifier = AP11G
 NAS-Port-Type = Wireless-802.11
 Connect-Info = CONNECT 54Mbps 802.11g
 EAP-Message = 
0x0201005019800000004616030100410100003d03014676f85e6be1d378fdbdbe6213a94362bd4453b8699af3896b955781d14034be00001600040005000a00090064006200030006001300120063 0100
 NAS-IP-Address = 10.1.22.10
 NAS-Port = 2
 NAS-Port-Id = STA port # 2
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
   modcall[authorize]: module preprocess returns ok for request 1
   modcall[authorize]: module chap returns noop for request 1
   modcall[authorize]: module mschap returns noop for request 1
 
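
The EAP-Message values in the debug output above are raw EAP packets. 0x010100061920 is the Access-Challenge that starts PEAP: code 1 (Request), id 1, length 6, type 25 (PEAP), flags 0x20 (the Start bit), which is also why radtest, a plain PAP client, is rejected on this server. As an added example, not code from the thread or from FreeRADIUS, the Python below decodes the EAP header, the Identity response, and the flags, length and TLS-record framing of PEAP fragments. The three sample packets are constructed inline from the log (the Identity response and the ClientHello have their zero-valued length bytes written out in full, consistent with the log's own "id 0 length 13"); nothing else is assumed.

```python
"""Decode EAP-Message payloads as printed by radiusd -X.

Added example, not FreeRADIUS code.  The sample packets are constructed
from the thread's debug output so the module runs on its own.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_CARRYING_TYPES = {13, 21, 25}   # payload is a flags byte followed by TLS records
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}


@dataclass
class EapMessage:
    code: int
    identifier: int
    length: int
    type: Optional[int] = None
    identity: Optional[str] = None
    flags: Dict[str, int] = field(default_factory=dict)      # L, M, S bits and version
    tls_length: Optional[int] = None                          # present when the L bit is set
    tls_records: List[Dict[str, int]] = field(default_factory=list)

    def describe(self) -> str:
        """One-line summary in the spirit of the 'rlm_eap: EAP packet ...' debug lines."""
        parts = [f"{EAP_CODES.get(self.code, self.code)} id={self.identifier} len={self.length}"]
        if self.type is not None:
            parts.append(EAP_TYPES.get(self.type, f"type-{self.type}"))
        if self.identity is not None:
            parts.append(f"identity={self.identity!r}")
        if self.flags:
            set_bits = "".join(b for b in "LMS" if self.flags[b]) or "-"
            parts.append(f"flags={set_bits} v{self.flags['version']}")
        for rec in self.tls_records:
            parts.append(f"tls:{TLS_CONTENT.get(rec['content_type'], rec['content_type'])}[{rec['length']}]")
        return " ".join(parts)


def split_tls_records(data: bytes) -> List[Dict[str, int]]:
    """Split the TLS bytes of one EAP fragment into record headers (framing only, no crypto)."""
    records = []
    while data:
        if len(data) < 5:
            raise ValueError("truncated TLS record header")
        ctype, version, rlen = struct.unpack("!BHH", data[:5])
        complete = 1 if len(data) >= 5 + rlen else 0   # a record may continue in the next fragment (M bit)
        records.append({"content_type": ctype, "version": version, "length": rlen, "complete": complete})
        if not complete:
            break
        data = data[5 + rlen:]
    return records


def decode_eap(raw: bytes) -> EapMessage:
    """Parse one complete EAP packet (concatenate split EAP-Message attributes first)."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field says {length} bytes but {len(raw)} were supplied")
    msg = EapMessage(code, ident, length)
    if code not in (1, 2) or length < 5:
        return msg                     # Success/Failure carry no type field
    msg.type = raw[4]
    body = raw[5:]
    if msg.type == 1:
        msg.identity = body.decode("utf-8", errors="replace")
    elif msg.type in TLS_CARRYING_TYPES:
        if not body:
            raise ValueError("TLS-based EAP method without a flags byte")
        f = body[0]
        msg.flags = {"L": (f >> 7) & 1, "M": (f >> 6) & 1, "S": (f >> 5) & 1, "version": f & 0x07}
        data = body[1:]
        if msg.flags["L"]:
            if len(data) < 4:
                raise ValueError("L flag set but no 4-byte TLS message length follows")
            msg.tls_length = struct.unpack("!I", data[:4])[0]
            data = data[4:]
        msg.tls_records = split_tls_records(data)
    return msg


# Constructed sample packets, taken from the debug output in this thread.
IDENTITY_RESPONSE = bytes.fromhex("0200000d01") + b"cjarrett"   # Response, id 0, length 13
PEAP_START = bytes.fromhex("010100061920")                      # Request, id 1, PEAP, Start bit
PEAP_CLIENT_HELLO = bytes.fromhex(
    "02010050" "19" "80" "00000046"                               # EAP hdr, PEAP, L flag, TLS length 70
    "1603010041" "0100003d" "0301"                                # TLS record, ClientHello, version 3.1
    "4676f85e6be1d378fdbdbe6213a94362bd4453b8699af3896b955781d14034be"
    "00" "0016" "00040005000a00090064006200030006001300120063" "0100")

if __name__ == "__main__":
    for pkt in (IDENTITY_RESPONSE, PEAP_START, PEAP_CLIENT_HELLO):
        print(decode_eap(pkt).describe())
```

When an EAP payload is longer than 253 bytes the NAS splits it over several EAP-Message attributes in one Access-Request; concatenate them before calling decode_eap. A fragment with the M bit set ends in the middle of a TLS record, which the decoder reports as an incomplete record rather than an error.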

Re: Attribute User-Password is required for authentication

2007-06-18 Thread Arran Cudbard-Bell
[EMAIL PROTECTED] wrote:

Re: Attribute User-Password is required for authentication

2007-06-18 Thread Alan DeKok
Cody Jarrett wrote:
 I originally had Default Auth-type := pam but I removed that.  Users
 are stored in an ldap database and I am basically trying to get radius
 to use pam for auth info, is this wrong? I don't understand how radius
 will use pam if I don't specify it somewhere.

  You cannot use PAM to authenticate PEAP sessions.

  If users are stored in an LDAP database, then configure the server to
read their cleartext passwords from the LDAP database.  The server will
do the rest.

  If the passwords aren't available in LDAP, or are encrypted, then you
need to make the passwords available in LDAP.

  You're trying to force a particular solution, for reasons that are
unclear.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
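
The reason behind Alan's answer: with default_eap_type = mschapv2 inside PEAP (as in the eap.conf quoted above), the supplicant never sends the password itself, only a response to a challenge, so the server must already hold either the cleartext password or its NT hash (MD4 over the UTF-16LE password) to check that response. A PAM stack only answers yes or no for a password handed to it, and a crypt(3) hash is one-way, so neither can supply that value; a cleartext password read from LDAP can. As an added example, not FreeRADIUS or thread code, the Python below derives the NT hash with a self-contained MD4 (so it runs where hashlib lacks md4) and shows which stored attribute forms can yield it. The password "password" is a constructed sample, and the DES-based NT-Response step that follows in MS-CHAPv2 is not shown.

```python
"""NT hash (MD4 of the UTF-16LE password): the credential MS-CHAPv2 verification starts from.

Added example, not FreeRADIUS code.  MD4 is implemented here (RFC 1320) so the
block runs on interpreters whose OpenSSL build no longer exposes md4 in hashlib.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (round function, message-word order, per-step shifts, additive constant) per RFC 1320
_ROUNDS = (
    (_f, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
    (_g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (_h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(message: bytes) -> bytes:
    """RFC 1320 MD4 digest of message."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)                  # length in bits, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        s = [a, b, c, d]
        for fn, order, shifts, k in _ROUNDS:
            for i in range(16):
                s[0] = _rotl((s[0] + fn(s[1], s[2], s[3]) + x[order[i]] + k) & _MASK, shifts[i % 4])
                s = [s[3], s[0], s[1], s[2]]               # rotate so the next step updates the next register
        a, b, c, d = ((a + s[0]) & _MASK, (b + s[1]) & _MASK,
                      (c + s[2]) & _MASK, (d + s[3]) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as the NT-Password attribute carries it: hex of MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le")).hex().upper()


def nt_hash_from_stored(attribute: str, value: str) -> str:
    """Return the NT hash the server can verify MS-CHAPv2 against, or raise if the
    stored form cannot yield one.  Attribute names are FreeRADIUS check items."""
    if attribute == "User-Password":       # cleartext, e.g. read from an LDAP entry
        return nt_hash(value)
    if attribute == "NT-Password":         # already the MD4 hash, 32 hex digits
        h = value.upper()
        if len(h) != 32 or any(ch not in "0123456789ABCDEF" for ch in h):
            raise ValueError("NT-Password must be 32 hex digits")
        return h
    # Crypt-Password, a PAM yes/no answer and similar one-way forms stop here.
    raise ValueError(f"{attribute} cannot be turned into an NT hash; "
                     "MS-CHAPv2 needs User-Password or NT-Password")


if __name__ == "__main__":
    print(nt_hash("password"))                             # constructed sample password
```

The hex digest above is exactly what rlm_mschap needs to rebuild the expected NT-Response; if the only credential available is a crypt(3) string or a PAM conversation, that derivation is impossible and the PEAP/MS-CHAPv2 exchange cannot be verified, whatever Auth-Type is forced in the users file.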


Re: Freeradius w/ mikrotik - blank password issue

2007-06-18 Thread Randy Evans
Newbie Warning!!!
I'm new to this community, however I am a quick study. I found some 
resources online about this very issue but wasn't able to get a resolution. 
Please clarify for me:


The step below: Does this go in radiusd.conf as well? 

attr_rewrite blank_password {
 attribute = User-Password
 searchin = packet
 searchfor = 
 replacewith = password
 ignore_case = yes
 new_attribute = no
 max_matches = 10
 append = no
 }


The solution given to this issue was as follows:

 And then I added something like this to the users file: 
 00095B23389F	User-Password := password

00095B23389F Auth-Type := Accept

Ok I'm using sql for my user database, is there a sql equivalent to this 
string??
What would be a work around as I've hit the same wall, but haven't jumped it 
yet. 
Thanks in advance.

P.S. Take it easy on the noob, please.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html