Re: Exec-Program-Wait

2007-06-25 Thread Alan DeKok
Michael Alexeev wrote:
 I found it on the following site:
 http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html

  Which is the manual for the GNU radius server.  There was never a 0.95
release of FreeRADIUS.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


authentication and authorization

2007-06-25 Thread Diana Robert
radiusd.conf:

authenticate {
	Auth-Type customer1 {
		ldap1
	}
	Auth-Type customer2 {
		ldap2
	}
}

authorize {
	preprocess
	suffix
	Autz-Type customer1 {
		ldap1
	}
	Autz-Type customer2 {
		ldap2
	}
	files
}

users file:

DEFAULT Realm == customer1, Autz-Type := customer1, Auth-Type := customer1


If we specify as above, can anyone say what the difference is between the
authentication and authorization functions?
Thanks.

  

Re: authentication and authorization

2007-06-25 Thread Alan DeKok
Diana Robert wrote:
...
 If we specify as above, can anyone say what the difference is between the
 authentication and authorization functions?

  What do you mean by that?  Authentication and authorization are
two different words with different meanings.  The doc/ directory has
files explaining how the server works, and what happens in the various
sections.

  Alan DeKok.


cvs.freeradius.org failure?

2007-06-25 Thread Milan Holub
Hi Alan,

is it possible that something is wrong with freeradius cvs?
I can't log in as anoncvs, nor can I do diffs or anything else. The client just
hangs, e.g.:
`cvs -d:pserver:[EMAIL PROTECTED]:/source login`
Logging in to :pserver:[EMAIL PROTECTED]:2401/source
CVS password:
== nothing happens for a long time
cvs [login aborted]: received interrupt signal
== killed by ctrl-c

Please advise.

With regards.

Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--




Re: cvs.freeradius.org failure?

2007-06-25 Thread Alan DeKok
Milan Holub wrote:
 is it possible that something is wrong with freeradius cvs?

  Yes.  I think the machine's disk is full again.  I'll ping the admin.

  In any case, I think the conflicting packet problem you were seeing
is solved.

  Alan DeKok.


Re: cvs.freeradius.org failure?

2007-06-25 Thread Milan Holub
Hi Alan,

On Mon, Jun 25, 2007 at 11:08:31AM +0200, Alan DeKok wrote:
 Milan Holub wrote:
  is it possible that something is wrong with freeradius cvs?
 
   Yes.  I think the machine's disk is full again.  I'll ping the admin.

== thanks.

 
   In any case, I think the conflicting packet problem you were seeing
 is solved.

== thanks for the reply, I have not found the time to test and reply yet,
but thanks again :)

 


Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Phil Mayers
 
 Can you clear something up for me with inner/outer identity. The outer 
 identity is in the User-Name attribute, it's a standard RADIUS 

yep

 attribute... Inner identity is encoded in the EAP message, and is pulled 

yep

 out by the EAP module prior to internal proxying and set as the 
 User-Name attribute (which should overwrite the User-Name attribute in 
 the request) ?

yep

 
 And it's standard practice to leave the outer identity as anonymous, as 

Varies. Some supplicants just set outer == inner, e.g. WinXP.

 the only communication between the NAS and the Supplicant is EAP based 
 when using EAPOL, and so the NAS would have to understand EAP to be able 
 to extract the User-Name string and write it into the Access-Request 
 packet ?

In fact, since the inner identity is normally sent in an encrypted EAP 
flow, the NAS would have to break the encryption to access it. Basically 
the NAS can't see the inner User-Name.

 
 So although the NAS  must send an EAP-Identity-Request when the client 
 connects it's not required to understand the EAP-Identity-Response ?

Correct.

One final thing to add - the EAP standard specifies that in the final 
Access-Accept, the radius server (which DOES know the inner User-Name) 
should copy it to a User-Name attribute in the Access-Accept - so, the 
radius server tells the NAS what the user is.

This is *slightly* complicated because by default, FreeRadius proxies 
the inner EAP to itself, so when it sends that Access-Accept it sends it 
to itself; and you need to use_tunneled_reply to actually get that 
back to the NAS.

That is:

NAS: Access-Request [EMAIL PROTECTED]
SRV: Access-Challenge
NAS: Access-Request [EMAIL PROTECTED]
SRV: Access-Challenge
NAS: Access-Request
SRV: ok, I've got all the EAP - proxy to myself
  SRV(outer): Access-Request [EMAIL PROTECTED]
  SRV(inner): Access-Accept [EMAIL PROTECTED]
SRV: ok, copy tunneled reply to outer and...
SRV: Access-Accept [EMAIL PROTECTED]

Hope that helps.


Re: radiusd stop responding. deadlock?

2007-06-25 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
...
 I think that the problem of stopping responding at our site
 is similar to the following reports.
   2007-February/060174.html
   2006-March/051900.html
 
 Are these problem resolved ?

  No idea.  I'm not going to troll through the list archives looking for
those messages.

 Isn't
 "Port OpenSSL locking fixes from CVS head"
 (in the ChangeLog for 1.1.5) related?

  No idea.  In any case, it's fixed in 1.1.6.

  Alan DeKok.


Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Alan DeKok
Arran Cudbard-Bell wrote:
...
   It works for GTC, PAP, and MS-CHAPv2.  The server can terminate PEAP,
 and proxy the inner EAP-MSCHAPv2 session as plain MS-CHAPv2.
   
 Ah cool, that's actually really useful. Does only one packet need to be 
 proxied per EAP authentication?

  Yes.

  Alan DeKok.


Problem on freeradius+openldap+tls

2007-06-25 Thread Hangjun He
hi,
FreeRADIUS with OpenLDAP is OK when using cleartext communication.
Now I want to use TLS.

openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile
/usr/local/etc/openldap/ssl/cacert.pem   shows the cacert/cert/key are correct.

But when I use FreeRADIUS with TLS, errors pop up:

freeradius error:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hwang
radius_xlat:  '(uid=hwang)'
radius_xlat:  'ou=People,dc=aerohive,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
   
   
  openldap error:
  TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=902, written=902   ..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
  :  15 03 01 00 02 .
tls_read: want=2, got=2
  :  02 2a  .*
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate 
s3_pkt.c:1052
connection_read(11): TLS accept failure error=-1 id=5, closing
connection_closing: readying conn=5 sd=11 for close
connection_close: conn=5 sd=11
daemon: removing 11
   
   
When I use FreeRADIUS on the same host as OpenLDAP, there are other 
errors:
  connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(10): unable to get TLS client DN, error=49 id=11
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
   
   
partial configuration in slapd.conf:
  TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem
TLSVerifyClient try
   
Can anyone tell me why this is? Is anything wrong with my configuration file?

Thanks!
John
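The two hex lines under tls_read in the first slapd trace (`15 03 01 00 02` and `02 2a`) are a complete TLS alert record, and decoding it tells you which side gave up. The decoder below is an added example by the editor, not code from the original post, from FreeRADIUS or from OpenLDAP; the byte values are copied from the trace above, and the name tables come from RFC 2246/5246.

```python
"""Decode the TLS alert record shown in an OpenLDAP `TLS trace` log.

Added example by the editor; not code from the original post, FreeRADIUS or
OpenLDAP.  The two byte strings below are copied from the slapd trace in the
post; the name tables are from RFC 2246 / RFC 5246.
"""
import struct

# TLS record layer content types.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Record-layer version bytes; OpenSSL's trace labels all of these states "SSLv3".
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values (RFC 2246 section 7.2, extended by RFC 5246).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 112: "unrecognized_name",
}


def parse_record_header(header: bytes) -> dict:
    """Parse the 5-byte record header: type(1) major(1) minor(1) length(2)."""
    if len(header) != 5:
        raise ValueError("TLS record header must be exactly 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", header)
    return {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": VERSIONS.get((major, minor), f"{major}.{minor}"),
        "length": length,
    }


def parse_alert(body: bytes) -> dict:
    """Parse the 2-byte alert body: level(1) description(1)."""
    if len(body) != 2:
        raise ValueError("TLS alert body must be exactly 2 bytes")
    level, description = body[0], body[1]
    return {
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
    }


def decode_alert_record(header: bytes, body: bytes, logged_by: str = "server") -> dict:
    """Combine header and body and attribute the alert to the peer of the logger.

    A record that shows up under tls_read in the logger's trace was sent by the
    other side of the connection.
    """
    record = parse_record_header(header)
    if record["content_type"] != "alert":
        raise ValueError("not an alert record")
    if record["length"] != len(body):
        raise ValueError("record length field does not match the body")
    record.update(parse_alert(body))
    record["sent_by"] = "client" if logged_by == "server" else "server"
    return record


# Copied from the post: "tls_read: want=5, got=5 / 15 03 01 00 02" followed by
# "tls_read: want=2, got=2 / 02 2a".
SLAPD_TRACE_HEADER = bytes.fromhex("15 03 01 00 02")
SLAPD_TRACE_BODY = bytes.fromhex("02 2a")


def explain_slapd_trace() -> dict:
    """slapd performed the tls_read, so the record came from the LDAP client."""
    return decode_alert_record(SLAPD_TRACE_HEADER, SLAPD_TRACE_BODY, logged_by="server")


if __name__ == "__main__":
    for key, value in explain_slapd_trace().items():
        print(f"{key:13s} {value}")
```

Run as a script it prints: alert, TLS 1.0, length 2, fatal, bad_certificate, sent by the client. Because slapd logged the record under tls_read, the side that rejected a certificate is the LDAP client, here rlm_ldap with tls_require_cert set to demand, not slapd; `TLSVerifyClient try` only asks the client for a certificate, and the later `unable to get TLS client DN, error=49` line records that none was presented (the handshake in that second trace completes). A client that demands the server certificate validates the chain against its CA file and, with the OpenLDAP libraries, also compares the name it connected to with the name in the server certificate; `openssl s_client` does not do that name comparison, so its success does not rule out a mismatch between `127.0.0.1` and the certificate's subject. That is a caveat to check, not something the trace alone proves.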

terminater the server

2007-06-25 Thread Diana Robert
How do I terminate the server process?
Is the kill method a correct way of terminating it?
Thanks

   

Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Josh Howlett
Gah, my message bounced owing to change of email address...

Arran wrote:
 Can you clear something up for me with inner/outer identity. 
 The outer identity is in the User-Name attribute, it's a standard 
 RADIUS attribute... Inner identity is encoded in the EAP message, and 
 is pulled out by the EAP module prior to internal proxying and set as 
 the User-Name attribute (which should overwrite the User-Name 
 attribute in the request) ?

Correct.

 And it's standard practice to leave the outer identity as anonymous, 
 as the only communication between the NAS and the Supplicant is EAP 
 based when using EAPOL, and so the NAS would have to understand EAP to

 be able to extract the User-Name string and write it into the 
 Access-Request packet ?

Nope; see RFC 3579 for the gory details:

the NAS MUST copy the contents of the Type-Data field of the
EAP-Response/Identity received from the peer into the User-Name
attribute

The use of anonymous is simply to preserve privacy; it's not a
technical requirement of any EAP method (that I know of).

An interesting tangent: note that end-user identity hiding is simply a
requirement of RFC 4017 (EAP Method Requirements for Wireless LANs),
which I think is a shame.

 So although the NAS  must send an EAP-Identity-Request when the client

 connects it's not required to understand the EAP-Identity-Response ?

For the reason given above, it *does* need to understand the
EAP-Identity-Response. But that's about it! The NAS is a pretty dumb
device.

josh.

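The mechanics Phil and Josh describe above, as an added example by the editor (not code from the thread or from FreeRADIUS): a NAS parses the EAP-Response/Identity it received over EAPOL, copies the Type-Data into User-Name as RFC 3579 requires, and wraps the EAP packet in EAP-Message attributes; a later packet carrying the tunneled inner identity is opaque to it, so no User-Name can be derived from that one. The identities, the realm and the tunnel payload are constructed for illustration; the attribute and type numbers are the standard ones from RFC 2865, RFC 3579 and RFC 3748.

```python
"""NAS side of RFC 3579: EAP-Response/Identity to RADIUS attributes.

Added example by the editor; not code from the thread or from FreeRADIUS.
The identities, realm and tunnel payload below are constructed.
"""
import struct

# EAP codes and types (RFC 3748); 21 is the EAP-TTLS method type.
EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TTLS = 21

# RADIUS attribute numbers (RFC 2865, RFC 3579).
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
MAX_AVP_VALUE = 253  # AVP length is one byte and includes the 2-byte header


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """EAP-Response/Identity: code(1) identifier(1) length(2) type(1) type-data."""
    type_data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(type_data),
                       EAP_TYPE_IDENTITY) + type_data


def parse_eap(packet: bytes) -> dict:
    """Parse the EAP header; Request/Response packets also carry a Type byte."""
    if len(packet) < 4:
        raise ValueError("short EAP packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    eap = {"code": code, "identifier": identifier, "type": None, "type_data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
        eap["type"] = packet[4]
        eap["type_data"] = packet[5:]
    return eap


def nas_attributes_for_eap(eap_packet: bytes) -> list:
    """Attributes a NAS adds to the Access-Request for one EAP packet from the peer.

    RFC 3579 2.1: for an EAP-Response/Identity the NAS copies Type-Data into
    User-Name; every EAP packet is carried in EAP-Message attributes, split at
    253 bytes and kept in order.  The NAS parses nothing beyond the Type byte,
    so for a tunneled method (TTLS, PEAP) it only ever forwards ciphertext.
    """
    eap = parse_eap(eap_packet)
    attrs = []
    if eap["code"] == EAP_RESPONSE and eap["type"] == EAP_TYPE_IDENTITY:
        attrs.append((ATTR_USER_NAME, eap["type_data"]))
    for offset in range(0, len(eap_packet), MAX_AVP_VALUE):
        attrs.append((ATTR_EAP_MESSAGE, eap_packet[offset:offset + MAX_AVP_VALUE]))
    return attrs


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute wire format: type(1) length(1) value."""
    if not 0 < len(value) <= MAX_AVP_VALUE:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def user_name_from_attrs(attrs):
    """The User-Name a RADIUS server or a non-EAP-aware proxy will see, or None."""
    for attr_type, value in attrs:
        if attr_type == ATTR_USER_NAME:
            return value.decode("utf-8")
    return None


def demo():
    """Outer identity sent in the clear, then an opaque tunneled packet."""
    outer = build_eap_identity_response(1, "anonymous@example.org")  # constructed
    outer_attrs = nas_attributes_for_eap(outer)
    # Constructed stand-in for a later EAP-TTLS response: the inner identity is
    # inside the TLS tunnel, so the NAS cannot derive a User-Name from it.
    tunneled = struct.pack("!BBHB", EAP_RESPONSE, 7, 5 + 16, EAP_TYPE_TTLS) + b"\x00" * 16
    inner_attrs = nas_attributes_for_eap(tunneled)
    return outer_attrs, inner_attrs


if __name__ == "__main__":
    for label, attrs in zip(("identity exchange", "tunneled exchange"), demo()):
        print(label, "User-Name =", user_name_from_attrs(attrs))
        for attr_type, value in attrs:
            print("   ", encode_avp(attr_type, value).hex())
```

demo() returns the attribute lists for the two Access-Requests: the first carries `User-Name = anonymous@example.org` plus an EAP-Message, the second only an EAP-Message. That is why, with an anonymous outer identity, the real user name reaches the NAS only if the server copies it into the Access-Accept, as Phil notes, and why a proxy that keys only on User-Name routes on the outer identity.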


reference guide...

2007-06-25 Thread suganthi V
Hi all,

I am new to FreeRADIUS. I want to understand the overall code flow 
and design of FreeRADIUS. Can anyone suggest any reference guide for 
understanding the design of FreeRADIUS please? I went through some manuals 
of FreeRADIUS, but they are theoretical, explaining RADIUS configurations 
and packet formats. I want to understand the design of it. Please help 
me if you know some guide.

Thanks a lot.



Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Arran Cudbard-Bell
Josh Howlett wrote:
 Gah, my message bounced owing to change of email address...
 
 Arran wrote:
 Can you clear something up for me with inner/outer identity. 
 The outer identity is in the User-Name attribute, it's a standard 
 RADIUS attribute... Inner identity is encoded in the EAP message, and 
 is pulled out by the EAP module prior to internal proxying and set as 
 the User-Name attribute (which should overwrite the User-Name 
 attribute in the request) ?
 
 Correct.
 
 And it's standard practice to leave the outer identity as anonymous, 
 as the only communication between the NAS and the Supplicant is EAP 
 based when using EAPOL, and so the NAS would have to understand EAP to
 
 be able to extract the User-Name string and write it into the 
 Access-Request packet ?
 
 Nope; see RFC 3579 for the gory details:
 
 the NAS MUST copy the contents of the Type-Data field of the
 EAP-Response/Identity received from the peer into the User-Name
 attribute
 

See, that's what I suspected, else how could the User-Name attribute be 
populated in the access requests...
And indeed, as the RFC states, the User-Identity needs to be set in the 
access requests for non-EAP-aware proxies. I suspect FreeRADIUS may 
count as one of these, as for all intents and purposes it provides no 
mechanism to proxy arbitrary segments of an EAP conversation on inner 
identity alone.
Unless I missed something?

 The use of anonymous is simply to preserve privacy; it's not a
 technical requirement of any EAP method (that I know of).
 
 An interesting tangent: note that end-user identity hiding is simply a
 requirement of RFC 4017 (EAP Method Requirements for Wireless LANs),
 which I think is a shame.
 
 So although the NAS  must send an EAP-Identity-Request when the client
 
 connects it's not required to understand the EAP-Identity-Response ?
 
 For the reason given above, it *does* need to understand the
 EAP-Identity-Response. But that's about it! The NAS is a pretty dumb
 device.
 
 josh.

Reason why I was asking is because most of the tests on the JRS test 
website seem to break when you base the reply in FreeRADIUS, on the 
inner identity as opposed to the outer identity.

So FreeRADIUS will copy all the attributes from the last attribute 
request into the internally proxied request, and base the reply  to the 
NAS, on the attributes coming back as the result of the internal proxy.
I have to do it like this else I get lots of duplicate reply attributes 
and things overwriting other things when they shouldn't.

PEAP seems to work ok, but all the other TTLS tests break.

Trying to track down what the issue is... I'll post some debug traces 
when I've moved the latest CVS to our production server.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Re: reference guide...

2007-06-25 Thread Alan DeKok
suganthi V wrote:
 I am new to FreeRADIUS. I want to understand the overall
 code flow and design of FreeRADIUS. Can anyone suggest any reference
 guide for understanding the design of FreeRADIUS please?

  There is none.  Reading the source code is your best bet.

  Alan DeKok.


re: Problem on freeradius+openldap+tls

2007-06-25 Thread Hangjun He
freeradius version 1.1.6
openldap version 2.3.23
openssl version 0.9.7g


Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 And indeed, as the RFC states, the User-Identity needs to be set in the 
 access requests for non-EAP-aware proxies. I suspect FreeRADIUS may 
 count as one of these, as for all intents and purposes it provides no 
 mechanism to proxy arbitrary segments of an EAP conversation on inner 
 identity alone.

  I'm not sure why that matters.  the *NAS* sets User-Name in the
Access-Request.  The proxying server doesn't have to do anything.

 Reason why I was asking is because most of the tests on the JRS test 
 website seem to break when you base the reply in FreeRADIUS, on the 
 inner identity as opposed to the outer identity.

  The post-auth section is run in the outer identity, so you can
re-write the reply to be whatever you want.

  Alan DeKok.


RE: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Josh Howlett
  Nope; see RFC 3579 for the gory details:
  
  the NAS MUST copy the contents of the Type-Data field of the 
  EAP-Response/Identity received from the peer into the User-Name 
  attribute
  
 
 See, that's what I suspected, else how could the User-Name 
 attribute be populated in the access requests...
 And indeed, as the RFC states, the User-Identity needs to be 
 set in the access requests for non-EAP-aware proxies. I 
 suspect FreeRADIUS may count as one of these, as for all 
 intents and purposes it provides no mechanism to proxy 
 arbitrary segments of an EAP conversation on inner identity alone.
 Unless I missed something?

No, that's correct.

  For the reason given above, it *does* need to understand the 
  EAP-Identity-Response. But that's about it! The NAS is a 
 pretty dumb 
  device.
 
 Reason why I was asking is because most of the tests on the 
 JRS test website seem to break when you base the reply in 
 FreeRADIUS, on the inner identity as opposed to the outer identity.

I'm surprised at that, IIRC (and I did write the code originally :-) the
tests use the same name for inner and outer. Still, it would probably be
best if you raised a ticket with JANET Customer Services as this is a
bit OT for this list.

best regards, josh.




Re: reference guide...

2007-06-25 Thread suganthi V

Hi,
 I tried to understand the code... But I didn't get a clear idea. Actually I 
don't know how and where to start reading the coding... I want the order in 
which I have to go through the coding so that I will get a clear idea of the 
design...


Re: reference guide...

2007-06-25 Thread Alan DeKok
suganthi V wrote:
  I tried to understand the code... But I didn't get a clear idea.
 Actually I don't know how and where to start reading the coding...

  Coding what?  And if you're asking coding questions, please subscribe
to freeradius-devel... that list is for development questions.

 I want
 the order in which I have to go through the coding so that I will get a
 clear idea of the design...

  Start at main().  The source code also has a lot of comments.

  Alan DeKok.


re: Problem on freeradius+openldap+tls

2007-06-25 Thread Hangjun He
When I use ldapsearch -H ldaps://localhost/... I can get the correct record.
   
  debug info:
  connection_get(11): got connid=12
connection_read(11): checking for input on id=12
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=12
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 45 contents:
ber_get_next
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
 dnPrettyNormal: cn=admin,dc=aehve,dc=com
 dnPrettyNormal: cn=admin,dc=aehve,dc=com, 
cn=admin,dc=aehve,dc=comdo_bind: version=3 dn=cn=admin,dc=aehve,dc=com 
method=128
do_bind: v3 bind: cn=admin,dc=aehve,dc=com to 
cn=admin,dc=aehve,dc=comsend_ldap_result: conn=12 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 73 contents:
ber_get_next
do_search
ber_scanf fmt ({mb) ber:
 dnPrettyNormal: cn=hlin,ou=People,dc=aehve,dc=com
 dnPrettyNormal: cn=hlin,ou=People,dc=aehve,dc=com, 
cn=hlin,ou=people,dc=aehve,dc=com
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
= bdb_search
bdb_dn2entry(cn=hlin,ou=people,dc=aehve,dc=com)
search_candidates: base=cn=hlin,ou=people,dc=aehve,dc=com (0x000b) scope=2
= bdb_dn2idl(cn=hlin,ou=people,dc=aehve,dc=com)
= bdb_dn2idl: id=1 first=11 last=11
= bdb_presence_candidates (objectClass)
bdb_search_candidates: id=1 first=11 last=11
= send_search_entry: conn 12 dn=cn=hlin,ou=People,dc=aehve,dc=com
ber_flush: 188 bytes to sd 11
= send_search_entry: conn 12 exit.
send_ldap_result: conn=12 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
connection_closing: readying conn=12 sd=11 for close
connection_resched: attempting closing conn=12 sd=11
connection_close: conn=12 sd=11
TLS trace: SSL3 alert write:warning:close notify
   
   
When I use FreeRADIUS on the same host:
  do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=11
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Success)
connection_closing: readying conn=11 sd=11 for close
connection_close: deferring conn=11 sd=11
do_unbind
connection_resched: attempting closing conn=11 sd=11
connection_close: conn=11 sd=11
TLS trace: SSL3 alert write:warning:close notify
   
  


Re: users authentication failed

2007-06-25 Thread Alan DeKok
Carl aniams wrote:
...
 please any suggestion
...
   WARNING: Unprintable characters in the password. ?  Double-check the
 shared secret on the server and the NAS!

  What part of that message is unclear?

  Alan DeKok.


users authentication failed

2007-06-25 Thread Carl aniams

hi
I am using FreeRADIUS 1.1.6 with MySQL 4 on Fedora Core 4 with a DD-WRT
v23 with chilli enabled.
I have the users created through the dialupadmin page. Users are
successfully created, but while trying to log in through chilli I get the
following when I do radiusd -X.
Any suggestion is welcome.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.3:2051, id=0, length=197
   User-Name = akim
   User-Password =
\332%\300D\310\373h\345]\237\036\216\242\373\362\001
   NAS-IP-Address = 0.0.0.0
   Service-Type = Login-User
   Framed-IP-Address = 192.168.182.2
   Calling-Station-Id = 00-90-4B-A4-D0-E8
   Called-Station-Id = 00-18-F8-68-09-F5
   NAS-Identifier = hotspot
   Acct-Session-Id = 467fca8f
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 0
   Message-Authenticator = 0x23a39f4c2fabd6436787a53362759cf8
   WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = akim, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
   users: Matched entry DEFAULT at line 153
 modcall[authorize]: module files returns ok for request 0
radius_xlat:  'akim'
rlm_sql (sql): sql_set_user escaped user -- 'akim'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'akim'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,
radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM
radgroupcheck,usergroup WHERE usergroup.Username = 'akim' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'akim'   ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,
radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM
radgroupreply,usergroup WHERE usergroup.Username = 'akim' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
 modcall[authorize]: module sql returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
 modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
 rad_check_password:  Found Auth-Type System
auth: type System
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [akim]: invalid password
 modcall[authenticate]: module unix returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
 WARNING: Unprintable characters in the password. ?  Double-check the
shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.3 port 2051
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 467fb396
Nothing to do.  Sleeping until we see a request.


--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA

Re: users authentication failed

2007-06-25 Thread tnt
1. WARNING: Unprintable characters in the password. ? Double-check the
shared secret on the server and the NAS!
2. You have a DEFAULT entry in the users file setting Auth-Type System.
Comment it out. I assume your password is in the database.

Ivan Kalik
Kalik Informatika ISP


On 25/6/2007, Carl aniams [EMAIL PROTECTED] wrote:

Hi,
I am using FreeRADIUS 1.1.6 with MySQL 4 on Fedora Core 4, with a DD-WRT
v23 with chilli enabled.
I have the users created through the dialupadmin page. Users are
successfully created, but when trying to log in through chilli I get the
following when I run radiusd -X.
Any suggestion is welcome.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.3:2051, id=0, length=197
User-Name = akim
User-Password =
\332%\300D\310\373h\345]\237\036\216\242\373\362\001
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.2
Calling-Station-Id = 00-90-4B-A4-D0-E8
Called-Station-Id = 00-18-F8-68-09-F5
NAS-Identifier = hotspot
Acct-Session-Id = 467fca8f
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x23a39f4c2fabd6436787a53362759cf8
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = akim, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 153
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  'akim'
rlm_sql (sql): sql_set_user escaped user -- 'akim'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'akim'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,
radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM
radgroupcheck,usergroup WHERE usergroup.Username = 'akim' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'akim'   ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,
radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM
radgroupreply,usergroup WHERE usergroup.Username = 'akim' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [akim]: invalid password
  modcall[authenticate]: module unix returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ?  Double-check the
shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.3 port 2051
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 467fb396
Nothing to do.  Sleeping until we see a request.


--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA





Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Andreas Liebe
Alan,

  I do not want to terminate the EAP tunnels for the foreign realms, but I
  have to terminate the local one (@tu-darmstadt.de and NULL) as I have to
  forward the requests to a set of internal radius servers not capable of
  speaking EAP.
 
   Set Proxy-To-Realm := LOCAL for the realms you want to terminate
 locally.  Make sure that this is done before the eap module is run in
 the authorise section.
 
   Then, put the following in the users file to proxy the inner request
 to another realm:
 
 DEFAULT   FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm = oldservers

I already had these rules in the users file. The final hint was to set 

 authhost = LOCAL

in proxy.conf.

Now it works as expected.

Thanks a lot to all who helped, especially to Alan of course!

 -Andreas
-- 
Andreas Liebe/Darmstadt University of Technology/+49 6151 16-3150/3050(FAX)



Re: Re: Problem on freeradius+openldap+tls

2007-06-25 Thread tnt
You are looking in the wrong place. Your problem is not with the server
but with the client (certificate).

Ivan Kalik
Kalik Informatika ISP


On 25/6/2007, Hangjun He [EMAIL PROTECTED] wrote:

When I use ldapsearch -H ldaps://localhost/... I get the correct record.

  debug info:
  connection_get(11): got connid=12
connection_read(11): checking for input on id=12
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=12
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 45 contents:
ber_get_next
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
 dnPrettyNormal: cn=admin,dc=aehve,dc=com
 dnPrettyNormal: cn=admin,dc=aehve,dc=com, 
cn=admin,dc=aehve,dc=comdo_bind: version=3 dn=cn=admin,dc=aehve,dc=com 
method=128
do_bind: v3 bind: cn=admin,dc=aehve,dc=com to 
cn=admin,dc=aehve,dc=comsend_ldap_result: conn=12 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 73 contents:
ber_get_next
do_search
ber_scanf fmt ({mb) ber:
 dnPrettyNormal: cn=hlin,ou=People,dc=aehve,dc=com
 dnPrettyNormal: cn=hlin,ou=People,dc=aehve,dc=com, 
cn=hlin,ou=people,dc=aehve,dc=com
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
= bdb_search
bdb_dn2entry(cn=hlin,ou=people,dc=aehve,dc=com)
search_candidates: base=cn=hlin,ou=people,dc=aehve,dc=com (0x000b) 
scope=2
= bdb_dn2idl(cn=hlin,ou=people,dc=aehve,dc=com)
= bdb_dn2idl: id=1 first=11 last=11
= bdb_presence_candidates (objectClass)
bdb_search_candidates: id=1 first=11 last=11
= send_search_entry: conn 12 dn=cn=hlin,ou=People,dc=aehve,dc=com
ber_flush: 188 bytes to sd 11
= send_search_entry: conn 12 exit.
send_ldap_result: conn=12 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
connection_closing: readying conn=12 sd=11 for close
connection_resched: attempting closing conn=12 sd=11
connection_close: conn=12 sd=11
TLS trace: SSL3 alert write:warning:close notify


  When I use FreeRADIUS on the same host:
  do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=11
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Success)
connection_closing: readying conn=11 sd=11 for close
connection_close: deferring conn=11 sd=11
do_unbind
connection_resched: attempting closing conn=11 sd=11
connection_close: conn=11 sd=11
TLS trace: SSL3 alert write:warning:close notify



Hangjun He [EMAIL PROTECTED] wrote:
  freeradius version 1.1.6
   openldap version 2.3.23
   openssl version  0.9.7g

Hangjun He [EMAIL PROTECTED] wrote:
hi,
FreeRADIUS with OpenLDAP is OK when using cleartext communication.
  Now I want to use TLS.

 openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile 
 /usr/local/etc/openldap/ssl/cacert.pem   shows that the cacert/cert/key are 
 correct.


  But when I use FreeRADIUS with TLS, errors pop up 

Clear text password not available

2007-06-25 Thread Flavio Silvestrone

Hello list,
This is my first time with FreeRADIUS; I tried to find a solution or a
way to solve my problem but I have not found anything.
I get this message in the log of the FreeRADIUS server when a wireless
client tries to establish a PPPoE session.

Auth: Login incorrect (rlm_chap: Clear text password not available):
[flavio/CHAP-Password] (from client Erri port 1511 cli 00:35:00:04:60:99)

The message is clear but I don't know where to fix it.
The configuration is:
- two wireless client with pppoe profile
- one wireless Access Point
- one freeradius server

If I enable the same PPPoE profile (user: flavio, password: flavio) on the
Access Point all works fine; when I disable the profile on the Access Point
and configure the RADIUS client on the Access Point I have the problem.
This is the configuration in the file /etc/raddb/users for the user flavio:

  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-IP-Address = 10.1.1.8,
  Framed-IP-Netmask = 255.255.255.0,
  Framed-Routing = Broadcast-Listen,
#   Framed-Filter-Id = std.ppp,
  Framed-MTU = 1500,
#   Framed-Compression = Van-Jacobsen-TCP-IP

Any idea to find out the problem?
Thanks a lot
Flavio

Re: Clear text password not available

2007-06-25 Thread tnt
This is the configuration on the file /etc/raddb/users for the user flavio
:

   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 10.1.1.8,
   Framed-IP-Netmask = 255.255.255.0,
   Framed-Routing = Broadcast-Listen,
#   Framed-Filter-Id = std.ppp,
   Framed-MTU = 1500,
#   Framed-Compression = Van-Jacobsen-TCP-IP

Any idea to find out the problem?

There is no password here or the name of the user. Post the whole entry
for user flavio.

Ivan Kalik
Kalik Informatika ISP



Re:users authentication failed

2007-06-25 Thread Carl aniams


Carl aniams wrote:
...
 please any suggestion
...
   WARNING: Unprintable characters in the password. ?  Double-check the
 shared secret on the server and the NAS!

What part of that message is unclear?




Be sure that I cross-checked the shared secret on my server and on the NAS
(the AP), yet nothing.
I even changed them, yet nothing.

Alan DeKok.

--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA

Re: Clear text password not available

2007-06-25 Thread Flavio Silvestrone

I'm sorry, here the entry:

flavio Auth-Type := Local, User-Password == flavio
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-IP-Address = 10.1.1.8,
  Framed-IP-Netmask = 255.255.255.0,
  Framed-Routing = Broadcast-Listen,
#   Framed-Filter-Id = std.ppp,
  Framed-MTU = 1500,
#   Framed-Compression = Van-Jacobsen-TCP-IP

thanks

2007/6/25, [EMAIL PROTECTED] [EMAIL PROTECTED]:


This is the configuration on the file /etc/raddb/users for the user
flavio
:

   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 10.1.1.8,
   Framed-IP-Netmask = 255.255.255.0,
   Framed-Routing = Broadcast-Listen,
#   Framed-Filter-Id = std.ppp,
   Framed-MTU = 1500,
#   Framed-Compression = Van-Jacobsen-TCP-IP

Any idea to find out the problem?

There is no password here or the name of the user. Post the whole entry
for user flavio.

Ivan Kalik
Kalik Informatika ISP



Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Arran Cudbard-Bell
Alan DeKok wrote:
 Arran Cudbard-Bell wrote:
 And indeed as the RFC states, the User-Identity needs to be set in the 
 access requests for non-EAP-aware proxies. I suspect FreeRADIUS may 
 count as one of these, as for all intents and purposes it provides no 
 mechanism to proxy arbitrary segments of an EAP conversation on inner 
 identity alone.
 
   I'm not sure why that matters.  the *NAS* sets User-Name in the
 Access-Request.  The proxying server doesn't have to do anything.

Well it needs to be able to read an identity of *some* kind, else how 
would it know where to proxy the packets to?

Just saying it's not technically EAP aware in proxying mode, it doesn't 
matter, just academic discussion :)
 
 Reason why I was asking is because most of the tests on the JRS test 
 website seem to break when you base the reply in FreeRADIUS, on the 
 inner identity as opposed to the outer identity.
 
   The post-auth section is run in the outer identity, so you can
 re-write the reply to be whatever you want.
 
Yes but it still needs to grab various attributes from the SQL database, 
and I thought a different query was run for post-auth ... as in the one 
that logs reply packets ;) ?

Maybe I'll move the defaults stuff to post-auth, as defaults set 
attributes using =, so they can't overwrite anything set earlier in 
authorize, just fill in the blanks.

   Alan DeKok.
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Re: users authentication failed

2007-06-25 Thread Alan DeKok
Carl aniams wrote:
 Be sure that i crossed check the shared secret  on my server and on the
 nas (the AP) yet nothing
 i even changed them yet nothing

  Then either the MD5 libraries are broken, or the shared secret is wrong.

  Alan DeKok.
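As an added illustration of Alan's point (example code, not FreeRADIUS's own): RFC 2865 hides User-Password by XORing it with MD5(secret + Request-Authenticator), so a server configured with a different secret recovers random bytes, which is exactly what the "unprintable characters" warning in the quoted debug output is reporting. The Request-Authenticator, the secret and the password are constructed values; the escaped User-Password line is copied from the quoted radiusd -X output and is parsed back into bytes to show it fails the same check.

```python
import hashlib
import re
import string

# Added example, not FreeRADIUS code: RFC 2865 section 5.2 User-Password hiding.


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS sends: password XORed block-wise with an MD5 keystream."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # b1 = MD5(S + RA), bn = MD5(S + c(n-1)); cn = pn XOR bn
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server recovers; random bytes unless `secret` matches the NAS's."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear, prev = clear + bytes(c ^ k for c, k in zip(block, key)), block
    return clear.rstrip(b"\x00")


def looks_printable(candidate: bytes) -> bool:
    """The server's sanity check in spirit: a real password is printable text."""
    return bool(candidate) and all(b in string.printable.encode() for b in candidate)


def secret_matches(hidden: bytes, authenticator: bytes, secret: bytes) -> bool:
    """True when this configured secret turns the hidden value into printable text."""
    return looks_printable(reveal_user_password(hidden, secret, authenticator))


_ESC = re.compile(r"\\([0-7]{3}|.)")


def unescape_radiusd(text: str) -> bytes:
    """Turn the \\ooo octal escapes radiusd -X prints back into raw bytes."""
    def one(match):
        esc = match.group(1)
        return chr(int(esc, 8)) if len(esc) == 3 else esc
    return _ESC.sub(one, text).encode("latin-1")


# Constructed sample values (the real Request-Authenticator is not in the post).
AUTHENTICATOR = bytes(range(16))
NAS_SECRET = b"testing123"
# The User-Password value as printed in the quoted radiusd -X output.
PAGE_PASSWORD_LINE = r"\332%\300D\310\373h\345]\237\036\216\242\373\362\001"


def demo():
    """Recover a constructed password with the right and with a wrong secret."""
    hidden = hide_user_password(b"willy", NAS_SECRET, AUTHENTICATOR)
    right = reveal_user_password(hidden, NAS_SECRET, AUTHENTICATOR)
    wrong = reveal_user_password(hidden, b"wrong-secret", AUTHENTICATOR)
    return right, wrong


if __name__ == "__main__":
    right, wrong = demo()
    print("right secret ->", right, "printable:", looks_printable(right))
    print("wrong secret ->", wrong, "printable:", looks_printable(wrong))
    raw = unescape_radiusd(PAGE_PASSWORD_LINE)
    print("value from the post ->", raw.hex(), "printable:", looks_printable(raw))
```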


Re: Clear text password not available

2007-06-25 Thread Alan DeKok
Flavio Silvestrone wrote:
 I'm sorry, here the entry:
 
 flavio Auth-Type := Local, User-Password == flavio

  Why?  See the FAQ.

  DO NOT SET Auth-Type. Use Cleartext-Password := flavio.

  Alan DeKok.



Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Alan DeKok
Arran Cudbard-Bell wrote:
   I'm not sure why that matters.  the *NAS* sets User-Name in the
 Access-Request.  The proxying server doesn't have to do anything.
 
 Well it needs to be able to read an identity of *some* kind, else how 
 would it know where to proxy the packets to?

  The NAS doesn't proxy the packets by user name.  It just sends them to
the locally configured RADIUS server.  The NAS doesn't really set the
user name, either.  It just copies it from the EAP packet sent by the
supplicant.

 Yes but it still needs to grab various attributes from the SQL database, 
 and I thought a different query was run for post-auth ... as in the one 
 that logs reply packets ;) ?

  Hmm... that may need fixing.

  Alan DeKok.


Re: Clear text password not available

2007-06-25 Thread tnt
Remove Auth-Type, change password attribute to Cleartext-Password and
operator to := and post the output of radiusd -X.

Ivan Kalik
Kalik Informatika ISP


On 25/6/2007, Flavio Silvestrone [EMAIL PROTECTED] wrote:

I'm sorry, here the entry:

flavio Auth-Type := Local, User-Password == flavio
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 10.1.1.8,
   Framed-IP-Netmask = 255.255.255.0,
   Framed-Routing = Broadcast-Listen,
#   Framed-Filter-Id = std.ppp,
   Framed-MTU = 1500,
#   Framed-Compression = Van-Jacobsen-TCP-IP

thanks

2007/6/25, [EMAIL PROTECTED] [EMAIL PROTECTED]:

 This is the configuration on the file /etc/raddb/users for the user
 flavio
 :
 
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 10.1.1.8,
Framed-IP-Netmask = 255.255.255.0,
Framed-Routing = Broadcast-Listen,
 #   Framed-Filter-Id = std.ppp,
Framed-MTU = 1500,
 #   Framed-Compression = Van-Jacobsen-TCP-IP
 
 Any idea to find out the problem?

 There is no password here or the name of the user. Post the whole entry
 for user flavio.

 Ivan Kalik
 Kalik Informatika ISP







Simultaneous-Use problem.

2007-06-25 Thread Josh Howlett
I have a feeling that the answer is blindingly obvious, but I can't
figure it out...

The 'users' file consists of:

DEFAULT Auth-Type = Accept
Simultaneous-Use := 1

In radiusd.conf I also have:

session {
sql
}

authorize {
radius-user-auth
}

'radius-user-auth' is an rlm_exec instance that invokes a script used to
authenticate users. It works fine, but the 'session' section never gets
processed. Why?

josh.



Virtual servers

2007-06-25 Thread Arran Cudbard-Bell
 
 Yes but it still needs to grab various attributes from the SQL database, 
 and I thought a different query was run for post-auth ... as in the one 
 that logs reply packets ;) ?
 
   Hmm... that may need fixing.
 
   Alan DeKok.

Yes, would be nice, though then you would have to be able to pass 
arguments to modules...
Or create a new section called post-auth-logging ..

Which reminds me, return codes :P ?


Listening on authentication address 139.184.14.180 port 1812 as server 
primary
Listening on accounting address 139.184.14.180 port 1813 as server primary

Ok first bug,
Global clients aren't being copied across to virtual servers, even when 
no clients are specified in the virtual server.

With SQL based and static declarations.

This is with one virtual server, no default server.
-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Re: Clear text password not available

2007-06-25 Thread Flavio Silvestrone

Here is the complete debug output from radiusd -X, thanks:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.36:1024, id=96,
length=152
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 2920
   NAS-Port-Type = Ethernet
   User-Name = flavio
   Calling-Station-Id = 00:15:D6:04:60:82
   Called-Station-Id = internet-test-2.4GH
   NAS-Port-Id = wlan1
   CHAP-Challenge = 0xc690abfe086a6ece658731151fc97728
   CHAP-Password = 0x01e407ca5d5840551e1d6bbf9737f734b9
   NAS-Identifier = FlyBoost
   NAS-IP-Address = 192.168.10.36
 Processing 

XLAT Parsing error.

2007-06-25 Thread Arran Cudbard-Bell
Hi,

Another small xlat parsing error:
alternate values aren't being parsed correctly in xlat strings involving 
modules.

update request {
 Supplicant-Flags = %{sql_clients:SELECT 
EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` WHERE 
master.hw_address = '%{Calling-Station-Id:-null}' LIMIT 0,1:-null}
}

expands to

SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` 
WHERE master.hw_address = '%{Calling-Station-Id:-null}' LIMIT 0,1:-null

when it should expand to

SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` 
WHERE master.hw_address = '%{Calling-Station-Id:-null}' LIMIT 0,1

What would be really cool is if, when one query returned a null string, a 
second query could be executed as an alternate, but I'm not sure how 
hard that would be to do.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
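A simplified model of the nesting rule Arran expects (added example, not FreeRADIUS's xlat code): a `:-alternate` at the top level of a `%{...}` belongs to that xlat, so the module receives its argument without it; a nested `%{Attr:-default}` inside the argument is left for the module to expand itself (the way rlm_sql expands its own query), and the alternate is used when the module returns an empty string. The `sql_clients` stand-in, its `FLAGS_TABLE` and the `lookup_flags` helper are constructed for the example.

```python
import re

# Added model (not FreeRADIUS's xlat code) of how nested %{...:-alt} should split.


def _matching_brace(text, start):
    """Index of the '}' closing a '%{' whose body starts at `start`; nesting-aware."""
    depth, i = 1, start
    while i < len(text):
        if text.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unterminated %{ in xlat string")


def _split_alternate(body):
    """Split 'main:-alt' at the top-level ':-' only; nested xlats keep their own."""
    depth, i = 0, 0
    while i < len(body):
        if body.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if body[i] == "}":
            depth -= 1
        elif depth == 0 and body.startswith(":-", i):
            return body[:i], body[i + 2:]
        i += 1
    return body, None


def _expand_one(body, attrs, modules):
    main, alt = _split_alternate(body)
    if ":" in main:                                  # %{module:argument}
        name, _, arg = main.partition(":")
        func = modules.get(name)
        value = func(arg) if func else ""            # argument handed over unexpanded
    else:                                            # %{Attribute}
        value = attrs.get(main, "")
    if value == "" and alt is not None:
        return expand(alt, attrs, modules)           # the alternate may itself be an xlat
    return value


def expand(template, attrs, modules):
    """Expand every %{...} in `template` against request attributes and module xlats."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 2)
            out.append(_expand_one(template[i + 2:end], attrs, modules))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# Constructed table standing in for the `master` table in Arran's query.
FLAGS_TABLE = {"00-90-4B-A4-D0-E8": "0000001010"}

# Arran's query exactly as he says it should reach the sql module.
EXPECTED_QUERY = ("SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` "
                  "WHERE master.hw_address = '%{Calling-Station-Id:-null}' LIMIT 0,1")
# The right-hand side of his `update request` line.
TEMPLATE = "%{sql_clients:" + EXPECTED_QUERY + ":-null}"


def make_sql_xlat(table, attrs, received):
    """Stand-in for rlm_sql's xlat: expands its own query, then 'runs' it on `table`."""
    def sql_xlat(query):
        received.append(query)                       # raw argument, kept for inspection
        expanded = expand(query, attrs, {})
        match = re.search(r"hw_address = '([^']*)'", expanded)
        return table.get(match.group(1), "") if match else ""
    return sql_xlat


def lookup_flags(attrs):
    """Run the update-request xlat for one request: (value, query the module saw)."""
    received = []
    modules = {"sql_clients": make_sql_xlat(FLAGS_TABLE, attrs, received)}
    return expand(TEMPLATE, attrs, modules), received[0]


if __name__ == "__main__":
    value, query = lookup_flags({"Calling-Station-Id": "00-90-4B-A4-D0-E8"})
    print("module received:", query)
    print("known station ->", value)
    print("no station    ->", lookup_flags({})[0])
```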


Re: Simultaneous-Use problem.

2007-06-25 Thread Kevin Bonner
On Monday 25 June 2007 11:42:08 Josh Howlett wrote:
 I have a feeling that the answer is blindingly obvious, but I can't
 figure it out...

 The 'users' file consists of:

 DEFAULT   Auth-Type = Accept
   Simultaneous-Use := 1

Simultaneous-Use is a check item, not a reply item.

 In radiusd.conf I also have:

 session {
   sql
 }

 authorize {
   radius-user-auth
 }

 'radius-user-auth' is an rlm_exec instance that invokes a script used to
 authenticate users. It works fine, but the 'session' section never gets
 processed. Why?

 josh.

Because Simultaneous-Use is in the wrong place.  Make it a check item and the 
session section should be processed.

Kevin Bonner



Re: Clear text password not available

2007-06-25 Thread Kevin Bonner
On Monday 25 June 2007 10:14:07 Flavio Silvestrone wrote:
 If i enable the same pppoe profile (user: flavio, password: flavio) on the
 Access Point all work fine; When i disable the profile on the Access Point
 and i configure the radius client on the Access Point i have the problem
 This is the configuration on the file /etc/raddb/users for the user
 flavio


Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 10.1.1.8,
Framed-IP-Netmask = 255.255.255.0,
Framed-Routing = Broadcast-Listen,
 #   Framed-Filter-Id = std.ppp,
Framed-MTU = 1500,
 #   Framed-Compression = Van-Jacobsen-TCP-IP

 Any idea to find out the problem?
 Thanks a lot
 Flavio

Can you post the FULL entry that you have in the users file?  What you posted 
lists only reply items, which give us no information related to the problem 
you are having.  What check items do you have?  If you are using a recent 
version of freeradius, you should have the Cleartext-Password as a check 
item.

Have you run the server in debug mode?  If so, there are probably error 
messages in the output which may assist you in resolving your problem.

Kevin Bonner
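An added example (not FreeRADIUS code) tying together the advice in this thread and in the Simultaneous-Use one: in the users file the name line carries check items and the indented lines carry reply items, and rlm_chap can only verify a CHAP-Password when a Cleartext-Password check item exists, because the response is MD5(ident + password + challenge). It parses Flavio's entry as posted and as corrected, lints the mistakes raised above (Auth-Type forced, User-Password ==, a check item among reply items), and verifies a CHAP response against the CHAP-Challenge from Flavio's debug output; the response it checks is computed here, not the one in the post, and the `lint_entry` rules are this example's own.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Operators longest-first so "==" and ":=" are not mistaken for "=".
OPS = (":=", "==", "+=", "!=", ">=", "<=", "=~", "!~", "=", ">", "<")
# Attributes that only make sense as check items (first line of an entry).
CHECK_ONLY = {"Cleartext-Password", "User-Password", "Simultaneous-Use", "Auth-Type"}


@dataclass
class UsersEntry:
    name: str
    check: list = field(default_factory=list)   # (attr, op, value) on the name line
    reply: list = field(default_factory=list)   # (attr, op, value) on indented lines


def _parse_pairs(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    pairs = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        for op in OPS:
            attr, sep, value = item.partition(op)
            if sep:
                pairs.append((attr.strip(), op, value.strip().strip('"')))
                break
        else:
            raise ValueError(f"no operator in {item!r}")
    return pairs


def parse_users(text):
    """Minimal users-file reader: name line = check items, indented lines = reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1].reply.extend(_parse_pairs(line))
        else:
            name, rest = re.match(r"(\S+)\s*(.*)", line).groups()
            entries.append(UsersEntry(name, _parse_pairs(rest)))
    return entries


def lint_entry(entry):
    """Flag the mistakes discussed in the thread (rules are this example's own)."""
    problems = []
    if any(a == "Auth-Type" for a, _, _ in entry.check):
        problems.append("Auth-Type is forced; the FAQ says not to for password auth")
    if any(a == "User-Password" and op == "==" for a, op, _ in entry.check):
        problems.append("User-Password == is legacy; use Cleartext-Password :=")
    for attr, _, _ in entry.reply:
        if attr in CHECK_ONLY:
            problems.append(f"{attr} is a check item but sits among reply items")
    return problems


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(entry, chap_password, chap_challenge):
    """CHAP-Password is ident + 16-byte response; needs the cleartext password."""
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 17 bytes")
    cleartext = next((v for a, op, v in entry.check
                      if a == "Cleartext-Password" and op == ":="), None)
    if cleartext is None:
        raise LookupError("Clear text password not available")  # rlm_chap's complaint
    expected = chap_response(chap_password[0], cleartext.encode(), chap_challenge)
    return hmac.compare_digest(expected, chap_password[1:])


# Flavio's entry as posted, as corrected per Alan, and Josh's DEFAULT entry.
BROKEN_USERS = """\
flavio Auth-Type := Local, User-Password == flavio
\tService-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFramed-IP-Address = 10.1.1.8,
\tFramed-IP-Netmask = 255.255.255.0,
\tFramed-Routing = Broadcast-Listen,
#\tFramed-Filter-Id = std.ppp,
\tFramed-MTU = 1500,
#\tFramed-Compression = Van-Jacobsen-TCP-IP
"""
FIXED_USERS = 'flavio Cleartext-Password := "flavio"\n\tService-Type = Framed-User\n'
JOSH_USERS = "DEFAULT Auth-Type = Accept\n\tSimultaneous-Use := 1\n"
# CHAP-Challenge from Flavio's radiusd -X output; the response is computed below.
CHALLENGE = bytes.fromhex("c690abfe086a6ece658731151fc97728")

if __name__ == "__main__":
    for text in (BROKEN_USERS, FIXED_USERS, JOSH_USERS):
        entry = parse_users(text)[0]
        print(entry.name, "check:", entry.check, "problems:", lint_entry(entry))
    response = b"\x01" + chap_response(1, b"flavio", CHALLENGE)
    print("verifies:", verify_chap(parse_users(FIXED_USERS)[0], response, CHALLENGE))
```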



Re:users authentication failed

2007-06-25 Thread Carl aniams

I used numbers (123456) and it seems to work. Seems??

When I use user: akim, password: willy, everything is all right (redirection,
authentication on RADIUS and response message OK) when browsing the net.

But when I try to use another user (carl, password: aniam, or any of the several
users I created) I get an Access-Reject message
with the following result:

 modcall[authorize]: module pap returns noop for request 24
modcall: leaving group authorize (returns ok) for request 24
 rad_check_password:  Found Auth-Type System
auth: type System
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 24
 modcall[authenticate]: module unix returns notfound for request 24
modcall: leaving group authenticate (returns notfound) for request 24
auth: Failed to validate the user.
Delaying request 24 for 1 seconds
Finished request 24
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.3 port 2051
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 24 ID 0 with timestamp 467fea7b

What might be the fault?
--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA

Re: Clear text password not available

2007-06-25 Thread Flavio Silvestrone

  Can you post the FULL entry that you have in the users file?  What you
posted lists only reply items, which give us no information related to the
problem you are having.  What check items do you have?  If you are using a
recent version of freeradius, you should have the Cleartext-Password as a
check item.

Have you run the server in debug mode?  If so, there are probably error
messages in the output which may assist you in resolving your problem.

Kevin Bonner

-



Hi Kevin,
I can't find what you say as Cleartext-Password as a check item.
The version of radius is freeradius-1.0.1-3.
Here is my users file, thanks a lot:

#
#Please read the documentation file ../doc/processing_users_file,
#or 'man 5 users' (after installing the server) for more information.
#
#This file contains authentication security and configuration
#information for each user.  Accounting requests are NOT processed
#through this file.  Instead, see 'acct_users', in this directory.
#
#The first field is the user's name and can be up to
#253 characters in length.  This is followed (on the same line) with
#the list of authentication requirements for that user.  This can
#include password, comm server name, comm server port number, protocol
#type (perhaps set by the hints file), and huntgroup name (set by
#the huntgroups file).
#
#If you are not sure why a particular reply is being sent by the
#server, then run the server in debugging mode (radiusd -X), and
#you will see which entries in this file are matched.
#
#When an authentication request is received from the comm server,
#these values are tested. Only the first match is used unless the
#Fall-Through variable is set to Yes.
#
#A special user named DEFAULT matches on all usernames.
#You can have several DEFAULT entries. All entries are processed
#in the order they appear in this file. The first entry that
#matches the login-request will stop processing unless you use
#the Fall-Through variable.
#
#If you use the database support to turn this file into a .db or .dbm
#file, the DEFAULT entries _have_ to be at the end of this file and
#you can't have multiple entries for one username.
#
#You don't need to specify a password if you set Auth-Type += System
#on the list of authentication requirements. The RADIUS server
#will then check the system password file.
#
#Indented (with the tab character) lines following the first
#line indicate the configuration values to be passed back to
#the comm server to allow the initiation of a user session.
#This can include things like the PPP configuration values
#or the host to log the user onto.
#
#You can include another `users' file with `$INCLUDE users.other'
#

#
#For a list of RADIUS attributes, and links to their definitions,
#see:
#
#http://www.freeradius.org/rfc/attributes.html
#

#
# Deny access for a specific user.  Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser	Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT	Group == "disabled", Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for steve. Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve	Auth-Type := Local, User-Password == "testing"
#	Service-Type = Framed-User,
#	Framed-Protocol = PPP,
#	Framed-IP-Address = 172.16.3.33,
#	Framed-IP-Netmask = 255.255.255.0,
#	Framed-Routing = Broadcast-Listen,
#	Framed-Filter-Id = "std.ppp",
#	Framed-MTU = 1500,
#	Framed-Compression = Van-Jacobsen-TCP-IP

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"	Auth-Type := Local, User-Password == "hello"
#	Reply-Message = "Hello, %u"

#
# Dial user back and telnet to the default host for that port
#
#Deg	Auth-Type := Local, User-Password == "ge55ged"
#	Service-Type = Callback-Login-User,
#	Login-IP-Host = 0.0.0.0,
#	Callback-Number = "9,5551212",
#	Login-Service = Telnet,
#	Login-TCP-Port = Telnet

#
# Another complete entry. After the user dialbk has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host timeshare1.
#
#dialbk	Auth-Type := Local, User-Password == "callme"
#	Service-Type = Callback-Login-User,
#	Login-IP-Host = timeshare1,
#	Login-Service = PortMaster,
#	Callback-Number = "9,1-800-555-1212"

#
# user 

RE: Simultaneous-Use problem.

2007-06-25 Thread Josh Howlett
 On Monday 25 June 2007 11:42:08 Josh Howlett wrote:
  I have a feeling that the answer is blindingly obvious, but I can't 
  figure it out...
 
  The 'users' file consists of:
 
  DEFAULT	Auth-Type = Accept
  	Simultaneous-Use := 1

 Because Simultaneous-Use is in the wrong place.  Make it a 
 check item and the session section should be processed.

That fixed it. As I thought, blindingly obvious; a case of needing
another pair of eyes...

Thanks, josh.
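A parser for the users file layout that the comments of the users file posted earlier on this page describe (name and check items on the first line, indented reply items, first match wins unless Fall-Through is set), which also flags the Simultaneous-Use placement from this thread. This is an added Python example, not code from the list or from FreeRADIUS; the CHECK_ONLY list and the sample entries are constructed, and reply_for is a deliberate simplification of rlm_files.

```python
"""Parse FreeRADIUS 'users' entries into check items and reply items and
lint them. Added example, not code from the thread or from FreeRADIUS."""
import re

# Attributes that only mean something as check items (constructed list;
# Simultaneous-Use and Auth-Type are the two the thread talks about).
CHECK_ONLY = {"Simultaneous-Use", "Auth-Type", "Autz-Type"}
ITEM_RE = re.compile(
    r'([\w-]+)\s*(:=|==|\+=|!=|=~|!~|>=|<=|=|>|<)\s*("(?:[^"\\]|\\.)*"|[^,]*)')
NAME_RE = re.compile(r'("(?:[^"\\]|\\.)*"|\S+)\s*(.*)')

def parse_items(text):
    """'Attr op value, Attr op value' -> [(attr, op, value), ...]."""
    return [(a, op, v.strip().strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    """First line of an entry: name + check items; indented lines: reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip()[0] in "#$":   # comment or $INCLUDE
            continue
        if raw[0] in " \t":                 # indented: reply items of last entry
            if not entries:
                raise ValueError("reply items before any entry: %r" % raw)
            entries[-1]["reply"] += parse_items(raw)
            continue
        name, rest = NAME_RE.match(raw).groups()
        entries.append({"name": name.strip('"'), "check": parse_items(rest), "reply": []})
    return entries

def lint(entries):
    """(entry name, attribute) for every check-only attribute placed in the reply items."""
    return [(e["name"], a) for e in entries for a, _, _ in e["reply"] if a in CHECK_ONLY]

def reply_for(entries, request):
    """Reply items the file returns for a request dict. Simplified rlm_files:
    only '==' check items are compared (':=' items are settings, not tests),
    and the first matching entry wins unless it has Fall-Through = Yes."""
    reply = []
    for e in entries:
        if e["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if any(op == "==" and request.get(a) != v for a, op, v in e["check"]):
            continue
        reply += [(a, v) for a, _, v in e["reply"] if a != "Fall-Through"]
        if not any(a == "Fall-Through" and v.lower() in ("1", "yes")
                   for a, _, v in e["reply"]):
            break
    return reply

# Constructed sample built from entries posted in the thread: flavio's entry,
# the stock "John Doe" example, and Josh's DEFAULT entry with Simultaneous-Use
# on an indented line, where it is a reply item instead of a check item.
SAMPLE = '''\
flavio\tCleartext-Password := "flavio"
\tService-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFramed-IP-Address = 10.1.1.8
"John Doe"\tAuth-Type := Local, User-Password == "hello"
\tReply-Message = "Hello, %u"
DEFAULT\tAuth-Type = Accept
\tSimultaneous-Use := 1
'''
ENTRIES = parse_users(SAMPLE)
PROBLEMS = lint(ENTRIES)        # [('DEFAULT', 'Simultaneous-Use')]
```

With the indented Simultaneous-Use line, reply_for hands the attribute back to the NAS as a reply item instead of checking it, which is why the session section never ran for Josh.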



RE: Freeradius-Users Digest, Vol 26, Issue 120

2007-06-25 Thread Hugh Messenger
Flavio Silvestrone [EMAIL PROTECTED] said:
 Subject: Re: Clear text password not available
 The version of radius is freeradius-1.0.1-3.

All together now:

Upgrade to 1.1.6

I've kind of lost track of exactly what you are trying to do, but what the
users file seems to be set up to do is to authenticate 'massi' locally in
the users file, and flavio against the UNIX passwd file.  And UNIX is
telling you it doesn't know anything about 'flavio'.

I think.  But definitely upgrade to 1.1.6, regardless!!

   -- hugh




Re: Freeradius-Users Digest, Vol 26, Issue 120

2007-06-25 Thread Arran Cudbard-Bell
Hugh Messenger wrote:
 Flavio Silvestrone [EMAIL PROTECTED] said:
 Subject: Re: Clear text password not available
 The version of radius is freeradius-1.0.1-3.
 
 All together now:
 
 Upgrade to 1.1.6
 

Soon it'll be upgrade to 2.0.0 :)

Ah, debugging people's unlang configurations, what fun that'll be

I have trouble enough debugging my own ...

++? if (%{Called-Station-Id} =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([[:alnum:]]*)?/i)
	expand: %{Called-Station-Id} -> 00-14-C2-B6-7D-32:eduroam
? Evaluating (%{Called-Station-Id} =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([[:alnum:]]*)?/i) -> TRUE
++? if (%{Called-Station-Id} =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([[:alnum:]]*)?/i) -> TRUE
++- entering if (%{Called-Station-Id} =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([[:alnum:]]*)?/i)
	expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0014C2B67D32
	expand: %{7} -> eduroam
+++[request] returns updated
++- if (%{Called-Station-Id} =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([[:alnum:]]*)?/i) returns updated
++? if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
	expand: %{Calling-Station-Id} -> 00-19-E3-0C-CD-58
? Evaluating (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
++? if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
++- entering if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
	expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0019E30CCD58
+++[request] returns updated
++- if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns updated
++? if (!%{NAS-Port-Type}||(%{NAS-Port-Id} =~ /wl[0-9]*/))
	expand: %{NAS-Port-Type} -> Wireless-802.11
? Evaluating Wireless-802.11 -> FALSE
	expand: %{NAS-Port-Id} ->
? Evaluating (%{NAS-Port-Id} =~ /wl[0-9]*/) -> FALSE
++? if (!%{NAS-Port-Type}||(%{NAS-Port-Id} =~ /wl[0-9]*/)) -> FALSE
++? if (%{NAS-IP-Address} == 127.0.0.1)
	expand: %{NAS-IP-Address} -> 139.184.6.42
? Evaluating (%{NAS-IP-Address} == 127.0.0.1) -> FALSE
++? if (%{NAS-IP-Address} == 127.0.0.1) -> FALSE

Muahaha
-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Re: Clear text password not available

2007-06-25 Thread Kevin Bonner
On Monday 25 June 2007 12:45:15 Flavio Silvestrone wrote:
  If you are using a recent version of freeradius, you should have the
...
 The version of radius is freeradius-1.0.1-3.

1.0.1 is not recent.  Use 1.1.6.

 flavio	Cleartext-Password := flavio
 	Service-Type = Framed-User,
 	Framed-Protocol = PPP,
 	Framed-IP-Address = 10.1.1.8,
 	Framed-IP-Netmask = 255.255.255.0,
 	Framed-Routing = Broadcast-Listen,
 #	Framed-Filter-Id = std.ppp,
 	Framed-MTU = 1500,
 #	Framed-Compression = Van-Jacobsen-TCP-IP

Since you're using such an old version of freeradius, you cannot use 
Cleartext-Password here as it was available in 1.1.5 (I think) and later 
versions.  You can use User-Password, but you should upgrade to a newer 
version.

Kevin Bonner



Re: Clear text password not available

2007-06-25 Thread Dennis Skinner
Kevin Bonner wrote:
 On Monday 25 June 2007 12:45:15 Flavio Silvestrone wrote:
 If you are using a recent version of freeradius, you should have the
 ...
 The version of radius is freeradius-1.0.1-3.
 
 1.0.1 is not recent.  Use 1.1.6.
 
 flavio	Cleartext-Password := flavio
 	Service-Type = Framed-User,
 	Framed-Protocol = PPP,
 	Framed-IP-Address = 10.1.1.8,
 	Framed-IP-Netmask = 255.255.255.0,
 	Framed-Routing = Broadcast-Listen,
 #	Framed-Filter-Id = std.ppp,
 	Framed-MTU = 1500,
 #	Framed-Compression = Van-Jacobsen-TCP-IP
 
 Since you're using such an old version of freeradius, you cannot use 
 Cleartext-Password here as it was available in 1.1.5 (I think) and later 
 versions.  You can use User-Password, but you should upgrade to a newer 
 version.

Probably should also get rid of:

DEFAULT	Auth-Type = System
	Fall-Through = 1

Further up in the users file.  It doesn't look like you are trying to use
the /etc/passwd file, which I think is what System is for.

In general, never set Auth-Type.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Assertion failed in conffile.c, line 109,Abort

2007-06-25 Thread Arran Cudbard-Bell

Including separate configuration files in major stanza sub-sections
results in:

Assertion failed in conffile.c, line 109
Abort

	Post-Auth-Type REJECT {

		# * Uniform called station ID + SSID extraction
		# * Uniform calling station ID
		# * Correct NAS Port Type
		# * Rewrite loopback ips
		$INCLUDE ${confdir}/attrrewrite.conf

		# Log rejected attempts to help with debugging
		sql
		attr_filter.access_reject
	}

Does the config parser not check sub-sections for files to be included?

Adding the relevant configuration lines contained in attrrewrite.conf 
does not result in the error.

It's definitely the include statement.

This happens in authorize, post-auth etc ...

Sorry, last bug for today :)
-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Re: Freeradius-Users Digest, Vol 26, Issue 120

2007-06-25 Thread Peter Nixon
On Mon 25 Jun 2007, Arran Cudbard-Bell wrote:
 Soon it'll be upgrade to 2.0.0 :)

 Ah, debugging people's unlang configurations, what fun that'll be

*shudder*

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: users authentication failed

2007-06-25 Thread tnt
There is a DEFAULT entry in your users file setting Auth-Type System (and
you are trying to use something else). Uncomment or delete that entry
and try again.

This is a blind guess. It would help if you would post debug from the
request.

Ivan Kalik
Kalik Informatika ISP





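The debug output Carl posted and the diagnosis above (a DEFAULT entry forcing Auth-Type System sends the request to the unix module, which only knows users in the system password file), as an added Python example that is not part of the thread or of FreeRADIUS. The log sample is constructed from the posted lines for request 24 plus a second, accepted request; the regexes assume the 1.x modcall line format shown on this page.

```python
"""Pull the authentication path for each request out of 'radiusd -X' output.
Added example, not code from the thread or from FreeRADIUS."""
import re
from collections import defaultdict

# modcall lines from a 1.x server; module names may or may not be quoted.
MODCALL_RE = re.compile(
    r'modcall\[(\w+)\]: module "?([\w.-]+)"? returns (\w+) for request (\d+)')
GROUP_RE = re.compile(r'modcall: leaving group (\w+) \(returns (\w+)\) for request (\d+)')
AUTHTYPE_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')

def parse_debug(text):
    """{request id: {"auth_type", "modules": [(section, module, rcode)],
    "groups": {section: rcode}}}. Lines that carry no request id (the
    Auth-Type lookup) are attributed to the request seen last."""
    reqs = defaultdict(lambda: {"auth_type": None, "modules": [], "groups": {}})
    current = None
    for line in text.splitlines():
        m = MODCALL_RE.search(line)
        if m:
            section, module, rcode, current = m.groups()
            reqs[current]["modules"].append((section, module, rcode))
            continue
        m = GROUP_RE.search(line)
        if m:
            section, rcode, current = m.groups()
            reqs[current]["groups"][section] = rcode
            continue
        m = AUTHTYPE_RE.search(line)
        if m and current is not None:
            reqs[current]["auth_type"] = m.group(1)
    return dict(reqs)

def diagnose(req):
    """Explain the authenticate section's verdict the way the thread does."""
    verdict = req["groups"].get("authenticate")
    auth_mods = [(mod, rc) for sec, mod, rc in req["modules"] if sec == "authenticate"]
    if verdict is None:
        return "no authenticate section ran (request was decided in authorize)"
    if verdict == "ok":
        return "accepted: %s returned ok" % ", ".join(m for m, rc in auth_mods if rc == "ok")
    if req["auth_type"] == "System" and ("unix", "notfound") in auth_mods:
        return ("rejected: Auth-Type System sent the request to the unix module, which "
                "did not find the user in the system password file; look for a DEFAULT "
                "entry in the users file that sets Auth-Type := System")
    return "rejected: authenticate returned %s (%s)" % (verdict, auth_mods)

# Constructed log: Carl's lines for request 24 as posted, plus a request 25
# for a user the pap module accepts, so both outcomes are present.
LOG = """\
  modcall[authorize]: module pap returns noop for request 24
modcall: leaving group authorize (returns ok) for request 24
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 24
  modcall[authenticate]: module unix returns notfound for request 24
modcall: leaving group authenticate (returns notfound) for request 24
auth: Failed to validate the user.
  modcall[authorize]: module pap returns updated for request 25
modcall: leaving group authorize (returns updated) for request 25
  rad_check_password:  Found Auth-Type PAP
auth: type PAP
modcall: entering group authenticate for request 25
  modcall[authenticate]: module pap returns ok for request 25
modcall: leaving group authenticate (returns ok) for request 25
"""
REQUESTS = parse_debug(LOG)
```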


FreeRadius 1.1.6 Segmentation Fault with LDAP

2007-06-25 Thread Robert E. Toense
I am attempting to set up FreeRadius 1.1.6 to do PEAP authentication to
an LDAP backend on another server.  PEAP is working just fine to local
Radius passwords.  However, I get a segmentation fault whenever I try to
use LDAP.  Output from radiusd -X follows (sensitive information sanitized).

OpenLDAP 2.3.30 is also installed.  This is a Fedora Core 5 system.

I see no network traffic between the Radius server and the LDAP server.

Any hints?

Robert



rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat:  '(uid=username)'
radius_xlat:  'ou=,dc=,dc=,dc=DDD'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to lappgen.nist.gov:636, authentication 0
Segmentation fault




RE: FreeRadius 1.1.6 Segmentation Fault with LDAP

2007-06-25 Thread Joe Vieira
You need to compile with the ldap deprecated option.
Joe 



Re: FreeRadius 1.1.6 Segmentation Fault with LDAP

2007-06-25 Thread Robert E. Toense
Joe,

This may sound silly, but could you elaborate?  Is this a configure 
option to FreeRadius?  If so, I don't see it.

Thanks,

Robert



Joe Vieira wrote:
 You need to compile with the ldap deprecated option.
 Joe 



RE: FreeRadius 1.1.6 Segmentation Fault with LDAP

2007-06-25 Thread Joe Vieira
It's a compile-time option.  Add -DLDAP_DEPRECATED to your CFLAGS.

So when you compile it (if you're using a spec file to build an RPM, which I am
assuming because you're running FC5) just add that to your CFLAGS; it should
be one of the first few lines in the spec file under the %build section.

You can also set it through the configure script before you compile (if you're not
using an RPM).

I hope that makes it a little more clear, and I hope it helps you; let me know.
Good luck!

I had the EXACT same symptoms, and this solved it for me, so I would try it
before worrying about extensive debugging stuff.
Joe
