Re: Rlm_sql in freeradius-1.1.7
Orion wrote:

> +----+----------+--------------------+----+--------------+
> | id | username | attribute          | op | value        |
> +----+----------+--------------------+----+--------------+
> |  1 | orioni   | Called-Station-Id  | == | 001bd136e285 |
> |  2 | orioni   | Cleartext-Password | := | test         |
> |  3 | orioni   | Simultaneous-Use   | := | 2            |
> +----+----------+--------------------+----+--------------+
>
> you can put to record for 'Called-Station-Id' with the mac addresses of the Access Points from which the client is allowed to login.

Thank you, Orion. Your suggestion is useful, it works. I had made up my mind that the best way is to do it with groups and I was not looking at the simple solutions.

However, the solution that you suggest has a restriction. It can be used for only 1 NAS (a user can authenticate himself at only one access point). However I would like the user to be able to access the internet through several access points. This can be done if we use the attribute Called-Station-Id (or NAS-Identifier) with the operator '=~' and a value like this:

(00-1b-d1-36-e2-85|11-1b-d1-36-e2-86|22-1b-d1-36-e2-87)

This is a regular expression that will match the attribute if its value is one of those that are listed.

This solution still has a restriction. Since the value of an attribute is varchar(253), it cannot contain more than 14 MACs listed. So, a user cannot use more than 14 access points for connecting to the internet. For the time being this is acceptable for me, however I am still looking for other solutions. I am also planning to try freeradius 2.

Regards,
Dashamir

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius +LDAP + Active Directory + Authenticate Only questions
William Segura wrote:
> I am trying to setup Freeradius to authenticate against an active directory server. Only bind as user will work, and even then not always. Here are the relevant files:

Please do not post configuration files to the list.

> Radius Log: ...
> rad_recv: Access-Request packet from host 127.0.0.1:35655, id=159, length=58
> User-Name = user1
> User-Password = \204\016V\332\226\325\007\347\254Hm\262}B\321M

Your shared secret is wrong. Fix it.

> modcall[authorize]: module preprocess returns ok for request 0
> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
> modcall[authorize]: module pap returns noop for request 0

You have re-ordered the modules in the authorize section. Why? Do you understand what the PAP module does?

> rlm_ldap: Bind failed with invalid credentials

Because the password was wrong. The password *should* be visible in debugging mode. It should NOT be binary garbage.

> auth: Failed to validate the user.
> WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!

Perhaps this message might be useful. Did you read it? Did you follow its instructions?

Alan DeKok.
Re: Rlm_sql in freeradius-1.1.7
Hi,

> This can be done if we use the attribute Called-Station-Id (or NAS-Identifier) with the operator '=~' and a value like this:
>
> (00-1b-d1-36-e2-85|11-1b-d1-36-e2-86|22-1b-d1-36-e2-87)
>
> This is a regular expression that will match the attribute if its value is one of those that are listed.
>
> This solution still has a restriction. Since the value of an attribute is varchar(253), it cannot contain more than 14 MACs listed. So, a user cannot use more than 14 access points for connecting to the internet. For the time being this is acceptable for me, however I am still looking for other solutions. I am also planning to try freeradius 2.

in this case, use huntgroups - assign each station or NAS to the huntgroup and then use a huntgroup check for the user

alan
Re: radgroupreply do not read (read_grous directive)
Arlinelson Fernandes dos Santos wrote:
> The pre1 version is buggy!!!

Yes... which is why 2.0.0 was released.

> Now, I'm working to solve this:
> rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent

Grab the latest version from CVS. It has this issue fixed.

Alan DeKok.
Re: Not sending a reply packet from proxy
Pshem Kowalczyk wrote:
> One more reason to upgrade ;-)
>
> Where should I look for that functionality? proxy.conf?

Yes.

Alan DeKok.
Re: Not sending a reply packet from proxy
On 18/01/2008, Alan DeKok [EMAIL PROTECTED] wrote:
> Pshem Kowalczyk wrote:
> > Is it possible to discard the packet on the proxy if the home server doesn't reply and let the device fall back to a different proxy? Currently we use radius 1.1.7, but looking into upgrading it to 2.0.0.
>
> 2.0.0 has this capability. 1.1.7 does not.

One more reason to upgrade ;-)

Where should I look for that functionality? proxy.conf?

Thx for your help

regards
Pshem
Re: Rlm_sql in freeradius-1.1.7
As I can see Mikrotik wants the mac address in the following format XX:XX:XX:XX:XX:XX (all letters must be in uppercase)

On Jan 17, 2008 7:53 PM, orion [EMAIL PROTECTED] wrote:
> pershendetje/Hi dashamir.
> sorry for my english, not my mother language.
> i use the same scenario at our isp but we check the MAC address of the NAS where the client comes from. In mysql we have:
>
> +----+----------+--------------------+----+--------------+
> | id | username | attribute          | op | value        |
> +----+----------+--------------------+----+--------------+
> |  1 | orion    | Calling-Station-Id | == | 001bd136e285 |
> |  2 | orioni   | Cleartext-Password | := | test         |
> |  3 | orioni   | Simultaneous-Use   | := | 2            |
> +----+----------+--------------------+----+--------------+
Re: EAP-TLS Machine Authentication problems
> machine: TLS_accept:error in SSLv3 read client certificate A
> user:(other): SSL negotiation finished successfully

There doesn't seem to be a machine certificate in the certificate store.

Ivan Kalik
Kalik Informatika ISP

On 18/1/2008, Michael Olson [EMAIL PROTECTED] writes:
> I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using OpenSSL to generate the certificates. I can authenticate using user certificates fine, so I'm pretty sure all the certificate CA setup is right on the RADIUS server certificate, User certificate, and the Root Certificate. That leaves the Computer Certificate.
>
> I generated the computer certificate to have the common name be the machine name (I've tried it plain and FQDN) and I've put the FQDN in the altSubjectName field as well. It has the same usage extensions as the User certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to Computer Only (2), and it tries to authenticate which suggests that the workstation is okay with the certificate.
>
> Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt
>
> Other than that I can't think of where to look for a problem. Comparing logs between user and computer authentication I can see where it starts differing but I can't find anything I can interpret as to why. Nothing seems to fail for the computer, it just cycles endlessly.
>
> Successful User Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
> Failed Computer Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
>
> I also tossed out the windows tracing logs for both user and computer auth and anything else that seemed useful in http://www.cs.odu.edu/~olson/eap/
>
> Can anybody give me a pointer on where to look for problems?
>
> Thanks
> --
> Mike Olson
Traffic volume accounting
Hello everyone,

I am trying to implement traffic volume accounting in my Radius server. Is it possible to have a counter setup to achieve this? I've tested a lot and it seems freeradius is just ignoring my counter. I have somewhat managed to do some traffic accounting relying on external scripts, but it doesn't work properly. I'd like to know if someone has implemented realtime upload/download limitations and what methods were used.

Thank you all!
Re: Rlm_sql in freeradius-1.1.7
[EMAIL PROTECTED] wrote:
> Hi,
>
> > This can be done if we use the attribute Called-Station-Id (or NAS-Identifier) with the operator '=~' and a value like this:
> >
> > (00-1b-d1-36-e2-85|11-1b-d1-36-e2-86|22-1b-d1-36-e2-87)
> >
> > This is a regular expression that will match the attribute if its value is one of those that are listed.
> >
> > This solution still has a restriction. Since the value of an attribute is varchar(253), it cannot contain more than 14 MACs listed. So, a user cannot use more than 14 access points for connecting to the internet. For the time being this is acceptable for me, however I am still looking for other solutions. I am also planning to try freeradius 2.
>
> in this case, use huntgroups - assign each station or NAS to the huntgroup and then use a huntgroup check for the user
>
> alan

Thanks for the suggestion, Alan. But does it mean that I should modify the file 'raddb/huntgroups'? If so, then it is not so suitable, because I would like to maintain the data from an external application (which may or may not be located in the same server as radius).

But anyway, the database tables radgroupcheck and radgroupreply would be the equivalent of the configuration file 'huntgroups'. Is it true that they don't work as described/expected, or is it just a bug, or maybe I have missed something? Do you think it is better to try radius 2?

Thanks,
Dashamir
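As an added example (my own code, not from any post in this thread), the Python below builds the Called-Station-Id '=~' value from a list of access point MACs the way Dashamir describes, enforces the varchar(253) limit that produces the 14-MAC ceiling, and shows why the MAC format the NAS actually sends (bare, as in Orion's table, or colon-separated uppercase, as the Mikrotik note mentions) decides whether the regex matches. The function names and the normalization step are assumptions of this example, not rlm_sql behaviour.

```python
import re

# rlm_sql keeps each check item's value in a varchar(253) column, so the whole
# regular expression (parentheses and '|' separators included) must fit in it.
RADCHECK_VALUE_MAX = 253


def normalize_mac(mac: str, sep: str = "-") -> str:
    """Canonical lowercase MAC joined by sep ('' gives the bare form).

    Accepts '001bd136e285' (bare, as in the radcheck table above),
    '00:1B:D1:36:E2:85' (colon form, uppercase) and '00-1b-d1-36-e2-85'.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def build_check_value(macs, sep: str = "-") -> str:
    """Build the Called-Station-Id '=~' value: an alternation of allowed AP MACs.

    Raises ValueError when the result would not fit in the radcheck value column.
    """
    value = "(" + "|".join(normalize_mac(m, sep) for m in macs) + ")"
    if len(value) > RADCHECK_VALUE_MAX:
        raise ValueError(
            f"{len(macs)} MACs need {len(value)} chars, "
            f"the column holds {RADCHECK_VALUE_MAX}"
        )
    return value


def max_macs_per_value(mac_len: int = 17) -> int:
    """How many MACs of mac_len characters fit: n*mac_len + (n-1) + 2 <= 253.

    17-character dashed MACs give 14 (the limit Dashamir reports); the bare
    12-character form would allow 19, but only if the NAS sends it that way.
    """
    return (RADCHECK_VALUE_MAX - 1) // (mac_len + 1)


def called_station_allowed(check_value: str, raw_called_station_id: str) -> bool:
    """What the '=~' operator does: a regex search on the attribute exactly as
    the NAS sent it. Nothing normalizes it, so the format the NAS uses must be
    the format the check value was built with."""
    return re.search(check_value, raw_called_station_id) is not None
```

A mismatch between the NAS's MAC format and the stored pattern fails silently as an Access-Reject, so the debug output (radiusd -X) of the Called-Station-Id the NAS sends is the first thing to compare against the stored value.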
Re: unlang?
Hi,

> I am not sure why, I inherited this setup and I am still trying to understand it. The LDAP server is eDirectory (FreeRADIUS compiled with -with-edir)
>
> The -X output says:
>
> WARNING: Deprecated conditional expansion :-. See man unlang for details
> expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user)
> expand: o=uol -> o=uol
>
> What is the replacement for :- given I don't know what it did in the first place for man unlang to be any help!

if Stripped-User-Name exists, then use that, otherwise use User-Name

the :- operator is in unlang too - but the expansion check may need to be rewritten - eg

%{%{Stripped-User-Name}:-%{User-Name}}

its only deprecated right now - not too essential

> 2) Rejecting a user
>
> I have a specific user account (call it special) it was barred using:
>
> special    Auth-Type := Reject
>            Reply-Message = "Cannot use this user account"
>
> in the users file. Variants like special, Special and SPECIAL etc get by this check, and our LDAP server allows them!, so I added:
>
> lower_user = before
> lower_pass = no
> nospace_user = before
> nospace_pass = no
>
> to radius.conf. These no longer seem to work. How do you achieve this with version 2.0.0?

gosh. a lot of ways of doing this

you could use the unlang method to check eg

if (User-Name =~ /^special$/i)

etc etc etc

or via the attrib filter rewrite

alan
Administering with MySQL DB
Hi list,

I'm completely new to freeradius, I have installed the server with MySQL and also got the dialup web GUI up and running. However it's still not clear to me how I add new NAS devices, you don't appear to be able to do that in the GUI. I just want to add a system by IP address with a secret. Do I need to manually do an insert into mysql? If so can someone give me a pointer to how the data should be entered? Or any other help!!

thanks!
Andy.
RE: Traffic volume accounting
> Is it possible to have a counter setup to achieve this?

Yes. It is.

> I'd like to know if someone has implemented realtime upload/download limitations and what methods were used.

Realtime traffic accounting would have to be supported by your NAS. Any kind of traffic/bandwidth limitation has to be supported by your NAS; you have to tell freeRADIUS what data to store and how to calculate the values... and of course, what attributes it should answer to the NAS!

Regards,
E:S
Problem with Max-Daily-Session
As entitled, with my office we have installed at a town library a server with Ubuntu 7.10, Freeradius and Chillispot to provide wireless navigation to users with their notebooks from the local library. The access point is configured without any authentication, anyone can connect; authentication is performed by the radius server, where the registered users entitled to navigation are stored (etc/freeradius/users), for simplicity we have not used SQL.

Everything works great: users come, authenticate and happily surf. What we fail to do is set the maximum daily navigation (which in our case should be 2 hours). The Daily-Session-Time works, after 2 hours of connection users are disconnected, but they can then log in again for another 2 hours, which we would like to avoid (a maximum of 2 hours of daily connection). This is our configuration file (etc/freeradius/radiusd.conf) of the counter module:

counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
}

Do we need to set some other parameter somewhere else? Any advice is welcome.

Thanks for the answers :)

--
Gabriele Giuliani
STUDIO 16 64 S.r.l.
Via degli Abeti, 52
61100 PESARO
Tel. 0721 0130897
Fax. 06 452215814
Cell. 329 9503621
Re: Administering with MySQL DB
Erm, thanks. But I'm trying to work out how I administer the data in MySQL. Are there no utilities for entering data? If I have to enter data manually with SQL insert etc can anyone point me at some docs explaining the format the information should be in??

> Andy Smith wrote:
> > I'm completely new to freeradius, I have installed the server with MySQL and also got the dialup web GUI up and running. However it's still not clear to me how I add new NAS devices, you don't appear to be able to do that in the GUI. I just want to add a system by IP address with a secret. Do I need to manually do an insert into mysql? If so can someone give me a pointer to how the data should be entered? Or any other help!!
>
> Edit the configuration files with a text editor.
>
> Alan DeKok.
cisco wlse patch
Hello,

Have you a patch for cisco wlse leap authentication, working for freeradius 2.0?

Thanks
Re: dialup-admin sql table creation error
(pt-BR, translated) Hi Marcos, I ran into this same problem a while ago; I removed the default and changed Date to IncidentDate, and that solved it.

(en-US) Hi, Marcos, I saw this problem a while ago, I deleted the default on ID and replaced Date with IncidentDate, appears to work fine.

> I was making some tests with the freeradius 2 install, and found that the creation schema for the badusers table for dialupadmin (in the /dialup_admin/sql/mysql folder) has 2 problems:
>
> #
> # Table structure for table 'badusers'
> #
> CREATE TABLE badusers (
>   id int(10) DEFAULT '0' NOT NULL auto_increment,
>   UserName varchar(30),
>   IncidentDate datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,
>   Reason varchar(200),
>   Admin varchar(30) DEFAULT '-',
>   PRIMARY KEY (id),
>   KEY UserName (UserName),
>   KEY Date (Date)
> );
>
> The first is in the 'id' creation line. Starting with version 4.11 (I think it's this version), MySQL does not accept having a default value when you use auto_increment. So,
>
> id int(10) NOT NULL auto_increment
>
> would be the correct entry.
>
> The second problem is in the last line. There is a reference to 'Date' being used as a key, but the 'Date' column was not created. There is no reference creating it. Checking version 1.1.7, the line was
>
> Date datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,
>
> Now, was it removed because it's no longer used, or was it removed by accident, or should it be renamed to the IncidentDate field? I guess it would be the last option.
>
> Thanks,
> Roberto
>
> ---
> Marcos Roberto Greiner
> Optimists think we live in the best of all possible worlds.
> Pessimists fear that this is true.
> Murphy
Rlm_sql in freeradius-1.1.7
Hi,

I have installed freeradius-1.1.7 in fedora8. However I find that the module rlm_sql does not work as described in this page: http://wiki.freeradius.org/Rlm_sql

For example, I have inserted such data in the database:

radcheck:
+------+----------+------------------+----+-------+
| id   | UserName | Attribute        | op | Value |
+------+----------+------------------+----+-------+
| 5272 | test     | User-Password    | := | test  |
| 5262 | test     | Simultaneous-Use | := | 5     |
+------+----------+------------------+----+-------+

radreply:
+----+----------+---------------+----+----------+
| id | UserName | Attribute     | op | Value    |
+----+----------+---------------+----+----------+
| 42 | test     | Reply-Message | := | Wellcome |
+----+----------+---------------+----+----------+

usergroup:
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| test     | group2    |        2 |
| test     | group1    |        1 |
+----------+-----------+----------+

radgroupcheck:
+----+-----------+----------------+----+-------+
| id | GroupName | Attribute      | op | Value |
+----+-----------+----------------+----+-------+
| 42 | group1    | NAS-Identifier | != | 123   |
| 52 | group2    | NAS-Identifier | == | 123   |
+----+-----------+----------------+----+-------+

radgroupreply:
+----+-----------+---------------+----+--------+
| id | GroupName | Attribute     | op | Value  |
+----+-----------+---------------+----+--------+
| 52 | group1    | Reply-Message | += | group1 |
| 62 | group2    | Reply-Message | += | group2 |
+----+-----------+---------------+----+--------+

When I try to login with username 'test' and password 'test' I get debug messages like these:

Sending Access-Accept of id 30 to 192.168.252.47 port 2053
        Reply-Message := Wellcome
        Reply-Message += group1
        Reply-Message += group2

It seems to me that this is not according to the behavior described in the documentation above. Am I right or am I missing something?

Regards,
Dashamir
Re: Administering with MySQL DB
FreeRadius Wiki is a good starting point. SQL Howto

Andy Smith wrote:
> Erm, thanks. But I'm trying to work out how I administer the data in MySQL. Are there no utilities for entering data? If I have to enter data manually with SQL insert etc can anyone point me at some docs explaining the format the information should be in??
>
> > Andy Smith wrote:
> > > I'm completely new to freeradius, I have installed the server with MySQL and also got the dialup web GUI up and running. However it's still not clear to me how I add new NAS devices, you don't appear to be able to do that in the GUI. I just want to add a system by IP address with a secret. Do I need to manually do an insert into mysql? If so can someone give me a pointer to how the data should be entered? Or any other help!!
> >
> > Edit the configuration files with a text editor.
> >
> > Alan DeKok.
unlang?
I am testing my current 1.1.7 config with version 2.0.0. I have 2 bits of config that are not quite right on 2.0.0

1) I have the line:

filter = (cn=%{Stripped-User-Name:-%{User-Name}})

I am not sure why, I inherited this setup and I am still trying to understand it. The LDAP server is eDirectory (FreeRADIUS compiled with -with-edir)

The -X output says:

WARNING: Deprecated conditional expansion :-. See man unlang for details
expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user)
expand: o=uol -> o=uol

What is the replacement for :- given I don't know what it did in the first place for man unlang to be any help!

2) Rejecting a user

I have a specific user account (call it special) it was barred using:

special    Auth-Type := Reject
           Reply-Message = "Cannot use this user account"

in the users file. Variants like special, Special and SPECIAL etc get by this check, and our LDAP server allows them!, so I added:

lower_user = before
lower_pass = no
nospace_user = before
nospace_pass = no

to radius.conf. These no longer seem to work. How do you achieve this with version 2.0.0?

---
Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)
freeradius authenticate over ldap database
I'm trying to install and configure my freeradius at rhel 5 to authenticate against an ldap database. I read the rlm_ldap docs and configured it according to what I understood. I start my server with no problem, but I'm not sure if it's working good or bad. I created a test user at the ldap database with username and password "teste" and tried to test it from radtest, but it won't work. The password at the ldap database is crypt.

[EMAIL PROTECTED] raddb]# radtest teste teste localhost:1812 testing123
Usage: radtest user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
[EMAIL PROTECTED] raddb]#

When I start my radiusd, it starts without problems. What do I need to do to get it working over the ldap database?

[EMAIL PROTECTED] raddb]# radiusd -X
Re: rlm_perl build on mac osx
Alan,

Thanks for your quick response! Yes, I'm aware that apple has included FR into Leopard and am curious to see how it works in that version of the OS once I move to it eventually. However, for the Tiger users of which I'll remain for a while, I'd like to provide ease of installation via macports. Though a build-able 1.1.7 is available via macports right now, it needs a patch -- which may be a moot point now that 2.0 is here and it fixes the trouble that stripping the binaries (i.e, the INSTALLSTRIP -s switch) caused.

I'll look more into the PATH setting for building against 5.10. Perhaps adding the PERL5LIB variable in my env will do the trick.

Jim
___
James H. Graham II, Creative Director • Spark Media Group
6511 Allegheny Avenue • Takoma Park, MD 20912-4737
Tel: 301.270.4810 • Fax: 301.270.4812 • www.sparkmediagroup.com

On Jan 18, 2008, at 3:19 PM, [EMAIL PROTECTED] wrote:
> Hi,
>
> several folk run FreeRADIUS on MacOSX already - and Apple even have added code themselves - I believe FR is the fundamental EAP system in eg latest airport/timecapsule product (though I may be wrong on that aspect of usage! ;-) )
>
> > 2] Is perl only a build dependency for rlm_perl, or does the module make runtime calls to external perl libs?
>
> correct. its only for rlm_perl
>
> > 3] I've discovered with an install of perl 5.10 that, during configure (of freeradius 2), the linker chooses the /System/Library/5.8.6... over the new perl (at {prefix}/lib/perl/5.10.0). The only thing I can guess is that when searching for perl libs/includes, the linker only expands to seek version n.n.n and does not recognize a two digit subversion n.nn.n. If that's what's happening, is that patchable?
>
> or likely its a PATH problem and you have to tell it where your 5.10.0 is living.
>
> alan
Re: Problem with Max-Daily-Session
Have a look in debug mode to see if you are getting accounting packets from Chillispot. If you are not getting accounting data there is no way for the counter to work.

Off topic, what stops a user from using a different username and gaining another 2 hours? Mikrotik has a trial mode where users can gain unauthorized access for a certain period of time controlled by MAC address. Is there something like that for Chillispot that you can implement?

Ivan Kalik
Kalik Informatika ISP

On 18/1/2008, Gabriele Giuliani [EMAIL PROTECTED] writes:
> As entitled, with my office we have installed at a town library a server with Ubuntu 7.10, Freeradius and Chillispot to provide wireless navigation to users with their notebooks from the local library. The access point is configured without any authentication, anyone can connect; authentication is performed by the radius server, where the registered users entitled to navigation are stored (etc/freeradius/users), for simplicity we have not used SQL.
>
> Everything works great: users come, authenticate and happily surf. What we fail to do is set the maximum daily navigation (which in our case should be 2 hours). The Daily-Session-Time works, after 2 hours of connection users are disconnected, but they can then log in again for another 2 hours, which we would like to avoid (a maximum of 2 hours of daily connection). This is our configuration file (etc/freeradius/radiusd.conf) of the counter module:
>
> counter daily {
>         filename = ${raddbdir}/db.daily
>         key = User-Name
>         count-attribute = Acct-Session-Time
>         reset = daily
>         counter-name = Daily-Session-Time
>         check-name = Max-Daily-Session
>         allowed-servicetype = Framed-User
>         cache-size = 5000
> }
>
> Do we need to set some other parameter somewhere else? Any advice is welcome.
>
> Thanks for the answers :)
>
> --
> Gabriele Giuliani
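An added illustration (my own Python, not code from the thread or from rlm_counter) of why Ivan asks about accounting packets first: it models the posted counter block and replays the reported symptom with and without an accounting Stop from Chillispot. The Stop-only counting rule, the Service-Type filter and the reset timing are assumptions stated in the comments.

```python
from datetime import date

# Constructed check item standing in for the users file entry the thread
# implies: Max-Daily-Session = 7200 seconds (2 hours) for this user.
MAX_DAILY_SESSION = {"library-user": 7200}


class DailyCounter:
    """Model of the posted 'counter daily' block: key = User-Name,
    count-attribute = Acct-Session-Time, reset = daily,
    check-name = Max-Daily-Session, allowed-servicetype = Framed-User.

    Assumptions of this model (not taken from the thread): only
    Accounting-Request Stop packets add to the counter, only when their
    Service-Type is the allowed one, and the reset happens on the first
    packet seen on a new day.
    """

    def __init__(self, today: date, allowed_servicetype: str = "Framed-User"):
        self.reset_day = today
        self.allowed_servicetype = allowed_servicetype
        self.counters = {}  # User-Name -> seconds used since the last reset

    def _reset_if_new_day(self, today: date) -> None:
        if today > self.reset_day:
            self.counters.clear()
            self.reset_day = today

    def accounting(self, packet: dict, today: date) -> str:
        """Feed one Accounting-Request; returns 'updated' or 'noop'."""
        self._reset_if_new_day(today)
        if packet.get("Acct-Status-Type") != "Stop":
            return "noop"
        if packet.get("Service-Type") != self.allowed_servicetype:
            return "noop"
        user = packet["User-Name"]
        used = int(packet.get("Acct-Session-Time", 0))
        self.counters[user] = self.counters.get(user, 0) + used
        return "updated"

    def authorize(self, user: str, today: date):
        """Authorize step: ('noop', None) when the user has no limit,
        ('reject', None) when today's allowance is used up, otherwise
        ('ok', remaining) where remaining is the Session-Timeout to send."""
        self._reset_if_new_day(today)
        limit = MAX_DAILY_SESSION.get(user)
        if limit is None:
            return ("noop", None)
        used = self.counters.get(user, 0)
        if used >= limit:
            return ("reject", None)
        return ("ok", limit - used)


def library_day(stop_packets_arrive: bool):
    """Replay the reported symptom: a 2 hour session, then a reconnect.

    Returns both authorize results. Without accounting from Chillispot the
    counter never moves and the second login gets a fresh 2 hours; with a
    Stop packet carrying Acct-Session-Time = 7200 the second login is rejected.
    """
    day = date(2008, 1, 18)
    counter = DailyCounter(day)
    first = counter.authorize("library-user", day)
    if stop_packets_arrive:
        counter.accounting({"User-Name": "library-user",
                            "Acct-Status-Type": "Stop",
                            "Service-Type": "Framed-User",
                            "Acct-Session-Time": 7200}, day)
    second = counter.authorize("library-user", day)
    return first, second
```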
Re: Administering with MySQL DB
The nas table definition can be found at the bottom of this page http://wiki.freeradius.org/MySQL_DDL_script

make sure to set:

readclients = yes

(probably at the bottom of sql.conf)

the column names in the nas table are pretty self-explanatory after you have that set up. Just be sure to re-start radius after you make changes to that table since it's read at startup.

On Jan 18, 2008 1:18 PM, Andy Smith [EMAIL PROTECTED] wrote:
> Hi, thanks, I've looked at this and it's a good guide to initial install but doesn't seem to provide any detailed info on how to administer the data in the tables. IE there is a sample of some data from a test system but this doesn't even mention the NAS table, how are other people administering their systems?
>
> thanks!
> Andy.
>
> > FreeRadius Wiki is a good starting point. SQL Howto

--
Dread Pirate Roberts: Truly, you have a dizzying intellect.
Vizzini: WAIT TILL I GET GOING! Where was I?
Re: unlang?
Dean, Barry wrote:
> 1) I have the line:
>
> filter = (cn=%{Stripped-User-Name:-%{User-Name}})
>
> I am not sure why, I inherited this setup and I am still trying to understand it. The LDAP server is eDirectory (FreeRADIUS compiled with -with-edir)

In 1.1.7, read doc/variables.txt

> What is the replacement for :- given I don't know what it did in the first place for man unlang to be any help!

Look for :- in man unlang. In this case, you want:

filter = (cn=%{%{Stripped-User-Name}:-%{User-Name}})

Which looks a lot like the example in the man page.

> I have a specific user account (call it special) it was barred using:
>
> special    Auth-Type := Reject
>            Reply-Message = "Cannot use this user account"
>
> in the users file. Variants like special, Special and SPECIAL etc get by this check, and our LDAP server allows them!, so I added:
>
> lower_user = before
> lower_pass = no
> nospace_user = before
> nospace_pass = no
>
> to radius.conf. These no longer seem to work. How do you achieve this with version 2.0.0?

man unlang. Look for case-insensitive. In this case, you would delete that users file entry, and use unlang

authorize {
        ...
        if (User-Name =~ /special/i) {
                update reply {
                        Reply-Message = "Cannot use this user account"
                }
                reject
        }
        ...
}

That should work.

Alan DeKok.
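To make the two expansion forms discussed in this thread concrete, here is an added Python model (mine, not server code) of how `%{...}` references resolve: the deprecated 1.x form `%{Attr:-fallback}`, the 2.0 form `%{%{Attr}:-fallback}`, and the case-insensitive user check. Attribute lookup from a plain dict, the returned warning text and the function names are assumptions of this example.

```python
import re


def _close_brace(s: str, start: int) -> int:
    """Return the index of the '}' closing the '%{' that begins at s[start]."""
    depth, i = 0, start
    while i < len(s):
        if s.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError(f"unbalanced %{{ ... }} in {s!r}")


def _split_fallback(body: str):
    """Split body at a top-level ':-' (not inside a nested %{...}), else None."""
    depth, i = 0, 0
    while i < len(body):
        if body.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if body[i] == "}":
            depth -= 1
        elif depth == 0 and body.startswith(":-", i):
            return body[:i], body[i + 2:]
        i += 1
    return None


def expand(template: str, request: dict, warnings: list) -> str:
    """Expand %{...} references in template against request attributes.

    Handles %{Attr}, the deprecated 1.x form %{Attr:-fallback} (which appends
    the server's deprecation warning to warnings) and the 2.0 form
    %{%{Attr}:-fallback}. Missing attributes expand to the empty string.
    """
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _close_brace(template, i)
            out.append(_expand_body(template[i + 2:end], request, warnings))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _expand_body(body: str, request: dict, warnings: list) -> str:
    parts = _split_fallback(body)
    if parts is None:                       # plain %{Attribute}
        return request.get(body, "")
    primary, fallback = parts
    if primary.startswith("%{"):            # 2.0 form: %{%{A}:-%{B}}
        value = expand(primary, request, warnings)
    else:                                   # 1.x form: %{A:-%{B}}
        warnings.append("Deprecated conditional expansion :-. See man unlang for details")
        value = request.get(primary, "")
    return value if value else expand(fallback, request, warnings)


def barred_by_users_file(user_name: str) -> bool:
    """'special  Auth-Type := Reject' in the users file matches the name exactly."""
    return user_name == "special"


def barred_by_unlang(user_name: str) -> bool:
    """if (User-Name =~ /^special$/i): the case-insensitive check suggested above."""
    return re.fullmatch("special", user_name, re.IGNORECASE) is not None
```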
Re: EAP-TLS Machine Authentication problems
I loaded the computer certificate via the MMC Certificates module into the Local Machine, Personal store. When there isn't one in there I get a "can't find a certificate" error in Windows when trying to connect and it never tries to do EAP.

Also, looking at the user log and the computer log, they both get the "TLS_accept:error in SSLv3 read client certificate A" at that stage. Looking at User cert request ID #52 and Computer cert request ID #40 (where the "SSLv3 read client certificate A" error occurs) they are pretty much identical. The next messages in the sequence (#53/#41) are also almost identical (the freeradius reply is identical right down to the EAP-Message blobs in the response). The message after that is where things appear to go wrong: in User #54, a ton of EAP data comes in from the client, the client cert details show up, and authentication seems to be wrapping up; but in Computer #42 barely anything appears in the EAP blobs and the process appears to start cycling over again.

Thanks
--
Mike Olson

[EMAIL PROTECTED] wrote:

machine: TLS_accept:error in SSLv3 read client certificate A
user:(other): SSL negotiation finished successfully

There doesn't seem to be a machine certificate in the certificate store.

Ivan Kalik
Kalik Informatika ISP

On 18/1/2008, Michael Olson [EMAIL PROTECTED] wrote:

I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using OpenSSL to generate the certificates. I can authenticate using user certificates fine, so I'm pretty sure all the Certificates CA setup is right on the RADIUS server certificate, User certificate, and the Root Certificate. That leaves the Computer Certificate.

I generated the computer certificate to have the common name be the machine name (I've tried it plain and FQDN) and I've put the FQDN in the altSubjectName field as well. It has the same usage extensions as the User certificates (TLS Client Auth: 1.3.6.1.5.5.7.3.2). I set the AuthMode registry key to Computer Only (2), and it tries to authenticate, which suggests that the workstation is okay with the certificate.

Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt

Other than that I can't think of where to look for a problem. Comparing logs between user and computer authentication I can see where it starts differing but I can't find anything I can interpret as to why. Nothing seems to fail for the computer, it just cycles endlessly.

Successful User Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
Failed Computer Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log

I also tossed out the Windows tracing logs for both user and computer auth and anything else that seemed useful in http://www.cs.odu.edu/~olson/eap/

Can anybody give me a pointer on where to look for problems?

Thanks
--
Mike Olson
rlm_perl build on mac osx
Greetings,

Quick disclaimer: Though I've been working on my unix chops for the last year (intermittently), I still consider myself a bit of a newbie, so I apologize for any questions that might have obvious answers. That said:

I'm working on a port of FR 2.0 for macports.org and had a couple of questions about what appears to be the main stumbling block when building it on the mac (both ppc and intel, in this case under osx 10.4.11). The problem, as those familiar with installing this on the mac know, has to do with linking to the apple build of perl under /System/Library... Bug #471 shows this, and an example of my initial attempts showed much the same:

    ...
    (cd .libs && rm -f rlm_perl.so && ln -s rlm_perl-2.0.0.so rlm_perl.so)
    ar cru .libs/rlm_perl.a /System/Library/Perl/5.8.6/darwin-thread-multi-2level/auto/DynaLoader/DynaLoader.a rlm_perl.o /System/Library/Perl/5.8.6/darwin-thread-multi-2level/auto/DynaLoader/DynaLoader.a
    ranlib: archive member: .libs/rlm_perl.a(DynaLoader.a) fat file for cputype (7) cpusubtype (3) is not an object file (bad magic number)
    ar: internal ranlib command failed
    gmake[6]: *** [rlm_perl.la] Error 1
    ...

Mind you, I've found a way to get past this by simply installing my own build of perl (5.8.8). Regardless, I have these questions:

1] Is it at all possible for rlm_perl to build against apple's install of perl?

2] Is perl only a build dependency for rlm_perl, or does the module make runtime calls to external perl libs?

3] I've discovered with an install of perl 5.10 that, during configure (of freeradius 2), the linker chooses the /System/Library/ 5.8.6... over the new perl (at {prefix}/lib/perl/5.10.0). The only thing I can guess is that when searching for perl libs/includes, the linker only expands to seek version n.n.n and does not recognize a two-digit subversion n.nn.n. If that's what's happening, is that patchable?

Cheers,
Jim
___
James H. Graham II, Creative Director • Spark Media Group
6511 Allegheny Avenue • Takoma Park, MD 20912-4737
Tel: 301.270.4810 • Fax: 301.270.4812 • www.sparkmediagroup.com
Re: EAP-TLS Machine Authentication problems - Resolved
Found the problem... and ummm... I'm really ashamed to admit this one. I had the CA root certificate in the user's trusted root store; moved it over to the machine trusted root store and all is well. Thank you for enduring my duh moment.

--
Mike Olson
Re: Administering with MySQL DB
Andy Smith wrote:

I'm completely new to freeradius. I have installed the server with MySQL and also got the dialup web GUI up and running. However it's still not clear to me how I add new NAS devices; you don't appear to be able to do that in the GUI. I just want to add a system by IP address with a secret. Do I need to manually do an insert into mysql? If so can someone give me a pointer to how the data should be entered? Or any other help!!

Edit the configuration files with a text editor.

Alan DeKok.
Re: Administering with MySQL DB
Hi, thanks, I've looked at this and it's a good guide to initial install but doesn't seem to provide any detailed info on how to administer the data in the tables. I.e. there is a sample of some data from a test system but this doesn't even mention the NAS table. How are other people administering their systems?

thanks!
Andy.

FreeRadius Wiki is a good starting point. SQL Howto
Re: eap-mschapv2
Hi Alan,

I understand that you know a lot more than I do. Can you point me to the right RFC or draft which tells about the EAP-MSCHAPv2 radius call flow? We are trying to establish an IKEv2 tunnel using the EAP-MSCHAPv2 authentication. We are not using EAP-PEAP, so no certificates involved. We are following draft-kamath-pppext-eap-mschapv2-01.txt (http://www3.tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01.txt), RFC 3748, RFC 2869, RFC 3079, RFC 3579. But none of these RFCs talk about the Radius message flow for the EAP-MSCHAPv2. Do you have a sample trace for the EAP-MSCHAPv2 radius call flow? I will really appreciate it if you can point me to the right place with the call flow.

The problem I am facing is how we will have the Session Keys which are used to generate the Master Shared Key used for the IKEv2 tunnel establishment. The RFC says that we should get the SEND-KEY and the RECV-KEY from the AAA server.

Any help will be greatly appreciated.

Cheers,
Indira.

On Jan 18, 2008 9:35 AM, indira kolli [EMAIL PROTECTED] wrote:

I am doing IKEv2 EAP-MSCHAPv2 radius Passthrough.

On Jan 18, 2008 1:43 AM, Alan DeKok [EMAIL PROTECTED] wrote:

indira kolli wrote:

I finally got it working. I missed the reply to the second access-challenge.

How could you possibly miss that? If you're using a standard supplicant, that packet should be about 1/10 of a second after the first one.

One thing I am still not sure about is MPPE keys. For us we are using only EAP-MSCHAPv2 without peap. The authenticator needs the MPPE keys to authenticate the peer. But in the EAP-MSCHAPv2 Access-Challenge or Access-Accept I don't see the keys. I see that the keys are generated for MSCHAPv2 but are deleted before the request is sent.

Perhaps you could try reading my messages. You were already told that EAP-MSCHAPv2 does not generate the MPPE keys. Even if you changed the server source code, the APs wouldn't look for the MPPE keys. Even if you fixed the APs, the supplicants wouldn't use encryption for the wireless links. And you haven't said if you're using this for wireless or wired authentication.

I think you're really not clear on what you want to do, how the equipment works, and how the protocols work. I suggest spending time reading more AP documentation before asking EAP-MSCHAPv2 questions on this list.

The problem is NOT EAP-MSCHAPv2. The problem is that you don't know what's going on, and as a result, are expecting that EAP-MSCHAPv2 do things it's not supposed to do. Trying to "fix" EAP-MSCHAPv2 is a waste of time. Find out why your expectations are wrong, and fix them.

Alan DeKok.
Re: Administering with MySQL DB
Hi, thanks, I've looked at this and it's a good guide to initial install but doesn't seem to provide any detailed info on how to administer the data in the tables. I.e. there is a sample of some data from a test system but this doesn't even mention the NAS table. How are other people administering their systems?

this is really a 'how to use mysql' question - there are several GUIs for MySQL - e.g. PHPMyAdmin - however, it seems there's nasty security holes found in it every week. ideally, you would use the command line, e.g.

to connect:

    mysql -u username radius -p

to see what's what:

    mysql> show tables;

to get into a table:

    mysql> describe TABLENAME;

to see something:

    mysql> select * from nas;

if you need to insert/update, simply use the insert or update command with the appropriate arguments (each DB admin has their own preferred method) - do a quick google for "insert mysql example"

alan
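Both replies in this thread (the nas table that readclients = yes loads at startup, and the mysql command line for looking at it) stop short of showing an actual insert. The following is an added example, not code from the thread or from FreeRADIUS: it creates a nas table, adds clients with bound parameters, and reads back what the server would load. sqlite3 stands in for MySQL so it runs offline; the column list follows the FreeRADIUS nas table, but the DDL here is this example's own simplified version, and the addresses, names and secrets are constructed placeholders. The functions open_nas_db(), add_nas(), list_clients(), secret_for() and demo() are this example's own.

```python
"""Added example: administering the RADIUS clients (nas) table with
parameterized SQL.  sqlite3 replaces MySQL here so it runs offline."""
import sqlite3

# Simplified version of the FreeRADIUS nas table (assumption for this example;
# use the DDL from the MySQL_DDL_script wiki page on a real server).
NAS_DDL = """
CREATE TABLE nas (
  id          INTEGER PRIMARY KEY,
  nasname     VARCHAR(128) NOT NULL,      -- IP address (or hostname) of the client
  shortname   VARCHAR(32),                -- friendly name used in logs
  type        VARCHAR(30) DEFAULT 'other',
  ports       INTEGER,
  secret      VARCHAR(60) NOT NULL,       -- shared secret for this client
  server      VARCHAR(64),
  community   VARCHAR(50),
  description VARCHAR(200)
)"""


def open_nas_db(path=":memory:"):
    """Open (here: create in memory) the database holding the nas table."""
    conn = sqlite3.connect(path)
    conn.execute(NAS_DDL)
    return conn


def add_nas(conn, nasname, secret, shortname=None, nas_type="other", description=None):
    """Insert one client.  Values are bound, never formatted into the SQL text.
    An empty secret is refused, and so is a second row for an address that is
    already present: two rows for one client are ambiguous, and readclients
    only re-reads the table when the server restarts, so mistakes persist."""
    if not secret:
        raise ValueError("shared secret must not be empty")
    dup = conn.execute("SELECT id FROM nas WHERE nasname = ?", (nasname,)).fetchone()
    if dup:
        raise ValueError("client %s already present (id %d)" % (nasname, dup[0]))
    cur = conn.execute(
        "INSERT INTO nas (nasname, shortname, type, secret, description) "
        "VALUES (?, ?, ?, ?, ?)",
        (nasname, shortname, nas_type, secret, description))
    conn.commit()
    return cur.lastrowid


def list_clients(conn):
    """The rows the server would read at startup (secret deliberately omitted)."""
    rows = conn.execute("SELECT nasname, shortname, type FROM nas ORDER BY id")
    return [tuple(r) for r in rows]


def secret_for(conn, address):
    """Shared secret for the source address of a packet, or None if unknown
    (an unknown client's packets are dropped by the server)."""
    row = conn.execute("SELECT secret FROM nas WHERE nasname = ?", (address,)).fetchone()
    return row[0] if row else None


def demo():
    """Constructed sample data: two access points with placeholder secrets."""
    conn = open_nas_db()
    add_nas(conn, "192.0.2.10", "PLACEHOLDER-SECRET-1", "ap-lobby", "other", "lobby access point")
    add_nas(conn, "192.0.2.11", "PLACEHOLDER-SECRET-2", "ap-lab", "cisco", "lab access point")
    return list_clients(conn)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

After an insert on a real server, restart radiusd (or at least confirm in debug output that the new client is listed), since the table is read only at startup.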
Re: radius attributes for cisco ip phone
Rupert Finnigan wrote:

On 17/01/2008, [EMAIL PROTECTED] wrote:

I have hp procurve 3500yl switches for which i use mac based authentication against radius server. The radius server should assign the vlan's. The pc that hangs behind the phone gets the correct vlan, but the phone doesn't.

Are you connecting the phone to the wall socket, and then the PC to the link socket on the phone? If this is the case then it's working as it should do.. the HP switch NAS is authenticating the PC's MAC, and opening the switchport on the correct VLAN for the PC, and so the phone will be on that VLAN too - they're on the same ethernet segment. If you've got a PC linked via the phone, and you want the phone to be on one VLAN, and the PC on the other, I believe you have to configure the switch-port as a trunk, and then configure the phone accordingly.

HP ProCurve edge series can only dynamically assign a single untagged VLAN to any one switch port. It is not possible to create dynamic VLAN trunks. It may be possible to create a VLAN trunk statically, then leave the switch to do VLAN assignment, and just deny/allow access via the RADIUS server.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: radius attributes for cisco ip phone
Hi,

HP ProCurve edge series can only dynamically assign a single untagged VLAN to any one switch port. It is not possible to create dynamic VLAN trunks. It may be possible to create a VLAN trunk statically, then leave the switch to do VLAN assignment, and just deny/allow access via the RADIUS server.

..and with Cisco switches you can assign a switchport vlan and a voice vlan for the port - with each servicing each device on the port - using the multihost 802.1x method...but the cisco phone has, of course, cisco-centric features.

alan
Re: Rlm_sql in freeradius-1.1.7
pershendetje/Hi dashamir.

sorry for my english, not my mother language. i use the same scenario at our isp but we check the MAC address of the NAS where the client comes from. In mysql we have:

    +----+----------+--------------------+----+--------------+
    | id | username | attribute          | op | value        |
    +----+----------+--------------------+----+--------------+
    |  1 | orion    | Calling-Station-Id | == | 001bd136e285 |
    |  2 | orioni   | Cleartext-Password | := | test         |
    |  3 | orioni   | Simultaneous-Use   | := | 2            |
    +----+----------+--------------------+----+--------------+

shnet e pare / bye.

On 17/01/2008, Dashamir Hoxha [EMAIL PROTECTED] wrote:

Hi,

Actually, what I am trying to do is this: I have several access points that have hotspot and use radius for AAA. I would like to register users in radius so that they are able to login using some of the access points, and not able to login using the others. The way that I was trying to do it is like this:

Suppose that there are the access points A1, A2, A3 and the user 'test' should be able to access the internet only from A1 and A3. The data in radius that would make this scenario work could be like this:

radcheck:

    +------+----------+------------------+----+-------+
    | id   | UserName | Attribute        | op | Value |
    +------+----------+------------------+----+-------+
    | 5272 | test     | User-Password    | := | test  |
    | 5262 | test     | Simultaneous-Use | := | 5     |
    +------+----------+------------------+----+-------+

radreply:

    +----+----------+--------------+----+--------+
    | id | UserName | Attribute    | op | Value  |
    +----+----------+--------------+----+--------+
    | 42 | test     | Auth-Type    | := | Reject |
    | 43 | test     | Fall-Through | := | Yes    |
    +----+----------+--------------+----+--------+

usergroup:

    +----------+-----------+----------+
    | UserName | GroupName | priority |
    +----------+-----------+----------+
    | test     | A1        |        1 |
    | test     | A2        |        1 |
    | test     | A3        |        1 |
    +----------+-----------+----------+

radgroupcheck:

    +----+-----------+----------------+----+-------+
    | id | GroupName | Attribute      | op | Value |
    +----+-----------+----------------+----+-------+
    | 42 | A1        | NAS-Identifier | == | ID-A1 |
    | 43 | A2        | NAS-Identifier | == | ID-A2 |
    | 44 | A2        | NAS-Identifier | == | ID-A3 |
    +----+-----------+----------------+----+-------+

radgroupreply:

    +----+-----------+--------------+----+--------+
    | id | GroupName | Attribute    | op | Value  |
    +----+-----------+--------------+----+--------+
    | 52 | A1        | Auth-Type    | := | Accept |
    | 53 | A1        | Fall-Through | := | No     |
    | 54 | A2        | Auth-Type    | := | Reject |
    | 55 | A2        | Fall-Through | := | Yes    |
    | 56 | A3        | Auth-Type    | := | Accept |
    | 57 | A3        | Fall-Through | := | No     |
    +----+-----------+--------------+----+--------+

However, if the radius does not follow the algorithm described in http://wiki.freeradius.org/Rlm_sql, then this setup should not work. Do you have any suggestion or idea on how to make the scenario above work?

Regards,
Dashamir

Dashamir Hoxha wrote:

I have installed freeradius-1.1.7 in fedora8. However I find that the module rlm_sql does not work as described in this page: http://wiki.freeradius.org/Rlm_sql
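The two approaches in this thread (Orion's single Calling-Station-Id == row, and Dashamir's usergroup/radgroupcheck/radgroupreply scheme keyed on NAS-Identifier) can be tried out against sample requests with the following added example. It is not FreeRADIUS code and not rlm_sql's actual algorithm, which lives in the server and is the subject of the wiki page cited above; it is a reference model of the scheme as the poster intends it, following the documented operator semantics (== and =~ must match the request, := sets a value and is not a comparison) and a group walk in priority order that stops when Fall-Through is "No" (ties at equal priority are broken by group name here, an assumption). The rows are constructed from the quoted tables, with the third radgroupcheck row keyed to A3 as the text describes rather than to A2 as the quoted table has it. One detail the thread does not mention is added: NAS vendors send the station id in different formats (dashes, colons, upper/lower case), so a MAC comparison normalizes both sides first.

```python
"""Added example: a model of check-item and group evaluation for the
per-access-point scheme quoted in this thread.  Not FreeRADIUS code."""
import re

MAC_ATTRS = {"Calling-Station-Id", "Called-Station-Id"}


def normalize_mac(value):
    """'00-1B-D1-36-E2-85', '00:1b:d1:36:e2:85' and '001bd136e285' all map to
    '001bd136e285', so an == check works whatever format the NAS uses."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def item_matches(attr, op, value, request):
    """One check item (attr, op, value) against the request attributes (a dict)."""
    if op in (":=", "="):          # configuration item, e.g. Cleartext-Password
        return True
    got = request.get(attr)
    if got is None:                # attribute absent: a comparison cannot succeed
        return False
    if op == "==":
        if attr in MAC_ATTRS:
            return normalize_mac(got) == normalize_mac(value)
        return got == value
    if op == "=~":                 # regex applied to the raw attribute value
        return re.search(value, got) is not None
    raise ValueError("operator %r not modelled" % op)


def authorize(username, request, radcheck, radreply, usergroup, radgroupcheck, radgroupreply):
    """Return (accepted, reply items) for one request under the modelled scheme."""
    def mine(rows):
        return [r[1:] for r in rows if r[0] == username]

    if not all(item_matches(a, o, v, request) for a, o, v in mine(radcheck)):
        return False, {}
    reply = {a: v for a, o, v in mine(radreply)}          # user reply items first
    for _, group in sorted((p, g) for u, g, p in usergroup if u == username):
        if not all(item_matches(a, o, v, request) for a, o, v in radgroupcheck.get(group, [])):
            continue                                      # group check failed: skip it
        reply.update({a: v for a, o, v in radgroupreply.get(group, [])})
        if reply.get("Fall-Through", "No").lower() == "no":
            break                                         # first matching group wins
    return reply.get("Auth-Type") == "Accept", reply


# Constructed rows modelled on the tables quoted above.
RADCHECK = [("test", "User-Password", ":=", "test"), ("test", "Simultaneous-Use", ":=", "5")]
RADREPLY = [("test", "Auth-Type", ":=", "Reject"), ("test", "Fall-Through", ":=", "Yes")]
USERGROUP = [("test", "A1", 1), ("test", "A2", 1), ("test", "A3", 1)]
RADGROUPCHECK = {"A1": [("NAS-Identifier", "==", "ID-A1")],
                 "A2": [("NAS-Identifier", "==", "ID-A2")],
                 "A3": [("NAS-Identifier", "==", "ID-A3")]}   # keyed to A3 (see lead-in)
RADGROUPREPLY = {"A1": [("Auth-Type", ":=", "Accept"), ("Fall-Through", ":=", "No")],
                 "A2": [("Auth-Type", ":=", "Reject"), ("Fall-Through", ":=", "Yes")],
                 "A3": [("Auth-Type", ":=", "Accept"), ("Fall-Through", ":=", "No")]}


def allowed_from(nas_identifier, user="test"):
    """Would this user be accepted from the access point with this NAS-Identifier?"""
    accepted, _ = authorize(user, {"NAS-Identifier": nas_identifier},
                            RADCHECK, RADREPLY, USERGROUP, RADGROUPCHECK, RADGROUPREPLY)
    return accepted


if __name__ == "__main__":
    for nas in ("ID-A1", "ID-A2", "ID-A3", "ID-A9"):
        print(nas, allowed_from(nas))
    # Orion's single-row approach, with the NAS sending a dashed upper-case MAC:
    print(item_matches("Calling-Station-Id", "==", "001bd136e285",
                       {"Calling-Station-Id": "00-1B-D1-36-E2-85"}))
```

Running it shows the intended outcome (accept from A1 and A3, reject from A2 and from any unlisted access point); whether the real server produces the same result depends on rlm_sql honouring Fall-Through across groups as the wiki page describes, which is exactly the point Dashamir raises.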
Re: Administering with MySQL DB
Andy Smith wrote:

Erm, thanks. But I'm trying to work out how I administer the data in MySQL. Are there no utilities for entering data? If I have to enter data manually with SQL insert etc. can anyone point me at some docs explaining the format the information should be in??

There are many applications, depending on what you want to use radius for. For example I use Radius Manager. It is not free (open source), but it is also not expensive. If you have your own application for managing users, it is not so difficult to connect it to the database of radius. However you have to understand first how radius works. These pages can be useful:

http://wiki.freeradius.org/SQL_HOWTO
http://wiki.freeradius.org/Rlm_sql
http://wiki.freeradius.org/Operators

However I would advise you to use the latest release, freeradius-2.

Good luck,
Dashamir