Re: Freeeradius 1.16 and Radrelay Not updating

2007-06-19 Thread Stefan Winter
> seconds runs through its hoop, but never processes anything like it had
> nothing to do

Do you mean: the server never gets anything? Then maybe radrelay is blocked on 
an intermediate firewall? If the packets get lost en-route, you have to look 
there...

In any case, actually *sending* us the *debug output* instead of your verbal 
description of it helps a lot more.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re : Disabling EAP-TLS while keeping EAP-PEAP

2007-06-19 Thread Eshun Benjamin
sounds interesting can you post your tls section config
 
----- Original message -----
From: Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, 18 June 2007, 11:09:31
Subject: Re: Disabling EAP-TLS while keeping EAP-PEAP

Hi!

By commenting the CA_file parameter in the eap-tls section:

# CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem

*and*

by setting CA_path parameter in the eap-tls section to an *empty* directory

CA_path = ${raddbdir}/certs/trustedCAs

should do the trick.

No trusted CAs mean no trusted client certificates :-)

Martin Gadbois wrote:
> When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
>
> How can I disable EAP-TLS while using EAP-PEAP?
>
> I agree that if the client does not have a client key, EAP-TLS will not
> work. But how to restrict EAP-TLS in any case?

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737


freeradius performance , requests per second

2007-06-19 Thread deepak kumar

Hi
I am using freeradius 1.1.6 on Suse Linux 10, and mysql for database.
My processor is Intel Pentium 4, 3.40 GHz, RAM is 512 MB and hard disk is 80
GB.
On this configuration, how many requests can freeradius handle per
second?
Is there any tool which can test the performance of freeradius?
Can you please tell me the average number of authentication requests
that freeradius can process per second?

Can it handle 1 lac requests per second?


thanks
deepak

Re: freeradius performance , requests per second

2007-06-19 Thread Alan DeKok
deepak kumar wrote:
> I am using freeradius 1.1.6 on Suse Linux 10 , and mysql for database.
> My processor is Intel Pentium 4, 3.40 Ghz, RAM is 512 MB and hard disk
> is 80 GB.
> On this configuration how many requests , freeradius can handle per
> second.

  A lot.  If you have a million users, the exact number might matter.
If you have less than a million users, I wouldn't worry about performance.

  Alan DeKok.


Re: freeradius performance , requests per second

2007-06-19 Thread A . L . M . Buxey
Hi,

> I am using freeradius 1.1.6 on Suse Linux 10 , and mysql for database.
> My processor is Intel Pentium 4, 3.40 Ghz, RAM is 512 MB and hard disk is 80
> GB.
> On this configuration how many requests , freeradius can handle per
> second.
> Is there any tool which can test the performance of freeradius.
> Can you please tell me the average number of authentication requests
> that freeradius can process per second.


doc/performance-testing


alan


Re: Attribute User-Password is required for authentication

2007-06-19 Thread Phil Mayers


> All the passwords stored in the ldap database are md5, is that going to work
> with peap?

No. It's cryptographically impossible, sorry.

Your only real option is TTLS+PAP, which will require installing supplicant 
software on windows machines e.g. SecureW2



Re: Attribute User-Password is required for authentication

2007-06-19 Thread Arran Cudbard-Bell
Phil Mayers wrote:
   
> > All the passwords stored in the ldap database are md5, is that going to work
> > with peap?
>
> No. It's cryptographically impossible, sorry.
>
> Your only real option is TTLS+PAP, which will require installing supplicant
> software on windows machines e.g. SecureW2
 

What we did here was set up a transparent capture of passwords when users
logged into one of our popular services.

We then took the captured passwords and populated a second attribute in
the LDAP directory with them (ntPassword).

Now all operations involving a change of users' passwords write the SSHA
form of the password and the NT Hash form of the passwords, which is
nice because it means we can hang Samba off our OpenLDAP server too :)

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


AW: freeradius performance , requests per second

2007-06-19 Thread Rascher, Markus
I tested with wireshark a month ago.
The service response time was from 0.3 msec to 5 msec for auth-requests.
But if you are using accounting via mysql, the SRT for accounting-requests can be
up to 0.5 secs or higher, depending on how many datasets the accounting-table
has.
I will authenticate via DB and do accounting via files.

Greetings
Markus
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Tuesday, 19 June 2007 10:22
To: FreeRadius users mailing list
Subject: Re: freeradius performance , requests per second

deepak kumar wrote:
> I am using freeradius 1.1.6 on Suse Linux 10 , and mysql for database.
> My processor is Intel Pentium 4, 3.40 Ghz, RAM is 512 MB and hard disk
> is 80 GB.
> On this configuration how many requests , freeradius can handle per
> second.

  A lot.  If you have a million users, the exact number might matter.
If you have less than a million users, I wouldn't worry about performance.

  Alan DeKok.


Multiple Databases

2007-06-19 Thread Abdul Qadir
Hi,

I am using freeradius with SER and oracle. Currently I have one domain for
my SER. I want my SER to support another domain and separate database for
second domain. Is it possible to configure Radius server to connect with two
databases and perform queries based on URI or some other criteria, e.g.
[EMAIL PROTECTED] should go to domainA database and [EMAIL PROTECTED] should go to
domainB database?


Thanking you all in advance.

Best Regards,
Abdul Qadir

   

Re: Freeeradius 1.16 and Radrelay Not updating

2007-06-19 Thread Jeff
I finally got it working last night.
I had to download 1.16 and compile it that way.
Then things started working.
For some reason, using the version installed through yast,
something was amiss apparently.
The same fix worked on both servers using OpenSuse 10.2




From: Stefan Winter [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Tue, 19 Jun 2007 02:34:23 -0400
Subject: Re: Freeeradius 1.16 and Radrelay Not updating

> seconds runs through its hoop, but never processes anything like it had
> nothing to do

Do you mean: the server never gets anything? Then maybe radrelay is blocked on 
an intermediate firewall? If the packets get lost en-route, you have to look 
there...

In any case, actually *sending* us the *debug output* instead of your verbal 
description of it helps a lot more.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED] Tel.:+352 424409-1
http://www.restena.lu   Fax:  +352 422473



Frreradius PAP and CHAP

2007-06-19 Thread lisa laam

Hi,

I configured Freeradius to use PAP method with users file.
The password is stored in clear text in the user
file and it works well.

Now I want to use other mode of user storing with PAP method. (example MD5
with the user file located in /freeradius-1.1.6/src/tests/digest-auth-MD5)

1- How to tell freeradius that the user password is stored in clear text,
or digest, or MD5 hashed, etc?
I tried to copy the content of digest-auth-MD5 in the users file and I
got this error:

Errors reading /opt/freeradius/etc/raddb/users
radiusd.conf[1067]: files: Module instantiation failed.
radiusd.conf[1852] Unknown module files.
radiusd.conf[1788] Failed to parse authorize section.


I want to test also CHAP method, how to tell radius to use this method
instead of PAP?


thanks

UNSUBSCRIBE

2007-06-19 Thread Florian Reinholz
UNSUBSCRIBE




Re: UNSUBSCRIBE

2007-06-19 Thread Patric
Florian Reinholz wrote:
> UNSUBSCRIBE
 

No! ;]

-- 

Q: I want to be a sysadmin.  What should I do?

A: Seek professional help.



Re: Frreradius PAP and CHAP

2007-06-19 Thread tnt
Have a look at dictionary.freeradius.internal. You will find several
xxx-Password attributes where xxx are supported encryption types.

To test CHAP you don't need to tell Freeradius anything. Chap module
is enabled by default, so it will work if you haven't disabled it. What
you need to do is to get the client to use CHAP - radius server will
follow.

Ivan Kalik
Kalik Informatika ISP


On 19/6/2007, lisa laam [EMAIL PROTECTED] wrote:

Hi,

I configured Freeradius to use PAP method with users file.
The password is stored in clear text is stored in clear text in the user
file and it works well.

Now I want to use other mode of user storing with PAP method. (exemple MD5
with the user file locatedt in /freeradius-1.1.6/src/tests/digest-auth-MD5)

1- How to tell frreeradius that the user password  is stored in clear text,
or digest, or MD5 hashed, etc ??
I tried to copy the content of digest-auth-MD5 in the users file and I
got this errror :

Errors reading /opt/freeradius/etc/raddb/users
radiusd.conf[1067]: files: Module instantiation failed.
radiusd.conf[1852] Unknown module files.
radiusd.conf[1788] Failed to parse authorize section.


I want to test also CHAP method, how to tell radius to use this method in
stead of PAP?


thanks



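The storage constraint behind this thread and the earlier "Attribute User-Password is required" reply, as an added example (not part of any poster's message and not FreeRADIUS code): with PAP the server receives the clear-text password and can hash it for comparison with a stored MD5 digest, whereas a CHAP response (RFC 1994) can only be recomputed from the clear-text password. MS-CHAPv2 inside PEAP has the same kind of constraint, with the NT hash as the required stored form. The password, CHAP identifier and challenge below are constructed sample values.

```python
import hashlib
import hmac


def pap_verify(stored_md5_hex: str, submitted_password: bytes) -> bool:
    """PAP: the server sees the submitted clear-text password, so it can
    apply the same one-way hash and compare with the stored digest."""
    candidate = hashlib.md5(submitted_password).hexdigest()
    return hmac.compare_digest(candidate, stored_md5_hex.lower())


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_verify(chap_id: int, challenge: bytes, response: bytes,
                server_side_secret: bytes) -> bool:
    """CHAP: the server never sees the password. It must recompute the
    response itself from whatever it has stored for the user."""
    expected = chap_response(chap_id, server_side_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample values, for illustration only.
    password = b"correct horse"
    chap_id = 7
    challenge = bytes(range(16))

    # What a directory holding "MD5 passwords" has on file.
    stored_md5_hex = hashlib.md5(password).hexdigest()
    stored_md5_raw = bytes.fromhex(stored_md5_hex)

    # What an honest client sends for CHAP; it knows the real password.
    client_response = chap_response(chap_id, password, challenge)

    return {
        # PAP works against a hashed store.
        "pap_md5_store_good_password": pap_verify(stored_md5_hex, password),
        "pap_md5_store_bad_password": pap_verify(stored_md5_hex, b"wrong"),
        # CHAP works only when the server holds the clear-text password.
        "chap_cleartext_store": chap_verify(
            chap_id, challenge, client_response, password),
        # With only the MD5 digest on file the server cannot reproduce the
        # client's response, in either raw or hex form.
        "chap_md5_raw_store": chap_verify(
            chap_id, challenge, client_response, stored_md5_raw),
        "chap_md5_hex_store": chap_verify(
            chap_id, challenge, client_response, stored_md5_hex.encode()),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```
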


Re: Server dies

2007-06-19 Thread Alan DeKok
Hugh Messenger wrote:
> Alan Dekok [EMAIL PROTECTED] said
...
> So far the only errors I'm seeing are these:
>
> ==29820== Thread 2:
> ==29820== Invalid write of size 1
> ==29820==    at 0x4819294: strNcpy (misc.c:187)
> ==29820==    by 0x4CC43F3: sqlippool_postauth (rlm_sqlippool.c:527)

  That's... fairly broken.

  Barring severe code changes to rlm_sqlippool, I would suggest not
using it in 1.1.6.  Sorry.

  Try 2.0.0-pre, at least the rlm_sqlippool module is fixed there.

  Alan DeKok.


Re: Additionally set/provided variables... how to access them?

2007-06-19 Thread Mark J Elkins
Alan DeKok wrote:
> Mark J Elkins wrote:
>> This gives (in radiusd -X) the debug warning message of
>>
>> WARNING: Attempt to use unknown xlat function, or non-existent attribute
>> in string %{Telkom-Access-Type}
>>
>> So how do I correctly access and use this value
>
>   See doc/variables.txt, which explains how to conditionally look at the
> contents of attributes.
>
>   Alan DeKok.
   
I had doc/variables.txt open when I posted this question. I also tried 
sticking things like  request: and reply: into  my query - but had
no joy. I'm either not being sent the Variable (so how do I send this
myself from a NAS that I own - e.g. a Cisco router with an AUX port  -
so I can confirm I'm getting the Variable properly set)...
or I'm missing the whole plot.

My first language is English... so I should be able to understand what
is written...

In  variables.txt - you state...

  The run-time variables defined by the server are:

  %{Attribute-Name}           The value of the given Attribute-Name
                              in the request packet

  %{request:Attribute-Name}   The value of value the given
                              Attribute-Name in the request packet

These almost look the same... except for an extra value - so when does
one use request: ???

Any chance of an example?

In all honesty - I'm not sure when Telkom even sends me this attribute -
ie is it sent at the same time as when the NAS gives me the
usernamerealm and password - or is it sent with the accounting record?

-- 
  .  . ___. .__  Posix Systems - Sth Africa
 /| /|   / /__   [EMAIL PROTECTED]  -  Mark J Elkins, SCO ACE, Cisco 
CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



Re: Disabling EAP-TLS while keeping EAP-PEAP

2007-06-19 Thread Reimer Karlsen-Masur, DFN-CERT

Hi,

it's very similar to pages 20ff of

http://www.dfn.de/content/fileadmin/1Dienstleistungen/Roaming/DFNRoaming-Workshop-20070426-Handout.pdf

Eshun Benjamin wrote:


> sounds interesting can you post your tls section config


--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737



Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-19 Thread Colleen C. Morrissey
I spoke too soon.  This works ok for a user/password in users file, but 
not via LDAP.  Via ldap mschap works but not gtc.  Below is snippet of 
output when it is failing.  Any advice on how to fix would be appreciated:
[EMAIL PROTECTED] raddb]# more gtc_info
modcall: entering group authenticate for request 502
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/gtc
   rlm_eap: processing type gtc
   Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 502
rlm_pap: login attempt with password blah
rlm_pap: Using NT encryption.
radius_xlat: Running registered xlat function of module mschap for 
string 'NT-Hash blah'
   rlm_mschap: Unknown expansion string NT-Hash blah
radius_xlat:  ''
rlm_pap: mschap xlat failed
rlm_pap: Passwords don't match

Colleen C. Morrissey wrote:
> Thanks!  I had ldap returning Password-with-Header for GTC deployment
> and then added NT-Password for ms-chapv2.  Commenting out the
> password-with-header for userpassword in ldap.attrmap seems to allow
> both to work.  Which makes my life much easier :)
>
> Alan Dekok wrote:
>> Colleen C. Morrissey wrote:
>>> My question is can I somehow support both simultaneously with the same
>>> freeradius daemon (I know I can simply run a second daemon on different
>>> port supporting the other but that will require me to do lots of work on
>>> infrastructure/ssids to point to different servers)?  Does anybody
>>> happen to have this working and be willing to post config?  Or any other
>>> ideas?
>>   Yes.  If you configure the server to know about the users clear-text
>> password or NT-hashed password, then PEAP/GTC should just work.
>>
>>   Alan DeKok.
>> --
>>   http://deployingradius.com   - The web site of the book
>>   http://deployingradius.com/blog/ - The blog


Re: Additionally set/provided variables... how to access them?

2007-06-19 Thread tnt
If you are introducing a new attribute it has to be defined in the
dictionary.

Ivan Kalik
Kalik Informatika ISP


On 19/6/2007, Mark J Elkins [EMAIL PROTECTED] wrote:

Alan DeKok wrote:
 Mark J Elkins wrote:

 This gives (in radiusd -X) the debug warning message of

 WARNING: Attempt to use unknown xlat function, or non-existent attribute
 in string %{Telkom-Access-Type}

 So how do I correctly access and use this value


   See doc/variables.txt, which explains how to conditionally look at the
 contents of attributes.

   Alan DeKok.

I had doc/variables.txt open when I posted this question. I also tried
sticking things like  request: and reply: into  my query - but had
no joy. I'm either not being sent the Variable (so how do I send this
myself from a NAS that I own - e.g. a Cisco router with an AUX port  -
so I can confirm I'm getting the Variable properly set)...
or I'm missing the whole plot.

My first language is English... so I should be able to understand what
is written...

In  variables.txt - you state...

  The run-time variables defined by the server are:

 %{Attribute-Name}   The value of the given Attribute-Name
  in the request packet

 %{request:Attribute-Name}   The value of value the given

Attribute-Name in the request packet

These almost look the same... except for an extra value - so when does
one use request: ???

Any chance of an example?

In all honesty - I'm not sure when Telkom even sends me this attribute -
ie is it sent at the same time as when the NAS gives me the
usernamerealm and password - or is it sent with the accounting record?

--
  .  . ___. .__  Posix Systems - Sth Africa
 /| /|   / /__   [EMAIL PROTECTED]  -  Mark J Elkins, SCO ACE, Cisco 
 CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



Re: Additionally set/provided variables... how to access them?

2007-06-19 Thread Alan DeKok
Mark J Elkins wrote:
> I had doc/variables.txt open when I posted this question. I also tried
> sticking things like  request: and reply: into  my query - but had
> no joy.

  That only refers to attributes in a specific list.

> I'm either not being sent the Variable (so how do I send this
> myself from a NAS that I own - e.g. a Cisco router with an AUX port  -
> so I can confirm I'm getting the Variable properly set)...
> or I'm missing the whole plot.

  Look in doc/variables.txt for When attribute Foo is set.

> My first language is English... so I should be able to understand what
> is written...
>
> In  variables.txt - you state...
...
> These almost look the same... except for an extra value - so when does
> one use request: ???

  Are you sure you're reading *all* of variables.txt?  See the
conditional syntax section.

> Any chance of an example?

  See the conditional syntax section.  If it's not in
doc/variables.txt, upgrade to a recent version of the server.

> In all honesty - I'm not sure when Telkom even sends me this attribute -
> ie is it sent at the same time as when the NAS gives me the
> usernamerealm and password - or is it sent with the accounting record?

  No one knows but you, because no one else is getting the RADIUS
packets.  Look at the RADIUS packets to see what's being sent when.

  Alan DeKok.


Re: Frreradius PAP and CHAP

2007-06-19 Thread lisa laam

thanks,

Is there  a way to test CHAP?

could we test that with radtest?




2007/6/19, [EMAIL PROTECTED] [EMAIL PROTECTED]:


Have a look at dictionary.freeradius.internal. You will find several
xxx-Password attributes where xxx are supported encryption types.

To test CHAP you don't need to tell Freeradius anything. Chap module
is enabled by default, so it will work if you havent diabled it. What
you need to do is to get the client to use CHAP - radius server will
follow.

Ivan Kalik
Kalik Informatika ISP


On 19/6/2007, lisa laam [EMAIL PROTECTED] wrote:

Hi,

I configured Freeradius to use PAP method with users file.
The password is stored in clear text is stored in clear text in the user
file and it works well.

Now I want to use other mode of user storing with PAP method. (exemple
MD5
with the user file locatedt in /freeradius-1.1.6
/src/tests/digest-auth-MD5)

1- How to tell frreeradius that the user password  is stored in clear
text,
or digest, or MD5 hashed, etc ??
I tried to copy the content of digest-auth-MD5 in the users file and
I
got this errror :

Errors reading /opt/freeradius/etc/raddb/users
radiusd.conf[1067]: files: Module instantiation failed.
radiusd.conf[1852] Unknown module files.
radiusd.conf[1788] Failed to parse authorize section.


I want to test also CHAP method, how to tell radius to use this method in
stead of PAP?


thanks




Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-19 Thread Alan DeKok
Colleen C. Morrissey wrote:
> I spoke too soon.  This works ok for a user/password in users file, but
> not via LDAP.  Via ldap mschap works but not gtc.  Below is snippet of
> output when it is failing.  Any advice on how to fix would be appreciated:
> [EMAIL PROTECTED] raddb]# more gtc_info
> modcall: entering group authenticate for request 502
>    rlm_eap: Request found, released from the list
>    rlm_eap: EAP/gtc
>    rlm_eap: processing type gtc

  ... which sends the clear-text password to the server.

>    Processing the authenticate section of radiusd.conf
> modcall: entering group PAP for request 502
> rlm_pap: login attempt with password blah
> rlm_pap: Using NT encryption.

  Why?  If you have the clear-text password on the server, you can just
compare the two.  There's no need to configure rlm_pap to do the NT hash.

> radius_xlat: Running registered xlat function of module mschap for
> string 'NT-Hash blah'
>    rlm_mschap: Unknown expansion string NT-Hash blah
> radius_xlat:  ''

  That's a bug which will be fixed in 1.1.7, but it shouldn't affect you...

  Alan Dekok.


Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-19 Thread Colleen C. Morrissey

Hi,


>   Why?  If you have the clear-text password on the server, you can just
> compare the two.  There's no need to configure rlm_pap to do the NT hash.
 

I don't have the clear text password.  Your original reply said this 
would work with clear text password or nt hash.  I have the NT hash 
and/or I can get the SHA1 base 64 encoded password (which was working 
with gtc by itself).  Can I get pap/gtc to work with the NT hash password?
I don't manage the ldap service so getting the clear text password will 
not be easy and may not be possible organizationally.   Thanks.





Re: Additionally set/provided variables... how to access them?

2007-06-19 Thread Jacques Marneweck


On 19 Jun 2007, at 5:08 PM, Mark J Elkins wrote:



> In all honesty - I'm not sure when Telkom even sends me this attribute -
> ie is it sent at the same time as when the NAS gives me the
> usernamerealm and password - or is it sent with the accounting record?

Hi Mark,

SAIX sends it with the authentication request, which is how you
determine what type of access type a user is using on the SAIX network.

Regards
--jm

> --
>   .  . ___. .__  Posix Systems - Sth Africa
>  /| /|   / /__   [EMAIL PROTECTED]  -  Mark J Elkins, SCO ACE, Cisco CCIE
> / |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



--
Jacques Marneweck
http://www.powertrip.co.za/
http://www.powertrip.co.za/blog/
http://www.ataris.co.za/

#include std/disclaimer.h



Re: Server dies

2007-06-19 Thread Peter Nixon
On Tue 19 Jun 2007, Alan DeKok wrote:
> Hugh Messenger wrote:
> > Alan Dekok [EMAIL PROTECTED] said
>
> ...
>
> > So far the only errors I'm seeing are these:
> >
> > ==29820== Thread 2:
> > ==29820== Invalid write of size 1
> > ==29820==    at 0x4819294: strNcpy (misc.c:187)
> > ==29820==    by 0x4CC43F3: sqlippool_postauth (rlm_sqlippool.c:527)
>
>   That's... fairly broken.
>
>   Barring severe code changes to rlm_sqlippool, I would suggest not
> using it in 1.1.6.  Sorry.
>
>   Try 2.0.0-pre, at least the rlm_sqlippool module is fixed there.

Yes. There have been numerous changes to rlm_sqlippool in 2.0. Enough so that
I think we will probably mark it as a stable module... On the other hand
rlm_sqlippool in 1.1.x should work but could be horribly broken. That's why
it's marked as experimental. It was a conscious decision on my part after
consultation with Alan not to backport the rlm_sqlippool code changes from
cvs HEAD to the 1.1.x branch (Because of a lack of bandwidth on my side).

If you can break rlm_sqlippool in cvs head/2.0preX in the same way it is
breaking in 1.1.x then we will have a stab at trying to fix it, but
otherwise.. Sorry.. That's what experimental modules are for..

You are of course welcome to submit a patch to fix the problem or backport
patches from cvs HEAD.. It's not a huge amount of work, but enough that I
didn't want to do it :-)

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: Need help with 802.1X authentication to Active Directory

2007-06-19 Thread Bryant Marsh

Hi Ivan,

Here is the output of the RADIUSD -X

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
 realm: format = prefix
 realm: delimiter = \
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (ntdomain) 
Module: Loaded files 
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: 

dialup_admin user password question

2007-06-19 Thread Jay Banks
I spent most of the day getting dialup_admin to work, and I did get it to
work. Not being a MySQL expert, I have to say what a blessing Webmin turned
out to be on the project. It sure was nice to be able to easily use Webmin
to look at data in the database table.

Everything is working but I have one question. When I add a user through
dialup_admin, it puts the password in the table looking like this:
$1$Mi0n6YpW$MURqBnAYJLQphvEbk7pRm1. I can go into Webmin and change that to
a clear text password and NtRadPing will send an Access-Accept reply. If I
leave it the way it is, it is rejected because the passwords do not match.

What do I need to do to either get freeradius to take the encrypted
password, or make dialup_admin put the password in the clear? I assume the
first one is the best way of doing things, but whatever you guys think is
best.

I would probably try to figure some of this out on my own, but it's after
5:00 now and I'm going to be out of the office for the next two days, so I
thought I would just ask on here so I could be thinking about any replies
for the next two days, and maybe fix it first thing Friday morning.

The good thing is, if I keep this up, I will be able to help answer
questions on here instead of just asking them. :)


Thanks,

Jay Banks


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Frreradius PAP and CHAP

2007-06-19 Thread tnt
No, not with radtest. You can use radclient, which has much more ability,
but is also more complicated.

Use, for instance, XP dialup connection. In connection properties click
on Security tab, Advanced radio button and then Settings button. By
default all protocols are ticked. Leave only CHAP ticked and exit with
OK. Once you are done with testing remember to go back and add protocols
back.

WARNING: This will work only if the NAS you are connecting through also
supports CHAP authentication. If it doesn't, XP client with only CHAP
enabled won't be able to connect.

Ivan Kalik
Kalik Informatika ISP


On 19/6/2007, lisa laam [EMAIL PROTECTED] wrote:

thanks,

Is there a way to test CHAP?

could we test that with radtest?


2007/6/19, [EMAIL PROTECTED] [EMAIL PROTECTED]:

 Have a look at dictionary.freeradius.internal. You will find several
 xxx-Password attributes where xxx are supported encryption types.

 To test CHAP you don't need to tell Freeradius anything. Chap module
 is enabled by default, so it will work if you haven't disabled it. What
 you need to do is to get the client to use CHAP - radius server will
 follow.

 Ivan Kalik
 Kalik Informatika ISP


 On 19/6/2007, lisa laam [EMAIL PROTECTED] wrote:

 Hi,

 I configured Freeradius to use PAP method with users file.
 The password is stored in clear text in the user file and it works well.

 Now I want to use other mode of user storing with PAP method. (example
 MD5 with the user file located in
 /freeradius-1.1.6/src/tests/digest-auth-MD5)

 1- How to tell freeradius that the user password is stored in clear
 text, or digest, or MD5 hashed, etc ??
 I tried to copy the content of digest-auth-MD5 in the users file and I
 got this error :

 Errors reading /opt/freeradius/etc/raddb/users
 radiusd.conf[1067]: files: Module instantiation failed.
 radiusd.conf[1852] Unknown module files.
 radiusd.conf[1788] Failed to parse authorize section.


 I want to test also CHAP method, how to tell radius to use this method
 instead of PAP?


 thanks
 
 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with 802.1X authentication to Active Directory

2007-06-19 Thread tnt
rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168,
length=137
User-Name = CORP\\bugman
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-0F-34-A8-FB-0A
Calling-Station-Id = 00-14-38-A7-F4-2B
EAP-Message = 0x0202001001434f52505c6275676d616e
Message-Authenticator = 0xc99fddd5d26268a110ee68d3ccba91d0
NAS-Port = 50010
NAS-Port-Type = Ethernet
NAS-IP-Address = 10.10.2.174
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module preprocess returns ok for request 6
  modcall[authorize]: module chap returns noop for request 6
  modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = CORP\bugman, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 6
rlm_realm: Looking up realm CORP for User-Name = CORP\bugman
rlm_realm: No such realm CORP
  modcall[authorize]: module ntdomain returns noop for request 6
  rlm_eap: EAP packet type response id 2 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 6
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
  modcall[authorize]: module files returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 168 to 10.10.2.174 port 21645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0x6b41a15d99600d47f03b461bf870cbb6
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168,
length=137
Sending duplicate reply to client 10.10.2.174:21645 - ID: 168
Re-sending Access-Challenge of id 168 to 10.10.2.174 port 21645
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 168 with timestamp 46782c03
Nothing to do.  Sleeping until we see a request.


OK, you send a request, server sends challenge ... and then nothing
happens. Request is repeated, so is the challenge. Have you installed
(self signed) CA certificate on your XP client?

Ivan Kalik
Kalik Informatika ISP

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with 802.1X authentication to Active Directory

2007-06-19 Thread Bryant Marsh

OK, you send a request, server sends challenge ... and then nothing
happens. Request is repeated, so is the challenge. Have you installed
(self signed) CA certificate on your XP client?

Ivan Kalik
Kalik Informatika ISP

Hi Ivan,

Yes, it took me awhile to figure out the CA.all script, but I did create the
certificates finally after 4 days of trying.

The client is actually a Windows 2003 server.  The XPEXTENSIONS had an entry
for the xpserver.
I moved all the files that were created to the /etc/raddb/certs directory
along with the demoCA

Are the scripts designed to create the client certificate for Windows 2003?

Thanks,
Bryant



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Frreradius PAP and CHAP

2007-06-19 Thread hao chen

Hi, Ivan

  I want to know how to test CHAP with radclient (I have no NAS). Could
you give me an example of the radclient configure file?
   Thank you.
-chenhao

2007/6/20, [EMAIL PROTECTED] [EMAIL PROTECTED]:


No, not with radtest. You can use radclient, which has much more ability,
but is also more complicated.

Use, for instance, XP dialup connection. In connection properties click
on Security tab, Advanced radio button and then Settings button. By
default all protocols are ticked. Leave only CHAP ticked and exit with
OK. Once you are done with testing remember to go back and add protocols
back.

WARNING: This will work only if the NAS you are connecting through also
supports CHAP authentication. If it doesn't, XP client with only CHAP
enabled won't be able to connect.

Ivan Kalik
Kalik Informatika ISP


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Frreradius PAP and CHAP

2007-06-19 Thread Ryan Kramer

Instead of using radclient/radtest, this program BY FAR is the best way to
debug a radius box...

http://jradius.org/wiki/index.php/JRadiusSimulator




On 6/19/07, hao chen [EMAIL PROTECTED] wrote:


Hi, Ivan

   I want to know how to test CHAP with radclient (I have no NAS).
Could you give me an example of the radclient configure file?
Thank you.
-chenhao

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Frreradius PAP and CHAP

2007-06-19 Thread Jian Wang

On 6/20/07, hao chen [EMAIL PROTECTED] wrote:


Hi, Ivan

   I want to know how to test CHAP with radclient (I have no NAS).
Could you give me an example of the radclient configure file?
Thank you.
-chenhao



$ cat request.txt
User-Name = foo
CHAP-Password = bar
$ radclient -sx -f request.txt <radius server> auth <shared secret>
Sending Access-Request of id 116 to 192.168.3.38:1812
   User-Name = foo
   CHAP-Password = 0x74f42a8e4b2b3f0505ad6ed22ba980a20e
rad_recv: Access-Accept packet from host 192.168.3.38:1812, id=116,
length=20

  Total approved auths:  1
Total denied auths:  0
  Total lost auths:  0
$

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Frreradius PAP and CHAP

2007-06-19 Thread hao chen

Hi,

I tried as you said. But it seems I still miss something.
$ cat /usr/local/etc/raddb/users
.
John    Auth-Type := CHAP, CHAP-Password == hello
...


$ cat request.txt
User-Name = John
CHAP-Password = hello

$radiusd -X

..

call_modsingle: chap
rlm_chap: login attempt by John with CHAP password ?谟??1?kW将芇?
rlm_chap: Could not find clear text password for user John
 modcall[authenticate]: module chap returns invalid

..

Any suggestion? Thank you.

--chenhao

2007/6/20, Jian Wang [EMAIL PROTECTED]:


On 6/20/07, hao chen [EMAIL PROTECTED] wrote:

 Hi, Ivan

 I want to know how to test CHAP with radclient (I have no NAS).
 Could you give me an example of the radclient configure file?
 Thank you.
 -chenhao


$ cat request.txt
User-Name = foo
CHAP-Password = bar
$ radclient -sx -f request.txt <radius server> auth <shared secret>
Sending Access-Request of id 116 to 192.168.3.38:1812
User-Name = foo
CHAP-Password = 0x74f42a8e4b2b3f0505ad6ed22ba980a20e
rad_recv: Access-Accept packet from host 192.168.3.38:1812, id=116,
length=20

   Total approved auths:  1
 Total denied auths:  0
   Total lost auths:  0
$


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Frreradius PAP and CHAP

2007-06-19 Thread Clark J. Wang

On 6/20/07, hao chen [EMAIL PROTECTED] wrote:



Hi,

 I tried as you said. But it seems I still miss something.
$ cat /usr/local/etc/raddb/users
.
John    Auth-Type := CHAP, CHAP-Password == hello
...



Here, you should use `User-Password' rather than `CHAP-Password'.

$ cat request.txt

User-Name = John
CHAP-Password = hello

$radiusd -X

..

call_modsingle: chap
rlm_chap: login attempt by John with CHAP password ?谟??1?kW将芇?
rlm_chap: Could not find clear text password for user John
  modcall[authenticate]: module chap returns invalid

..

Any suggestion? Thank you.

--chenhao

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
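
Why the users entry with `CHAP-Password == hello` ends in "Could not find clear text password", and why a crypt-style value like the `$1$...` string from the dialup_admin question cannot satisfy CHAP: an added example, not code from any poster or from FreeRADIUS. `check_chap` is a simplified, hypothetical model of the server side, and the challenge bytes and check-item dictionaries are constructed sample data.

```python
import hashlib
import hmac


def chap_response(chap_id, password, challenge):
    """RADIUS CHAP-Password value: ident byte + MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + digest


def split_chap_password(hex_value):
    """Split a logged CHAP-Password (0x...) into (ident, 16-byte digest)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) != 17:
        raise ValueError("expected 1 ident byte + 16 digest bytes")
    return raw[0], raw[1:]


def check_chap(check_items, chap_password, challenge):
    """Simplified model of a CHAP check (assumption, not rlm_chap's code).

    The digest can only be recomputed from the password the client typed,
    so the server needs that password in recoverable form.
    """
    cleartext = check_items.get("User-Password")
    if cleartext is None:
        return "no-cleartext"
    expected = chap_response(chap_password[0], cleartext.encode(), challenge)
    return "accept" if hmac.compare_digest(expected, chap_password) else "reject"


# Value copied from the radclient output in this thread: the first byte,
# 0x74 = 116, is the same number as the packet id shown in that log.
LOGGED = "0x74f42a8e4b2b3f0505ad6ed22ba980a20e"

# Constructed sample data. With no CHAP-Challenge attribute in the request,
# the 16-byte Request Authenticator serves as the challenge (RFC 2865).
CHALLENGE = bytes(range(16))
FROM_CLIENT = chap_response(116, b"hello", CHALLENGE)

AS_POSTED = {"Auth-Type": "CHAP", "CHAP-Password": "hello"}
CORRECTED = {"User-Password": "hello"}
# A crypt-style hash sitting where the cleartext password is expected.
HASHED = {"User-Password": "$1$Mi0n6YpW$MURqBnAYJLQphvEbk7pRm1"}

if __name__ == "__main__":
    print("logged ident:", split_chap_password(LOGGED)[0])
    for name, items in (("as posted", AS_POSTED), ("corrected", CORRECTED),
                        ("hashed", HASHED)):
        print(name, "->", check_chap(items, FROM_CLIENT, CHALLENGE))
```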