Re: virtual server and clients from sql
Alan DeKok wrote:
> Norbert Wegener wrote:
>> will this be in 2.0.6 by default?
>
> Yes. It's also in 2.0.5, if you're willing to try it out in a testing environment.

I will try it, but what about the comment from [EMAIL PROTECTED]:

> the logic is in rlm_sql.c already, all you need to do is update your nas_query so that it looks like eg
>
> SELECT id,nasname,shortname,type,secret,virtual_server FROM nas
>
> then it'll pull in the details from the DB
>
> alan

where those changes alone did not seem to help... So in 2.0.5 something seems to be missing.

Norbert Wegener

> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: virtual server and clients from sql
Norbert Wegener wrote:
> where those changes alone did not seem to help...

See raddb/sql/mysql/nas.sql

The field name is server, not virtual_server. And it's commented out by default.

> So in 2.0.5 something seems to be missing.

The SQL tables have to be updated to contain the right information, too. Once that's done, and the queries updated, it should work.

Alan DeKok.
EAP-SIM and EAP-AKA fast-reauth support
Hi all,

I have a question about EAP-SIM and EAP-AKA authentication. Is fast-reauthentication supported (in eap or eap2 module)?

Thanks in advance for your answers.

Geoff.
Re: virtual server and clients from sql
[EMAIL PROTECTED] wrote:
>> Hi,
>>
>> Modified nas_query:
>>
>> {"nas_query", PW_TYPE_STRING_PTR, offsetof(SQL_CONFIG,nas_query), NULL, "SELECT id,nasname,shortname,type,secret,server FROM nas"},
>>
>> rebuild the server.
>
> huh? that's the default query in the code - if you edit sql.conf and modify nas_query in the config it will do the required task.

Correct, thanks. I have been confused by the nas_query in rlm_sql.c

Norbert Wegener

> alan
Re: EAP-SIM and EAP-AKA fast-reauth support
Geoffroy Arnoud wrote:
> I have a question about EAP-SIM and EAP-AKA authentication. Is fast-reauthentication supported (in eap or eap2 module)?

Fast re-authentication is supported only in the eap2 module, so far as I know.

We should add the EAP-AKA patches to rlm_eap at some point. I've been avoiding it because the patches do a *lot* of cut & paste of existing code, rather than re-using it.

Alan DeKok.
radius user disconnection and same account multiplication problem in radacct
A new doubt. Is there any way to safely disconnect a user from the radius server, in a way that it auto disconnects him from the nas (a pppoe server)? And about that Packet of Disconnect, is it still working?

I forgot to cite the version I'm using, and considering the message was sent on the weekend, with less chance of being read, I'm replying to it. If I'm doing wrong, I apologize, but I still trust in your experience to provide me with some ideas.

I'm using all the latest stuff (Freeradius 2.0.3) from the ports repository on a FreeBSD 6.3. The server is an ISP in production and we have to restart the connection suite (pppoe, radius, firewall) every time some account starts to multiply itself, so the users that are multiplying can log in again, and not receive the message 'Still logged in'.

I'll be really grateful for any reply. Thanks again.

> Hi again,
>
> I solved the last trouble with ippool.db using the sqlippool instead. But I got a new shining problem. :)
>
> Now, almost everything seems to be working fine. Almost, 'cause I have some account multiplication in the radacct table. Only a few users are doing that. And the multiplication doesn't stop while the users remain logged on. Only a few appear in the table; I'm using a unique index with acctstarttime and nasipaddress. And the numbers of radacctid jump a lot (from 1400 to 4000, for example).
>
> I'm also using set rad_alive 40 in ppp.conf and, in radiusd.conf, cleanup_delay 8 and max_request_time 50. All that with chap authentication.
>
> Select on one of the users who get the problem:
>
> | radacctid | acctsessionid | acctuniqueid | username | groupname | realm | nasipaddress | nasportid | nasporttype | acctstarttime | acctstoptime | acctsessiontime | acctauthentic | connectinfo_start | connectinfo_stop | acctinputoctets | acctoutputoctets | calledstationid | callingstationid | acctterminatecause | servicetype | framedprotocol | framedipaddress | acctstartdelay | acctstopdelay | xascendsessionsvrkey |
> | 14419 | 37142-user212151719 | | user2 | | | XXX.XXX.XXX.252 | 688 | Ethernet | 2008-07-04 08:46:31 | NULL | 0 | | | | 0 | 0 | | X | | Framed-User | PPP | XXX.XXX.XXX.182 | 0 | 0 | |
> | 14421 | 37142-user212151719 | | user2 | | | XXX.XXX.XXX.252 | 688 | Ethernet | 2008-07-04 08:46:34 | NULL | 40 | | | NULL | 31795 | 102873 | | X | | Framed-User | PPP | XXX.XXX.XXX.182 | 0 | NULL | |
> | 14424 | 37142-user212151719 | | user2 | | | XXX.XXX.XXX.252 | 688 | Ethernet | 2008-07-04 08:46:37 | NULL | 80 | | | NULL | 59226 | 215383 | | X | | Framed-User | PPP | XXX.XXX.XXX.182 | 0 | NULL | |
>
> Radius log exactly when the problem starts:
>
> 74242 Fri Jul 4 03:40:25 2008 : Info: Ready to process requests.
> 74243 Fri Jul 4 03:41:02 2008 : Info: Allocated IP: XXX.XXX.XXX.121 from valid (did cli 0 port 678 user x)
> 74244 Fri Jul 4 03:41:10 2008 : Info: Allocated IP: XXX.XXX.XXX.179 from valid (did cli 0 port 679 user x)
> 74245 Fri Jul 4 04:40:00 2008 : Info: Allocated IP: XXX.XXX.XXX.186 from valid (did cli 0 port 680 user x)
> 74246 Fri Jul 4 06:37:33 2008 : Info: Allocated IP: XXX.XXX.XXX.67 from valid (did cli 0 port 681 user x)
> 74247 Fri Jul 4 06:57:05 2008 : Info: Released IP XXX.XXX.XXX.67 (did cli 0 user x)
> 74248 Fri Jul 4 07:01:50 2008 : Info: Allocated IP: XXX.XXX.XXX.153 from valid (did cli 0 port 682 user x)
> 74249 Fri Jul 4 07:07:34 2008 : Info: Allocated IP: XXX.XXX.XXX.105 from valid (did cli 0 port 683 user x)
> 74250 Fri Jul 4 07:29:44 2008 : Info: Released IP XXX.XXX.XXX.186 (did cli 0 user x)
> 74251 Fri Jul 4 07:33:22 2008 : Info: Allocated IP: XXX.XXX.XXX.141 from valid (did cli 0 port 684 user
Re: radius user disconnection and same account multiplication problem inradacct
> A new doubt. Is there any way to safely disconnect a user from the radius server, in a way that it auto disconnects him from the nas (a pppoe server)?

Users are not connected to the radius server, so there is no need to disconnect them.

> The server is an ISP in production and we have to restart the connection suite (pppoe, radius, firewall) every time some account starts to multiply itself, so the users that are multiplying can log in again, and not receive the message 'Still logged in'.

Radius server is working fine. Your NAS is broken.

> | radacctid | acctsessionid | acctuniqueid | username | groupname | realm | nasipaddress | nasportid | nasporttype | acctstarttime | acctstoptime | acctsessiontime | acctauthentic | connectinfo_start | connectinfo_stop | acctinputoctets | acctoutputoctets | calledstationid | callingstationid | acctterminatecause | servicetype | framedprotocol | framedipaddress | acctstartdelay | acctstopdelay | xascendsessionsvrkey |
> | 14419 | 37142-user212151719 | | user2 | | | XXX.XXX.XXX.252 | 688 | Ethernet | 2008-07-04 08:46:31 | NULL | 0 | | | | 0 | 0 | | X | | Framed-User | PPP | XXX.XXX.XXX.182 | 0 | 0 | |
> | 14421 | 37142-user212151719 | | user2 | | | XXX.XXX.XXX.252 | 688 | Ethernet | 2008-07-04 08:46:34 | NULL | 40 | | | NULL | 31795 | 102873 | | X | | Framed-User | PPP | XXX.XXX.XXX.182 | 0 | NULL | |
> | 14424 | 37142-user212151719 | | user2 | | | XXX.XXX.XXX.252 | 688 | Ethernet | 2008-07-04 08:46:37 | NULL | 80 | | | NULL | 59226 | 215383 | | X | | Framed-User | PPP | XXX.XXX.XXX.182 | 0 | NULL | |

It's sending different start times for this session. Fix your NAS to do accounting properly. Or get one that works.

Ivan Kalik
Kalik Informatika ISP
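Added example (not from either poster): a Python check that reads a radacct dump like the one quoted above and reports open sessions for which the NAS has recorded Accounting-Start more than once with different start times. A unique index on acctstarttime and nasipaddress cannot catch these, because every repeated start carries a new timestamp; grouping by acctsessionid and nasipaddress exposes them. The rows are the user2 rows from the dump, cut down to the relevant columns, plus one constructed healthy row.

```python
from collections import defaultdict

# Constructed sample: the three user2 rows from the radacct dump above (values as
# shown on the page, columns reduced) plus one made-up single-row session (user3).
RADACCT_DUMP = """\
| radacctid | acctsessionid | username | nasipaddress | nasportid | acctstarttime | acctstoptime | acctsessiontime |
| 14419 | 37142-user212151719 | user2 | XXX.XXX.XXX.252 | 688 | 2008-07-04 08:46:31 | NULL | 0 |
| 14421 | 37142-user212151719 | user2 | XXX.XXX.XXX.252 | 688 | 2008-07-04 08:46:34 | NULL | 40 |
| 14424 | 37142-user212151719 | user2 | XXX.XXX.XXX.252 | 688 | 2008-07-04 08:46:37 | NULL | 80 |
| 14430 | 51000-user3 | user3 | XXX.XXX.XXX.252 | 690 | 2008-07-04 09:00:00 | NULL | 0 |
"""


def parse_dump(text):
    """Parse a mysql-client style pipe table into a list of dicts.

    The first '|' line is the header; '+---+' border lines and blank lines are
    ignored, so the output of a plain SELECT in the mysql client can be pasted in.
    """
    rows = []
    header = None
    for line in text.splitlines():
        if not line.strip().startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def find_restarted_sessions(rows):
    """Return one finding per (acctsessionid, nasipaddress) that has more than one
    open row (acctstoptime NULL) with differing acctstarttime values.

    That pattern means the NAS is sending a fresh Accounting-Start (with a new
    start time) for a session that is already open, instead of an Interim-Update.
    """
    groups = defaultdict(list)
    for row in rows:
        if row["acctstoptime"] == "NULL":
            groups[(row["acctsessionid"], row["nasipaddress"])].append(row)

    findings = []
    for (session, nas), members in sorted(groups.items()):
        starts = sorted({m["acctstarttime"] for m in members})
        if len(starts) > 1:
            findings.append({
                "username": members[0]["username"],
                "acctsessionid": session,
                "nasipaddress": nas,
                "open_rows": len(members),
                "start_times": starts,
            })
    return findings


if __name__ == "__main__":
    for finding in find_restarted_sessions(parse_dump(RADACCT_DUMP)):
        print("%(username)s on %(nasipaddress)s: %(open_rows)d open rows for "
              "session %(acctsessionid)s, start times %(start_times)s" % finding)
```

The same grouping can be expressed as a GROUP BY on radacct with HAVING COUNT(DISTINCT acctstarttime) > 1 once the pattern is confirmed on the dump.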
about EAP using 1.1.7 and 2.0.3
Hi All,

I've an issue about EAP in 802.1X. Right now, I'm trying EAP-MD5 for 802.1X using freeradius 2.0.3 and a procurve switch; sadly it doesn't work. But when I'm using freeradius 1.1.7 it works smoothly. I've tried not only using the native Windows XP SP2 supplicant but also wpa_supplicant. Both don't work using freeradius2. I've also tried reinstalling freeradius 2.0.3 (I forgot, using mercurial). I thought I misconfigured something... but even using a fresh-from-the-oven configuration it still just doesn't work. Here is the debug:

Sending duplicate reply to client test port 1024 - ID: 4
Cleaning up request 2 ID 4 with timestamp +46
Ready to process requests.
        Framed-MTU = 1480
        NAS-IP-Address = 192.168.12.130
        NAS-Identifier = ProCurve Switch 2650
        User-Name = testing
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = 1
        Called-Station-Id = 00-1c-2e-73-85-00
        Calling-Station-Id = 00-0a-e4-13-58-c7
        Connect-Info = CONNECT Ethernet 100Mbps Full duplex
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 1
        EAP-Message = 0x023a000c0174657374696e67
        Message-Authenticator = 0x55d6fa8c198752bd6c62c351b234a57b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = testing, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 58 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
        users: Matched entry testing at line 102
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!
!!! Please update your configuration so that the known good
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 2
        NAS-Port-Type = Ethernet
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 101
        EAP-Message = 0x013b001604101fee1ce904aea0659f790123de5bc761
        Message-Authenticator = 0x
        State = 0x9e1dcf679e26cbc870b5fae6a11d133d
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Sending duplicate reply to client test port 1024 - ID: 4 --- any clue what is it ?
Cleaning up request 3 ID 4 with timestamp +56
Ready to process requests.

From the wpa_supplicant's debug it broke right before the EAP message method, so it (the supplicant) doesn't receive any MD5 Challenge from radius.

Anyone have the same problem? I'd really appreciate any help.

Thank you
Ryan Setiawan H
Re: virtual server and clients from sql
Norbert Wegener wrote:
> I took today's cvs/git, modified the nas table:
...
> Modified nas_query:
> {"nas_query", PW_TYPE_STRING_PTR,

Err raddb/sql/mysql/dialup.conf, nas_query. :)

It's not in the default config yet, but it should be updated before 2.0.6 is released.

Alan DeKok.
Re: about EAP using 1.1.7 and 2.0.3
Ryan Setiawan H wrote:
> Hi All,
>
> I've an issue about EAP in 802.1X. right now, I'm trying EAP-MD5 for 802.1X using freeradius 2.0.3

Use 2.0.5. Or, install raddb/sites-available/inner-tunnel from the source tree.

Alan DeKok.
Re: FR on CentOS 5 via yum?
On Mon, 2008-07-07 at 20:51 +0200, Jos Vos wrote:
> On Mon, Jul 07, 2008 at 02:27:18PM -0400, John Dennis wrote:
>> NOTE: The Fedora src rpms were never meant to build on RHEL (centos), you may encounter build problems as a consequence. YMMV, you're on your own :-)
>
> I have recently built the Fedora 2.0.5-1 src.rpm on RHEL4, so it will probably also build ok on RHEL5. For RHEL4 I had to comment out the following lines in the spec file:
>
> BuildRequires: libtool-ltdl-devel
> BuildRequires: perl-devel
>
> Furthermore, comment out the first line of %post (chown ...), as this is a bug and will be removed in the next Fedora RPM.

Likewise we have CentOS 5.2 servers, but have rebuilt FR 5.0.1 from the source RPM from a Fedora 10 mirror. For that just comment out the 'perl-devel' from the spec file, run 'rpmbuild -ba freeradius.spec', then install the 'freeradius', 'freeradius-libs' and 'freeradius-utils' RPMs. It works fine.

John.

--
---
John Horne, University of Plymouth, UK    Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]                 Fax: +44 (0)1752 587001
Re: about EAP using 1.1.7 and 2.0.3
> users: Matched entry testing at line 102

What is this entry? Does it contain Cleartext-Password as debug clearly suggests? Fix that.

> Sending duplicate reply to client test port 1024 - ID: 4 --- any clue what is it ?

Your supplicant is sending the initial request again. Server is responding with the duplicate reply assuming the supplicant didn't receive the initial reply.

Ivan Kalik
Kalik Informatika ISP
ASSERT FAILED
As snmp is not available right now, I am looking into how to deal with statistics, status_server and played a bit. This way I was able to kill freeradius...

First I noticed:

radclient: dict_init: /usr/share/freeradius//dictionary.freeradius[47]: dict_addattr: attribute name too long

I commented out a few of the long-named values.

Now with

cat x | radclient -d /usr/share/freeradius/ 127.0.0.1 status adminsecret

where x contains:

Message-Authenticator = 0x00
FreeRADIUS-Statistics-Type=1

I got:

rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, length=50
        Message-Authenticator = 0x32f28212809676b99d5943988a714aa8
        FreeRADIUS-Statistics-Type = Authentication
ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE
Abgebrochen

Norbert Wegener
Re: ASSERT FAILED
Hi,

> As snmp is not available right now, I am looking into how to deal with statistics, status_server and played a bit. This way I was able to kill freeradius...
>
> First I noticed:
>
> radclient: dict_init: /usr/share/freeradius//dictionary.freeradius[47]: dict_addattr: attribute name too long
>
> I commented out a few of the long-named values.
>
> Now with
>
> cat x | radclient -d /usr/share/freeradius/ 127.0.0.1 status adminsecret
>
> where x contains:
>
> Message-Authenticator = 0x00
> FreeRADIUS-Statistics-Type=1
>
> I got:
>
> rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, length=50
>         Message-Authenticator = 0x32f28212809676b99d5943988a714aa8
>         FreeRADIUS-Statistics-Type = Authentication
> ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE
> Abgebrochen

have you enabled the statistics virtual server? copy or link the entry in sites-available/

alan
Re: ASSERT FAILED
Norbert Wegener wrote:
> As snmp is not available right now, I am looking into how to deal with statistics, status_server and played a bit. This way I was able to kill freeradius...

Whoops. The intent was to allow Status-Server to any port, but to permit the statistics only to a status port.

> First I noticed:
>
> radclient: dict_init: /usr/share/freeradius//dictionary.freeradius[47]: dict_addattr: attribute name too long
>
> I commented out a few of the long-named values.

Hmm... If src/include/libradius.h has a DICT_ATTR with attrname[40], then you have an old copy of the source. This was fixed in a commit on June 19.

> rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, length=50
>         Message-Authenticator = 0x32f28212809676b99d5943988a714aa8
>         FreeRADIUS-Statistics-Type = Authentication
> ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE
> Abgebrochen

Grab an update from the new CVS tree:

cvs -d :pserver:[EMAIL PROTECTED]:/freeradius-server.git checkout -d radiusd master

You should be able to just copy src/main/listen.c from there to your existing tree, so you don't have to do a full configure/make again.

Alan DeKok.
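Added example, not from the thread: what the radclient invocation above puts on the wire, built in Python so the receiving side's Message-Authenticator check can be shown too. It assumes the FreeRADIUS vendor id 11344 and attribute number 127 for FreeRADIUS-Statistics-Type (both from dictionary.freeradius); the resulting 50-byte packet matches the length=50 in the quoted rad_recv line. The shared secret and id are the ones from the quoted session; the Request Authenticator is constructed.

```python
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12              # RADIUS code for Status-Server (RFC 5997)
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
VENDOR_FREERADIUS = 11344       # FreeRADIUS enterprise number (assumed from dictionary.freeradius)
VSA_STATISTICS_TYPE = 127       # FreeRADIUS-Statistics-Type (assumed from dictionary.freeradius)
STATS_AUTHENTICATION = 1        # the "1" / "Authentication" value used in the radclient input


def encode_vsa(vendor, vsa_type, value):
    """One Vendor-Specific attribute (26) carrying a 4-byte integer sub-attribute."""
    inner = struct.pack(">BBI", vsa_type, 6, value)          # vsa type, vsa length, value
    payload = struct.pack(">I", vendor) + inner
    return struct.pack(">BB", ATTR_VENDOR_SPECIFIC, 2 + len(payload)) + payload


def build_status_server(secret, ident, stats_type, authenticator=None):
    """Build a Status-Server request with a valid Message-Authenticator.

    The Message-Authenticator is HMAC-MD5 keyed with the shared secret over the
    whole packet with the attribute's own 16 value bytes zeroed (RFC 2869 / 5997).
    """
    if authenticator is None:
        authenticator = os.urandom(16)   # Request Authenticator is random for Status-Server
    attrs = encode_vsa(VENDOR_FREERADIUS, VSA_STATISTICS_TYPE, stats_type)
    attrs += struct.pack(">BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    header = struct.pack(">BBH", STATUS_SERVER, ident, 20 + len(attrs)) + authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac            # the placeholder is the last 16 bytes


def parse_attributes(packet):
    """Return [(type, value), ...] and the offset of the Message-Authenticator value."""
    attrs, ma_offset, pos = [], None, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            ma_offset = pos + 2
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs, ma_offset


def verify_message_authenticator(packet, secret):
    """Receiver-side check: recompute the HMAC with the MA bytes zeroed and compare."""
    if len(packet) < 20 or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    _, ma_offset = parse_attributes(packet)
    if ma_offset is None:
        return False                      # Status-Server without MA is not trustworthy
    zeroed = packet[:ma_offset] + b"\x00" * 16 + packet[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[ma_offset:ma_offset + 16])


def statistics_type(packet):
    """Extract the FreeRADIUS-Statistics-Type integer, or None if absent."""
    attrs, _ = parse_attributes(packet)
    for atype, value in attrs:
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 10:
            vendor = struct.unpack(">I", value[:4])[0]
            if vendor == VENDOR_FREERADIUS and value[4] == VSA_STATISTICS_TYPE:
                return struct.unpack(">I", value[6:10])[0]
    return None


if __name__ == "__main__":
    pkt = build_status_server(b"adminsecret", 117, STATS_AUTHENTICATION)
    print("length=%d, MA valid=%s, stats type=%s" % (
        len(pkt), verify_message_authenticator(pkt, b"adminsecret"), statistics_type(pkt)))
```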
Re: ASSERT FAILED
[EMAIL PROTECTED] wrote:
>> Hi,
>> ...
>> I got:
>>
>> rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, length=50
>>         Message-Authenticator = 0x32f28212809676b99d5943988a714aa8
>>         FreeRADIUS-Statistics-Type = Authentication
>> ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE
>> Abgebrochen
>
> have you enabled the statistics virtual server? copy or link the entry in sites-available/

In radiusd.conf:

status_server = yes

If you mean the status file from sites-available: It is linked to sites-enabled.

Norbert Wegener

> alan
Re: ASSERT FAILED
Alan DeKok wrote:
> Norbert Wegener wrote:
>> As snmp is not available right now, I am looking into how to deal with statistics, status_server and played a bit. This way I was able to kill freeradius...
>
> Whoops. The intent was to allow Status-Server to any port, but to permit the statistics only to a status port.
>
>> First I noticed:
>>
>> radclient: dict_init: /usr/share/freeradius//dictionary.freeradius[47]: dict_addattr: attribute name too long
>>
>> I commented out a few of the long-named values.
>
> Hmm... If src/include/libradius.h has a DICT_ATTR with attrname[40], then you have an old copy of the source. This was fixed in a commit on June 19.
>
>> rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, length=50
>>         Message-Authenticator = 0x32f28212809676b99d5943988a714aa8
>>         FreeRADIUS-Statistics-Type = Authentication
>> ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE
>> Abgebrochen
>
> Grab an update from the new CVS tree:
>
> cvs -d :pserver:[EMAIL PROTECTED]:/freeradius-server.git checkout -d radiusd master
>
> You should be able to just copy src/main/listen.c from there to your existing tree, so you don't have to do a full configure/make again.

Thanks, works now.

Norbert Wegener

> Alan DeKok.
Re: xp sp3 and freeradius 2.0.5
Hello Alan.

> further to previous post - your log shows several WARNING entries - fix those.

Yes, fixed with eap.conf indications.

> finally, read eap.conf - especially the part about Windows systems not responding to EAP challenges...which is what your log looks like

I've read it again, this time consciously, but I think it is already there; maybe I'm missing something, please correct me. As I know, SP3 already brings the patch needed with SP2.

As you noted, the client gets Access-Accept once, but then for some reason I don't know, it loses the connection and never gets access to the network. On Windows the network icon shows "trying to connect", then later gets the exclamation sign on the icon. I first thought it was something with the VLAN assignment, so I removed it and let it stay on VLAN 1, but the same behavior.

Other things that made me doubt were the username received by FR: most of the time it is the machine name, host/caja02.cosmart.bo, instead of the domain username, COSMART\\jat. So, as Tom pointed out in a previous email, I'm using the wired configuration service in Windows services; I'm not doing wireless at all, so I disabled MPPE keys, put use_mppe = no in the mschap module, but messages like these continue to appear with radiusd -X:

        MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
        MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480

Last, I will regenerate the certs the new way; sorry, I stayed with 1.X long ago and recently upgraded to 2.0.5. What I did was to copy the certs directory from my previous working setup; I guess there's something different. I'll let you know as soon as possible.

Best regards.

Oxiel
Re: xp sp3 and freeradius 2.0.5
> As you noted, the client gets Access-Accept once, but then for some reason I don't know, it loses the connection and never gets access to the network. On Windows the network icon shows "trying to connect", then later gets the exclamation sign on the icon. I first thought it was something with the VLAN assignment, so I removed it and let it stay on VLAN 1, but the same behavior.

Certificates are fine, radius server is fine. Your NAS is dropping the connection. Debug the NAS and see what it is complaining about.

It's quite normal for Windows domain access to authenticate the machine first and the user later, once the machine is on the network.

Ivan Kalik
Kalik Informatika ISP
mod_auth_radius-2.0.c patch to support Apache 2.2.x
Hi,

I've tried sending this directly to the author, but there seems to be a problem somewhere, so I'm sending it to the list instead. Maybe I should file it as a bug report...

This has been in the Debian package for a while now (http://packages.debian.org/libapache2-mod-auth-radius).

----- Forwarded message from Josip Rodin [EMAIL PROTECTED] -----

Date: Sat, 31 May 2008 22:37:00 +0200
From: Josip Rodin [EMAIL PROTECTED] To: Alan DeKok [EMAIL PROTECTED] Subject: mod_auth_radius-2.0.c patch to support Apache 2.2.x Hi, I'm resending the below e-mail just in case you didn't notice, it's been almost three months now. http://www.freeradius.org/mod_auth_radius/ is still only shipping the old versions... On Sun, Mar 09, 2008 at 09:12:19PM +0100, Josip Rodin wrote: On Thu, Mar 06, 2008 at 03:36:27AM +0100, Josip Rodin wrote: On Sat, Jul 21, 2007 at 06:08:23PM +0200, joy wrote: Is the mod_auth_radius-2.0.c supposed to work properly with Apache 2.2.x? I can compile it just fine, but can't get it to work on runtime. Maybe, like LDAP, this module should become a an AuthBasicProvider? I took a hint from mod_auth_xradius' changes for Apache 2.1+, and made the patch which is attached... but it still doesn't work. Apache is so annoying to debug, I need to compile the server with debugging symbols and run it through gdb... :( Okay, I debugged it a bit further (no help from gdb), and managed to produce a working patch. The problem that threw me off was the early DECLINED handling in the authenticate_basic_user() function, which got activated both when the module was inactive and when the RADIUS server definition was missing. However, these two conditions are functionally quite different, so I split the handling in two, with the latter case leaving a warning in the log file. The working patch is attached. It allows people to define: AuthBasicProvider radius and everything appears to be working well after that. -- 2. That which causes joy or happiness. --- libapache-mod-auth-radius-1.5.7.orig/mod_auth_radius-2.0.c +++ libapache-mod-auth-radius-1.5.7/mod_auth_radius-2.0.c @@ -300,6 +300,9 @@ #include apr_general.h #include apr_tables.h #include apr_strings.h +/* Apache 2.1+ */ +#include ap_provider.h +#include mod_auth.h module AP_MODULE_DECLARE_DATA radius_auth_module; 
@@ -1122,8 +1125,11 @@ * basic authentication... */ -static int -authenticate_basic_user(request_rec *r) +/* common stuff for both Apache 2.0 and 2.1+ */ +int +authenticate_basic_user_common(request_rec *r, + const char* user, + const char* sent_pw) { radius_dir_config_rec *rec = (radius_dir_config_rec *)ap_get_module_config (r-per_dir_config, radius_auth_module); @@ -1131,21 +1137,25 @@ radius_server_config_rec *scr = (radius_server_config_rec *) ap_get_module_config (s-module_config, radius_auth_module); conn_rec *c = r-connection; - const char *sent_pw; char errstr[MAX_STRING_LEN]; - int res, min; + int min; char *cookie; char *state = NULL; char message[256]; time_t expires; struct stat buf; - if (!rec-active || !scr-radius_ip) /* not active here, or no radius */ -return DECLINED;/* server declared, decline */ + /* not active here, just decline */ + if (!rec-active) +return DECLINED; + + /* no server declared, decline but note for debugging purposes -joy */ + if (!scr-radius_ip) { +ap_log_error(APLOG_MARK, APLOG_NOERRNO | APLOG_WARNING, 0, r-server, + AuthRadiusActive set, but no RADIUS server IP - missing AddRadiusAuth in this context?); +return DECLINED; + } - if ((res = ap_get_basic_auth_pw(r, sent_pw))) -return res; - if (r-user[0] == 0) /* NUL users can never be let in */ return HTTP_UNAUTHORIZED; 
@@ -1227,9 +1237,57 @@ return OK; } +/* Apache 2.1+ */ +static authn_status +authenticate_basic_user_newargs(request_rec *r, +const char *user, +const char *password) +{ + int normalreturnvalue = authenticate_basic_user_common(r, user, password); + + if (normalreturnvalue == OK) +return AUTH_GRANTED; + else if (normalreturnvalue == HTTP_UNAUTHORIZED) +return AUTH_DENIED; + else +return AUTH_GENERAL_ERROR; + /* AUTH_USER_NOT_FOUND would be nice, but the typical RADIUS server + never gives any such information, it just sends an Access-Reject + packet, no reasons given + */ +} + +/* Apache 2.0 */ +static int +authenticate_basic_user(request_rec *r) +{ + int res; + const char *sent_pw; + + /* this used to say just if ((res=...)), which relied on the fact that + OK is defined as 0, and the other states are non-0, which is then + used in a typical C fashion... but it's a
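Review bot: in hunk @@ -300,6 +300,9 @@ the two new includes are commented "Apache 2.1+" but are added unconditionally, while the rest of the patch keeps a separate Apache 2.0 authenticate_basic_user() wrapper; if mod_auth.h (or ap_provider.h) is absent on a 2.0 tree the file no longer compiles there. Either guard the includes and the 2.1+ provider code with an AP_MODULE_MAGIC_AT_LEAST() check against the MMN that introduced the auth providers, or state plainly that 2.0 support is dropped and remove the 2.0 wrapper.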
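Review bot: in hunk @@ -1122,8 +1125,11 @@ the function loses its `static` when renamed to authenticate_basic_user_common(), and no declaration is added to a header, so it becomes an exported symbol of the module for no reason; its only callers are the two wrappers in this file, so keep it `static`. The new `user` parameter is also accepted but the body still reads r->user (the `r-user[0] == 0` check, arrow stripped in this copy, is unchanged), so either check the parameter or drop it and document that callers must have set r->user.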
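Review bot: in hunk @@ -1131,21 +1137,25 @@ the new "AuthRadiusActive set, but no RADIUS server IP" warning is emitted with ap_log_error() on every request that reaches the module in such a context, which on a busy vhost means one APLOG_WARNING line per request. Log it once (at config merge time, or guard it with a per-config flag) or lower it to APLOG_DEBUG. Splitting the two DECLINED cases is otherwise the right call: a misconfigured context should not look identical to an inactive one.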
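Review bot: in hunk @@ -1227,9 +1237,57 @@ authenticate_basic_user_newargs() maps every return other than OK and HTTP_UNAUTHORIZED to AUTH_GENERAL_ERROR, yet the common function returns DECLINED both when the module is inactive and when no server is configured (previous hunk). Under the 2.1+ provider API, mod_auth_basic only tries the next AuthBasicProvider on AUTH_USER_NOT_FOUND and turns AUTH_GENERAL_ERROR into an internal server error, so a context listing several providers would fail outright instead of falling through. Map DECLINED to AUTH_USER_NOT_FOUND (the value the comment already wishes for) so the provider chain continues. The hunk is cut off mid-comment in this copy, so the remainder of the 2.0 wrapper could not be reviewed.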
RE: xp sp3 and freeradius 2.0.5
I'm seeing the same problems with Vista devices:

Sending Access-Accept of id 12 to 131.202.9.32 port 2048
        User-Name = u3t98
        Tunnel-Private-Group-Id:0 = Academic
        Tunnel-Type:0 = VLAN
        MS-MPPE-Recv-Key = 0xce1ea72659c68cceba45498192e03bbb73292f9cdc314bbdea6e5ede0302b86a
        MS-MPPE-Send-Key = 0xe2cafe2564df85dd04dddb4816c00c8afeea831cbbdb444b45789625771f6c9c
        EAP-Message = 0x03180004
        Message-Authenticator = 0x

Even though I have MPPE disabled in FR:

mschap {
        #
        # As of 0.9, the mschap module does NOT support
        # reading from /etc/smbpasswd.
        #
        # If you are using /etc/smbpasswd, see the 'passwd'
        # module for an example of how to use /etc/smbpasswd

        # if use_mppe is not set to no mschap will
        # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
        # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
        #
        #use_mppe = no
        use_mppe = no

Thoughts?

Matt Ashfield
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SecureW2 (List)
Sent: Monday, July 07, 2008 10:58 AM
To: 'FreeRadius users mailing list'
Subject: RE: xp sp3 and freeradius 2.0.5

Dear Oxiel,

Are you using wired or wireless 802.1x? I have been seeing issues on Windows XP SP3 WIRED 802.1X configurations when the MPPE keys are being sent by the RADIUS server (which are not used in (most) wired 802.1X setups):

Sending Access-Accept of id 8 to 192.168.100.245 port 5001
        User-Name = host/caja02.cosmart.bo
        MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
        MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
        EAP-Message = 0x03090004
        Message-Authenticator = 0x

If you are using wired, try disabling the MPPE keys in Freeradius.

Regards,
Tom

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Monday, 7 July 2008 15:32
To: freeradius-users@lists.freeradius.org
Subject: Re: xp sp3 and freeradius 2.0.5

> Has anybody achieved to authenticate xp sp3 with default 802.1x client to freeradius ?

You!

> Sending Access-Accept of id 8 to 192.168.100.245 port 5001
>         User-Name = host/caja02.cosmart.bo
>         MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
>         MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
>         EAP-Message = 0x03090004
>         Message-Authenticator = 0x

Ivan Kalik
Kalik Informatika ISP
proxy-to-realm versus using a suffix
Hello,

FreeRADIUS version 2.0.4

I'm wondering what's the difference between using a suffix like @realmname versus using the proxy-to-realm in the users file.

My current setup is testing using the XP supplicant using PEAP. I've already been able to terminate the PEAP connection and then proxy the MSCHAPV2 to the IAS server, but the behavior I get by doing this doesn't allow the XP client to pop up the "re-enter your credentials" window after you change your password. So now I'm just trying to proxy the whole request through, which works using just the @realmname. But it doesn't work using the stanza entry with the proxy-to-realm in the users file.

Any help would be appreciated.

Thanks,
Chris
Re: proxy-to-realm versus using a suffix
> I'm wondering what's the difference between using a suffix like @realmname versus using the proxy-to-realm in the users file.

Not much. With suffix the request will be proxied to that realm by default (if that realm is defined) while proxy-to-realm attribute forces it in the cases when it normally wouldn't be proxied there.

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP
CHAP-Password does NOT match local User-Password
Hi everyone! I'm a newbie in FreeRADIUS. I've tried several FreeRADIUS versions, but I always get the same error:

auth: user supplied CHAP-Password does NOT match local User-Password

Currently I'm using FreeRADIUS 1.0.5 and I want to bind it with the pppoe-server (accounts are MySQL based). This is the PPP auth part of radiusd -X:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=50, length=90
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = qweqwe
CHAP-Password = 0x1a490e809284566aa959336e511314fe82
Calling-Station-Id = 00:04:61:5C:14:11
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080705'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080705
modcall[authorize]: module auth_log returns ok for request 0
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value 'qweqwe'
modcall[authorize]: module dwukropki returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = qweqwe, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
radius_xlat: 'qweqwe'
rlm_sql (sql): sql_set_user escaped user -- 'qweqwe'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'qweqwe' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'qweqwe' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT r.id,r.UserName,r.Attribute,inet_ntoa(n.ipaddr) as value,r.op FROM radreply as r, nodes as n WHERE r.Username = 'qweqwe' AND n.name=r.UserName ORDER BY r.id'
rlm_sql_mysql: query: SELECT r.id,r.UserName,r.Attribute,inet_ntoa(n.ipaddr) as value,r.op FROM radreply as r, nodes as n WHERE r.Username = 'qweqwe' AND n.name=r.UserName ORDER BY r.id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [qweqwe] (from client localhost port 0 cli 00:04:61:5C:14:11)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 50 to 127.0.0.1:32772
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 50 with timestamp 486f753f
Nothing to do. Sleeping until we see a request.

Thanks for the support and sorry for my lame English.

--
Maciej Drobniuch

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP-Password does NOT match local User-Password
Maciej Drobniuch wrote:
> I've tried several FreeRADIUS versions, but I always get the same error:
> auth: user supplied CHAP-Password does NOT match local User-Password
> Currently I'm using freeradius 1.0.5

Upgrade to 2.0.5.

> and I want to bind it with the
...
> rlm_chap: Setting 'Auth-Type := CHAP'
...
> rad_check_password: Found Auth-Type Local

You are forcing Auth-Type. Don't do that.

> auth: type Local
> auth: user supplied CHAP-Password does NOT match local User-Password

And the passwords don't match.

Alan DeKok.
EAP-TTLS / LDAP
Hello,

After reading the configuration file radiusd.conf, it explicitly says that one can't use LDAP as the authentication backend when you use EAP (in my case, I'm interested in EAP-TTLS). Nonetheless, I can read elsewhere on the web that some people seem to use both EAP and LDAP, so I wonder who is right?

I would use LDAP for storing all my users/passwords and EAP to protect my users' credentials over insecure Wifi.

Any advice?

Cheers,
Joris
Re: CHAP-Password does NOT match local User-Password
On Tue, 08 Jul 2008 18:49:48 +0200, Alan DeKok [EMAIL PROTECTED] wrote:
> Upgrade to 2.0.5.

I had that version and the same error appeared.

> You are forcing Auth-Type. Don't do that.

So, what must I force to not mess things up?

> And the passwords don't match.

The passwords match. Do they have to be in plain text (in the db) or some kind of hash? How can I see what password (in plain, when auth is PAP) comes in to FreeRADIUS from pppd?

THANKS FOR YOUR SUPPORT! Sorry for my lame English.

--
Maciej Drobniuch
Re: EAP-TTLS / LDAP
2008/7/8 joris [EMAIL PROTECTED]:
> Hello,
>
> After reading the configuration file radiusd.conf, it explicitly says that one can't use LDAP as the authentication backend when you use EAP (in my case, I'm interested in EAP-TTLS). Nonetheless, I can read elsewhere on the web that some people seem to use both EAP and LDAP, so I wonder who is right?
>
> I would use LDAP for storing all my users/passwords and EAP to protect my users' credentials over insecure Wifi.
>
> Any advice?
>
> Cheers,
> Joris

What the documentation says is that you can't use encrypted passwords in LDAP with EAP/PEAP. But you can use EAP/TTLS + PAP with LDAP. The main problem with this approach is that the f**k Windows has no native support for TTLS, so you should install some software, e.g. SecureW2...

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
Re: EAP-TTLS / LDAP
joris wrote:
> After reading the configuration file radiusd.conf, it explicitly says that one can't use LDAP as the authentication backend when you use EAP

I don't think it says that. What part of the configuration file leads you to think it's impossible?

> Nonetheless, I can read elsewhere on the web that some people seem to use both EAP and LDAP, so I wonder who is right?

It's possible. Lots of people are doing it.

> I would use LDAP for storing all my users/passwords and EAP to protect my users' credentials over insecure Wifi. Any advice?

http://deployingradius.com/documents/protocols/compatibility.html

Alan DeKok.
Re: CHAP-Password does NOT match local User-Password
Maciej Drobniuch wrote:
>> You are forcing Auth-Type. Don't do that.
> So, what must I force to not mess things up?

Don't force anything. Use the default configuration.

>> And the passwords don't match.
> The passwords match. Do they have to be in plain text (in the db) or some kind of hash?

No. See the FAQ for an example of how to configure a known good password for a user.

> How can I see what password (in plain, when auth is PAP) comes in to FreeRADIUS from pppd?

Then post the debug output from *that*, and not from a CHAP request.

Alan DeKok.
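The check behind the "CHAP-Password does NOT match" message, as an added example that is not code from this thread or from FreeRADIUS: the peer sends only id || MD5(id || password || challenge), so the server can recompute and compare it only from a cleartext User-Password, and a hash stored in radcheck can never match. The identifier, password, challenge and Request Authenticator values are constructed; the 17-octet CHAP-Password parsed first is the one from the debug output above.

```python
"""CHAP verification as a RADIUS server does it (RFC 1994 and RFC 2865 section 5.3).

Added example, not code from this thread or from FreeRADIUS. A PPP peer sends
CHAP-Password = id || MD5(id || password || challenge), where the challenge is the
CHAP-Challenge attribute if present and otherwise the 16-octet Request
Authenticator. The server must recompute that MD5 from the stored cleartext
password, so a hashed password in radcheck can never satisfy a CHAP request.
Identifier, password, challenge and authenticator values below are constructed.
"""
import hashlib
import hmac
from typing import Dict, Tuple

CHAP_PASSWORD_LEN = 17  # one-octet identifier followed by a 16-octet MD5 digest


def split_chap_password(chap_password: bytes) -> Tuple[int, bytes]:
    """Split a CHAP-Password attribute value into (identifier, digest)."""
    if len(chap_password) != CHAP_PASSWORD_LEN:
        raise ValueError("CHAP-Password must be exactly 17 octets")
    return chap_password[0], chap_password[1:]


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Value a PPP peer places in CHAP-Password for this identifier and challenge."""
    digest = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + digest


def verify_chap(chap_password: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server-side check: recompute the digest from the stored cleartext password."""
    if len(chap_password) != CHAP_PASSWORD_LEN:
        return False  # malformed attribute, reject without hashing anything
    chap_id, _digest = split_chap_password(chap_password)
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, chap_password)


def verify_access_request(attrs: Dict[str, bytes], request_authenticator: bytes,
                          stored_password: bytes) -> bool:
    """Choose the challenge as RFC 2865 specifies, then verify CHAP-Password."""
    challenge = attrs.get("CHAP-Challenge", request_authenticator)
    return verify_chap(attrs["CHAP-Password"], stored_password, challenge)


if __name__ == "__main__":
    # The CHAP-Password from the thread's debug output: identifier 0x1a plus a digest.
    from_thread = bytes.fromhex("1a490e809284566aa959336e511314fe82")
    print(split_chap_password(from_thread))

    authenticator = bytes(range(16))  # constructed Request Authenticator
    password = b"correct horse"       # constructed cleartext password
    response = chap_response(0x1a, password, authenticator)
    print(verify_access_request({"CHAP-Password": response}, authenticator, password))  # True
    # Storing only a hash of the password is useless for CHAP: the MD5 above
    # covers the cleartext, and the stored hash cannot be turned back into it.
    hashed = hashlib.md5(password).hexdigest().encode()
    print(verify_access_request({"CHAP-Password": response}, authenticator, hashed))  # False
```

The Request Authenticator is not shown in radiusd -X output, so the digest from the thread cannot be checked here; the constructed values show the mechanism.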
Re: EAP-TTLS / LDAP
> # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).

That relates to LDAP bind as user authentication, not to using LDAP to store user information.

Ivan Kalik
Kalik Informatika ISP

On 8/7/2008, joris [EMAIL PROTECTED] writes:
> Hello,
>
> After reading the configuration file radiusd.conf, it explicitly says that one can't use LDAP as the authentication backend when you use EAP (in my case, I'm interested in EAP-TTLS). Nonetheless, I can read elsewhere on the web that some people seem to use both EAP and LDAP, so I wonder who is right?
>
> I would use LDAP for storing all my users/passwords and EAP to protect my users' credentials over insecure Wifi.
>
> Any advice?
>
> Cheers,
> Joris
Dynamic VLANs based on AD group membership
Does anyone have a FreeRADIUS server handing out dynamic VLANs based on group membership in AD to a HP 2800 series switch that's configured for 802.1X? How do I configure FreeRADIUS to read the AD group membership attribute, and how do I then pass the matching VLAN-ID back to the switch?

Daniel
Re: proxy-to-realm versus using a suffix
> Below is the debug output from FreeRADIUS. The first attempt is using the suffix [EMAIL PROTECTED], which works. The second attempt is using the users file and no realm, which fails. I'm just trying to figure out the differences between the two configurations and how to make the users file entry work like the suffix behavior.
>
> In the users file:
> DEFAULT Proxy-To-Ream := SW

If you want to add the realm to the username if one doesn't exist, the best place to do this is before processing (preprocess), in hints, not in the users file.

Your problem is that the eap module is trying to process the request before it is proxied. And it shouldn't.

Ivan Kalik
Kalik Informatika ISP
Re: Dynamic VLANs based on AD group membership
> How do I configure FreeRADIUS to read the AD group membership attribute,

See the group membership section in the ldap module configuration.

> and how do I then pass the matching VLAN-ID back to the switch?

Your switch documentation should tell you that. You normally use the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes.

Ivan Kalik
Kalik Informatika ISP
Re: proxy-to-realm versus using a suffix
Here is my update from testing with different versions. I tried to test the same scenario with 2.0.5 and got the same failed results. Then I went back to 1.1.7 and it worked.

Here is more information on what I am trying to do. I would like to add the realm name to specific RADIUS traffic either by IP address, EAP type or NAS-Port-Type. I was thinking of doing something like this below in the users file.

DEFAULT EAP-Type == PEAP, Proxy-To-Realm := SW

or

DEFAULT NAS-Port-Type == Wireless-802.11, Proxy-To-Realm := SW

or by defining a huntgroup

DEFAULT Huntgroup-Name == Wirelesscontrollers, Proxy-To-Realm := SW

If there is a better way to do this in 2.0.4-5, please let me know.

Thanks again,
Chris
Re: proxy-to-realm versus using a suffix
> I would like to add the realm name to specific RADIUS traffic either by IP address, EAP type or NAS-Port-Type.
> If there is a better way to do this in 2.0.4-5, please let me know.

http://freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika ISP
RE: Dynamic VLANs based on AD group membership
Follow-up question (sorry, I'm new to this): I'm currently authenticating users with FreeRADIUS against an AD database (PEAP-MS-CHAPv2). Would I still have to use the ldap module to get a user's AD group membership?

Thanks,
Daniel

-----Original Message-----
From: [EMAIL PROTECTED] g [mailto:[EMAIL PROTECTED] adius.org] On Behalf Of Ivan Kalik
Sent: Tuesday, July 08, 2008 03:34 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic VLANs based on AD group membership

> How do I configure FreeRADIUS to read the AD group membership attribute,

See the group membership section in the ldap module configuration.

> and how do I then pass the matching VLAN-ID back to the switch?

Your switch documentation should tell you that. You normally use the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes.

Ivan Kalik
Kalik Informatika ISP
Re: about EAP using 1.1.7 and 2.0.3
Alan DeKok-4 wrote:
> Ryan Setiawan H wrote:
>> Hi All, I've an issue about EAP in 802.1X. Right now, I'm trying EAP-MD5 for 802.1X using freeradius 2.0.3
>
> Use 2.0.5. Or, install raddb/sites-available/inner-tunnel from the source tree.
>
> Alan DeKok.

Dear Alan,

I am a new user of FreeRADIUS. I found you are an expert on it. I have the same question about it. Can you give me a guideline: how to install and enable EAP with the 2.0.5 version?

Thanks a lot. Waiting for your reply.

--
View this message in context: http://www.nabble.com/about-EAP-using-1.1.7-and-2.0.3-tp18335676p18352554.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Dynamic VLANs based on AD group membership
Daniel Baumann wrote:
> Follow-up question (sorry, I'm new to this): I'm currently authenticating users with FreeRADIUS against an AD database (PEAP-MS-CHAPv2). Would I still have to use the ldap module to get a user's AD group membership?

Yes. There is no other way to get the AD group membership.

See the AD documentation. If it says there's another way to get AD group membership, you can use that. Otherwise, use the method which IS documented: ldap queries.

Alan DeKok.
Re: proxy-to-realm versus using a suffix
Chris Fruehwirth wrote:
> Here is my update from testing with different versions. I tried to test the same scenario with 2.0.5 and got the same failed results. Then I went back to 1.1.7 and it worked.

Read the debug output to see where the differences are.

> I would like to add the realm name to specific RADIUS traffic either by IP address, EAP type or NAS-Port-Type.

Why add a realm name? Why not just proxy traffic? The two statements are *very* different.

On top of that, you *can't* proxy by EAP type. The server recommends an EAP type... which means that by the time an EAP type is selected, the EAP session has already started. You can't switch an EAP session from one server to another.

> I was thinking of doing something like this below in the users file.
> DEFAULT EAP-Type == PEAP, Proxy-To-Realm := SW

That won't work. Ever.

> DEFAULT NAS-Port-Type == Wireless-802.11, Proxy-To-Realm := SW

If your NAS sends that NAS-Port-Type, it should work.

> DEFAULT Huntgroup-Name == Wirelesscontrollers, Proxy-To-Realm := SW

That should work, too.

> If there is a better way to do this in 2.0.4-5, please let me know.

It SHOULD work. If it doesn't, read the FAQ for "it doesn't work".

i.e. You've posted configurations that you think *might* work. You've also said that you tried *other* configurations (not posted) that didn't work. How do you expect anyone to help you when you don't say what you're doing, and you don't say what happened?

Alan DeKok.
Re: about EAP using 1.1.7 and 2.0.3
jbenben wrote:
> I am a new user of FreeRADIUS. I found you are an expert on it. I have the same question about it. Can you give me a guideline: how to install and enable EAP with the 2.0.5 version?
> Thanks a lot. Waiting for your reply.

Read the documentation. It's all there.

Do you have a specific question about the documentation?

Alan DeKok.
Re: proxy-to-realm versus using a suffix
Alan DeKok wrote:
> Chris Fruehwirth wrote:
>> Here is my update from testing with different versions. I tried to test the same scenario with 2.0.5 and got the same failed results. Then I went back to 1.1.7 and it worked.
>
> Read the debug output to see where the differences are.

I will review and post them tomorrow.

>> I would like to add the realm name to specific RADIUS traffic either by IP address, EAP type or NAS-Port-Type.
>
> Why add a realm name? Why not just proxy traffic? The two statements are *very* different.

I just want to proxy traffic. I got a little confused reviewing Ivan's reply.

> On top of that, you *can't* proxy by EAP type. The server recommends an EAP type... which means that by the time an EAP type is selected, the EAP session has already started. You can't switch an EAP session from one server to another.

Good to know.

>> I was thinking of doing something like this below in the users file.
>> DEFAULT EAP-Type == PEAP, Proxy-To-Realm := SW
>
> That won't work. Ever.
>
>> DEFAULT NAS-Port-Type == Wireless-802.11, Proxy-To-Realm := SW
>
> If your NAS sends that NAS-Port-Type, it should work.
>
>> DEFAULT Huntgroup-Name == Wirelesscontrollers, Proxy-To-Realm := SW
>
> That should work, too.
>
>> If there is a better way to do this in 2.0.4-5, please let me know.
>
> It SHOULD work. If it doesn't, read the FAQ for "it doesn't work".
>
> i.e. You've posted configurations that you think *might* work. You've also said that you tried *other* configurations (not posted) that didn't work. How do you expect anyone to help you when you don't say what you're doing, and you don't say what happened?

I thought I sent my debug to the list earlier, but again apparently not. I do appreciate the help. I'll try to make it a little easier next time.

Thanks,
Chris

> Alan DeKok.
Re: about EAP using 1.1.7 and 2.0.3
Ryan Setiawan H wrote:
> Use 2.0.5. Or, install raddb/sites-available/inner-tunnel from the source tree.
>
> Alan DeKok.

Hi Alan,

Thanks for the reply. I've updated to freeradius 2.0.5, but it still didn't show a result; the debug is still the same. Here is the debug:

rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
Framed-MTU = 1480
NAS-IP-Address = 192.168.12.130
NAS-Identifier = ProCurve Switch 2650
User-Name = testing
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = 1
Called-Station-Id = 00-1c-2e-73-85-00
Calling-Station-Id = 00-0a-e4-13-b8-87
Connect-Info = CONNECT Ethernet 100Mbps Full duplex
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1
EAP-Message = 0x0261000c0174657374696e67
Message-Authenticator = 0xf267668d55a632d7f6ff3b2b94735eca
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testing, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 97 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry testing at line 61
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 101
EAP-Message = 0x016200160410706dc9d0aeae1c2c1fe2d41a5f8cc84a
Message-Authenticator = 0x
State = 0xba2a19f0ba481d03bf0d1926ffd8f60a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
Sending duplicate reply to client local port 1024 - ID: 27
Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
Cleaning up request 0 ID 27 with timestamp +164
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
Framed-MTU = 1480
NAS-IP-Address = 192.168.12.130
NAS-Identifier = ProCurve Switch 2650
User-Name = testing
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = 1
Called-Station-Id = 00-1c-2e-73-85-00
Calling-Station-Id = 00-0a-e4-13-b8-87
Connect-Info = CONNECT Ethernet 100Mbps Full duplex
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1
EAP-Message = 0x0261000c0174657374696e67
Message-Authenticator =

---

I'm not sure it will help, but I include the configure warnings for 2.0.5:

config.status: WARNING: ./Make.inc.in seems to ignore the --datarootdir setting
config.status: WARNING: ./src/include/build-radpaths-h.in seems to ignore the --datarootdir setting
chmod: check-radiusd-config: No such file or directory
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires: krb5.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=path.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

-

I'm using the default configuration; I only changed clients.conf and users. There is a clue: when I looked at the debug from 1.1.7, the second Access-Request had a different id, but in this debug it has the same id (that is, 27), maybe because