eap/ttls with windows XP and Linux
I'm trying to implement EAP/TTLS. With Windows XP it works well, but I haven't set "verify server certificate". Is that correct? If yes, why not set "verify server certificate"? And with xsupplicant on Linux (Ubuntu), on wired I always receive this message: No configuration information for network ( null ) found. using default. Then: successfully authenticate eth0. I have run /sbin/ifconfig eth0 up but it doesn't work. Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Simultaneous-Use and PEAP doesn't work correctly.
Hi,

I've configured Simultaneous-Use on my freeradius server and have it configured to use PEAP as an authentication method. Users can authenticate perfectly well, however when the Simultaneous-Use limit is exceeded, it only half works. The user is not allowed on, the PEAP message is set to FAILURE, but no Access-Reject is ever sent. I have also tried with md5 authentication and it works as expected. Unfortunately, md5 authentication is not an option. What I really need is for that Reject to be sent back after the user logs on too many times.

I've attached the radiusd -X output (radius.out chopped to the end), radiusd.conf, eap.conf, and users file. Any help would be greatly appreciated as I've been searching the web for two full days now with no luck.

Thank you,
-Tyler

Attachments: eap.conf, radius.out, radiusd.conf, users
Re: EAP+MD5+SQL trouble
Here is the debug output. When I run the server I get:

# ./radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 16214
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = yes
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port =
 sql: login = root
 sql: password = watchdog
 sql: radius_db = radius
 sql: nas_table = nas
 sql: sqltrace = yes
 sql: sqltracefile = /usr/local/var/log/radius/sqltrace.sql
 sql: readclients = yes
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile =
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_reply_query = SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
 sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'
 sql: accounting_update_query = UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', AcctOutputOctets = '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'
 sql: accounting_update_query_alt = INSERT INTO radacct (AcctSessionId,AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic,ConnectInfo_start,
Re: Simultaneous-Use and PEAP doesn't work correctly.
Marcotte, Tyler wrote:
I've configured Simultaneous-Use on my freeradius server and have it configured to use PEAP as an authentication method. Users can authenticate perfectly well, however when the Simultaneous-Use limit is exceeded, it only half works. The user is not allowed on, the PEAP message is set to FAILURE, but no Access-Reject is ever sent. I have also tried with md5 authentication and it works as expected. Unfortunately, md5 authentication is not an option. What I really need is for that Reject to be sent back after the user logs on too many times.

It's a bug in 1.x. Set reject_delay = 0.

Alan DeKok.
Re: IPv6 deployment howto
Hi Mark

Mark J Elkins wrote:
Matthias Cramer wrote:
What magic lines would I need to add to my Cisco and what magic to add to FreeRadius? Anyone have Dialup clients being issued IPv6 addresses yet?
1 - I expect to add some sort of IPv6 field to MySQL (ie - for a static IPv6 address or to signify the NAS to use a Dynamic address)
2 - I expect the authorize_check_query and other SQL queries to change a bit... ie return IPv6 data - without breaking IPv4 only NAS's
3 - I expect to add an IPv6 pool and other lines of magic to my Cisco.

There's Framed-IPv6-Prefix, where you can assign IPs to a client. I do it with:
cisco-avpair = ipv6:route#1=2001:dead:beef::/64
I do not use dynamic allocation. Cheers Matthias

Can I ask why? (why no dynamic). I don't even know if there is a way to do this

Because all the people I serve IPv6 this way are ADSL customers, who are always online anyway, and like to be able to run a webserver or such.

Why a /64 - and not /60 or /56 ?? (not even sure if that's possible)

I do /64 and /48, but any sensible subnet is possible in my opinion.

Sorry about the questions - but very few people seem to be providing any sort of IPv6 access to dialup clients. Some more.. Do you use FreeRadius 2.0 or something older.

No, I use 1.1.3 because this is the last version which seems not to have the SIGHUP bug.

In order to support IPv6 - what new fields did you add to your backend (database).

I use a traditional users file.

Did you add any new cisco-avpair parts apart from an IPv6 Route ...

No

.. which kind of seems strange to me - should you not have added a Prefix (ipv6:prefix#1) instead ? .. which adds an entry to the RIB table anyway? What did you have to add to the Cisco for user access?

interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 no ip redirects
 no ip proxy-arp
 ip tcp adjust-mss 1452
 ipv6 enable
 qos pre-classify
 peer default ip address pool ADSLPool1
 ppp mtu adaptive
 ppp authentication chap pap callin ADSL
 ppp authorization ADSL

Are many (any?) people using IPv6?

Not that many .. we have about 5-10 customers using IPv6

What did they have to do on their end to get an address?

Have an IPv6 capable router... which is a Cisco, Linux, *BSD router. Probably it will also work with MacOSX or Vista doing PPP or PPPoE depending on what service you provide.

I promise that I'll one day update the wiki with this sort of info..

That sounds nice.

Best regards and greetings to South Africa
Matthias

--
Matthias Cramer, System Network Manager, Interway Communication GmbH
Josefstrasse 225, CH-8005 Zuerich
Phone +41 43 500, Fax +41 44 271 3535
http://www.interway.ch/
RE: Simultaneous-Use and PEAP doesn't work correctly.
Marcotte, Tyler wrote:
I've configured Simultaneous-Use on my freeradius server and have it configured to use PEAP as an authentication method. Users can authenticate perfectly well, however when the Simultaneous-Use limit is exceeded, it only half works. The user is not allowed on, the PEAP message is set to FAILURE, but no Access-Reject is ever sent. I have also tried with md5 authentication and it works as expected. Unfortunately, md5 authentication is not an option. What I really need is for that Reject to be sent back after the user logs on too many times.

It's a bug in 1.x. Set reject_delay = 0.

Alan DeKok

reject_delay = 0 is already set. If I check out the version from cvs will it have this problem fixed?

-Tyler
Re: radius for cisco management
Thanks!!

2007/10/8, [EMAIL PROTECTED] [EMAIL PROTECTED]:
http://wiki.freeradius.org/Cisco

Ivan Kalik
Kalik Informatika ISP

On 8/10/2007, German Garay [EMAIL PROTECTED] wrote:
Hi, I want to do per user command authorization in a cisco network to replace a tacacs+ server. But I can't find a how-to on a page, can you send me the link? Thanks Germán
Re: EAP+MD5+SQL trouble
auth: type Local

Don't set Auth-Type to Local. In fact, don't set it to anything.
Re: EAP+MD5+SQL trouble
Now read my first reply again. It looks like you have replaced the password attribute, but left the Auth-Type.

Ivan Kalik
Kalik Informatika ISP

On 9/10/2007, inl2goal [EMAIL PROTECTED] wrote:
Here is the debug output. When I run the server I get: # ./radiusd -X [...]
Re: EAP+MD5+SQL trouble
Actually, all the way from the beginning, CleartextPassword has been set (without an Auth-Type) but for some reason the program chooses Local automatically. It is probably a default setting of FreeRadius to go Local when it doesn't find an Auth method. However, what I don't understand is why it doesn't find an authentication method if I have already configured the EAP.conf file with MD5 and have it in the Authorize and Authenticate sections of radiusd.conf

On 10/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Now read my first reply again. It looks like you have replaced the password attribute, but left the Auth-Type.

Ivan Kalik
Kalik Informatika ISP

On 9/10/2007, inl2goal [EMAIL PROTECTED] wrote:
Here is the debug output. When I run the server I get: # ./radiusd -X [...]
Re: EAP+MD5+SQL trouble
Actually, all the way from the beginning, CleartextPassword has been set (without an Auth-Type anywhere in the files) but for some reason the program chooses Local automatically. It is probably a default setting of FreeRadius to go Local when it doesn't find an Auth method. However, what I don't understand is why it doesn't find an authentication method if I have already configured the EAP.conf file with MD5 and have it in the Authorize and Authenticate sections of radiusd.conf
Re: EAP+MD5+SQL trouble
On Tue, 2007-10-09 at 16:33 -0500, Syaoran Li wrote:
Actually, all the way from the beginning, CleartextPassword has been set (without an Auth-Type) but for some reason the program chooses Local automatically. It is probably a default setting of FreeRadius to

No.

go Local when it doesn't find an Auth method.

Something is setting Auth-Type to Local. From the debug you listed, the only modules which execute in authorize are:
* preprocess
* suffix (realm module)
* sql
* eap

Since suffix and eap return noop, one of the following must be the case:
* Auth-Type is being set in preprocess (virtually impossible, and not a server default)
* Auth-Type is being set in SQL
* You edited the debug
* You mangled the debug
* There is some amazing bug in FreeRadius which no-one else has seen.

I suggest you look in SQL again, carefully.

However, what I don't understand is why it doesn't find an authentication method if I have already configured the EAP.conf file with MD5 and have it in the Authorize and Authenticate sections of radiusd.conf

It doesn't find an authentication method because you have overridden it, by setting Auth-Type to Local. This is the fourth time you've been told this.
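The check Alan is asking for, written out as an added example (not part of the thread, not FreeRADIUS's own schema file). It assumes MySQL and the radcheck / radgroupcheck / usergroup column layout implied by the authorize_check_query and authorize_group_check_query in the debug output above; user names, group name and password values are constructed. A row setting Auth-Type := Local in either check table is returned by the authorize SQL lookups on every request for that user, which is exactly what overrides rlm_eap and produces the "auth: type Local" line, so the queries below list such rows per user and per group before removing them.

```sql
-- Constructed tables matching the columns used by the server's
-- authorize_check_query / authorize_group_check_query (assumption: MySQL).
CREATE TABLE radcheck (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  UserName  VARCHAR(64)  NOT NULL,
  Attribute VARCHAR(64)  NOT NULL,
  op        CHAR(2)      NOT NULL DEFAULT '==',
  Value     VARCHAR(253) NOT NULL
);
CREATE TABLE radgroupcheck (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  GroupName VARCHAR(64)  NOT NULL,
  Attribute VARCHAR(64)  NOT NULL,
  op        CHAR(2)      NOT NULL DEFAULT '==',
  Value     VARCHAR(253) NOT NULL
);
CREATE TABLE usergroup (
  UserName  VARCHAR(64) NOT NULL,
  GroupName VARCHAR(64) NOT NULL
);

-- Constructed sample data.
-- Broken: the password row was updated, but a leftover Auth-Type row
-- still forces "auth: type Local" and bypasses rlm_eap.
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES
  ('bob', 'Cleartext-Password', ':=', 'constructed-pw-1'),
  ('bob', 'Auth-Type',          ':=', 'Local');

-- Correct: only the password is stored; Auth-Type is left for the
-- eap module to set during authorize.
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES
  ('alice', 'Cleartext-Password', ':=', 'constructed-pw-2');

-- An Auth-Type hidden in a group applies to every member via the same
-- usergroup join the server runs, and is easy to miss in a per-user look.
INSERT INTO usergroup (UserName, GroupName) VALUES ('alice', 'staff');
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES
  ('staff', 'Auth-Type', ':=', 'Local');

-- Check 1: per-user Auth-Type rows (expected: bob's row).
SELECT id, UserName, Attribute, op, Value
  FROM radcheck
 WHERE Attribute = 'Auth-Type'
 ORDER BY id;

-- Check 2: group Auth-Type rows and the users they reach, using the
-- same join as authorize_group_check_query (expected: alice via staff).
SELECT u.UserName, g.GroupName, g.Attribute, g.op, g.Value
  FROM radgroupcheck g
  JOIN usergroup u ON u.GroupName = g.GroupName
 WHERE g.Attribute = 'Auth-Type'
 ORDER BY g.id;

-- Fix: drop the overrides so rlm_eap chooses the authentication type.
DELETE FROM radcheck      WHERE Attribute = 'Auth-Type';
DELETE FROM radgroupcheck WHERE Attribute = 'Auth-Type';

-- After the fix, both checks return no rows and each user keeps only a
-- Cleartext-Password entry for EAP-MD5 to verify against.
SELECT UserName, Attribute, op FROM radcheck ORDER BY id;
```

Run the two SELECTs against the live radius database before touching anything; if they return rows, that is the "something" Alan refers to. Check 2 matters because the server's group lookup is keyed on usergroup.GroupName, so a single radgroupcheck row can affect many users whose own radcheck rows look clean.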
Post-Proxy attr_filter on Access-Accept Packets only
Hi Guys

How do I only add a radius attribute via attr_filter on Access-Accept packets? My current config is adding the attribute on accounting reply packets also.

Thanks
Mike