Re: Freeradius 1.16 and Radrelay Not updating
> seconds runs through its hoop, but never processes anything like it had nothing to do

Do you mean: the server never gets anything? Then maybe radrelay is blocked on an intermediate firewall? If the packets get lost en-route, you have to look there...

In any case, actually *sending* us the *debug output* instead of your verbal description of it helps a lot more.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research and Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.: +352 424409-1
http://www.restena.lu          Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Disabling EAP-TLS while keeping EAP-PEAP
Sounds interesting, can you post your tls section config?

----- Original message -----
From: Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, 18 June 2007, 11:09:31
Subject: Re: Disabling EAP-TLS while keeping EAP-PEAP

> Hi!
>
> By commenting the CA_file parameter in the eap-tls section:
>
>     # CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem
>
> *and* by setting the CA_path parameter in the eap-tls section to an *empty* directory
>
>     CA_path = ${raddbdir}/certs/trustedCAs
>
> should do the trick. No trusted CAs mean no trusted client certificates :-)
>
> Martin Gadbois wrote:
> > When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required. How can I disable EAP-TLS while using EAP-PEAP?
> > I agree that if the client does not have a client key, EAP-TLS will not work. But how to restrict EAP-TLS in any case?
>
> --
> Beste Gruesse / Kind Regards
> Reimer Karlsen-Masur
> DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
> --
> Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
freeradius performance, requests per second
Hi,

I am using freeradius 1.1.6 on Suse Linux 10, and mysql for database. My processor is Intel Pentium 4, 3.40 GHz, RAM is 512 MB and hard disk is 80 GB. On this configuration how many requests can freeradius handle per second?

Is there any tool which can test the performance of freeradius?

Can you please tell me the average number of authentication requests that freeradius can process per second. Can it handle 1 lac requests per second?

thanks
deepak
Re: freeradius performance, requests per second
deepak kumar wrote:
> I am using freeradius 1.1.6 on Suse Linux 10, and mysql for database. My processor is Intel Pentium 4, 3.40 GHz, RAM is 512 MB and hard disk is 80 GB. On this configuration how many requests can freeradius handle per second?

  A lot.

  If you have a million users, the exact number might matter. If you have less than a million users, I wouldn't worry about performance.

  Alan DeKok.
Re: freeradius performance, requests per second
Hi,

> I am using freeradius 1.1.6 on Suse Linux 10, and mysql for database. My processor is Intel Pentium 4, 3.40 GHz, RAM is 512 MB and hard disk is 80 GB. On this configuration how many requests can freeradius handle per second? Is there any tool which can test the performance of freeradius? Can you please tell me the average number of authentication requests that freeradius can process per second.

doc/performance-testing

alan
Re: Attribute User-Password is required for authentication
> All the passwords stored in the ldap database are md5, is that going to work with peap?

No. It's cryptographically impossible, sorry.

Your only real option is TTLS+PAP, which will require installing supplicant software on windows machines e.g. SecureW2
Re: Attribute User-Password is required for authentication
Phil Mayers wrote:
> > All the passwords stored in the ldap database are md5, is that going to work with peap?
>
> No. It's cryptographically impossible, sorry.
>
> Your only real option is TTLS+PAP, which will require installing supplicant software on windows machines e.g. SecureW2

What we did here was set up a transparent capture of passwords when users logged into one of our popular services. We then took the captured passwords and populated a second attribute in the LDAP directory with them (ntPassword). Now all operations involving a change of users' passwords write the SSHA form of the password and the NT Hash form of the passwords, which is nice because it means we can hang Samba off our OpenLDAP server too :)

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT: 01273 873900 | INT: 3900
Re: freeradius performance, requests per second
I tested with wireshark a month ago. The service response time was from 0.3 msec to 5 msec for auth-requests. But if you are using accounting via mysql, the srt for accounting-requests can be up to 0.5 secs or higher, depending on how many datasets the accounting-table has. I will do authentication via DB and accounting via files.

Greetings
Markus

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok
Sent: Tuesday, 19 June 2007 10:22
To: FreeRadius users mailing list
Subject: Re: freeradius performance, requests per second

> deepak kumar wrote:
> > I am using freeradius 1.1.6 on Suse Linux 10, and mysql for database. My processor is Intel Pentium 4, 3.40 GHz, RAM is 512 MB and hard disk is 80 GB. On this configuration how many requests can freeradius handle per second?
>
>   A lot.
>
>   If you have a million users, the exact number might matter. If you have less than a million users, I wouldn't worry about performance.
>
>   Alan DeKok.
Multiple Databases
Hi,

I am using freeradius with SER and oracle. Currently I have one domain for my SER. I want my SER to support another domain and a separate database for the second domain. Is it possible to configure the Radius server to connect to two databases and perform queries based on URI or some other criteria, e.g. [EMAIL PROTECTED] should go to the domainA database and [EMAIL PROTECTED] should go to the domainB database?

Thanking you all in advance.

Best Regards,
Abdul Qadir
Re: Freeradius 1.16 and Radrelay Not updating
I finally got it working last night. I had to download 1.16 and compile it that way. Then things started working. For some reason, using the version installed through yast, something was amiss apparently. The same fix worked on both servers using OpenSuse 10.2

From: Stefan Winter [mailto:[EMAIL PROTECTED]]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]]
Sent: Tue, 19 Jun 2007 02:34:23 -0400
Subject: Re: Freeradius 1.16 and Radrelay Not updating

> > seconds runs through its hoop, but never processes anything like it had nothing to do
>
> Do you mean: the server never gets anything? Then maybe radrelay is blocked on an intermediate firewall? If the packets get lost en-route, you have to look there...
>
> In any case, actually *sending* us the *debug output* instead of your verbal description of it helps a lot more.
>
> Stefan
Freeradius PAP and CHAP
Hi,

I configured Freeradius to use the PAP method with the users file. The password is stored in clear text in the users file and it works well. Now I want to use another mode of user storing with the PAP method (example: MD5 with the user file located in /freeradius-1.1.6/src/tests/digest-auth-MD5).

1- How to tell freeradius that the user password is stored in clear text, or digest, or MD5 hashed, etc.?

I tried to copy the content of digest-auth-MD5 in the users file and I got this error:

Errors reading /opt/freeradius/etc/raddb/users
radiusd.conf[1067]: files: Module instantiation failed.
radiusd.conf[1852] Unknown module files.
radiusd.conf[1788] Failed to parse authorize section.

I want to test also the CHAP method, how to tell radius to use this method instead of PAP?

thanks
UNSUBSCRIBE
UNSUBSCRIBE
Re: UNSUBSCRIBE
Florian Reinholz wrote:
> UNSUBSCRIBE

No! ;]

--
Q: I want to be a sysadmin. What should I do?
A: Seek professional help.
Re: Freeradius PAP and CHAP
Have a look at dictionary.freeradius.internal. You will find several xxx-Password attributes where xxx are supported encryption types.

To test CHAP you don't need to tell Freeradius anything. The chap module is enabled by default, so it will work if you haven't disabled it. What you need to do is to get the client to use CHAP - the radius server will follow.

Ivan Kalik
Kalik Informatika ISP

On 19/6/2007, lisa laam [EMAIL PROTECTED] wrote:
> Hi,
>
> I configured Freeradius to use the PAP method with the users file. The password is stored in clear text in the users file and it works well. Now I want to use another mode of user storing with the PAP method (example: MD5 with the user file located in /freeradius-1.1.6/src/tests/digest-auth-MD5).
>
> 1- How to tell freeradius that the user password is stored in clear text, or digest, or MD5 hashed, etc.?
>
> I tried to copy the content of digest-auth-MD5 in the users file and I got this error:
>
> Errors reading /opt/freeradius/etc/raddb/users
> radiusd.conf[1067]: files: Module instantiation failed.
> radiusd.conf[1852] Unknown module files.
> radiusd.conf[1788] Failed to parse authorize section.
>
> I want to test also the CHAP method, how to tell radius to use this method instead of PAP?
>
> thanks
Re: Server dies
Hugh Messenger wrote:
> Alan Dekok [EMAIL PROTECTED] said ...
>
> So far the only errors I'm seeing are these:
>
> ==29820== Thread 2:
> ==29820== Invalid write of size 1
> ==29820==    at 0x4819294: strNcpy (misc.c:187)
> ==29820==    by 0x4CC43F3: sqlippool_postauth (rlm_sqlippool.c:527)

  That's... fairly broken. Barring severe code changes to rlm_sqlippool, I would suggest not using it in 1.1.6. Sorry.

  Try 2.0.0-pre, at least the rlm_sqlippool module is fixed there.

  Alan DeKok.
Re: Additionally set/provided variables... how to access them?
Alan DeKok wrote:
> Mark J Elkins wrote:
> > This gives (in radiusd -X) the debug warning message of
> >   WARNING: Attempt to use unknown xlat function, or non-existent attribute in string %{Telkom-Access-Type}
> > So how do I correctly access and use this value
>
>   See doc/variables.txt, which explains how to conditionally look at the contents of attributes.
>
>   Alan DeKok.

I had doc/variables.txt open when I posted this question. I also tried sticking things like request: and reply: into my query - but had no joy.

I'm either not being sent the Variable (so how do I send this myself from a NAS that I own - e.g. a Cisco router with an AUX port - so I can confirm I'm getting the Variable properly set)... or I'm missing the whole plot. My first language is English... so I should be able to understand what is written...

In variables.txt - you state...

  The run-time variables defined by the server are:
  %{Attribute-Name}           The value of the given Attribute-Name in the request packet
  %{request:Attribute-Name}   The value of value the given Attribute-Name in the request packet

These almost look the same... except for an extra value - so when does one use request: ??? Any chance of an example?

In all honesty - I'm not sure when Telkom even sends me this attribute - i.e. is it sent at the same time as when the NAS gives me the username@realm and password - or is it sent with the accounting record?

--
Posix Systems - Sth Africa
[EMAIL PROTECTED] - Mark J Elkins, SCO ACE, Cisco CCIE
Tel: +27 12 807 0590  Cell: +27 82 601 0496
Re: Disabling EAP-TLS while keeping EAP-PEAP
Hi,

it's very similar to pages 20ff of http://www.dfn.de/content/fileadmin/1Dienstleistungen/Roaming/DFNRoaming-Workshop-20070426-Handout.pdf

Eshun Benjamin wrote:
> Sounds interesting, can you post your tls section config?

--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
I spoke too soon. This works ok for a user/password in the users file, but not via LDAP. Via ldap mschap works but not gtc. Below is a snippet of output when it is failing. Any advice on how to fix would be appreciated:

[EMAIL PROTECTED] raddb]# more gtc_info
modcall: entering group authenticate for request 502
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/gtc
  rlm_eap: processing type gtc
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 502
  rlm_pap: login attempt with password blah
  rlm_pap: Using NT encryption.
radius_xlat: Running registered xlat function of module mschap for string 'NT-Hash blah'
  rlm_mschap: Unknown expansion string NT-Hash blah
radius_xlat: ''
  rlm_pap: mschap xlat failed
  rlm_pap: Passwords don't match

Colleen C. Morrissey wrote:
> Thanks! I had ldap returning Password-with-Header for the GTC deployment and then added NT-Password for ms-chapv2. Commenting out the password-with-header for userpassword in ldap.attrmap seems to allow both to work. Which makes my life much easier :)
>
> Alan Dekok wrote:
> > Colleen C. Morrissey wrote:
> > > My question is can I somehow support both simultaneously with the same freeradius daemon (I know I can simply run a second daemon on a different port supporting the other but that will require me to do lots of work on infrastructure/ssids to point to different servers)? Does anybody happen to have this working and be willing to post config? Or any other ideas?
> >
> >   Yes. If you configure the server to know about the users clear-text password or NT-hashed password, then PEAP/GTC should just work.
> >
> >   Alan DeKok.
> > --
> >   http://deployingradius.com       - The web site of the book
> >   http://deployingradius.com/blog/ - The blog
Re: Additionally set/provided variables... how to access them?
If you are introducing a new attribute it has to be defined in the dictionary.

Ivan Kalik
Kalik Informatika ISP

On 19/6/2007, Mark J Elkins [EMAIL PROTECTED] wrote:
> Alan DeKok wrote:
> > Mark J Elkins wrote:
> > > This gives (in radiusd -X) the debug warning message of
> > >   WARNING: Attempt to use unknown xlat function, or non-existent attribute in string %{Telkom-Access-Type}
> > > So how do I correctly access and use this value
> >
> >   See doc/variables.txt, which explains how to conditionally look at the contents of attributes.
> >
> >   Alan DeKok.
>
> I had doc/variables.txt open when I posted this question. I also tried sticking things like request: and reply: into my query - but had no joy.
>
> I'm either not being sent the Variable (so how do I send this myself from a NAS that I own - e.g. a Cisco router with an AUX port - so I can confirm I'm getting the Variable properly set)... or I'm missing the whole plot. My first language is English... so I should be able to understand what is written...
>
> In variables.txt - you state...
>
>   The run-time variables defined by the server are:
>   %{Attribute-Name}           The value of the given Attribute-Name in the request packet
>   %{request:Attribute-Name}   The value of value the given Attribute-Name in the request packet
>
> These almost look the same... except for an extra value - so when does one use request: ??? Any chance of an example?
>
> In all honesty - I'm not sure when Telkom even sends me this attribute - i.e. is it sent at the same time as when the NAS gives me the username@realm and password - or is it sent with the accounting record?
>
> --
> Posix Systems - Sth Africa
> [EMAIL PROTECTED] - Mark J Elkins, SCO ACE, Cisco CCIE
> Tel: +27 12 807 0590  Cell: +27 82 601 0496
Re: Additionally set/provided variables... how to access them?
Mark J Elkins wrote:
> I had doc/variables.txt open when I posted this question. I also tried sticking things like request: and reply: into my query - but had no joy.

  That only refers to attributes in a specific list.

> I'm either not being sent the Variable (so how do I send this myself from a NAS that I own - e.g. a Cisco router with an AUX port - so I can confirm I'm getting the Variable properly set)... or I'm missing the whole plot.

  Look in doc/variables.txt for "When attribute Foo is set".

> My first language is English... so I should be able to understand what is written... In variables.txt - you state...
...
> These almost look the same... except for an extra value - so when does one use request: ???

  Are you sure you're reading *all* of variables.txt? See the conditional syntax section.

> Any chance of an example?

  See the conditional syntax section. If it's not in doc/variables.txt, upgrade to a recent version of the server.

> In all honesty - I'm not sure when Telkom even sends me this attribute - i.e. is it sent at the same time as when the NAS gives me the username@realm and password - or is it sent with the accounting record?

  No one knows but you, because no one else is getting the RADIUS packets. Look at the RADIUS packets to see what's being sent when.

  Alan DeKok.
Re: Freeradius PAP and CHAP
thanks,

Is there a way to test CHAP? Could we test that with radtest?

2007/6/19, [EMAIL PROTECTED] [EMAIL PROTECTED]:
> Have a look at dictionary.freeradius.internal. You will find several xxx-Password attributes where xxx are supported encryption types.
>
> To test CHAP you don't need to tell Freeradius anything. The chap module is enabled by default, so it will work if you haven't disabled it. What you need to do is to get the client to use CHAP - the radius server will follow.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 19/6/2007, lisa laam [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I configured Freeradius to use the PAP method with the users file. The password is stored in clear text in the users file and it works well. Now I want to use another mode of user storing with the PAP method (example: MD5 with the user file located in /freeradius-1.1.6/src/tests/digest-auth-MD5).
> >
> > 1- How to tell freeradius that the user password is stored in clear text, or digest, or MD5 hashed, etc.?
> >
> > I tried to copy the content of digest-auth-MD5 in the users file and I got this error:
> >
> > Errors reading /opt/freeradius/etc/raddb/users
> > radiusd.conf[1067]: files: Module instantiation failed.
> > radiusd.conf[1852] Unknown module files.
> > radiusd.conf[1788] Failed to parse authorize section.
> >
> > I want to test also the CHAP method, how to tell radius to use this method instead of PAP?
> >
> > thanks
Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
Colleen C. Morrissey wrote:
> I spoke too soon. This works ok for a user/password in the users file, but not via LDAP. Via ldap mschap works but not gtc. Below is a snippet of output when it is failing. Any advice on how to fix would be appreciated:
>
> [EMAIL PROTECTED] raddb]# more gtc_info
> modcall: entering group authenticate for request 502
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/gtc
>   rlm_eap: processing type gtc

  ... which sends the clear-text password to the server.

>   Processing the authenticate section of radiusd.conf
> modcall: entering group PAP for request 502
>   rlm_pap: login attempt with password blah
>   rlm_pap: Using NT encryption.

  Why? If you have the clear-text password on the server, you can just compare the two. There's no need to configure rlm_pap to do the NT hash.

> radius_xlat: Running registered xlat function of module mschap for string 'NT-Hash blah'
>   rlm_mschap: Unknown expansion string NT-Hash blah
> radius_xlat: ''

  That's a bug which will be fixed in 1.1.7, but it shouldn't affect you...

  Alan Dekok.
Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
Hi,

> Why? If you have the clear-text password on the server, you can just compare the two. There's no need to configure rlm_pap to do the NT hash.

I don't have the clear text password. Your original reply said this would work with a clear text password or NT hash. I have the NT hash and/or I can get the SHA1 base 64 encoded password (which was working with gtc by itself). Can I get pap/gtc to work with the NT hash password? I don't manage the ldap service so getting the clear text password will not be easy and may not be possible organizationally.

Thanks.
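A worked illustration of the point made in this thread and in the earlier "Attribute User-Password is required for authentication" thread (an added example, not code from the list, from FreeRADIUS or from any poster): the NT hash that MS-CHAPv2 needs is MD4 over the UTF-16LE password, so it can be written at password-change time from the clear text (the ntPassword attribute Arran describes) but never derived from an existing MD5 or SSHA digest, while a clear-text password arriving over PAP (TTLS/PAP or the PEAP-GTC inner method) can be checked against any of those stored forms. The attribute names, the {MD5}/{SSHA} header handling and the pure-Python MD4 are this example's own assumptions, not rlm_pap's or rlm_ldap's behaviour.

```python
"""Password storage forms and which inner method each one can serve.
Added example (not FreeRADIUS code). The LDAP attribute names and the
{MD5}/{SSHA} userPassword headers are this example's own conventions.
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so the example runs where OpenSSL has no md4."""
    mask = 0xFFFFFFFF

    def rotl(x, s):
        return ((x << s) | (x >> (32 - s))) & mask

    def f(x, y, z):
        return (x & y) | ((~x & mask) & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Pad to 56 mod 64 bytes, then append the bit length as a little-endian 64-bit word.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # register updated this step cycles a, d, c, b
                p, q, r = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = rotl((v[j] + fn(p, q, r) + x[k] + const) & mask, shifts[i % 4])
        state = [(s + t) & mask for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: what NT-Password holds and what MS-CHAPv2 proves knowledge of."""
    return _md4(password.encode("utf-16-le"))


def md5_userpassword(password: str) -> str:
    """Unsalted {MD5} userPassword, the form the directory in the earlier thread held."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def ssha_userpassword(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} userPassword: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def attributes_on_password_change(password: str, salt: Optional[bytes] = None) -> dict:
    """What a password-change hook writes so that both inner methods can be served."""
    return {
        "userPassword": ssha_userpassword(password, salt),
        "ntPassword": nt_hash(password).hex().upper(),
    }


def verify_pap(password: str, attrs: dict) -> bool:
    """Check a clear-text password (PAP, TTLS/PAP or PEAP-GTC inner) against any stored form."""
    stored = attrs.get("userPassword", "")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    if stored.startswith("{MD5}"):
        digest = base64.b64decode(stored[5:])
        return hmac.compare_digest(hashlib.md5(password.encode()).digest(), digest)
    if "ntPassword" in attrs:  # clear text came in: hash it and compare with the NT hash
        return hmac.compare_digest(nt_hash(password), bytes.fromhex(attrs["ntPassword"]))
    return False


def mschapv2_possible(attrs: dict) -> bool:
    """MS-CHAPv2 needs the NT hash (or clear text to derive it); an MD5/SSHA digest cannot yield it."""
    stored = attrs.get("userPassword", "")
    return "ntPassword" in attrs or (stored != "" and not stored.startswith("{"))
```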
Re: Additionally set/provided variables... how to access them?
On 19 Jun 2007, at 5:08 PM, Mark J Elkins wrote:
> In all honesty - I'm not sure when Telkom even sends me this attribute - i.e. is it sent at the same time as when the NAS gives me the username@realm and password - or is it sent with the accounting record?

Hi Mark,

SAIX sends it with the authentication request, which is how you determine what type of access type a user is using on the SAIX network.

Regards
--jm

--
Jacques Marneweck
http://www.powertrip.co.za/
http://www.powertrip.co.za/blog/
http://www.ataris.co.za/
#include <std/disclaimer.h>
Re: Server dies
On Tue 19 Jun 2007, Alan DeKok wrote:
> Hugh Messenger wrote:
> > Alan Dekok [EMAIL PROTECTED] said ...
> >
> > So far the only errors I'm seeing are these:
> >
> > ==29820== Thread 2:
> > ==29820== Invalid write of size 1
> > ==29820==    at 0x4819294: strNcpy (misc.c:187)
> > ==29820==    by 0x4CC43F3: sqlippool_postauth (rlm_sqlippool.c:527)
>
>   That's... fairly broken. Barring severe code changes to rlm_sqlippool, I would suggest not using it in 1.1.6. Sorry.
>
>   Try 2.0.0-pre, at least the rlm_sqlippool module is fixed there.

Yes. There have been numerous changes to rlm_sqlippool in 2.0. Enough so that I think we will probably mark it as a stable module...

On the other hand rlm_sqlippool in 1.1.x should work but could be horribly broken. That's why it's marked as experimental. It was a conscious decision on my part after consultation with Alan not to backport the rlm_sqlippool code changes from cvs HEAD to the 1.1.x branch (because of a lack of bandwidth on my side).

If you can break rlm_sqlippool in cvs head/2.0preX in the same way it is breaking in 1.1.x then we will have a stab at trying to fix it, but otherwise.. Sorry.. That's what experimental modules are for.. You are of course welcome to submit a patch to fix the problem or backport patches from cvs HEAD.. It's not a huge amount of work, but enough that I didn't want to do it :-)

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Need help with 802.1X authentication to Active Directory
Hi Ivan,

Here is the output of the RADIUSD -X

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
 realm: format = prefix
 realm: delimiter = \
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (ntdomain)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail:
dialup_admin user password question
I spent most of the day getting dialup_admin to work, and I did get it to work. Not being a mysql expert, I have to say what a blessing Webmin turned out to be on the project. It sure was nice to be able to easily use Webmin to look at data in the database table.

Everything is working but I have one question. When I add a user through dialup_admin, it puts the password in the table looking like this: $1$Mi0n6YpW$MURqBnAYJLQphvEbk7pRm1. I can go into webmin and change that to a clear text password and NtRadPing will send an Access-Accept reply. If I leave it the way it is, it is rejected because the passwords do not match.

What do I need to do to either get freeradius to take the encrypted password, or make dialup_admin put the password in the clear? I assume the first one is the best way of doing things, but whatever you guys think is best.

I would probably try to figure some of this out on my own, but it's after 5:00 now and I'm going to be out of the office for the next two days, so I thought I would just ask on here so I could be thinking about any replies for the next two days, and maybe fix it first thing Friday morning. The good thing is, if I keep this up, I will be able to help answer questions on here instead of just asking them. :)

Thanks,
Jay Banks
Re: Freeradius PAP and CHAP
No, not with radtest. You can use radclient, which has much more ability, but is also more complicated.

Use, for instance, an XP dialup connection. In connection properties click on the Security tab, the Advanced radio button and then the Settings button. By default all protocols are ticked. Leave only CHAP ticked and exit with OK. Once you are done with testing remember to go back and add the protocols back.

WARNING: This will work only if the NAS you are connecting through also supports CHAP authentication. If it doesn't, an XP client with only CHAP enabled won't be able to connect.

Ivan Kalik
Kalik Informatika ISP

On 19/6/2007, lisa laam [EMAIL PROTECTED] wrote:
> thanks,
>
> Is there a way to test CHAP? Could we test that with radtest?
>
> 2007/6/19, [EMAIL PROTECTED] [EMAIL PROTECTED]:
> > Have a look at dictionary.freeradius.internal. You will find several xxx-Password attributes where xxx are supported encryption types.
> >
> > To test CHAP you don't need to tell Freeradius anything. The chap module is enabled by default, so it will work if you haven't disabled it. What you need to do is to get the client to use CHAP - the radius server will follow.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> > On 19/6/2007, lisa laam [EMAIL PROTECTED] wrote:
> > > Hi,
> > >
> > > I configured Freeradius to use the PAP method with the users file. The password is stored in clear text in the users file and it works well. Now I want to use another mode of user storing with the PAP method (example: MD5 with the user file located in /freeradius-1.1.6/src/tests/digest-auth-MD5).
> > >
> > > 1- How to tell freeradius that the user password is stored in clear text, or digest, or MD5 hashed, etc.?
> > >
> > > I tried to copy the content of digest-auth-MD5 in the users file and I got this error:
> > >
> > > Errors reading /opt/freeradius/etc/raddb/users
> > > radiusd.conf[1067]: files: Module instantiation failed.
> > > radiusd.conf[1852] Unknown module files.
> > > radiusd.conf[1788] Failed to parse authorize section.
> > >
> > > I want to test also the CHAP method, how to tell radius to use this method instead of PAP?
> > >
> > > thanks
Re: Need help with 802.1X authentication to Active Directory
> rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137
>         User-Name = CORP\\bugman
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         Called-Station-Id = 00-0F-34-A8-FB-0A
>         Calling-Station-Id = 00-14-38-A7-F4-2B
>         EAP-Message = 0x0202001001434f52505c6275676d616e
>         Message-Authenticator = 0xc99fddd5d26268a110ee68d3ccba91d0
>         NAS-Port = 50010
>         NAS-Port-Type = Ethernet
>         NAS-IP-Address = 10.10.2.174
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 6
>   modcall[authorize]: module preprocess returns ok for request 6
>   modcall[authorize]: module chap returns noop for request 6
>   modcall[authorize]: module mschap returns noop for request 6
>     rlm_realm: No '@' in User-Name = CORP\bugman, looking up realm NULL
>     rlm_realm: No such realm NULL
>   modcall[authorize]: module suffix returns noop for request 6
>     rlm_realm: Looking up realm CORP for User-Name = CORP\bugman
>     rlm_realm: No such realm CORP
>   modcall[authorize]: module ntdomain returns noop for request 6
>   rlm_eap: EAP packet type response id 2 length 16
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module eap returns updated for request 6
>     users: Matched entry DEFAULT at line 152
>     users: Matched entry DEFAULT at line 171
>   modcall[authorize]: module files returns ok for request 6
> modcall: leaving group authorize (returns updated) for request 6
>   rad_check_password: Found Auth-Type EAP
> auth: type EAP
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 6
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module eap returns handled for request 6
> modcall: leaving group authenticate (returns handled) for request 6
> Sending Access-Challenge of id 168 to 10.10.2.174 port 21645
>         Framed-IP-Address = 255.255.255.254
>         Framed-MTU = 576
>         Service-Type = Framed-User
>         EAP-Message = 0x010300061920
>         Message-Authenticator = 0x
>         State = 0x6b41a15d99600d47f03b461bf870cbb6
> Finished request 6
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.10.2.174:21645, id=168, length=137
> Sending duplicate reply to client 10.10.2.174:21645 - ID: 168
> Re-sending Access-Challenge of id 168 to 10.10.2.174 port 21645
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 6 ID 168 with timestamp 46782c03
> Nothing to do. Sleeping until we see a request.

OK, you send a request, server sends challenge ... and then nothing happens. Request is repeated, so is the challenge. Have you installed (self signed) CA certificate on your XP client?

Ivan Kalik
Kalik Informatika ISP
Re: Need help with 802.1X authentication to Active Directory
> OK, you send a request, server sends challenge ... and then nothing happens. Request is repeated, so is the challenge. Have you installed (self signed) CA certificate on your XP client?
>
> Ivan Kalik
> Kalik Informatika ISP

Hi Ivan,

Yes, it took me a while to figure out the CA.all script, but I did create the certificates finally after 4 days of trying. The client is actually a Windows 2003 server. The XPEXTENSIONS had an entry for the xpserver. I moved all the files that were created to the /etc/raddb/certs directory along with the demoCA.

Are the scripts designed to create the client certificate for Windows 2003?

Thanks,
Bryant

--
View this message in context: http://www.nabble.com/Need-help-with-802.1X-authentication-to-Active-Directory-tf3925261.html#a11205301
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Frreradius PAP and CHAP
Hi, Ivan

I want to know how to test CHAP with radclient (I have no NAS). Could you give me an example of the radclient configure file? Thank you.

-chenhao

2007/6/20, [EMAIL PROTECTED] [EMAIL PROTECTED]:

> No, not with radtest. You can use radclient, which has much more ability, but is also more complicated.
>
> Use, for instance, XP dialup connection. In connection properties click on Security tab, Advanced radio button and then Settings button. By default all protocols are ticked. Leave only CHAP ticked and exit with OK. Once you are done with testing remember to go back and add protocols back.
>
> WARNING: This will work only if the NAS you are connecting through also supports CHAP authentication. If it doesn't, XP client with only CHAP enabled won't be able to connect.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Frreradius PAP and CHAP
Instead of using radclient/radtest, this program BY FAR is the best way to debug a radius box...

http://jradius.org/wiki/index.php/JRadiusSimulator

On 6/19/07, hao chen [EMAIL PROTECTED] wrote:

> Hi, Ivan
>
> I want to know how to test CHAP with radclient (I have no NAS). Could you give me an example of the radclient configure file? Thank you.
>
> -chenhao
Re: Frreradius PAP and CHAP
On 6/20/07, hao chen [EMAIL PROTECTED] wrote:

> Hi, Ivan
>
> I want to know how to test CHAP with radclient (I have no NAS). Could you give me an example of the radclient configure file? Thank you.
>
> -chenhao

$ cat request.txt
User-Name = foo
CHAP-Password = bar
$ radclient -sx -f request.txt <radius server> auth <shared secret>
Sending Access-Request of id 116 to 192.168.3.38:1812
        User-Name = foo
        CHAP-Password = 0x74f42a8e4b2b3f0505ad6ed22ba980a20e
rad_recv: Access-Accept packet from host 192.168.3.38:1812, id=116, length=20
Total approved auths:  1
Total denied auths:    0
Total lost auths:      0
$
Re: Frreradius PAP and CHAP
Hi,

I tried as you said. But it seems I still miss something.

$ cat /usr/local/etc/raddb/users
...
John    Auth-Type := CHAP, CHAP-Password == hello
...
$ cat request.txt
User-Name = John
CHAP-Password = hello
$ radiusd -X
...
  call_modsingle: chap
  rlm_chap: login attempt by John with CHAP password ?谟??1?kW将芇?
  rlm_chap: Could not find clear text password for user John
  modcall[authenticate]: module chap returns invalid
...

Any suggestion? Thank you.

--chenhao

2007/6/20, Jian Wang [EMAIL PROTECTED]:

> $ cat request.txt
> User-Name = foo
> CHAP-Password = bar
> $ radclient -sx -f request.txt <radius server> auth <shared secret>
> Sending Access-Request of id 116 to 192.168.3.38:1812
>         User-Name = foo
>         CHAP-Password = 0x74f42a8e4b2b3f0505ad6ed22ba980a20e
> rad_recv: Access-Accept packet from host 192.168.3.38:1812, id=116, length=20
> Total approved auths:  1
> Total denied auths:    0
> Total lost auths:      0
> $
Re: Frreradius PAP and CHAP
On 6/20/07, hao chen [EMAIL PROTECTED] wrote:

> Hi,
>
> I tried as you said. But it seems I still miss something.
>
> $ cat /usr/local/etc/raddb/users
> ...
> John    Auth-Type := CHAP, CHAP-Password == hello
> ...

Here, you should use `User-Password' other than `CHAP-Password'.

> $ cat request.txt
> User-Name = John
> CHAP-Password = hello
> $ radiusd -X
> ...
>   call_modsingle: chap
>   rlm_chap: login attempt by John with CHAP password ?谟??1?kW将芇?
>   rlm_chap: Could not find clear text password for user John
>   modcall[authenticate]: module chap returns invalid
> ...
>
> Any suggestion? Thank you.
>
> --chenhao
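An added example (not from the thread and not FreeRADIUS code) of the CHAP arithmetic behind the two exchanges above: how a client such as radclient turns a clear-text CHAP-Password line into the hashed attribute seen in Jian Wang's output (its first byte, 0x74 = 116, matches the packet id), and why rlm_chap returns "invalid" when the users entry carries no clear-text User-Password. The users-file stand-ins, the challenge bytes and all function names are constructed for this example.

```python
import hashlib
import hmac

# CHAP-Password exactly as radclient printed it in the thread: 0x74 = 116 (the
# packet id) followed by 16 MD5 bytes (RFC 2865 s5.3: MD5(Ident||secret||challenge)).
THREAD_CHAP_PASSWORD_HEX = "0x74f42a8e4b2b3f0505ad6ed22ba980a20e"

# Constructed stand-ins for the users file (the real one is parsed by rlm_files).
USERS_WRONG = {"John": {"CHAP-Password": "hello"}}  # chenhao's first attempt
USERS_FIXED = {"John": {"User-Password": "hello"}}  # what the reply asks for


def parse_chap_password(hex_attr: str) -> tuple:
    """Split a CHAP-Password attribute into (CHAP-Ident, 16-byte hash)."""
    raw = bytes.fromhex(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)
    if len(raw) != 17:
        raise ValueError("CHAP-Password must be 1 ident byte + 16 hash bytes")
    return raw[0], raw[1:]


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: what the client does to a clear-text CHAP-Password line.
    challenge = CHAP-Challenge attribute, or the Request Authenticator if absent."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP-Ident must fit in one byte")
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(clear_password: bytes, chap_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute from the stored clear-text password and compare."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], clear_password, challenge)
    return hmac.compare_digest(expected, chap_password)


def server_chap_check(users: dict, username: str, chap_password: bytes,
                      challenge: bytes) -> str:
    """Model rlm_chap's decision. CHAP can only be checked from a clear-text
    User-Password: an entry holding just CHAP-Password, or only an MD5 of the
    password, gives the server nothing to recompute, hence 'invalid'."""
    entry = users.get(username)
    if entry is None or "User-Password" not in entry:
        return "invalid"  # rlm_chap: Could not find clear text password
    ok = verify_chap(entry["User-Password"].encode(), chap_password, challenge)
    return "ok" if ok else "reject"


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed stand-in for a Request Authenticator
    resp = chap_response(116, b"hello", challenge)
    print(parse_chap_password(THREAD_CHAP_PASSWORD_HEX)[0])        # 116
    print(server_chap_check(USERS_WRONG, "John", resp, challenge))  # invalid
    print(server_chap_check(USERS_FIXED, "John", resp, challenge))  # ok
```

The same constraint answers the original poster's MD5-storage question: a backend that keeps only a one-way hash of the password cannot serve CHAP, because the server must recompute MD5 over the clear-text secret for every request.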