RE: SNMP error
Hello,

I am also curious about the answer on this question! Are there any plans to implement AgentX protocol into freeradius project? Alan?

Kind regards,
E:S

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Amr el-Saeed
Sent: Tuesday, 05 February 2008 09:05
To: FreeRadius users mailing list
Subject: Re: SNMP error

> Hi,
>
> any suggestions about what to do to make snmp work on 64-bit??
>
> Amr el-Saeed wrote:
>> Dear Alan,
>>
>> I built from the source file that I downloaded from freeradius.org.
>> I suspected the 64-bit. I made several trials, and here is the result:
>>
>>     freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL3 , 32-bit   working
>>     freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL5 , 32-bit   working
>>     freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL5 , 64-bit   NOT working
>>     freeradius-1.1.7 , snmp-5.3.1-19.el5   , RHEL5 , 32-bit   NOT working
>>     freeradius-1.1.7 , snmp-5.3.1-19.el5   , RHEL5 , 64-bit   NOT working
>>
>> any comments??
>>
>> [EMAIL PROTECTED] wrote:
>>>> Hi, I have OS RHEL5
>>>
>>> it looks like it didn't build with the required debug parts - once again, as you are using the SPEC for your distro they could have other things that mess it up - I can only help if you build from the source and leave package management stuff alone.
>>>
>>> alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius2 and proxing
In freeradius 1, if I need to proxy requests whose realms are remote, I put the following in proxy.conf:

    realm DEFAULT {
        type     = radius
        authhost = remote.server1.com:1812
        accthost = remote.server1.com:1813
        secret   =
        ldflag   = round_robin
        nostrip
    }

    realm DEFAULT {
        type     = radius
        authhost = remote.server2.com:1812
        accthost = remote.server2.com:1813
        secret   =
        ldflag   = round_robin
        nostrip
    }

I've tried to put the same lines in my freeradius2 config file and it does not work as expected. radius -X output:

    rlm_realm: Looking up realm extern.realm.com for User-Name = [EMAIL PROTECTED]
    rlm_realm: No such realm extern.realm.com

Then, the request is done locally.

If I put this domain explicitly in my proxy.conf file, it works fine:

    realm extern.realm.com {
        type     = radius
        authhost = remote.server2.com:1812
        accthost = remote.server2.com:1813
        secret   =
        ldflag   = round_robin
        nostrip
    }

radius -X output:

    rlm_realm: Looking up realm extern.realm.com for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm extern.realm.com
    rlm_realm: Proxying request from user anonymous to realm extern.realm.com
    rlm_realm: Adding Realm = extern.realm.com
    rlm_realm: Preparing to proxy accounting request to realm extern.realm.com

Regards,
Vincent Magnin
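For reference, here is how the two round-robin "realm DEFAULT" entries from the 1.x proxy.conf above map onto the 2.0 proxy.conf layout, where a realm no longer names hosts directly but points at a home_server_pool of home_server entries. This is an added example, not configuration from the original post or from the FreeRADIUS distribution; the host names are taken from the post, while the home_server and pool names and the shared secrets are placeholders.

```conf
#  Added example: FreeRADIUS 2.0 proxy.conf equivalent of two 1.x
#  "realm DEFAULT" entries with "ldflag = round_robin" and "nostrip".
#  Host names come from the post above; the secrets are placeholders
#  and must match what each home server has in its clients.conf.

home_server remote1_auth {
	type   = auth
	ipaddr = remote.server1.com      # a literal IP address also works
	port   = 1812
	secret = CHANGE_ME_secret_for_server1
}
home_server remote1_acct {
	type   = acct
	ipaddr = remote.server1.com
	port   = 1813
	secret = CHANGE_ME_secret_for_server1
}
home_server remote2_auth {
	type   = auth
	ipaddr = remote.server2.com
	port   = 1812
	secret = CHANGE_ME_secret_for_server2
}
home_server remote2_acct {
	type   = acct
	ipaddr = remote.server2.com
	port   = 1813
	secret = CHANGE_ME_secret_for_server2
}

#  "ldflag = round_robin" becomes a load-balance pool: requests are
#  spread across the listed home servers instead of failing over.
home_server_pool remote_auth_pool {
	type        = load-balance
	home_server = remote1_auth
	home_server = remote2_auth
}
home_server_pool remote_acct_pool {
	type        = load-balance
	home_server = remote1_acct
	home_server = remote2_acct
}

#  A single DEFAULT realm that references the pools.  "nostrip" keeps
#  the full user@realm in User-Name when the request is forwarded.
realm DEFAULT {
	auth_pool = remote_auth_pool
	acct_pool = remote_acct_pool
	nostrip
}
```

With this in place, run radiusd -X and watch the rlm_realm lines for a user from an unknown domain: the lookup for the explicit realm is still expected to fail, but the request should then be matched against DEFAULT and proxied rather than handled locally.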
Re: SNMP error
Hi,

any suggestions about what to do to make snmp work on 64-bit??

Amr el-Saeed wrote:
> Dear Alan,
>
> I built from the source file that I downloaded from freeradius.org.
> I suspected the 64-bit. I made several trials, and here is the result:
>
>     freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL3 , 32-bit   working
>     freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL5 , 32-bit   working
>     freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL5 , 64-bit   NOT working
>     freeradius-1.1.7 , snmp-5.3.1-19.el5   , RHEL5 , 32-bit   NOT working
>     freeradius-1.1.7 , snmp-5.3.1-19.el5   , RHEL5 , 64-bit   NOT working
>
> any comments??
>
> [EMAIL PROTECTED] wrote:
>>> Hi, I have OS RHEL5
>>
>> it looks like it didn't build with the required debug parts - once again, as you are using the SPEC for your distro they could have other things that mess it up - I can only help if you build from the source and leave package management stuff alone.
>>
>> alan
Configuring radrelay using proxy.conf in v2.0.1
Dear Everyone,

Need some advice/help on configuring the proxy.conf to replicate the radrelay function that was available in v1.1.3. However I was not able to find any information so far, as radrelay has been deprecated in v2.0.1.

Previously I had used

    /usr/local/bin/radrelay -n name_of_radius_server detail-combined -f

to relay the details to another radius server. How will the configuration be done in proxy.conf in v2.0.1?

Thanks/Regards,
Ryan
Re: SNMP error
Amr el-Saeed wrote:
> any suggestions about what to do to make snmp work on 64-bit??

Debug it and submit a patch.

Alan DeKok.
Re: SNMP error
Edvin Seferovic wrote:
> I am also curious about the answer on this question! Are there any plans to implement AgentX protocol into freeradius project?

No plans. At this point, the only plans for 2.0 are minor feature improvements and bug fixes. I plan on spending time working on the book, unless otherwise motivated.

Alan DeKok.
Re: Configuring radrelay using proxy.conf in v2.0.1
Ryan wrote:
> Need some advice/help on configuring the proxy.conf to replicate the radrelay function that was available in v1.1.3. However I was not able to find any information so far, as radrelay has been deprecated in v2.0.1.

radrelay has been replaced by radiusd reading directly from the detail file. See raddb/sites-available/copy-acct-to-home-server

You will likely need to grab CVS head, as I've just committed a patch to fix some issues with reading the detail file.

Alan DeKok.
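To make the replacement concrete, the following is an added example of a virtual server in the style of the sites-available file Alan names: a "detail" listener that re-reads the accounting detail file and sets Proxy-To-Realm so each record is forwarded, which is the 2.x equivalent of the "radrelay -n name_of_radius_server detail-combined -f" command from the question. It is not the distribution's own file or the project's code; the realm name "home" is a placeholder and must be defined in proxy.conf with an acct_pool, and the filename is assumed to match what the "detail" module writes in the main server's accounting section.

```conf
#  Added example (not the distribution's own copy-acct-to-home-server):
#  a virtual server that replays the accounting detail file to a home
#  server.  Enable it by symlinking into raddb/sites-enabled/.
#  "home" is a placeholder realm that must exist in proxy.conf.

server copy-acct-to-home-server {
	listen {
		type = detail

		#  The detail file written by the "detail" module in the
		#  accounting section of the main server.  The reader
		#  renames it to a .work file while it is being replayed,
		#  so records survive a restart or an unreachable home server.
		filename = ${radacctdir}/detail

		#  How hard to push replay, 1 (gentle) to 100 (as fast as
		#  the home server will take it).
		load_factor = 10
	}

	#  Each replayed Accounting-Request runs through preacct here.
	#  Setting control:Proxy-To-Realm is what triggers proxying,
	#  exactly as it does for live requests in the main server.
	preacct {
		preprocess
		update control {
			Proxy-To-Realm := "home"
		}
	}
}
```

Because the detail file is only written for packets the main server has already accepted and logged, this keeps the local accounting record as the source of truth and never depends on the home server being up when the NAS sends the packet; check radiusd -X for "Proxying request ... to home server" lines as the file is replayed.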
Re: rlm_ldap.c
Kevin J wrote:
> In ldap.c:2660, there is a condition check to see if vals_idx is zero
>
>     2660    if (!vals_idx){
>     2661        pairdelete(pairs, newpair->attribute);
>     2662    }
>     2663    pairadd(pairlist, newpair);
>
> this code line makes Radius not append any reply attribute if the number of attributes is greater than 1. Any thought on why we need this here?

No... it deletes all existing attributes of that type the first time through the loop.

Alan DeKok.
Re: Problems using EAP-TLS with freeradius version 2
Jeffrey Hutzelman wrote on 04.02.2008 00:43:
> --On Thursday, January 31, 2008 05:42:50 PM +0100 Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED] wrote:
>> If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your client certificates they might not work with Windows built-in supplicant.
>
> This is not surprising, if that is the only EKU in the cert.

I was talking about a set of EKUs like MS Smartcard Logon in combination with clientAuth and e.g. e-mail protection... even if I did not state that clearly enough.

Windows does not like to use EE-certs containing EKUs clientAuth and MS Smartcard Logon for EAP-TLS with its built-in supplicant.

--
Best regards / Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop on Security in Networked Systems, 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Attributes sent to proxy servers ...
Hi,

Noticed with CVS head that all attributes (including internal ones) appear to be getting proxied. Is this just a cosmetic thing?

    Sending Access-Request of id 11 to 194.82.174.185 port 1812
        Framed-MTU = 1480
        NAS-IP-Address = 139.184.8.16
        NAS-Identifier = hp-e-its-dev8021x-sw1
        User-Name = [EMAIL PROTECTED]
        Event-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = 1
        Called-Station-Id = 001438fb9400
        Calling-Station-Id = 001b63a3a8dd
        Connect-Info = CONNECT Ethernet 100Mbps Full duplex
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 700
        State = 0x06441900
        EAP-Message = 0x0244002b19001703010020c006fdcd03d0e15b7001c3e94e1a45340325626fed36c7c97450769dc33c587f
        Message-Authenticator = 0x
        Proxy-State = 0x313035
    Proxying request 60 to home server 194.82.174.185 port 1812
    Sending Access-Request of id 11 to 194.82.174.185 port 1812
        Framed-MTU = 1480
        NAS-IP-Address = 139.184.8.16
        NAS-Identifier = hp-e-its-dev8021x-sw1
        User-Name = [EMAIL PROTECTED]
        Event-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = 1
        Called-Station-Id = 001438fb9400
        Calling-Station-Id = 001b63a3a8dd
        Connect-Info = CONNECT Ethernet 100Mbps Full duplex
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 700
        State = 0x06441900
        EAP-Message = 0x0244002b19001703010020c006fdcd03d0e15b7001c3e94e1a45340325626fed36c7c97450769dc33c587f
        Message-Authenticator = 0x
        Stripped-User-Name = [EMAIL PROTECTED]
        Realm = jrs
        EAP-Type = PEAP
        Called-Station-SSID =
        Packet-Src-Ip-Address-Oct1 = 139
        Packet-Src-Ip-Address-Oct2 = 184
        Packet-Src-Ip-Address-Oct3 = 8
        Packet-Src-Ip-Address-Oct4 = 16
        SS-Flags = 01
        NAS-Flags = 01001011000
        Supplicant-Flags = 000100
        SQL-User-Name = [EMAIL PROTECTED]
        Realm = jrs
        Proxy-State = 0x313035
    Going to the next request

Thanks
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: Attributes sent to proxy servers ...
hi,

you are still pre-proxy attr filtering?

alan
FreeRADIUS and RSA RADIUS Server
Hello,

I have not many experiences with radius, so my question may be stupid. Has anybody experience with using freeradius (Version 1.1.3 in Debian Sarge) as proxy for RSA RADIUS Server included in RSA Authentication Manager 6.1?

I need to solve the following problem with the Agent host, i.e. the host which sends the authentication request to RSA Auth Manager. When an authentication request goes through the freeradius proxy, RSA Manager thinks that the Agent host is my freeradius proxy instead of the original host which sent the authentication request. Below is pasted part of the pre-proxy detail log and debug log.

part of output from: freeradius -X:

    Sending Access-Request of id 0 to 10.100.25.2 port 1812
        User-Name = jakub
        User-Password = 1234628665
        NAS-IP-Address = 127.0.1.1
        NAS-Identifier = ssh
        NAS-Port = 21704
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = 10.5.0.39
        Proxy-State = 0x313039

output of /var/log/freeradius/radacct/10.5.0.31/pre-proxy-detail-20080204:

    Packet-Type = Access-Request
    Mon Feb 4 23:55:50 2008
        User-Name = jakub
        User-Password = 1234628665
        NAS-IP-Address = 127.0.1.1
        NAS-Identifier = ssh
        NAS-Port = 21704
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = 10.5.0.39
        Client-IP-Address = 10.5.0.31
        Stripped-User-Name = jakub
        Realm = NULL
        Realm = NULL
        Proxy-State = 0x313039

Does this mean that freeradius processes all attributes from the pre-proxy-detail-20080204 log, but sends only the attributes which are shown in extended debug mode? If so, can anybody give me any advice on how I can configure freeradius to send more attributes?

Jakub
FR2 - proxying inner tunnel
Hi!

Does anyone here have working inner tunnel proxying with freeradius 2.0.x? Still having troubles with doing EAP-PEAP-MSCHAPv2 authorization. Switched to FreeRadius 2.0.1 from 1.1.7.

What I need: extract MSCHAPv2 auth from PEAP, proxy auth to an external server which knows nothing about EAP.

All configs are almost default from the distribution. Key changes in eap.conf:

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = no
        virtual_server = proxy-inner-tunnel
    }

proxy-inner-tunnel is taken from the examples with a modified realm name:

    server proxy-inner-tunnel {
        authorize {
            update control {
                Proxy-To-Realm := xxx
            }
        }
    }

As a result, no proxying has been done by freeradius:

    PEAP: Sending tunneled request
        EAP-Message = 0x0206000801616161
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = aaa
    server proxy-inner-tunnel {
    Tue Feb 5 14:56:01 2008 : Debug: +- entering group authorize
    Tue Feb 5 14:56:01 2008 : Debug: ++[control] returns notfound
    } # server proxy-inner-tunnel
    PEAP: Got tunneled reply RADIUS code 0
    Tue Feb 5 14:56:01 2008 : Debug: PEAP: Tunneled authentication will be proxied to xxx
    Tue Feb 5 14:56:01 2008 : Debug: Tunneled session will be proxied. Not doing EAP.
    Tue Feb 5 14:56:01 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 6
    Tue Feb 5 14:56:01 2008 : Debug: ++[eap] returns handled
    Tue Feb 5 14:56:01 2008 : Debug: There was no response configured: rejecting request 6
    Tue Feb 5 14:56:01 2008 : Debug: Found Post-Auth-Type Reject
    Tue Feb 5 14:56:01 2008 : Debug: +- entering group REJECT

--
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
Re: Attributes sent to proxy servers ...
[EMAIL PROTECTED] wrote:
> hi,
>
> you are still pre-proxy attr filtering?
>
> alan

No, didn't really see the point.. Internal attributes aren't meant to be proxied, and those are the only ones I really wanted filtering out.

Looks like something very strange is going on with proxying accounting packets as well.

    rad_recv: Accounting-Request packet from host 139.184.8.16 port 1026, id=225, length=141
        Acct-Session-Id = 004E0019
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 15
        NAS-Port = 1
        Calling-Station-Id = 00-1B-63-A3-A8-DD
        Event-Type = Framed-User
        NAS-IP-Address = 139.184.8.16
        NAS-Identifier = hp-e-its-dev8021x-sw1
        User-Name = [EMAIL PROTECTED]
    server default-outer {
    +- entering group preacct
    ++? if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/)
        expand: %{User-Name} -> [EMAIL PROTECTED]
    ? Evaluating (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) -> TRUE
    ++? if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) -> TRUE
    ++- entering if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/)
    +++? if (!%{2}||(%{2} == 'sussex.ac.uk'))
        expand: %{2} -> loopback.sussex.ac.uk
    ? Evaluating loopback.sussex.ac.uk -> FALSE
        expand: %{2} -> loopback.sussex.ac.uk
    ? Evaluating (%{2} == 'sussex.ac.uk') -> FALSE
    +++? if (!%{2}||(%{2} == 'sussex.ac.uk')) -> FALSE
    +++- entering else else
        expand: [EMAIL PROTECTED] -> [EMAIL PROTECTED]
    [request] returns noop
    +++- else else returns noop
    ++- if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) returns noop
    ++ ... skipping else for request 20: Preceding if was taken
        expand: %{Realm} -> %{2}
    ++- entering switch %{Realm}
    +++- entering case
    [control] returns noop
    [request] returns noop
    +++- case returns noop
    ++- switch %{Realm} returns noop
    ++? if (%{Called-Station-Id} =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
        expand: %{Called-Station-Id} ->
    ? Evaluating (%{Called-Station-Id} =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> FALSE
    ++? if (%{Called-Station-Id} =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> FALSE
    ++? if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
        expand: %{Calling-Station-Id} -> 00-1B-63-A3-A8-DD
    ? Evaluating (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
    ++? if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
    ++- entering if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
        expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001B63A3A8DD
    +++[request] returns noop
    ++- if (%{Calling-Station-Id} =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns noop
    ++? if (%{NAS-Port-Id} =~ /wl[0-9]*/)
        expand: %{NAS-Port-Id} ->
    ? Evaluating (%{NAS-Port-Id} =~ /wl[0-9]*/) -> FALSE
    ++? if (%{NAS-Port-Id} =~ /wl[0-9]*/) -> FALSE
    ++? if ((%{NAS-Port-Type} == 'Wireless-802.11')||(%{NAS-Port-Type} == 'Ethernet'))
        expand: %{NAS-Port-Type} ->
    ?? Evaluating (%{NAS-Port-Type} == 'Wireless-802.11') -> FALSE
        expand: %{NAS-Port-Type} ->
    ?? Evaluating (%{NAS-Port-Type} == 'Ethernet') -> FALSE
    ++? if ((%{NAS-Port-Type} == 'Wireless-802.11')||(%{NAS-Port-Type} == 'Ethernet')) -> FALSE
    ++? if (%{NAS-IP-Address} == '127.0.0.1')
        expand: %{NAS-IP-Address} -> 139.184.8.16
    ? Evaluating (%{NAS-IP-Address} == '127.0.0.1') -> FALSE
    ++? if (%{NAS-IP-Address} == '127.0.0.1') -> FALSE
        expand: %{Client-Shortname} -> hp-e-its-dev8021x-sw1
    ++[request] returns noop
    rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
    rlm_acct_unique: Hashing ',NAS-Port = 1,NAS-IP-Address = 139.184.8.16,Acct-Session-Id = 004E0019,User-Name = [EMAIL PROTECTED]'
    rlm_acct_unique: Acct-Unique-Session-ID = 67d4bffd71faf76b.
    ++[acct_unique] returns ok
    +- entering group accounting
        expand: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 -> /var/log/radiusd/20080205/accounting-detail-12:00
    rlm_detail: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 expands to /var/log/radiusd/20080205/accounting-detail-12:00
        expand: %{Packet-Src-IP-Address} - %t -> 139.184.8.16 - Tue Feb 5 12:49:09 2008
    ++[accounting_log] returns ok
        expand: %{Stripped-User-Name} -> [EMAIL PROTECTED]
        expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT
Re: Attributes sent to proxy servers ...
Arran Cudbard-Bell wrote:
> Noticed with CVS head that all attributes (including internal ones) appear to be getting proxied. Is this just a cosmetic thing?

It's just a cosmetic thing. The internal attributes are being printed, but not sent.

I don't see why it's happening, though. The code in src/lib/radius.c doesn't print internal attributes in debugging mode... Does this happen in 2.0.1?

Alan DeKok.
Re: Attributes sent to proxy servers ...
Arran Cudbard-Bell wrote:
> ...
> Looks like something very strange is going on with proxying accounting packets as well.
> ...
> Where have all the attributes gone ?!!?

I think you did a cvs update without re-building everything.

Alan DeKok.
Re: Attributes sent to proxy servers ...
Never mind...

    ++[sql] returns ok
        expand: %{User-Name} -> [EMAIL PROTECTED]
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated

*sigh* All works now.

Might be an idea to replace

    accounting {
        ...
        # Filter attributes from the accounting response.
        attr_filter.accounting_response
    }

With

    accounting {
        ...
        # Filter attributes from the accounting response.
        if(!%{control:Proxy-To-Realm}){
            attr_filter.accounting_response
        }
    }

In the default config, or create a Post-Acct section for the filter to live in. Else all proxied accounting requests will have their attributes stripped out.

Still getting internal attributes displayed...

    Sending Accounting-Request of id 206 to 194.82.174.185 port 1813
        Acct-Session-Id = 004E001B
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        NAS-Port = 1
        Calling-Station-Id = 001B63A3A8DD
        Event-Type = Framed-User
        NAS-IP-Address = 139.184.8.16
        NAS-Identifier = hp-e-its-dev8021x-sw1
        User-Name = [EMAIL PROTECTED]
        Stripped-User-Name = [EMAIL PROTECTED]
        Realm = jrs
        Acct-Unique-Session-Id = 98c00d277000c63a
        SQL-User-Name = [EMAIL PROTECTED]
        Realm = jrs
        Proxy-State = 0x323532

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: FreeRADIUS and RSA RADIUS Server
Jakub Morávek wrote:
> In RSA terminology Agent host is host which sends authentication request.
> ...
> In my case RSA rejects user1 access, because RSA thinks that user1 wants to log into freeradius and there is no freeradius Agent host defined in RSA database.

So... you might need to define one.

> My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.

The Client-IP-Address attribute is not sent in a packet. The RADIUS protocol uses the originating IP address to determine the client.

I would suggest reading the RSA documentation to see how to make it think that FreeRADIUS is not the originating host. If the documentation does not define how to do that, it is likely impossible.

Alan DeKok.
Re: Attributes sent to proxy servers ...
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Might be an idea to replace
>>
>>     accounting {
>>         ...
>>         # Filter attributes from the accounting response.
>>         if(!%{control:Proxy-To-Realm}){
>>             attr_filter.accounting_response
>
> I'll look into it...
>
>> Still getting internal attributes displayed...
>
> Fixed.

Yep confirmed.

    Sending Accounting-Request of id 108 to 194.82.174.185 port 1813
        Acct-Session-Id = 004E002C
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        NAS-Port = 1
        Calling-Station-Id = 001B63A3A8DD
        Service-Type = Framed-User
        NAS-IP-Address = 139.184.8.16
        NAS-Identifier = hp-e-its-dev8021x-sw1
        User-Name = [EMAIL PROTECTED]
        Proxy-State = 0x313931
    Proxying request 9 to home server 194.82.174.185 port 1813
    Sending Accounting-Request of id 108 to 194.82.174.185 port 1813
        Acct-Session-Id = 004E002C
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        NAS-Port = 1
        Calling-Station-Id = 001B63A3A8DD
        Service-Type = Framed-User
        NAS-IP-Address = 139.184.8.16
        NAS-Identifier = hp-e-its-dev8021x-sw1
        User-Name = [EMAIL PROTECTED]
        Proxy-State = 0x313931
    Going to the next request

Thanks :)

Small cosmetic one

    Module: Instantiating attr_filter.access_reject
     attr_filter attr_filter.access_reject {
        attrsfile = /etc/raddb/filters/attrs.access_reject
        key = %{User-Name}
     }
    [/etc/raddb/filters/attrs.access_reject]:11 WARNING! Check item Event-Type found in filter list for realm DEFAULT.
    }
    }

That's not a 'Check-Item', that's a user defined internal attribute.

> Alan DeKok.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: FreeRADIUS and RSA RADIUS Server
Ivan Kalik wrote:
>> My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.
>
> Ahem, your first post:
>
>> output of /var/log/freeradius/radacct/10.5.0.31/pre-proxy-detail-20080204:
>>
>>     Packet-Type = Access-Request
>>     Mon Feb 4 23:55:50 2008
>>         User-Name = jakub
>>         User-Password = 1234628665
>>         NAS-IP-Address = 127.0.1.1
>>         NAS-Identifier = ssh
>>         NAS-Port = 21704
>>         NAS-Port-Type = Virtual
>>         Service-Type = Authenticate-Only
>>         Calling-Station-Id = 10.5.0.39
>>         Client-IP-Address = 10.5.0.31     ===
>>         Stripped-User-Name = jakub
>>         Realm = NULL
>>         Realm = NULL
>>         Proxy-State = 0x313039
>
> Ivan Kalik
> Kalik Informatika ISP

No. This was a bug, Alan just fixed it. It's cosmetic. 'Client-IP-Address' is never sent!

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: FreeRADIUS and RSA RADIUS Server
> My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.

Ahem, your first post:

> output of /var/log/freeradius/radacct/10.5.0.31/pre-proxy-detail-20080204:
>
>     Packet-Type = Access-Request
>     Mon Feb 4 23:55:50 2008
>         User-Name = jakub
>         User-Password = 1234628665
>         NAS-IP-Address = 127.0.1.1
>         NAS-Identifier = ssh
>         NAS-Port = 21704
>         NAS-Port-Type = Virtual
>         Service-Type = Authenticate-Only
>         Calling-Station-Id = 10.5.0.39
>         Client-IP-Address = 10.5.0.31     ===
>         Stripped-User-Name = jakub
>         Realm = NULL
>         Realm = NULL
>         Proxy-State = 0x313039

Ivan Kalik
Kalik Informatika ISP
Re: FR2 - proxying inner tunnel
Dmitry Sergienko wrote:
> Does anyone here have working inner tunnel proxying with freeradius 2.0.x? Still having troubles with doing EAP-PEAP-MSCHAPv2 authorization. Switched to FreeRadius 2.0.1 from 1.1.7.

I think the issue was introduced recently. Try editing src/main/event.c, function request_post_handler()

    ...
    if (request->root->proxy_requests &&
        /* !request->proxy && */            // comment out this line
        !request->in_proxy_hash &&          // add this line
        (request->reply->code == 0) &&
        (request->packet->dst_port != 0) &&
        (request->packet->code != PW_STATUS_SERVER)) {
    ...

Re-build, install. See if that helps...

Alan DeKok.
Re: Attributes sent to proxy servers ...
Arran Cudbard-Bell wrote:
> Might be an idea to replace
>
>     accounting {
>         ...
>         # Filter attributes from the accounting response.
>         if(!%{control:Proxy-To-Realm}){
>             attr_filter.accounting_response

I'll look into it...

> Still getting internal attributes displayed...

Fixed.

Alan DeKok.
Re: FreeRADIUS and RSA RADIUS Server
First of all thanks for your reply. I'll try to be more specific.

On Feb 5, 2008 2:58 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> Jakub Morávek wrote:
>> I have not many experiences with radius, so my question may be stupid. Has anybody experience with using freeradius (Version 1.1.3 in Debian Sarge) as proxy for RSA RADIUS Server included in RSA Authentication Manager 6.1?
>
> Many people have tried this. It works.

I know, but I did not find anyone who discussed this problem.

>> When an authentication request goes through the freeradius proxy, RSA Manager thinks that the Agent host is my freeradius proxy instead of the original host which sent the authentication request.
>
> I don't know what an Agent host is. FreeRADIUS *is* a RADIUS client to the RSA manager.

In RSA terminology Agent host is host which sends authentication request. For example, if you want to set up ssh-server to authenticate ssh login against RSA, you have to add ssh-server (name and its ip address) into RSA database and set up list of users which are allowed to log into ssh-server. If user1 tries to access ssh-server, ssh-server sends authentication request to RSA. RSA looks into database if user1 is allowed to log into ssh-server host. In my case RSA rejects user1 access, because RSA thinks that user1 wants to log into freeradius and there is no freeradius Agent host defined in RSA database.

>> Does this mean that freeradius processes all attributes from the pre-proxy-detail-20080204 log, but sends only the attributes which are shown in extended debug mode? If so, can anybody give me any advice on how I can configure freeradius to send more attributes?
>
> To do... what?

My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.

> Alan DeKok.

Jakub
Re: FreeRADIUS and RSA RADIUS Server
Jakub Morávek wrote:
> First of all thanks for your reply. I'll try to be more specific.
>
> On Feb 5, 2008 2:58 PM, Alan DeKok [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
>> Jakub Morávek wrote:
>>> I have not many experiences with radius, so my question may be stupid. Has anybody experience with using freeradius (Version 1.1.3 in Debian Sarge) as proxy for RSA RADIUS Server included in RSA Authentication Manager 6.1?
>>
>> Many people have tried this. It works.
>
> I know, but I did not find anyone who discussed this problem.
>
>>> When authentication request goes through freeradius proxy, RSA Manager thinks that Agent host is my freeradius proxy instead of original host which sent authenticate request.
>>
>> I don't know what an Agent host is. FreeRADIUS *is* a RADIUS client to the RSA manager.
>
> In RSA terminology Agent host is host which sends authentication request. For example, if you want to set up ssh-server to authenticate ssh login against RSA, you have to add ssh-server (name and its ip address) into RSA database and set up list of users which are allowed to log into ssh-server. If user1 tries to access ssh-server, ssh-server sends authentication request to RSA. RSA looks into database if user1 is allowed to log into ssh-server host. In my case RSA rejects user1 access, because RSA thinks that user1 wants to log into freeradius and there is no freeradius Agent host defined in RSA database.
>
>>> Does this mean, that freeradius process all attributes from pre-proxy-detail-20080204 log, but sends only attributes, which are shown in extended debug mode? If so, can anybody give me any advice how can I configure freeradius to send more attributes?
>>
>> To do... what?
>
> My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.

Erm no, you're wrong. 'Client-IP-Address' is an internal FreeRADIUS attribute. If it was sent the Funk RADIUS server wouldn't understand it... but it's not sent, as all FR internal attributes are filtered out.

The RSA Funk Server determines Agent Host identity from the UDP Packet Header, not any of the attributes inside the RADIUS Packet. It could in theory use NAS-IP-Address as an identifier, but I doubt it does.

>> Alan DeKok.
>
> Jakub

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
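The point Arran makes above, that a RADIUS server identifies its client from the UDP source address and not from anything inside the packet, in working code. This is an added example of mine, not FreeRADIUS or RSA code: the client table, the addresses 192.0.2.10 (the NAS) and 192.0.2.20 (the FreeRADIUS proxy) and the shared secrets are constructed. It builds an Access-Request, looks the client up by datagram source the way clients.conf does, and verifies the Message-Authenticator (RFC 2869) with that client's secret; NAS-IP-Address is parsed too, but it is only a client-supplied attribute. The same request arriving from the proxy's address is attributed to the proxy, which is exactly what the RSA server's Agent Host lookup is doing.

```python
"""Client identity in RADIUS comes from the UDP source address.

Added example, not FreeRADIUS or RSA code. Addresses, names and secrets
below are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed client table keyed on source IP, like clients.conf.
CLIENTS = {
    "192.0.2.10": {"name": "ssh-server", "secret": b"nas-secret"},
    "192.0.2.20": {"name": "freeradius-proxy", "secret": b"proxy-secret"},
}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs (1-byte type, 1-byte length)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident, authenticator, attrs, secret):
    """Build an Access-Request whose Message-Authenticator is HMAC-MD5 over the
    packet with the attribute value zeroed (RFC 2869 section 5.14)."""
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac        # the authenticator is the last attribute


def parse(packet):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value)])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + ln]))
        pos += ln
    return code, ident, packet[4:20], attrs


def verify_message_authenticator(packet, secret):
    _, _, _, attrs = parse(packet)
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    got = next(v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR)
    return hmac.compare_digest(expected, got)


def identify_client(src_ip, packet):
    """Server-side view: the client is whoever the datagram came from.
    Returns (client name, authenticator valid, NAS-IP-Address attribute) or
    None for an unknown source, which FreeRADIUS silently drops."""
    client = CLIENTS.get(src_ip)
    if client is None:
        return None
    valid = verify_message_authenticator(packet, client["secret"])
    _, _, _, attrs = parse(packet)
    nas_ip = next((str(ipaddress.IPv4Address(v)) for t, v in attrs
                   if t == ATTR_NAS_IP_ADDRESS), None)
    return client["name"], valid, nas_ip


def scenario():
    attrs = [(ATTR_USER_NAME, b"user1"),
             (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed)]
    auth = bytes(range(16))   # constructed; a real client uses 16 random bytes
    direct = build_access_request(7, auth, attrs, CLIENTS["192.0.2.10"]["secret"])
    # The proxy forwards the same attributes but signs with its own secret.
    proxied = build_access_request(7, auth, attrs, CLIENTS["192.0.2.20"]["secret"])
    return {
        "direct": identify_client("192.0.2.10", direct),
        "proxied": identify_client("192.0.2.20", proxied),
        "wrong_secret": identify_client("192.0.2.20", direct),
        "unknown": identify_client("198.51.100.9", direct),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

In the "proxied" case the server names the proxy even though NAS-IP-Address still says 192.0.2.10; trusting that attribute instead of the source address would let any client claim to be any NAS, which is why servers key on the source and a shared secret bound to it.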
Cisco 1200 AP
I have configured a Cisco 1200 AP for WPA2-PSK which is working with a wireless device able to connect OK. I have tried to add MAC authentication using the FreeRadius server, but have not been able to get it working. I can see from the FreeRadius log that the AP is sending the Access-Request packet and an Access-Accept response is being returned but the wireless device is unable to connect. Has anyone setup this configuration and got it working?

Regards,
John
Re: Cisco 1200 AP
Hello,

which firmware version?

bye
julian

On 05.02.2008 at 17:05 John Melton wrote:
> I have configured a Cisco 1200 AP for WPA2-PSK which is working with a wireless device able to connect OK. I have tried to add MAC authentication using the FreeRadius server, but have not been able to get it working. I can see from the FreeRadius log that the AP is sending the Access-Request packet and an Access-Accept response is being returned but the wireless device is unable to connect. Has anyone setup this configuration and got it working?
>
> Regards,
> John
Re: Cisco 1200 AP
Hi,

1200 AP is running c1200-k9w7-mx.123-8.JEB1

--
John

Julian Stöver wrote:
> Hello,
>
> which firmware version?
>
> bye
> julian
>
> On 05.02.2008 at 17:05 John Melton wrote:
>> I have configured a Cisco 1200 AP for WPA2-PSK which is working with a wireless device able to connect OK. I have tried to add MAC authentication using the FreeRadius server, but have not been able to get it working. I can see from the FreeRadius log that the AP is sending the Access-Request packet and an Access-Accept response is being returned but the wireless device is unable to connect. Has anyone setup this configuration and got it working?
>>
>> Regards,
>> John
Re: Cisco 1200 AP
> but the wireless device is unable to connect. Has anyone setup this configuration and got it working?

You did:

> that the AP is sending the Access-Request packet and an Access-Accept response is being returned

Problems you are having are not with radius. How are you setting IP address etc.?

Ivan Kalik
Kalik Informatika ISP
Re: Cisco 1200 AP
Is the wireless device sending its own mac or the client's mac address? There's sometimes a bug (CSCsj17603) with the firmware where the Cisco 1200 AP sends its own mac address; in this case you should update your firmware. For detailed information read the cisco docs. If it's a freeradius bug you should post the debug log.

bye
julian

On 05.02.2008 at 17:30 John Melton wrote:
> Hi,
>
> 1200 AP is running c1200-k9w7-mx.123-8.JEB1
>
> --
> John
>
> Julian Stöver wrote:
>> Hello,
>>
>> which firmware version?
>>
>> bye
>> julian
>>
>> On 05.02.2008 at 17:05 John Melton wrote:
>>> I have configured a Cisco 1200 AP for WPA2-PSK which is working with a wireless device able to connect OK. I have tried to add MAC authentication using the FreeRadius server, but have not been able to get it working. I can see from the FreeRadius log that the AP is sending the Access-Request packet and an Access-Accept response is being returned but the wireless device is unable to connect. Has anyone setup this configuration and got it working?
>>>
>>> Regards,
>>> John
Re: FreeRADIUS and RSA RADIUS Server
The RSA Authentication Server does not take requests from undefined agents. All Agent Hosts must be defined in the Server's Agent Host list. However, we are talking about RADIUS requests here; from the RSA Server's point of view, the RADIUS server is the agent host making the request to it via the RSA SecurID APIs. If you look at the RSA Server documentation you will find information on how to define Agent Hosts that happen to be RADIUS servers.

Furthermore, there is a feature in our system that will also extend such "protection" to the NASes that originated the RADIUS request. This is a defense in depth to prevent rogue access points and the like. If this feature is enabled, all NASes that generate RSA auth requests must also be defined as Agent Hosts in the RSA Server's db. The originating IP address of the RADIUS request is passed up to the RSA server and looked up.

You can turn that feature off at the Agent Host interface between RADIUS and SecurID:
- If using the Windows EAP plugins, it's in the RSA Security Center application, Remote EAP Configuration page, Authentication Settings dialog, "Enable RADIUS Client Check" check box.
- If using the RSA RADIUS server, open the securid.ini file and change the setting of CheckUserAllowedByClient=1 to =0 in the [Configuration] section and restart the server.

This is documented in the manual.

Dave.

Feb 5, 2008 10:37:46 AM, freeradius-users@lists.freeradius.org wrote:
> Jakub Morávek wrote:
>> In RSA terminology "Agent hosts" is host which sends authentication request.
>> In my case RSA rejects "user1" access, because RSA thinks, that "user1" wants to log into "freeradius" and there is no "freeradius" Agent host defined in RSA database.
>
> So... you might need to define one.
>
>> My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.
>
> The Client-IP-Address attribute is not sent in a packet. The RADIUS protocol uses the originating IP address to determine the client. I would suggest reading the RSA documentation to see how to make it think that FreeRADIUS is not the originating host. If the documentation does not define how to do that, it is likely impossible.
>
> Alan DeKok.
freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3
Greetings

I have been working with freeradius v.2.0.1 and a Cisco 1200 Series Access Point (version 12.3 IOS) for many months now with no success to getting this working. I am doing research on freeradius product for a university campus that I go to for implementation in the near future. I am out of ideas of how to configure this correctly. I still to this day do not have my Cisco 1200 AP authenticating with freeradius version 2.0.1. Does anyone have a configuration setup of this type of scheme or are willing to tell me how to start from ground up to make this work.

My plan is simple at this point. I want to use freeradius, a Cisco 1200 Series Access Point, and one windows xp pro client to connect to the AP and authenticate against freeradius. I appreciate any input on this matter. Thanks again open source community.

Dave
Re: freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3
Dave Cummings wrote:
> Greetings
>
> I have been working with freeradius v.2.0.1 and a Cisco 1200 Series Access Point (version 12.3 IOS) for many months now with no success to

2.0.1 has not been out for many months

> getting this working. I am doing research on freeradius product for a university campus that I go to for implementation in the near future. I am out of ideas of how to configure this correctly. I still to this day do not have my Cisco 1200 AP authenticating with freeradius version 2.0.1. Does anyone have a configuration setup of this type of scheme or are willing to tell me how to start from ground up to make this work.
>
> My plan is simple at this point. I want to use freeradius, a Cisco 1200 Series Access Point, and one windows xp pro client to connect to the AP and authenticate against freeradius. I appreciate any input on this matter. Thanks again open source community.

Lots of people have done this. However, you haven't given enough info for us to help you. In fact, you've given *NO* info. See here:

http://linuxmafia.com/faq/Essays/smart-questions.html

Also, have you tried running the server in debug mode, as documented in the README? This will tell you what the server is doing when things aren't working.

When installing FreeRadius 2.0.1, the only thing you should need is to add this to /etc/raddb/users

    username    Cleartext-Password := thepassword

...and it should work. If it doesn't, by far the most likely explanation is that you have the Cisco AP configured incorrectly; you will need to examine the Cisco documentation, this is not a Cisco support list.
wiki
I assume account creation is deliberately disabled on the wiki; could whoever runs/has access create me one?
Re: freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3
Hi,

> When installing FreeRadius 2.0.1, the only thing you should need is to add this to /etc/raddb/users
>
>     username    Cleartext-Password := thepassword

..and the clients file (and maybe even the firewall on the server! ;-) ) so that the AP acting as a NAS can talk to FR :-)

> ...and it should work. If it doesn't, by far the most likely explanation is that you have the Cisco AP configured incorrectly; you will need to examine the Cisco documentation, this is not a Cisco support list.

agreed.

alan
Re: wiki
Write to Peter Nixon with your desired logon details.

Ivan Kalik
Kalik Informatika ISP

On 5/2/2008, Phil Mayers [EMAIL PROTECTED] writes:
> I assume account creation is deliberately disabled on the wiki; could whoever runs/has access create me one?
Re: freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3
Hi,

> I have been working with freeradius v.2.0.1 and a Cisco 1200 Series Access Point (version 12.3 IOS) for many months now with no success to getting this working. I am doing research on freeradius product for a university campus that I go to for implementation in the near future. I am out of ideas of how to configure this correctly. I still to this day do not have my Cisco 1200 AP authenticating with freeradius version 2.0.1. Does anyone have a configuration setup of this type of scheme or are willing to tell me how to start from ground up to make this work.
>
> My plan is simple at this point. I want to use freeradius, a Cisco 1200 Series Access Point, and one windows xp pro client to connect to the AP and authenticate against freeradius. I appreciate any input on this matter. Thanks again open source community.

most of us would simply follow the FreeRADIUS EAP-TLS guide (which covers PEAP etc too!) - which works 'out of the box' when you do a make install and run it for the first time, followed by following the cisco document on how to configure WPA for the 1200 series AP.

then, configure FreeRADIUS client.conf to allow the AP to talk to the FR server; install the FR CA cert onto the Windows client. et voila. that's most of the work done (or all of it if you EAP-TLS)

so. what exactly is your problem? have you followed the cisco docs so that your AP is configured to do WPA and has the RADIUS server configured? what's the debug output from your FR daemon?

alan
New bee to FreeRadius; need help in configuration
Hi,

I have successfully configured the Freeradius server. The one thing that I noticed is: every time I modify the clients.conf file to include a client, I have to stop the server and then start it again so that the client is picked up. I am wondering if there is any other way so that the server can refresh itself every time I add a client, automatically.

Can anybody help me out?

Thanks,
Deepak
PEAP mschapv2 Proxy not working.
Hello,

I'm having trouble getting freeradius-1.1.7 to proxy PEAP-mschapv2 to another RADIUS server. My other server doesn't do EAP, so I'm just sending mschapv2, achieved with proxy_tunneled_request_as_eap = no in eap.conf. When I proxy to my other server, I get back an Access-Accept packet. Then, freeradius sends an Access-Challenge to the client, receives a response and then things appear to break.

I am able to successfully authenticate users with PEAP by defining them locally in the users file. Additionally, I have gotten TTLS to work by proxying to another server; it's just PEAP that I'm having problems with.

The differing line in the debug seems to be:

proxied

      eaptls_process returned 7
      rlm_eap_peap: EAPTLS_OK
      rlm_eap_peap: Session established.  Decoding tunneled attributes.
      rlm_eap_peap: EAP type mschapv2

-vs- non-proxied

      eaptls_process returned 7
      rlm_eap_peap: EAPTLS_OK
      rlm_eap_peap: Session established.  Decoding tunneled attributes.
      rlm_eap_peap: Received EAP-TLV response.

I'm running a pretty standard config, I think. I can send copies of it, if that would help.

Thanks,
Andrew Olson

The complete proxied debug starting with the Access-Request is as follows:

    Sending Access-Request of id 0 to 198.82.247.36 port 1812
            User-Name = anolson
            NAS-IP-Address := 198.82.245.57
            MS-CHAP-Challenge = 0x85feba9cbed9e9191bf72a29f0f82312
            MS-CHAP2-Response = 0x0700b776d1433b4d6dab43d5bde9163e8b45ee7fcb070f3766e7e7b0f198b72754b44a9ef0255d712db1
            Proxy-State = 0x3136
            Service-Type := Framed-User
    Waking up in 6 seconds...
    rad_recv: Access-Accept packet from host 198.82.247.36:1812, id=0, length=189
            Filter-Id = CNS_NET1
            MS-CHAP2-Success = 0x07533d4343304142444332354233304645314131394238363737413941334136454631364134454634
            MS-MPPE-Send-Key = 0x7b5fcacde0c3798261894df701a5cdd5
            MS-MPPE-Recv-Key = 0x3900c03d5b5851da66e8fb27d90077f9
            MS-MPPE-Encryption-Policy = 0x0001
            MS-MPPE-Encryption-Types = 0x000e
      Processing the post-proxy section of radiusd.conf
    modcall: entering group post-proxy for request 6
      PEAP: Passing reply from proxy back into the tunnel.
      PEAP: Passing reply back for EAP-MS-CHAP-V2 0x8170500 2
      Processing the post-proxy section of radiusd.conf
    modcall: entering group post-proxy for request 6
      rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8170500 2.
      rlm_eap_mschapv2: Authentication succeeded.
      MSCHAP Success
      modcall[post-proxy]: module eap returns ok for request 6
    modcall: leaving group post-proxy (returns ok) for request 6
    POST-PROXY 2
    POST-AUTH 2
      PEAP: Got reply 11
      PEAP: Got tunneled Access-Challenge
      PEAP: Reply was handled
      modcall[post-proxy]: module eap returns ok for request 6
    modcall: leaving group post-proxy (returns ok) for request 6
    Sending Access-Challenge of id 16 to 128.173.10.131 port 56945
            EAP-Message = 0x0107005b190017030100502c303c60e1337bcb4c17a281f71910d23777fd5f4a4d5aefab92a23ff28a993aa17ebc2d6bd7567b9386fec7c4e6f2f7ae4c4655a8492000e0e473fc7e8be63a1bf372449cba9f795dc6535b04648cdb
            Message-Authenticator = 0x
            State = 0x23a96486ec5dbd008e1eddcee31dfa93
    Finished request 6
    Going to the next request
    Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 128.173.10.131:56945, id=17, length=151
            User-Name = anolson
            State = 0x23a96486ec5dbd008e1eddcee31dfa93
            EAP-Message = 0x020700541980004e170301002050f4490743b89308d9bb84f411a1629e7b6f06dd6c02c2525747560f657f63d117030100209d0c853d82e17d05938ab49201447c135a90d068d1641a23db5fc04cfcc0dd08
            Message-Authenticator = 0x3c828120c544cde1b5d4366b7e735350
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 7
      modcall[authorize]: module preprocess returns ok for request 7
      modcall[authorize]: module chap returns noop for request 7
      modcall[authorize]: module mschap returns noop for request 7
        rlm_realm: No '@' in User-Name = anolson, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 7
      rlm_eap: EAP packet type response id 7 length 84
      rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
      modcall[authorize]: module eap returns updated for request 7
      modcall[authorize]: module files returns notfound for request 7
    modcall: leaving group authorize (returns updated) for request 7
      rad_check_password:  Found Auth-Type EAP
    auth: type EAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 7
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/peap
      rlm_eap: processing type peap
      rlm_eap_peap: Authenticate
      rlm_eap_tls: processing TLS
      rlm_eap_tls: Length Included
      eaptls_verify returned 11
      eaptls_process returned 7
      rlm_eap_peap: EAPTLS_OK
      rlm_eap_peap:
Re: New bee to FreeRadius; need help in configuration
Deepak,

Have you considered using a ldap or sql backend instead of flat-file?

Vijay

On Feb 5, 2008 2:33 PM, Deepak Panigrahy [EMAIL PROTECTED] wrote:
> Hi,
>
> I have successfully configured the Freeradius server. The one thing that I noticed is: every time I modify the clients.conf file to include a client, I have to stop the server and then start it again so that the client is picked up. I am wondering if there is any other way so that the server can refresh itself every time I add a client, automatically.
>
> Can anybody help me out?
>
> Thanks,
> Deepak

--
Knowledge is the only wealth that grows as you spend it, and diminishes as you save it.
-- ancient Sanskrit saying
Re: New bee to FreeRadius; need help in configuration
Hi,

> Deepak,
>
> Have you considered using a ldap or sql backend instead of flat-file?

those, too, will need to be refreshed via a server restart - the SQL clients are only read upon start.

alan
Re: New bee to FreeRadius; need help in configuration
Hi,

I feel there should be some way so that the server can refresh itself automatically with the clients without going down.

Thanks,
Deepak

[EMAIL PROTECTED] wrote:
> Hi,
>
>> Deepak,
>>
>> Have you considered using a ldap or sql backend instead of flat-file?
>
> those, too, will need to be refreshed via a server restart - the SQL clients are only read upon start.
>
> alan
RE: Detail cisco logging
hello,

thank you for the freeradius web page, I looked at it before I asked this question. can anyone give me the right configuration of the Cisco 3560 switch to authenticate a Windows XP on a LAN network. I use TLS or PEAP.

thanks
Re: New bee to FreeRadius; need help in configuration
Users Yes, NAS No

Julian Stöver wrote:
> Hi,
>
> i think that's wrong. I can add SQL users without refreshing the server, and the debug mode also shows me how the database is requested for the user data on every request!
>
> bye
> julian
>
> On 05.02.2008 at 22:40 [EMAIL PROTECTED] wrote:
>> Hi,
>>
>>> Deepak,
>>>
>>> Have you considered using a ldap or sql backend instead of flat-file?
>>
>> those, too, will need to be refreshed via a server restart - the SQL clients are only read upon start.
>>
>> alan
Re: freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3
I have found a Cisco document (FAQ-Wireless-Security.pdf) with the following statement:

    Q. Why does MAC authentication not work with Wi-Fi Protected Access (WPA) in Cisco IOS Software Release 12.3(8)JA2?

    A. The only level of security for MAC authentication is to check the MAC address of the client against a list of permitted MAC addresses. This is considered very weak. In earlier Cisco IOS Software releases, you could configure MAC authentication and WPA to encrypt the information. But because WPA itself has a MAC address that checks, Cisco decided not to allow this type of configuration in later Cisco IOS Software releases and decided only to improve security features.

Regards,
John

On 5 Feb 2008, at 20:04, [EMAIL PROTECTED] wrote:
> Hi,
>
>> When installing FreeRadius 2.0.1, the only thing you should need is to add this to /etc/raddb/users
>>
>>     username    Cleartext-Password := thepassword
>
> ..and the clients file (and maybe even the firewall on the server! ;-) ) so that the AP acting as a NAS can talk to FR :-)
>
>> ...and it should work. If it doesn't, by far the most likely explanation is that you have the Cisco AP configured incorrectly; you will need to examine the Cisco documentation, this is not a Cisco support list.
>
> agreed.
>
> alan
RE: Detail cisco logging
Well, look again. Same question was asked and answered today. Different Cisco device but that doesn't change a thing.

Ivan Kalik
Kalik Informatika ISP

On 5/2/2008, hamid benane [EMAIL PROTECTED] writes:
> hello,
>
> thank you for the freeradius web page, I looked at it before I asked this question. can anyone give me the right configuration of the Cisco 3560 switch to authenticate a Windows XP on a LAN network. I use TLS or PEAP.
>
> thanks
Re: FR2 - proxying inner tunnel
Hi!

Alan DeKok wrote:
> Dmitry Sergienko wrote:
>> Does anyone here have working inner tunnel proxying with freeradius 2.0.x? Still having troubles with doing EAP-PEAP-MSCHAPv2 authorization. Switched to FreeRadius 2.0.1 from 1.1.7.
>
> I think the issue was introduced recently. Try editing src/main/event.c, function request_post_handler()
>
>     ...
>     if (request->root->proxy_requests &&
>         /* !request->proxy && */        // comment out this line
>         !request->in_proxy_hash &&      // add this line
>         (request->reply->code == 0) &&
>         (request->packet->dst_port != 0) &&
>         (request->packet->code != PW_STATUS_SERVER)) {
>     ...
>
> Re-build && install. See if that helps...

Thanks for the tip. successfully_proxied_request() also needs patching:

    /*
     *  If it was already proxied, do nothing.
     *
     *  FIXME: This should really be a serious error.
     */
    /* if (request->in_proxy_hash || request->proxy) { */
    if (request->in_proxy_hash) {
        return 0;
    }

AFAIU this function relies on empty request->packet, but it is not empty because it has been filled in eappeap_process():

    /*
     *  Seed the proxy packet with the
     *  tunneled request.
     */
    rad_assert(request->proxy == NULL);
    request->proxy = fake->packet;

The second oddity: when setting proxy_tunneled_request_as_eap = no, proxying is not working because no inner MSCHAPv2 request is extracted. Debug looks like this:

    Wed Feb  6 00:33:09 2008 : Debug: PEAP: Calling authenticate in order to initiate tunneled EAP session.
    Wed Feb  6 00:33:09 2008 : Debug: WARNING: Unknown value specified for Auth-Type.  Cannot perform requested action.

Solution is quite simple: write down the following in proxy-inner-tunnel file after authorize {} section:

    authenticate {
        eap
    }

module_authenticate() is being called in eappeap_process() to extract MSCHAPv2 request and when there is no authenticate section in the virtual server, proxying will fail. IMHO it will be useful to have these lines in example proxy-inner-tunnel as a comment for proxy_tunneled_request_as_eap set to no.

Maybe someone will run into the same issue and spend several hours or days to figure out how to fix this.

--
Best regards,
Dmitry Sergienko
password failover
Hello,

How do I set up a freeradius server so that if the password fails for the primary radius server it tries the secondary for the password. In my scenario, the primary is up and servicing requests, but the password for the device is incorrect. Now the device looks to the secondary to get authorized and the secondary holds the correct secret for the device. I have looked at fail-over and load-balancing but am not sure if either of these are what I am looking for. Can someone tell me what I am looking for and I can do the rest.

Thanks for any help,
Jon
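Jon's scenario above is a shared-secret mismatch: the NAS and the primary server hold different secrets. The following added example (mine, not FreeRADIUS code; the password, secrets and Request Authenticator are constructed) implements the User-Password hiding of RFC 2865 section 5.2 that a PAP client performs, including the block chaining for passwords longer than 16 bytes, and shows what a server holding the wrong secret recovers: garbage, which fails the comparison against the stored password. The server therefore answers with a definite Access-Reject. RADIUS clients normally fail over only when no reply arrives at all, so a reject from the primary is not something the NAS retries against the secondary; the secret on the primary has to be corrected.

```python
"""RFC 2865 section 5.2 User-Password hiding, used to show what a server
that holds the wrong shared secret actually sees.

Added example, not FreeRADIUS code. Password, secrets and Request
Authenticator below are constructed.
"""
import hashlib
import hmac


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_authenticator):
    """Client side: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block          # chaining: next key block depends on this ciphertext block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side: regenerate the same key stream from the received blocks."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")   # drop padding (a password must not end in NUL)


def server_decision(hidden, secret, request_authenticator, stored_password):
    """What the server replies. With the wrong secret the recovered bytes are
    garbage, the PAP comparison fails, and the reply is an Access-Reject,
    which is a valid reply, not the silence that triggers NAS failover."""
    recovered = reveal_password(hidden, secret, request_authenticator)
    ok = hmac.compare_digest(recovered, stored_password)
    return "Access-Accept" if ok else "Access-Reject"


# Constructed values standing in for Jon's scenario.
PASSWORD = b"correct horse battery staple"     # 28 bytes, so two blocks are chained
NAS_SECRET = b"secret-known-to-the-nas"
PRIMARY_SECRET = b"stale-secret-on-primary"    # the mismatch
SECONDARY_SECRET = NAS_SECRET                  # the secondary is configured correctly
REQUEST_AUTHENTICATOR = bytes(range(16))       # real clients use 16 random bytes


def scenario():
    hidden = hide_password(PASSWORD, NAS_SECRET, REQUEST_AUTHENTICATOR)
    return {
        "primary": server_decision(hidden, PRIMARY_SECRET, REQUEST_AUTHENTICATOR, PASSWORD),
        "secondary": server_decision(hidden, SECONDARY_SECRET, REQUEST_AUTHENTICATOR, PASSWORD),
    }


if __name__ == "__main__":
    print(scenario())   # primary: Access-Reject, secondary: Access-Accept
```

For an Access-Request carrying a Message-Authenticator (EAP, or a server that requires it) the mismatch shows up even earlier: the HMAC check fails and FreeRADIUS discards the packet without replying, which is the one case where a timeout-based NAS would move on to the secondary.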
Re: FreeRADIUS and RSA RADIUS Server
Jakub Morávek wrote:
> I have not many experiences with radius, so my question may be stupid. Has anybody experience with using freeradius (Version 1.1.3 in Debian Sarge) as proxy for RSA RADIUS Server included in RSA Authentication Manager 6.1?

Many people have tried this. It works.

> When authentication request goes through freeradius proxy, RSA Manager thinks that Agent host is my freeradius proxy instead of original host which sent authenticate request.

I don't know what an Agent host is. FreeRADIUS *is* a RADIUS client to the RSA manager.

> Does this mean, that freeradius process all attributes from pre-proxy-detail-20080204 log, but sends only attributes, which are shown in extended debug mode? If so, can anybody give me any advice how can I configure freeradius to send more attributes?

To do... what?

Alan DeKok.