Re: Dictionary for Huawei

2007-08-17 Thread nicolaskarp
I have this :

#
#  dictionary.erx
#
#   Unisphere's broadband RAS
#   From Terje Krogdahl [EMAIL PROTECTED]
#
# Version:  $Id: dictionary.erx,v 1.1 2001/04/27 15:16:35 aland Exp $
#

VENDOR      HUAWEI      2011

ATTRIBUTE   hw_Input_Peak_Rate          1   integer   HUAWEI
ATTRIBUTE   hw_Input_Average_Rate       2   integer   HUAWEI
ATTRIBUTE   hw_Input_Basic_Rate         3   integer   HUAWEI
ATTRIBUTE   hw_Output_Peak_Rate         4   integer   HUAWEI
ATTRIBUTE   hw_Output_Average_Rate      5   integer   HUAWEI
ATTRIBUTE   hw_Output_Basic_Rate        6   integer   HUAWEI

ATTRIBUTE   hw_In_KB_Before_T_Switch    7   integer   HUAWEI
ATTRIBUTE   hw_Out_KB_Before_T_Switch   8   integer   HUAWEI
ATTRIBUTE   hw_In_Pkt_Before_T_Switch   9   integer   HUAWEI
ATTRIBUTE   hw_Out_Pkt_Before_T_Switch  10  integer   HUAWEI
ATTRIBUTE   hw_In_KB_After_T_Switch     11  integer   HUAWEI
ATTRIBUTE   hw_Out_KB_After_T_Switch    12  integer   HUAWEI
ATTRIBUTE   hw_In_Pkt_After_T_Switch    13  integer   HUAWEI
ATTRIBUTE   hw_Out_Pkt_After_T_Switch   14  integer   HUAWEI

ATTRIBUTE   hw_Remanent_Volume          15  integer   HUAWEI
ATTRIBUTE   hw_Tariff_Switch_Interval   16  integer   HUAWEI
ATTRIBUTE   hw_ISP_ID                   17  string    HUAWEI
ATTRIBUTE   hw_Max_Users_Per_Logic_port 19  integer   HUAWEI
ATTRIBUTE   hw_Command                  20  integer   HUAWEI
ATTRIBUTE   hw_Priority                 22  integer   HUAWEI
ATTRIBUTE   hw_Control_Identifier       24  integer   HUAWEI
ATTRIBUTE   hw_Connect_ID               26  integer   HUAWEI
ATTRIBUTE   hw_PortalURL                27  string    HUAWEI
ATTRIBUTE   hw_Ftp_Directory            28  string    HUAWEI
ATTRIBUTE   hw_Exec_Privilege           29  integer   HUAWEI
ATTRIBUTE   hw_Group_IP_Address         30  integer   HUAWEI
ATTRIBUTE   hw_Group_IP_Mask            31  integer   HUAWEI
ATTRIBUTE   hw_Acct_Destnation_IP_Addr  39  string    HUAWEI
ATTRIBUTE   hw_Destnation_Volume        40  string    HUAWEI

ATTRIBUTE   hw_Nas_Startup_Timetamp     59  integer   HUAWEI
ATTRIBUTE   hw_IP_Host_Addr             60  string    HUAWEI
ATTRIBUTE   hw_User_Notify              61  string    HUAWEI

ATTRIBUTE   hw_Multicast_Source_Group   97  string    HUAWEI
ATTRIBUTE   hw_Multicast_Recieve_Group  98  integer   HUAWEI
ATTRIBUTE   hw_User_Multicast_Type      99  integer   HUAWEI


ATTRIBUTE   HW_SEVICE_CHG_CMD           105 integer   HUAWEI
ATTRIBUTE   HW_ACCT_PACKET_TYPE         106 integer   HUAWEI
ATTRIBUTE   HW_CALL_REFERENCE           107 integer   HUAWEI
ATTRIBUTE   HW_PSTN_PORT                108 integer   HUAWEI
ATTRIBUTE   HW_VOIP_SERVICE_TYPE        109 integer   HUAWEI
ATTRIBUTE   HW_ACCT_CONNECTION_TIME     110 integer   HUAWEI
ATTRIBUTE   HW_ERROR_REASON             112 integer   HUAWEI
ATTRIBUTE   HW_REMAIN_MONEY             113 integer   HUAWEI
ATTRIBUTE   HW_REMAIN_TIME              128 integer   HUAWEI
ATTRIBUTE   HW_ORG_GK_ADDRESS           123 integer   HUAWEI
ATTRIBUTE   HW_ORG_GW_ADDRESS           124 integer   HUAWEI
ATTRIBUTE   HW_DST_GK_ADDRESS           125 integer   HUAWEI
ATTRIBUTE   HW_DST_GW_ADDRESS           126 integer   HUAWEI
ATTRIBUTE   HW_ACCESS_NUM               127 string    HUAWEI
ATTRIBUTE   HW_CODEC_TYPE               131 integer   HUAWEI
ATTRIBUTE   HW_TRANSFER_NUM             132 string    HUAWEI
ATTRIBUTE   HW_NEW_USER_NAME            133 string    HUAWEI
ATTRIBUTE   HW_ONLY_ACCOUNT_TYPE        137 integer   HUAWEI
ATTRIBUTE   HW_DOMAIN_NAME              138 string    HUAWEI

ATTRIBUTE   hw_Version                  254 string    HUAWEI
ATTRIBUTE   hw_Product_ID               255 string    HUAWEI


It reveals some differences.

Selon Pshem Kowalczyk [EMAIL PROTECTED]:

 Hi,

 I've noticed that there is no dictionary for Huawei in the source. Can
 you please add this one:

 #
 # dictionary.huawei
 #
 VENDOR  Huawei  2011
 #
 #   Huawei Attributes

 ATTRIBUTE   Huawei-Input-ATTRIB_UNUSED  1   integer Huawei
 ATTRIBUTE   Huawei-Input-Average-Rate   2   integer Huawei
 ATTRIBUTE   Huawei-Input-Peak-Rate  3   integer Huawei
 ATTRIBUTE   Huawei-Output-ATTRIB_UNUSED 4   integer Huawei
 ATTRIBUTE   Huawei-Output-Average-Rate  5   integer Huawei
 ATTRIBUTE   Huawei-Output-Peak-Rate 6   integer Huawei
 ATTRIBUTE   Huawei-In-Kb-Before-T-Switch   7   integer Huawei
 ATTRIBUTE   Huawei-Out-Kb-Before-T-Switch   8   integer Huawei
 ATTRIBUTE   Huawei-In-Pkt-Before-T-Switch   9   integer Huawei
 ATTRIBUTE   


RE: Ipsec EAP_TLS

2007-08-17 Thread Josh Howlett
 Does the current implementation of FreeRADIUS provide the
 capability that these keys can be securely transferred to
 the VPN gateway?

No.

josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dictionary for Huawei

2007-08-17 Thread Pshem Kowalczyk
It looks like it might be device (or even worse OS version) dependent.
We use it with ME60E.
In most of the cases it looks like just a different naming
convention. I got ours from rewriting the Merit RADIUS one.

kind regards
Pshem
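To tell "just a different naming convention" from a real disagreement, here is an added Python example (not code from the list or from the FreeRADIUS project) that parses the VENDOR/ATTRIBUTE lines of the two dictionaries quoted above and reports attribute numbers whose names still differ after the vendor prefix and separators are normalised. The excerpts are copied from the posts with only the whitespace restored; the normalisation rule and compare_dictionaries() are this example's own. A number that decodes as Basic_Rate on one side and Peak-Rate on the other is the kind of mismatch that silently changes what a VSA means to the NAS.

```python
import re

# Excerpts copied from the two dictionaries quoted above (first attributes
# of each); only the whitespace has been normalised.
DICT_ERX = """\
VENDOR      HUAWEI      2011
ATTRIBUTE   hw_Input_Peak_Rate          1   integer   HUAWEI
ATTRIBUTE   hw_Input_Average_Rate       2   integer   HUAWEI
ATTRIBUTE   hw_Input_Basic_Rate         3   integer   HUAWEI
ATTRIBUTE   hw_Output_Peak_Rate         4   integer   HUAWEI
ATTRIBUTE   hw_Output_Average_Rate      5   integer   HUAWEI
ATTRIBUTE   hw_Output_Basic_Rate        6   integer   HUAWEI
ATTRIBUTE   hw_In_KB_Before_T_Switch    7   integer   HUAWEI
ATTRIBUTE   hw_Out_KB_Before_T_Switch   8   integer   HUAWEI
ATTRIBUTE   hw_In_Pkt_Before_T_Switch   9   integer   HUAWEI
ATTRIBUTE   hw_Out_Pkt_Before_T_Switch  10  integer   HUAWEI
"""

DICT_HUAWEI = """\
# dictionary.huawei
VENDOR      Huawei      2011
ATTRIBUTE   Huawei-Input-ATTRIB_UNUSED      1   integer Huawei
ATTRIBUTE   Huawei-Input-Average-Rate       2   integer Huawei
ATTRIBUTE   Huawei-Input-Peak-Rate          3   integer Huawei
ATTRIBUTE   Huawei-Output-ATTRIB_UNUSED     4   integer Huawei
ATTRIBUTE   Huawei-Output-Average-Rate      5   integer Huawei
ATTRIBUTE   Huawei-Output-Peak-Rate         6   integer Huawei
ATTRIBUTE   Huawei-In-Kb-Before-T-Switch    7   integer Huawei
ATTRIBUTE   Huawei-Out-Kb-Before-T-Switch   8   integer Huawei
ATTRIBUTE   Huawei-In-Pkt-Before-T-Switch   9   integer Huawei
"""


def parse_dictionary(text):
    """Parse the VENDOR and ATTRIBUTE lines of a single-vendor FreeRADIUS
    dictionary.  Returns (vendors, attrs): vendors maps name -> vendor id,
    attrs maps attribute number -> (name, type, vendor).  Any other line is
    rejected, which is also how a tab-mangled paste shows up."""
    vendors, attrs = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "VENDOR" and len(fields) == 3:
            vendors[fields[1]] = int(fields[2])
        elif fields[0] == "ATTRIBUTE" and len(fields) in (4, 5):
            name, number, attr_type = fields[1], int(fields[2]), fields[3]
            vendor = fields[4] if len(fields) == 5 else None
            if vendor is not None and vendor not in vendors:
                raise ValueError(f"{name} references undefined vendor {vendor}")
            if number in attrs:
                raise ValueError(f"duplicate attribute number {number}")
            attrs[number] = (name, attr_type, vendor)
        else:
            raise ValueError(f"unrecognised dictionary line: {raw!r}")
    return vendors, attrs


def canonical(name):
    """Strip the vendor prefix and separators so 'hw_Input_Peak_Rate' and
    'Huawei-Input-Peak-Rate' compare equal (this example's own rule)."""
    n = name.lower()
    for prefix in ("huawei-", "huawei_", "hw-", "hw_"):
        if n.startswith(prefix):
            n = n[len(prefix):]
            break
    return re.sub(r"[-_]", "", n)


def compare_dictionaries(text_a, text_b):
    """Return (conflicts, only_a, only_b).  conflicts maps a number present in
    both files to ((name_a, type_a), (name_b, type_b)) whenever the canonical
    name or the data type differs; only_a/only_b list numbers in one file."""
    vendors_a, a = parse_dictionary(text_a)
    vendors_b, b = parse_dictionary(text_b)
    if set(vendors_a.values()) != set(vendors_b.values()):
        raise ValueError("the two files describe different vendor ids")
    conflicts = {}
    for number in sorted(a.keys() & b.keys()):
        (name_a, type_a, _), (name_b, type_b, _) = a[number], b[number]
        if canonical(name_a) != canonical(name_b) or type_a != type_b:
            conflicts[number] = ((name_a, type_a), (name_b, type_b))
    return conflicts, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


if __name__ == "__main__":
    conflicts, only_a, only_b = compare_dictionaries(DICT_ERX, DICT_HUAWEI)
    for number, (left, right) in conflicts.items():
        print(f"attribute {number}: {left[0]} ({left[1]}) vs {right[0]} ({right[1]})")
    print("only in first:", only_a, " only in second:", only_b)
```

On these excerpts the numbers 2, 5, 7, 8 and 9 differ only in naming, while 1, 3, 4 and 6 disagree about which rate the attribute carries.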


strange crash with freeradius 1.1.2 on startup

2007-08-17 Thread Guillaume Rousse
Hello.

I'm a Mandriva package maintainer, and I'm trying to solve a strange
issue with our freeradius package. On Mandriva 2007.1, the server
crashes immediately after forking (SIGPIPE error), whereas it works OK
with the -x debug flag. The same package, built on Mandriva 2007.0, works OK
as well.

A bug report is available at
http://qa.mandriva.com/show_bug.cgi?id=32597, with traces of both cases.

I initially thought of some kind of bogus autoconf detection of the build
environment, due to the lack of commands such as setsid in the wrong trace,
and the use of conditional build directives in the code. However,
comparing autoconf.h in both build trees doesn't show any sensible hint
(in particular, HAVE_SETSID is set even for the non-working case,
whereas it doesn't appear in the trace). Comparing build commands
doesn't either (the only difference being the -mpentiumpro versus -mgeneric gcc flag).
Using ldd on the radiusd binary doesn't show any sensible difference either.

Freeradius 1.1.6 and 1.1.7 work perfectly on the current Mandriva
development version; however, I'd prefer to fix the issue on the stable
release without changing version if possible.

Any hint welcome.

-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


what is use of LDAP option!!!!

2007-08-17 Thread shantanu choudhary
Well, I want to use a database in place of the users file.
Now as I see it, one option is using MySQL or using LDAP. Unfortunately I am biased
towards LDAP as I have already created my database in it. Now, as the radiusd file
says:
 However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#
#  This means that LDAP servers don't understand EAP.  If you
#  force Auth-Type = LDAP, and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.
#
#  The solution is to use the default configuration, which does
#  work.
#
#  Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG.  We
#  really can't emphasize this enough.
#  this is changed configuration!!! 
Right now in the authentication block I can't run this server if I remove this
Auth-Type, and your authentication block says:
Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the apropriate module from the list below.

And my problem starts here: this RADIUS server will come into the picture only when
I enable WPA in my AP, and when I enable this I can't send User-Password in clear
text to the server, but my server which is configured for LDAP won't understand that.
THEN WHY DO WE HAVE THIS OPTION???

Again, even on the client side, if you use WPA you have to mention the EAP type; for
Windows we don't have more than two options available, PEAP and TTLS, not even MD5
and all, so if they are configured for WPA they won't send the password in clear text,
so then how will my server authenticate it using LDAP...

I am really confused by all this; it is not working out for me. Should
I take MySQL for this thing?
My username and password list is big and I just want to use a database for
this connection. Now can anyone help me out!!!
Thanks for taking the pain.

Regards,
Shantanu

   

Re: strange crash with freeradius 1.1.2 on startup

2007-08-17 Thread A . L . M . Buxey
Hi,
 Hello.
 
 I'm a mandriva package maintainer, and I'm trying to solve a strange

1.1.7


alan


Re: healthcheck?

2007-08-17 Thread Nicolas Baradakis
Kevin J wrote:

 We want to reject SLB health checks immediately.  What is the best
 way to do that?  I tried to add healthcheck Auth := Reject but it
 still goes through all authorization/authentication modules.  Is there
 any way that we can immediately reject it so we can make it lighter?

Please no HTML to the list.

You might set Autz-Type in the users files to run different modules.
See http://freeradius.org/radiusd/doc/Autz-Type

-- 
Nicolas Baradakis



Problem with freeradius 2.0 pre1 and realms

2007-08-17 Thread Christian Frank
Hi Guys,

I'm trying to use freeradius with peap+mschapv2+ldap+realms.

If I don't use realms, everything works fine.
But the problem is that I need to strip off the domain part of the username,
because Windows sends TEST\cfra.

But I have only cfra in my LDAP.

So I did the following:

radius.conf:

realm ntdomain {
format = prefix
delimiter = \\
}   


and enabled ntdomain under authorisation .

My proxy.conf:

realm test {
type= radius
authhost= LOCAL
accthost= LOCAL
}


But when I want to log in, it does not work.
It seems like the domain is stripped off correctly for authorisation, but not for
authentication.

But what could be wrong?

Here is the output of radius:


Config:   including file: ../etc/raddb//radiusd.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/proxy.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/clients.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/snmp.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/eap.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/sql.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/sql/mysql-dialup.conf
FreeRADIUS Version 2.0.0-pre1, for host i686-pc-linux-gnu, built on Aug 16 2007 
at 13:45:55
Starting - reading configuration files ...
read_config_files:  reading dictionary
main {
prefix = /usr/local/freeradius2
localstatedir = /usr/local/freeradius2/var
logdir = /usr/local/freeradius2/var/log/radius
libdir = /usr/local/freeradius2/lib
radacctdir = /usr/local/freeradius2/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
log_stripped_names = no
log_file = /usr/local/freeradius2/var/log/radius/radius.log
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
pidfile = /usr/local/freeradius2/var/run/radiusd/radiusd.pid
user = radiusd
group = radiusd
checkrad = /usr/local/freeradius2/sbin/checkrad
debug_level = 0
proxy_requests = yes
  log {
syslog_facility = daemon
  }
  proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
  }
  security {
max_attributes = 200
reject_delay = 1
status_server = yes
  }
}
  home_server localhost {
ipaddr = 127.0.0.1 IP address [127.0.0.1]
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
  }
  server_pool my_auth_failover {
type = my_auth_failover
home_server = localhost
  }
  realm example.com {
auth_pool = my_auth_failover
  }
  realm LOCAL {
ldflag = fail_over
  }
  realm test {
ldflag = fail_over
  }
port = 1812
  listen {
type = auth
ipaddr = *
port = 0
  }
  listen {
type = acct
ipaddr = *
port = 0
  }
  client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
  }
  client 150.150.40.0/16 {
secret = ciscotest1
shortname = private-network-1
nastype = cisco
  }
radiusd:  entering modules setup
radiusd: Library search path is /usr/local/freeradius2/lib
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating exec
   exec {
wait = yes
input_pairs = request
shell_escape = yes
   }
rlm_exec: wait=yes but no output defined. Did you mean output=none?
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  Module: Linked to module rlm_expiration
  Module: Instantiating expiration
   expiration {
reply-message = Password Has Expired  
   }
  Module: Linked to module rlm_logintime
  Module: Instantiating logintime
   logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
   }
  }
  modules {
  Module: Instantiating section authenticate
  Module: Linked to module rlm_pap
  Module: Instantiating pap
   pap {
encryption_scheme = auto
auto_header = no
   }
  Module: Linked to module rlm_chap
  Module: Instantiating chap
  Module: Linked to module rlm_mschap
  Module: Instantiating mschap
   mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
   }
  Module: Linked to module rlm_unix
  Module: Instantiating unix
   unix {
radwtmp = 

Re: what is use of LDAP option!!!!

2007-08-17 Thread Alan DeKok
shantanu choudhary wrote:
 well i want to use database in place of user file.
 now as i see one option is using mysql or using LDAP. Unfortunately i am
 biased towards LDAP as i have already created my database in it.

  That's fine.

 and my problem starts here this radius server will come into picture
 only when i enable WPA in my AP and when i enable this i cant send
 user-password in clear text to server, but my sever which is configured
 for LDAP wont understand that THEN WHY WE HAVE THIS OPTION???

  I don't think you're understanding it.

 again even on client side if you use wpa you have to mention eap type,
 for windows we dont have more then two options available PEAP and TTLS
 not even md5 and all so if they are configured for wpa they wont send
 password in clear text then also how will my server authenticate it
 using LDAP...

  http://deployingradius.com/documents/protocols/oracles.html

  LDAP is a database.  It is NOT an authentication server.  FreeRADIUS
is an authentication server.

 my username and password has a big list and i just want to use database
 for this connection now can anyone help me out!!!

  You can use a database.  FreeRADIUS takes the clear-text password from
the database, and authenticates the user.

  All of the documentation you're reading is correct.

  Alan DeKok.
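Alan's distinction between a database and an authentication server can be made concrete with what MS-CHAPv2 needs from the user store. This added Python example (not from the post or from rlm_mschap) derives the NT hash, MD4 over the UTF-16LE password, from a clear-text password such as one read out of LDAP; a directory that only permits an LDAP bind never hands back this value, so there is nothing to check an MS-CHAPv2 response against, which is why Auth-Type = LDAP cannot serve PEAP clients. MD4 is implemented inline because hashlib's md4 is often disabled in OpenSSL 3 builds; nt_hash_for_user() and its record keys are this example's own assumptions.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), written out because hashlib's 'md4'
    frequently raises ValueError on OpenSSL 3 builds."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)            # length in bits, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(16):                        # round 1: F, words in order
            a = _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                        # round 2: G, words 0,4,8,12,1,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):                        # round 3: H, words 0,8,4,12,2,...
            a = _rotl((a + hh(b, c, d) + x[order[i]] + 0x6ED9EBA1) & _MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash() of RFC 2759: MD4 over the UTF-16LE clear-text
    password.  This, not an LDAP bind result, is what an MS-CHAPv2
    response is verified against."""
    return md4(password.encode("utf-16-le"))


def nt_hash_for_user(record: dict):
    """Pick the hash the server can verify with, from a constructed user
    record: a stored NT hash (hex) if present, else one derived from the
    clear-text password.  A record that offers only a bind yields None."""
    if "NT-Password" in record:
        return bytes.fromhex(record["NT-Password"])
    if "Cleartext-Password" in record:
        return nt_password_hash(record["Cleartext-Password"])
    return None


if __name__ == "__main__":
    # Constructed records standing in for what a directory might return.
    print(nt_hash_for_user({"Cleartext-Password": "password"}).hex())
    print(nt_hash_for_user({"bind-only": True}))
```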


Re: strange crash with freeradius 1.1.2 on startup

2007-08-17 Thread Guillaume Rousse
[EMAIL PROTECTED] wrote:
 Hi,
 Hello.

 I'm a mandriva package maintainer, and I'm trying to solve a strange
 
 1.1.7
As stated in my initial message, I have to fix the issue without
changing version (standard distribution bugfix policy), meaning
backporting the fix eventually.
-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Re: strange crash with freeradius 1.1.2 on startup

2007-08-17 Thread Alan DeKok
Guillaume Rousse wrote:
 1.1.7
 As stated in my initial message, I have to fix the issue without
 changing version (standard distribution bugfix policy). Meaning
 backporting fix eventually.

  If you stick with 1.1.2, there's a whack of other fixes you MUST
back-port:

http://freeradius.org/security.html

  It's likely easier to upgrade.

  Alan DeKok.


Re: Problem with freeradius 2.0 pre1 and realms

2007-08-17 Thread A . L . M . Buxey
hi,

you are using the Stripped-User-Name and/or the User-Name.

however, the method you are attempting to use goes through the
MSCHAP module...so you want to look at using mschap:User-Name
attribute. or use unlang to regexp the domain. have you also
got with_ntdomain_hack = yes  ?

alan


Re: freeradius + ad

2007-08-17 Thread Alexsander
Hi Joe,
see this:
s8860ru01:/etc# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
--username=dadfh9
password:
[2007/08/17 07:35:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
  lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
NT_STATUS_OK: Success (0x0)
s8860ru01:/etc#

Doesn't this mean that ntlm_auth is working?

On 8/16/07, Joe Vieira [EMAIL PROTECTED] wrote:
 Exec-Program output: Logon failure (0xc06d)
 Exec-Program-Wait: plaintext: Logon failure (0xc06d)
 Exec-Program: returned: 1
   rlm_mschap: External script failed.


 those are prolly the lines of interest,  your ntlm_auth is failing.  try
 it via the command line, once you get it working via the command line
 you'll have a MUCH better chance of it working in freeradius.

 hints are kinit - get that working also get wbinfo -u listing your
 domain users

 Joe Vieira
 UNIX Systems Administrator
 Clark University




-- 
Alexsander A. Rodrigues

If you had to identify, in one word, the reason why the human race has
not yet reached (and never will reach) its full potential, that word
would be MEETINGS.
L.F.V.

http://counter.li.org/cgi-bin/runscript/display-person.cgi?user=413267



Re: freeradius + ad

2007-08-17 Thread A . L . M . Buxey
Hi,
 hi joe,
 see this:
 s8860ru01:/etc# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
 --username=dadfh9
 password:
 [2007/08/17 07:35:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
   lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
 NT_STATUS_OK: Success (0x0)
 s8860ru01:/etc#
 
 Doesn't this mean that ntlm_auth is working?

yes - when used with those commands.

 
 On 8/16/07, Joe Vieira [EMAIL PROTECTED] wrote:
  Exec-Program output: Logon failure (0xc06d)
  Exec-Program-Wait: plaintext: Logon failure (0xc06d)
  Exec-Program: returned: 1
rlm_mschap: External script failed.

this shows a login failure with ntlm_auth.  check out the debug to see why.
it could be that the username or domain is being passed incorrectly

alan


Re: freeradius + ad

2007-08-17 Thread Alexsander
Thanks Alan!
Is there some way to force the log to show me what parameters it is passing
to the ntlm_auth binary?



On 8/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Hi,
  hi joe,
  see this:
  s8860ru01:/etc# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
  --username=dadfh9
  password:
  [2007/08/17 07:35:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
  NT_STATUS_OK: Success (0x0)
  s8860ru01:/etc#
 
  Doesn't this mean that ntlm_auth is working?

 yes - when used with those commands.

 
  On 8/16/07, Joe Vieira [EMAIL PROTECTED] wrote:
   Exec-Program output: Logon failure (0xc06d)
   Exec-Program-Wait: plaintext: Logon failure (0xc06d)
   Exec-Program: returned: 1
 rlm_mschap: External script failed.

 this shows a login failure with ntlm_auth.  check out the debug to see why.
 it could be that the username or domain is being passed incorrectly

 alan






Re: freeradius + ad

2007-08-17 Thread Alexsander
Hi Alan,
when I captured the log I was using radiusd -X -A -y -z > output.log

Another thing:
I captured some pieces of the output log:
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Domain'
radius_xlat:  '--domain=REFAP'
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat:  '--username=dadfh9'
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
 mschap2: c6
radius_xlat:  '--challenge=8fd10da49268b4b6'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
radius_xlat:  '--nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1'

and did another test:


s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
--username=dadfh9 --challenge=8fd10da49268b4b6
--nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1
Logon failure (0xc06d)   <- logon error again
s8860ru01:/tmp#
s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
--username=dadfh9
password:
[2007/08/17 14:47:06, 10] intl/lang_tdb.c:lang_tdb_init(138)
  lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
NT_STATUS_OK: Success (0x0)
s8860ru01:/tmp#


It's like a wrong response or challenge or some kind of hash.
PS: in output.log I saw these lines:
mschap: with_ntdomain_hack = yes
mschapv2: with_ntdomain_hack = no   <- must this be yes or no?
preprocess: with_ntdomain_hack = no



On 8/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 hi,

 Last time I checked, I'm sure it's printed in full debug mode:

  radiusd -X


 alan




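Alan's two suggestions, with_ntdomain_hack in the realms thread above and "the username or domain is being passed incorrectly" here, come down to one computation, shown in this added Python example (not code from the list or from rlm_mschap): the RFC 2759 ChallengeHash that becomes ntlm_auth's --challenge= argument covers the user name, so a server that hashes REFAP\dadfh9 while the client hashed dadfh9 produces a challenge the client's NT-Response was never computed for. The challenge bytes are constructed because the thread's real ones are not shown; diagnose_challenge() is this example's own helper, and the response step itself (DES keyed from the NT hash) is not repeated here.

```python
import hashlib


def strip_ntdomain(user_name: str) -> str:
    """What with_ntdomain_hack does to User-Name: drop everything up to and
    including the first backslash, so 'REFAP\\dadfh9' becomes 'dadfh9'."""
    _, sep, bare = user_name.partition("\\")
    return bare if sep else user_name


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                            user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA1(PeerChallenge ||
    AuthenticatorChallenge || UserName).  rlm_mschap hands this value to
    ntlm_auth as --challenge=; the client computes it over the name it
    logged in with, which Windows clients hash without the DOMAIN\\ prefix
    they put in User-Name."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes")
    digest = hashlib.sha1(peer_challenge + auth_challenge
                          + user_name.encode("utf-8")).digest()
    return digest[:8]


def diagnose_challenge(logged_challenge_hex: str, peer_challenge: bytes,
                       auth_challenge: bytes, user_name: str):
    """Compare the --challenge= value seen in 'radiusd -X' output with the
    hash over the bare and the DOMAIN\\user forms of User-Name.  Returns
    'bare' (prefix was stripped before hashing), 'with-domain' (the server
    hashed a name the client never used) or None (neither matches, so look
    at the challenges themselves)."""
    wanted = bytes.fromhex(logged_challenge_hex)
    forms = {"bare": strip_ntdomain(user_name), "with-domain": user_name}
    for label, name in forms.items():
        if mschapv2_challenge_hash(peer_challenge, auth_challenge, name) == wanted:
            return label
    return None


# Constructed sample values; the real challenges are not in the thread.
PEER_CHALLENGE = bytes(range(0x10, 0x20))
AUTH_CHALLENGE = bytes(range(0xA0, 0xB0))
USER_NAME = "REFAP\\dadfh9"

if __name__ == "__main__":
    # A client that logged in as 'dadfh9' hashes the bare name ...
    client_side = mschapv2_challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, "dadfh9")
    # ... so a server hashing 'REFAP\dadfh9' passes a different --challenge=.
    server_side = mschapv2_challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, USER_NAME)
    print("client challenge :", client_side.hex())
    print("server (no hack) :", server_side.hex())
    print("diagnosis        :", diagnose_challenge(client_side.hex(),
                                                   PEER_CHALLENGE, AUTH_CHALLENGE,
                                                   USER_NAME))
```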


Re: freeradius + ad

2007-08-17 Thread Alexsander
Hi Alan,
enabling log_goodpass and log_badpass I got these lines:

  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
Login incorrect (rlm_mschap: Logon failure (0xc06d)):
[REFAP\\dadfh9/no User-Password attribute] (from client localhost
port 0)

Does this mean that ntlm_auth isn't receiving the password parameter??


On 8/17/07, Alexsander [EMAIL PROTECTED] wrote:
 Hi Alan,
 when I captured the log I was using radiusd -X -A -y -z > output.log

 another thing:
 I capture some pieces of output log:
 radius_xlat: Running registered xlat function of module mschap for
 string 'NT-Domain'
 radius_xlat:  '--domain=REFAP'
 radius_xlat: Running registered xlat function of module mschap for
 string 'User-Name'
 radius_xlat:  '--username=dadfh9'
 radius_xlat: Running registered xlat function of module mschap for
 string 'Challenge'
  mschap2: c6
 radius_xlat:  '--challenge=8fd10da49268b4b6'
 radius_xlat: Running registered xlat function of module mschap for
 string 'NT-Response'
 radius_xlat:  '--nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1'

 and did another test:


 s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
 --username=dadfh9 --challenge=8fd10da49268b4b6
 --nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1
 Logon failure (0xc06d)   <- logon error again
 s8860ru01:/tmp#
 s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
 --username=dadfh9
 password:
 [2007/08/17 14:47:06, 10] intl/lang_tdb.c:lang_tdb_init(138)
   lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
 NT_STATUS_OK: Success (0x0)
 s8860ru01:/tmp#


 It's like a wrong response or challenge or some kind of hash.
 PS: in output.log I saw these lines:
 mschap: with_ntdomain_hack = yes
 mschapv2: with_ntdomain_hack = no   <- must this be yes or no?
 preprocess: with_ntdomain_hack = no



 On 8/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  hi,
 
  Last time I checked, I'm sure it's printed in full debug mode:
 
   radiusd -X
 
 
  alan
 








Re: freeradius + ad

2007-08-17 Thread Alan DeKok
Alexsander wrote:
 hi alan,
 enabling log_goodpass and log_badpass I took this lines:
 
   rlm_mschap: External script failed.

  And right before that in the log it shows you WHAT script it's
running, and WHY it failed.

  If you want to solve the problem, don't delete every piece of useful
information from the logs you post to the list.

  The debug output shows you the ntlm_auth command that the server is
running.  Since it works when you run it from the command line, the
obvious next step is to _compare_ the two.  Then, if there are
differences, make the BROKEN one more like the WORKING one.

  Alan DeKok.