Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Ramot Lubis
Yes, I aim not to install hotfix in Windows XP client.

My main purpose is to check valid MAC address of every Wireless Device
(with Windows XP SP2).
Based on radiusd -X log in my previous email, I tried to conclude
that even in Authorization phase, calling-station-id has been
validated to be match with MAC address data in SQL db. In this case, I
don't need further Authentication phase.

However, I don't know how to configure radius server to ignore
authentication phase. Is there any idea for me to follow?

thanks in advance.



On Fri, Aug 8, 2008 at 12:44 PM, Alan DeKok [EMAIL PROTECTED] wrote:
 Ramot Lubis wrote:
 Hi, I'm trying to implement FreeRadius to authenticate Wireless
 Client based on MAC address only, unfortunately all my wireless client
 using EAP/TLS (Windows XP SP2). I found that tutorials and doc are
 not leading me to the right direction.

  Could you explain?

 Besides, I will not burden my
 Windows XP SP2 client to search hotfix for EAP/TLS compatibility with
 FreeRadius.

  Does that mean you won't be installing the hotfix?  If so, it's likely
 that XP may not work.  And it's not compatibility with FreeRADIUS,
 it's following the standards.  FreeRADIUS works with every other
 supplicant that exists.  Microsoft keeps breaking their supplicants with
 new releases of their OS, and *every* RADIUS server has to change in
 order to be compatible.

 After digging more, I realize that Authorization using checkval module
 is enough to verified valid MAC address from Wireless Client.

  I would not use the checkval module.  Try using another module.

 But my
 question is how can I use only Authorization where Authentication will
 always return Access-Accept.

  You can do MAC address checking in the authorization stage.

 Here is my radiusd -X output:
 ...
 EAP-Message =
 0x0201002201504944454c2d3343354233304539435c41646d696e6973747261746f72
 Message-Authenticator = 0x891b437263cd48909255484bb081c823
 ...
 auth: No authenticate method (Auth-Type) configuration found for the
 request: Rejecting the user
 auth: Failed to validate the user.

  You edited the default configuration and broke it.  Don't do that.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



php radius client (mount packet data)

2008-08-08 Thread Alexandre J. Correa - Onda Internet

Hello !!

Based on 'Pure PHP radius class' (http://developer.sysco.ch/php/) I'm
trying to implement disconnect-packet like this command:


echo User-Name := xx | radclient -x 111.222.333.444 disconnect secret


freeradius recognizes that the packet is a disconnect-request but I think
the checksum of the packet is incorrect, can someone look and try to discover
the error ?!


attached class, my changes are commented with //AlexandrE

thanks !!!

--
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br

.
 *
 *
 * @author: SysCo/al
 * @since CreationDate: 2008-01-04
 * @copyright (c) 2008 by SysCo systemes de communication sa
 * @version $LastChangedRevision: 1.1 $
 * @version $LastChangedDate: 2008-02-04 $
 * @version $LastChangedBy: SysCo/al $
 * @link $HeadURL: radius.class.php $
 * @link http://developer.sysco.ch/php/
 * @link [EMAIL PROTECTED]
 * Language: PHP 4.0.7 or higher
 *
 *
 * Usage
 *
 *   require_once('radius.class.php');
 *   $radius = new Radius($ip_radius_server = 'radius_server_ip_address', $shared_secret = 'radius_shared_secret'[, $radius_suffix = 'optional_radius_suffix'[, $udp_timeout = udp_timeout_in_seconds[, $authentication_port = 1812]]]);
 *   $result = $radius->Access_Request($username = 'username', $password = 'password'[, $udp_timeout = udp_timeout_in_seconds]);
 *
 *
 * Examples
 *
 *   Example 1
 * AccessRequest('user', 'pass'))
 * {
 * echo "Authentication accepted.";
 * }
 * else
 * {
 * echo "Authentication rejected.";
 * }
 * ?>
 *
 *   Example 2
 * SetNasPort(0);
 * if ($radius->AccessRequest('user', 'pass'))
 * {
 * echo "Authentication accepted.";
 * echo "";
 * }
 * else
 * {
 * echo "Authentication rejected.";
 * echo "";
 * }
 * echo $radius->GetReadableReceivedAttributes();
 * ?>
 *
 *
 * External file needed
 *
 *   none.
 *
 *
 * External file created
 *
 *   none.
 *
 *
 * Special issues
 *
 *   - Sockets support must be enabled.
 * * In Linux and *nix environments, the extension is enabled at
 *   compile time using the --enable-sockets configure option
 * * In Windows, PHP Sockets can be activated by un-commenting
 *   extension=php_sockets.dll in php.ini
 *
 *
 * Other related resources
 *
 *   FreeRADIUS, a free Radius server implementation for Linux and *nix environments: http://www.freeradius.org/
 *   WinRadius, Windows Radius server (free for 5 users): http://www.itconsult2000.com/en/product/WinRadius.zip
 *   Radl, a free Radius server for Windows: http://www.loriotpro.com/Products/RadiusServer/FreeRadiusServer_EN.php
 *   DOS command line Radius client: http://www.itconsult2000.com/en/product/WinRadiusClient.zip
 *
 *
 * Change Log
 *
 *   2008-02-04 1.1   SysCo/al Typo error for the udp_timeout parameter (line 256 in the version 1.0)
 *   2008-01-07 1.0   SysCo/al Initial release
 *
 */


/*
 *
 * Radius
 * Pure PHP radius class
 *
 * Creation 2008-01-04
 * @package radius
 * @version v.1.0
 * @author SysCo/al
 *
 */
class Radius
{
var $_ip_radius_server;       // Radius server IP address
var $_shared_secret;          // Shared secret with the radius server
var $_radius_suffix;          // Radius suffix (default is '')
var $_udp_timeout;            // Timeout of the UDP connection in seconds (default value is 5)
var $_authentication_port;    // Authentication port (default value is 1812)
var $_accounting_port;        // Accounting port (default value is 1813)
var $_nas_ip_address;         // NAS IP address
var $_nas_port;               // NAS port
var $_encrypted_password;     // Encrypted password, as described in RFC 2865
var $_user_ip_address;        // Remote IP address of the user
var $_request_authenticator;  // Request-Authenticator, 16 octets random number
var $_response_authenticator; // Response-Authenticator, 16 octets
var $_username;               // Username to send to the Radius server
var $_password;               // Password to send to the Radius server (clear password, must be encrypted)
var $_identifier_to_send;     // Identifier field for the packet to be sent
var $_identifier_received;    // Identifier field for the received packet
var $_radius_packet_to_send;  // Radius packet code (1=Access-Request, 2=Access-Accept, 3=Access-Reject, 4=Accounting-Request, 5=Accounting-Response, 11=Access-Challenge, 12=Status-Server (experimental), 13=Status-Client (experimental), 255=Reserved)
var $_radius_packet_received; // Radius 

two types of auth on same freeradius

2008-08-08 Thread Alexandre J. Correa - Onda Internet

Hello again :P

how can I configure radius to auth users from my pppoe concentrators but
auth MAC from my access-point too ... (for each type, I need to change sql
queries) !? or do I need to run another copy of freeradius (different port
and config) ?!



thanks !!!

regards,

--
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br



Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Alan DeKok
Ramot Lubis wrote:
 Yes, I aim not to install hotfix in Windows XP client.

  Good luck.

 My main purpose is to check valid MAC address of every Wireless Device
 (with Windows XP SP2).
 Based on radiusd -X log in my previous email, I tried to conclude
 that even in Authorization phase, calling-station-id has been
 validated to be match with MAC address data in SQL db. In this case, I
 don't need further Authentication phase.

  That's not how EAP-TLS works.

 However, I don't know how to configure radius server to ignore
 authentication phase. Is there any idea for me to follow?

  If you only need to do MAC authentication, see MAC authentication
bypass, which is in Cisco switches.

  Alan DeKok.


Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread A . L . M . Buxey
Hi,

 Hi, I'm trying to implement FreeRadius to authenticate Wireless
 Client based on MAC address only, unfortunately all my wireless client
 using EAP/TLS (Windows XP SP2). I found that tutorials and doc are
 not leading me to the right direction. Besides, I will not burden my
 Windows XP SP2 client to search hotfix for EAP/TLS compatibility with
 FreeRadius.

there is no hotfix for EAP/TLS compatibility.  there ARE 2 important
windows hotfixes for wireless supplicant behaviour etc.

 is enough to verified valid MAC address from Wireless Client. But my
 question is how can I use only Authorization where Authentication will
 always return Access-Accept.

you can't. if you're trying to use PEAP then you must follow all
the specifications and return the correct stuff when and as needed.
you can't just throw back an accept. if you want a noddy poor wireless
infrastructure then just go for WPA-PSK or even a MAC-based captive
portal

alan


Re: php radius client (mount packet data)

2008-08-08 Thread Marinko Tarlac
Pasting class source won't help. You need to ask a specific question. I
believe that nobody here has enough time to read 1000 lines just to
answer you.

You can find all about POD in the FreeRadius FAQ section. Create a shell script
and call it when you need to disconnect someone.

On Fri, Aug 8, 2008 at 8:29 AM, Alexandre J. Correa - Onda Internet 
[EMAIL PROTECTED] wrote:

 Hello !!

 Based on 'Pure PHP radius class' (http://developer.sysco.ch/php/) I'm
 trying to implement disconnect-packet like this command:

 echo User-Name := xx | radclient -x 111.222.333.444 disconnect secret

 freeradius recognizes that the packet is a disconnect-request but I think
 the checksum of the packet is incorrect, can someone look and try to discover
 the error ?!

 attached class, my changes are commented with //AlexandrE

 thanks !!!

 --
 Sds.

 Alexandre Jeronimo Correa

 Onda Internet - http://www.ondainternet.com.br
 OPinguim Hosting - http://www.opinguim.net

 Linux User ID #142329

 UNOTEL S/A - http://www.unotel.com.br



Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Ramot Lubis
Thanks for all the advice. So, I decided to change my course.

Now, I am using default radiusd.conf. I have installed hotfix for
supplicant Windows XP SP2. I have also installed Certificate on
supplicant based. Btw, I am using Linksys WAP4400N as my NAS access
point


now I still got this clueless log messages. Please, help me.

rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3
++[checkval] returns ok
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: NAK asked for unsupported type 25
 rlm_eap: No common EAP types found.
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
   expand: %{User-Name} - PIDEL-3C5B30E9C\Administrator
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 3 to 10.0.0.2 port 1027
   EAP-Message = 0x04020004
   Message-Authenticator = 0x



thanks in advance.









On Fri, Aug 8, 2008 at 2:09 PM, Alan DeKok [EMAIL PROTECTED] wrote:
 Ramot Lubis wrote:
 Yes, I aim not to install hotfix in Windows XP client.

  Good luck.

 My main purpose is to check valid MAC address of every Wireless Device
 (with Windows XP SP2).
 Based on radiusd -X log in my previous email, I tried to conclude
 that even in Authorization phase, calling-station-id has been
 validated to be match with MAC address data in SQL db. In this case, I
 don't need further Authentication phase.

  That's not how EAP-TLS works.

 However, I don't know how to configure radius server to ignore
 authentication phase. Is there any idea for me to follow?

  If you only need to do MAC authentication, see MAC authentication
 bypass, which is in Cisco switches.

  Alan DeKok.




On Fri, Aug 8, 2008 at 2:13 PM,  [EMAIL PROTECTED] wrote:
 Hi,

 Hi, I'm trying to implement FreeRadius to authenticate Wireless
 Client based on MAC address only, unfortunately all my wireless client
 using EAP/TLS (Windows XP SP2). I found that tutorials and doc are
 not leading me to the right direction. Besides, I will not burden my
 Windows XP SP2 client to search hotfix for EAP/TLS compatibility with
 FreeRadius.

 there is no hotfix for EAP/TLS compatibility.  there ARE 2 important
 windows hotfixes for wireless supplicant behaviour etc.

 is enough to verified valid MAC address from Wireless Client. But my
 question is how can I use only Authorization where Authentication will
 always return Access-Accept.

 you can't. if you're trying to use PEAP then you must follow all
 the specifications and return the correct stuff when and as needed.
 you can't just throw back an accept. if you want a noddy poor wireless
 infrastructure then just go for WPA-PSK or even a MAC-based captive
 portal

 alan


Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Stefan Winter

Hi,


now I still got this clueless log messages. Please, help me.

rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3
++[checkval] returns ok
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: NAK asked for unsupported type 25
 rlm_eap: No common EAP types found.
  


The client asked for an EAP type which is not configured in your server.
Check eap.conf and uncomment the tls { } section for doing EAP-TLS. If
you also want to enable PEAP, also uncomment the peap { } and mschapv2
{ } sections.


Greetings,

Stefan

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
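
The EAP-Message values quoted in this thread can be decoded by hand, which makes the "NAK asked for unsupported type 25" line easier to read. The Python below is an added example, not part of the reply above or of FreeRADIUS; it parses the EAP header as laid out in RFC 3748. The hex strings are copied from the debug output on this page, except the NAK sample, which is constructed.

```python
"""Decode EAP-Message values as printed by radiusd -X (EAP header per RFC 3748)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# A few method types from the IANA EAP registry; anything else prints as Unknown(n).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}  # methods whose first data octet is a TLS flags byte

# Hex values copied from the debug output quoted in this thread, except "nak",
# which is constructed to match "NAK asked for unsupported type 25".
SAMPLES = {
    "identity": "0x0201002201504944454c2d3343354233304539435c41646d696e6973747261746f72",
    "nak": "0x020200060319",  # constructed sample
    "peap_ack": "0x020c00061900",
    "peap_req": "0x010d00061900",
    "failure": "0x04020004",
}


def type_name(number):
    """Name an EAP method type, falling back to Unknown(n)."""
    return EAP_TYPES.get(number, "Unknown(%d)" % number)


def decode_eap(hex_value):
    """Return a dict describing one EAP packet given as '0x...' hex text."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field %d, but %d bytes present" % (length, len(raw)))
    info = {"code": EAP_CODES.get(code, "Unknown(%d)" % code), "id": ident, "length": length}
    if code not in (1, 2):
        return info  # Success and Failure carry no Type octet
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    etype, data = raw[4], raw[5:]
    info["type"] = type_name(etype)
    if etype == 1:
        info["identity"] = data.decode("utf-8", "replace")
    elif etype == 3 and code == 2:
        # Legacy Nak: the peer lists the method types it is willing to use instead.
        info["wants"] = [type_name(t) for t in data]
    elif etype in TLS_BASED and data:
        flags = data[0]
        info["flags"] = {"length_included": bool(flags & 0x80),
                         "more_fragments": bool(flags & 0x40),
                         "start": bool(flags & 0x20)}
        # With the L flag set, a 4-byte TLS message length precedes the TLS data.
        tls_offset = 5 if flags & 0x80 else 1
        info["tls_bytes"] = max(len(data) - tls_offset, 0)
    return info


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, decode_eap(value))
```

A TLS-based packet with no flags and zero TLS bytes, like the two PEAP samples, is a bare acknowledgement.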



SQL module and Oracle Stored Procedures

2008-08-08 Thread andreiv

Hi all, I have a question: is there a problem if instead of INSERT, SELECT or
UPDATE I use Oracle stored procedures with FreeRadius 2.0.5? I haven't
tested this because the procedure isn't ready yet. I searched the other
posts and found similarities of my question only for FreeRadius 1.x.x which
is configured differently.
Thanks
-- 
View this message in context: 
http://www.nabble.com/SQL-module-and-Oracle-Stored-Procedures-tp18887408p18887408.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: two types of auth on same freeradius

2008-08-08 Thread Alan DeKok
Alexandre J. Correa - Onda Internet wrote:
 how can I configure radius to auth users from my pppoe concentrators but
 auth MAC from my access-point too ... (for each type, I need to change sql
 queries) !?

  You can run two copies of the SQL module, each with different queries.

  See also man unlang for a general policy language.

 or do I need to run another copy of freeradius (different port
 and config) ?!

  Maybe that's necessary on other servers.  Not with FreeRADIUS.

  Alan DeKok.


Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Alan DeKok
Ramot Lubis wrote:
 thanks Stefan.
 it's already uncommented by default. I didn't change any default value
 except the SQL authorization.
 I wonder what might be the problem?

  You haven't installed the OpenSSL libraries and header files.  As a
result, FreeRADIUS wasn't built with support for PEAP.

  Run the server in debug mode, and read the output.  When it's loading
the EAP module, it will TELL YOU that it's not loading PEAP.  It will
also tell you why it's not loading PEAP.

  Alan DeKok.


Re: php radius client (mount packet data)

2008-08-08 Thread Phil Mayers

On Fri, Aug 08, 2008 at 03:29:15AM -0300, Alexandre J. Correa - Onda Internet 
wrote:

Hello !!

Based on 'Pure PHP radius class' (http://developer.sysco.ch/php/) I'm
trying to implement disconnect-packet like this command:


echo User-Name := xx | radclient -x 111.222.333.444 disconnect secret


freeradius recognizes that the packet is a disconnect-request but I think
the checksum of the packet is incorrect, can someone look and try to discover
the error ?!


PoDs need to be signed, like Accounting-Request. You can't just send
them, like an Access-Request. For more details, see the radius RFCs. I
don't see any sign of that code in the PHP class.




attached class, my changes are commented with //AlexandrE

thanks !!!

--
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br
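
The signing referred to in the reply above is the Request Authenticator rule that Accounting-Request (RFC 2866) and Disconnect-Request (RFC 5176) share: an MD5 over the packet with sixteen zero octets in the authenticator field, followed by the shared secret. The Python below is an added example, not code from the PHP class or from FreeRADIUS; the secret, identifier and function names are assumptions made for the illustration.

```python
"""Build and verify the Request Authenticator of a RADIUS Disconnect-Request."""
import hashlib
import hmac
import os
import struct

DISCONNECT_REQUEST = 40  # RFC 5176 packet codes
DISCONNECT_ACK = 41
USER_NAME = 1            # RFC 2865 attribute type


def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def signed_authenticator(code, ident, attrs, secret, seed=b"\x00" * 16):
    """MD5(Code + Identifier + Length + seed + Attributes + Secret).

    seed is 16 zero octets for Accounting-, Disconnect- and CoA-Request, and
    the request's authenticator when checking a reply to one of them.
    """
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + seed + attrs + secret).digest()


def build_disconnect_request(ident, username, secret):
    """Return a complete, signed Disconnect-Request carrying only User-Name."""
    attrs = encode_attr(USER_NAME, username.encode())
    auth = signed_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def random_authenticator_request(ident, username):
    """The Access-Request habit: 16 random octets and no hash. Receivers drop it."""
    attrs = encode_attr(USER_NAME, username.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs


def verify_request(packet, secret):
    """Receiver side: recompute the hash over the packet and compare."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = signed_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def verify_reply(reply, request, secret):
    """Check a Disconnect-ACK/NAK against the request that triggered it."""
    if len(reply) < 20 or len(request) < 20 or reply[1] != request[1]:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = signed_authenticator(code, ident, reply[20:], secret,
                                    seed=request[4:20])
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed value, not from the thread
    good = build_disconnect_request(7, "xx", secret)
    bad = random_authenticator_request(7, "xx")
    print("signed request  :", good.hex(), verify_request(good, secret))
    print("random authent. :", bad.hex(), verify_request(bad, secret))
```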







Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Ramot Lubis
Thanks Alan, it was my mistake. I have fixed the openssl trouble. Now
PEAP is running. But I still have problem with authentication.

I put the log here. Please, tell me what my next mistake is.

rad_recv: Access-Request packet from host 10.0.0.2 port 1027, id=76, length=189
   User-Name = PIDEL-3C5B30E9C\\Administrator
   NAS-IP-Address = 10.0.0.2
   NAS-Port = 0
   Called-Station-Id = 00-1E-E5-9D-61-85:DEL_LR1
   Calling-Station-Id = 00-21-00-0B-68-E3
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Connect-Info = CONNECT 11Mbps 802.11b
   EAP-Message = 0x020c00061900
   State = 0x61fcdc3962f0c5fd5ac44742bec48a4e
   Message-Authenticator = 0xf9de9a4b155e31af40d1602df959ad77
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = PIDEL-3C5B30E9C\Administrator,
looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 12 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 76 to 10.0.0.2 port 1027
   EAP-Message = 0x010d00061900
   Message-Authenticator = 0x
   State = 0x61fcdc3965f1c5fd5ac44742bec48a4e
Finished request 9.


rgds




On Fri, Aug 8, 2008 at 3:06 PM, Alan DeKok [EMAIL PROTECTED] wrote:
 Ramot Lubis wrote:
 thanks Stefan.
 it's already uncommented by default. I didn't change any default value
 except the SQL authorization.
 I wonder what might be the problem?

  You haven't installed the OpenSSL libraries and header files.  As a
 result, FreeRADIUS wasn't built with support for PEAP.

  Run the server in debug mode, and read the output.  When it's loading
 the EAP module, it will TELL YOU that it's not loading PEAP.  It will
 also tell you why it's not loading PEAP.

  Alan DeKok.


Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Lech Karol Pawłaszek

Ramot Lubis wrote:

Thanks Alan, it was my mistake. I have fixed the openssl trouble. Now
PEAP is running. But I still have problem with authentication.

I put the log here. Please, tell me what my next mistake is.

[...]

Sending Access-Challenge of id 76 to 10.0.0.2 port 1027
   EAP-Message = 0x010d00061900
   Message-Authenticator = 0x
   State = 0x61fcdc3965f1c5fd5ac44742bec48a4e
Finished request 9.


Lucky guess...

http://deployingradius.com/documents/configuration/eap-problems.html

:-) kind regards,
--
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]

Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Yawar Hadi
hi
  simply go to raddb directory and explore users dictionary file...
2: see any example of user with password in that file

3: similarly add a user with password.
and now try it.
it will work..

On Fri, Aug 8, 2008 at 2:02 PM, Lech Karol Pawłaszek [EMAIL PROTECTED] wrote:

 Ramot Lubis wrote:

 Thanks Alan, it was my mistake. I have fixed the openssl trouble. Now
 PEAP is running. But I still have problem with authentication.

 I put the log here. Please, tell me what my next mistake is.

 [...]

 Sending Access-Challenge of id 76 to 10.0.0.2 port 1027
   EAP-Message = 0x010d00061900
   Message-Authenticator = 0x
   State = 0x61fcdc3965f1c5fd5ac44742bec48a4e
 Finished request 9.


 Lucky guess...

 http://deployingradius.com/documents/configuration/eap-problems.html

 :-) kind regards,
 --
 Lech Karol Pawłaszek ike
 You will never see me fall from grace [KoRn]





-- 
Yawar Hadi Noshahi

QAU Islamabad (+92-0300-5504798)

PAP what password encryption is used?

2008-08-08 Thread sphaero

Hello,

I've been asked to setup freeradius to talk to a SQL Server database which
contains users and passwords. This was not so much of a pain but I can't
figure what password encryption is used. So I had hoped somebody with some
more password encryption experience could shine a light here :)

In the database I've set a password to 'testing' which results in the
database as:

DC724AF18FBDD4E59189F5FE768A5F8311527050

This looks like a SHA algorithm? I've browsed through the source code of the
program that generates these password hashes. Indeed it uses SHA. This is
the library they use:
http://www.aspencrypt.com/object_context.html#CreateHash. They use the
'calgSHA'. 
But when I set the Password attribute in freeradius to SHA_password it
doesn't match.

It reads the database successfully when I set User_password and use the hash
as a password:

radtest [EMAIL PROTECTED] DC724AF18FBDD4E59189F5FE768A5F8311527050 localhost 0
testing123
Sending Access-Request of id 61 to 127.0.0.1 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = DC724AF18FBDD4E59189F5FE768A5F8311527050
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=61, length=43
Service-Type = Framed-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 132

But when I change User-Password to SHA-Password it doesn't match:
radtest [EMAIL PROTECTED] testing localhost 0 testing123
Sending Access-Request of id 131 to 127.0.0.1 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 131 to 127.0.0.1 port 1812
User-Name = [EMAIL PROTECTED]
User-Password = testing
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=131, length=20

So this isn't a SHA password hash? I don't know for sure if this is the same
encryption method but 
'echo testing | openssl sha' generates a different hash:
581165b0cc90703a8e669d91effba108fbe2c83c

Rg,

Arnaud
-- 
View this message in context: 
http://www.nabble.com/PAP-what-password-encryption-is-used--tp18887393p18887393.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: PAP what password encryption is used?

2008-08-08 Thread sphaero

It seems it is SHA. I found in the output that freeradius couldn't determine
the Auth-Type so rejected the user:

auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user

I've forced PAP by setting it in the users file for the realm:

DEFAULT Realm == bla.com, Autz-Type := bla, Auth-Type := PAP

It works:
  rad_check_password:  Found Auth-Type PAP
auth: type PAP
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password testing
rlm_pap: Using SHA1 encryption.
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: User authenticated successfully

Great, now some good config practicing

Thanks for all help :P

Arnaud
-- 
View this message in context: 
http://www.nabble.com/PAP-what-password-encryption-is-used--tp18887393p18887899.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
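
The check that the rlm_pap lines above report can be reproduced offline: hash the cleartext password exactly as received and compare it with the stored value after decoding it from hex. The Python below is an added example, not FreeRADIUS code; the stored hash is the one from the first post in this thread, accepting base64 as well as hex is a generalization made here, and the function names are assumptions. It also shows that a password piped through `echo` carries a trailing newline, which by itself is enough to produce a different digest.

```python
"""Compare a PAP cleartext password with a stored unsalted SHA-1 hash."""
import base64
import binascii
import hashlib
import hmac

# Value stored in the database for the password 'testing', as quoted in the thread.
STORED = "DC724AF18FBDD4E59189F5FE768A5F8311527050"


def normalize_digest(stored, size=20):
    """Return the raw digest bytes from a hex or base64 string.

    A SHA-1 digest is 20 bytes: 40 hex characters or 28 base64 characters.
    """
    text = stored.strip()
    if len(text) == size * 2:
        try:
            return bytes.fromhex(text)
        except ValueError:
            pass  # 40 characters but not hex: fall through to base64
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("stored value is neither hex nor base64")
    if len(raw) != size:
        raise ValueError("decoded digest is %d bytes, expected %d" % (len(raw), size))
    return raw


def sha1_password_matches(cleartext, stored):
    """Hash the cleartext bytes as given and compare in constant time."""
    digest = hashlib.sha1(cleartext).digest()
    return hmac.compare_digest(digest, normalize_digest(stored))


def check_candidates(stored, candidates):
    """Map each candidate byte string to whether it matches the stored hash."""
    return {c: sha1_password_matches(c, stored) for c in candidates}


if __name__ == "__main__":
    # b"testing\n" is what a digest tool reads when fed by `echo testing |`.
    for candidate, ok in check_candidates(STORED, [b"testing", b"testing\n"]).items():
        print(repr(candidate), "matches" if ok else "does not match")
```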



Re: PAP what password encryption is used?

2008-08-08 Thread Nicolas Goutte

PAP needs cleartext passwords

See: http://en.wikipedia.org/wiki/Password_authentication_protocol

On 08.08.2008 at 11:53, sphaero wrote:



Hello,

I've been asked to setup freeradius to talk to a SQL Server database which
contains users and passwords. This was not so much of a pain but I can't
figure what password encryption is used. So I had hoped somebody with some
more password encryption experience could shine a light here :)

In the database I've set a password to 'testing' which results in the
database as:

DC724AF18FBDD4E59189F5FE768A5F8311527050

This looks like a SHA algorithm? I've browsed through the source code of the
program that generates these password hashes. Indeed it uses SHA. This is
the library they use:
http://www.aspencrypt.com/object_context.html#CreateHash. They use the
'calgSHA'.
But when I set the Password attribute in freeradius to SHA_password it
doesn't match.




[...]


Rg,

Arnaud
--
View this message in context:
http://www.nabble.com/PAP-what-password-encryption-is-used--tp18887393p18887393.html

Sent from the FreeRadius - User mailing list archive at Nabble.com.



Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: PAP what password encryption is used?

2008-08-08 Thread sphaero



Nicolas Goutte-2 wrote:
 
 PAP needs cleartext passwords
 
 See: http://en.wikipedia.org/wiki/Password_authentication_protocol
 
 

Yes, I know. But in order to match the cleartext password to the encrypted
password in the database it needs to know what encryption is used. 

Rg,

Arnaud Loonstra
-- 
View this message in context: 
http://www.nabble.com/PAP-what-password-encryption-is-used--tp18887393p18890180.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: PAP what password encryption is used?

2008-08-08 Thread Nicolas Goutte


On 08.08.2008 at 13:25, sphaero wrote:





Nicolas Goutte-2 wrote:


PAP needs cleartext passwords

See: http://en.wikipedia.org/wiki/Password_authentication_protocol




Yes, I know. But in order to match the cleartext password to the encrypted
password in the database it needs to know what encryption is used.


Sorry, I have answered too quickly. It is not PAP that needs cleartext
passwords on the server.




Rg,

Arnaud Loonstra
--
View this message in context:
http://www.nabble.com/PAP-what-password-encryption-is-used--tp18887393p18890180.html

Sent from the FreeRadius - User mailing list archive at Nabble.com.



Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






problem returning a mapped LDAP attribute in EAP auths.

2008-08-08 Thread Roberto S. G.

Hi,
I'm migrating to FR2.0.5. After setting the new conf style, everything 
runs smooth and ok... but now I have a strange behavior: I have an 
attribute mapped in ldap.attrs file (as in FR1.1) but it's returned in 
the Access packet only in clear auths; with EAP auths, it is mapped 
(as -X shows), but it is not returned...
Both sites-enabled/* files have the same conf: ldap uncommented in
author. and authent. sections.
Do I have to activate something more? Does the virtual_server 
configuration change returned attrs in some way? (different default 
modules activated)?


Thanx for any suggestion.


RE: PAP what password encryption is used?

2008-08-08 Thread SecureW2 (List)
SHA1: 20 chars (40 hex)
MD5: 16 chars (31 hex)

Your hash looks like SHA1.

T.

 -Original message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On behalf of sphaero
 Sent: Friday 8 August 2008 13:26
 To: freeradius-users@lists.freeradius.org
 Subject: Re: PAP what password encryption is used?
 
 
 
 
 Nicolas Goutte-2 wrote:
 
  PAP needs cleartext passwords
 
  See: http://en.wikipedia.org/wiki/Password_authentication_protocol
 
 
 
 Yes, I know. But in order to match the cleartext password to the encrypted
 password in the database it needs to know what encryption is used.
 
 Rg,
 
 Arnaud Loonstra
 --
 View this message in context:
 http://www.nabble.com/PAP-what-password-encryption-is-used--tp18887393p18890180.html
 Sent from the FreeRadius - User mailing list archive at Nabble.com.
 


Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Ramot Lubis
As you guessed, now I am stuck in the EAP problem as described in
http://deployingradius.com/documents/configuration/eap-problems.html

Problem: A lot of text scrolls by, the server sends an
Access-Challenge, and then prints out a message saying Cleaning up
request  After that, nothing more happens.

I have followed the instructed solution on the web, but I still have
the same problem. What might be the trouble?

This is my log output:

rad_recv: Access-Request packet from host 10.0.0.2 port 1027, id=169, length=189
   User-Name = PIDEL-3C5B30E9C\\Administrator
   NAS-IP-Address = 10.0.0.2
   NAS-Port = 0
   Called-Station-Id = 00-1E-E5-9D-61-85:DEL_LR1
   Calling-Station-Id = 00-21-00-0B-68-E3
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Connect-Info = CONNECT 11Mbps 802.11b
   EAP-Message = 0x020c00061900
   State = 0x8e584f678d5456652c4dc94a57520460
   Message-Authenticator = 0x7b7251c229539af1b067c6bf5161a3e8
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = PIDEL-3C5B30E9C\Administrator,
looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 12 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 169 to 10.0.0.2 port 1027
   EAP-Message = 0x010d00061900
   Message-Authenticator = 0x
   State = 0x8e584f678a5556652c4dc94a57520460
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 165 with timestamp +305
Cleaning up request 6 ID 166 with timestamp +305
Cleaning up request 7 ID 167 with timestamp +305
Cleaning up request 8 ID 168 with timestamp +305
Cleaning up request 9 ID 169 with timestamp +305
Ready to process requests.



thanks.




On Fri, Aug 8, 2008 at 4:02 PM, Lech Karol Pawłaszek [EMAIL PROTECTED] wrote:
 Ramot Lubis wrote:

 Thanks Alan, it was my mistake. I have fixed the openssl trouble. Now
 PEAP is running. But I still have problem with authentication.

 I put the log here. Please, tell me what my next mistake is.

 [...]

 Sending Access-Challenge of id 76 to 10.0.0.2 port 1027
   EAP-Message = 0x010d00061900
   Message-Authenticator = 0x
   State = 0x61fcdc3965f1c5fd5ac44742bec48a4e
 Finished request 9.

 Lucky guess...

 http://deployingradius.com/documents/configuration/eap-problems.html

 :-) kind regards,
 --
 Lech Karol Pawłaszek ike
 You will never see me fall from grace [KoRn]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
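
The EAP-Message values in the debug log above can be read by hand. The following Python is an added example, not part of the thread and not FreeRADIUS code: it decodes the EAP header (RFC 3748) and the flags byte of TLS-based methods. The names parse_eap and summarize and the two samples marked constructed are assumptions of this example; the other two hex strings are the ones in the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_BASED = {13, 21, 25}        # methods that carry a TLS flags byte


def parse_eap(hex_value):
    """Decode one EAP packet given as the hex string radiusd -X prints."""
    text = hex_value.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 4 <= length <= len(raw):
        raise ValueError(f"length field {length} does not fit {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "id": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return pkt                      # Success/Failure carry no type field
    etype, body = raw[4], raw[5:length]
    pkt["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
    if etype == 1:
        pkt["identity"] = body.decode("utf-8", errors="replace")
    elif etype in TLS_BASED:
        if not body:
            raise ValueError("TLS-based method without a flags byte")
        flags, data = body[0], body[1:]
        pkt["length_included"] = bool(flags & 0x80)   # L bit
        pkt["more_fragments"] = bool(flags & 0x40)    # M bit
        pkt["start"] = bool(flags & 0x20)             # S bit
        if etype != 13:
            pkt["version"] = flags & 0x07             # PEAP/TTLS version bits
        if pkt["length_included"]:
            if len(data) < 4:
                raise ValueError("L bit set but TLS length field is missing")
            pkt["tls_message_length"] = struct.unpack("!I", data[:4])[0]
            data = data[4:]
        pkt["tls_bytes"] = len(data)    # TLS payload carried in this packet
    return pkt


def summarize(hex_value):
    """One-line rendering of a packet, similar in spirit to the rlm_eap log."""
    p = parse_eap(hex_value)
    line = f'{p["code"]} id={p["id"]} len={p["length"]}'
    if "type" in p:
        line += f' type={p["type"]}'
    if "identity" in p:
        line += f' identity={p["identity"]!r}'
    if "tls_bytes" in p:
        bits = (("L", "length_included"), ("M", "more_fragments"), ("S", "start"))
        flags = "".join(name for name, key in bits if p[key]) or "-"
        line += f' flags={flags} tls_bytes={p["tls_bytes"]}'
    return line


SAMPLES = [
    "0x020c00061900",              # from the log: EAP-Message in the Access-Request
    "0x010d00061900",              # from the log: EAP-Message in the Access-Challenge
    "0x0201000a01616c696365",      # constructed: Identity response "alice"
    "0x0102000c19c000000a001603",  # constructed: first fragment, L and M set
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", summarize(sample))
```

Both values from the log decode to PEAP packets that carry only the flags byte and no TLS data, which matches the "Received EAP-TLS ACK message" line.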


Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Alan DeKok
Ramot Lubis wrote:
 Problem: A lot of text scrolls by, the server sends an
 Access-Challenge, and then prints out a message saying Cleaning up
 request  After that, nothing more happens.

  Which OS are you using as a client?

  Are you using the default certificates that are created with the server?

 I have followed the instructed solution on the web, but I still have
 the same problem. What might be the trouble?

  You're likely running Windows.  Even Microsoft has a hard time getting
Windows to do 802.1X.

  Alan DeKok.


Re: problem returning a mapped LDAP attribute in EAP auths.

2008-08-08 Thread Alan DeKok
Roberto S. G. wrote:
 Hi,
 I'm migrating to FR2.0.5. After setting the new conf style, everything
 runs smooth and ok... but now I have a strange behavior: I have an
 attribute mapped in ldap.attrs file (as in FR1.1) but it's returned in
 the Access packet only in clear auths; with EAP auths, it is mapped
 (as -X shows), but it is not returned...
 Both sites-enabled/* files has the same conf: ldap uncommented in
 author. and authent. sections.

  Did you set use_tunneled_reply in eap.conf?  This is also in 1.1.x.

  Alan DeKok.


Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Ramot Lubis
Yes, I am using Windows XP as the client.
I have followed these steps:
1. Create a production certificate as described in
http://deployingradius.com/documents/configuration/certificates.html
2. Update the hotfix as described in http://support.microsoft.com/kb/885453/en-us
3. Install certificate ca.der into the Windows client. Use the newly
installed certificate in the client when using PEAP from the client.

What else should I do?

thanks in advance.



On Fri, Aug 8, 2008 at 8:00 PM, Alan DeKok [EMAIL PROTECTED] wrote:
 Ramot Lubis wrote:
 Problem: A lot of text scrolls by, the server sends an
 Access-Challenge, and then prints out a message saying Cleaning up
 request  After that, nothing more happens.

  Which OS are you using as a client?

  Are you using the default certificates that are created with the server?

 I have followed the instructed solution on the web, but I still have
 the same problem. What might be the trouble?

  You're likely running Windows.  Even Microsoft has a hard time getting
 Windows to do 802.1X.

  Alan DeKok.


Re: xp sp3 and freeradius 2.0.5

2008-08-08 Thread Arran Cudbard-Bell


I let the client to stay on VLAN1, not moving to other vlan, the same 
behavior, the PC gets ACCESS-ACCEPT but then it tries again, until the 
exclamation icon appears, no ping to the client at all.


What can it be ?, what i'm doing wrong ? is the problem XP SP3 ?, or is 3COM 
5500G-EI ?


  
Didn't we have exactly the same problem on the list, like a week ago ? 
You have upgraded to the latest firmware for your 3COM switch right ?


Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services), 
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT

DDI+FAX: +44 1273 873900 | INT: 3900



Re: xp sp3 and freeradius 2.0.5

2008-08-08 Thread Lech Karol Pawłaszek

Arran Cudbard-Bell wrote:


I let the client to stay on VLAN1, not moving to other vlan, the same 
behavior, the PC gets ACCESS-ACCEPT but then it tries again, until the 
exclamation icon appears, no ping to the client at all.


What can it be ?, what i'm doing wrong ? is the problem XP SP3 ?, or 
is 3COM 5500G-EI ?


  
Didn't we have exactly the same problem on the list, like a week ago ? 
You have upgraded to the latest firmware for your 3COM switch right ?


Yup. It's me who had this problem. Actually my switches are from 4500 
family and Oxiel's are 5500 however those families are kind of similar.


Oxiel: use the newest available firmware for your switches (the one from 
12th of May) - namely 3.03.1.


Then disable handshake (dis)function.

<5500> system-view
[5500] undo dot1x handshake enable

And - because I've found another bug - you'll have to use port based 
authentication method instead of the default mac based


[5500] dot1x port-method portbased

If you will have any further questions - feel free to ask.

Kind regards,

--
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]

rlm_perl bug?

2008-08-08 Thread Alex Balashov

Greetings,

I am running into a strange problem with the rlm_perl module.

I am using some Perl middleware to do additional processing on some 
custom vendor accounting attributes and log them to MS-SQL via UnixODBC, 
in addition to using rlm_unixodbc for logging the basic accounting 
attributes.


(As I'm sure you can imagine, I ran into a lot of problems with DB 
handle sharing and thread pools and DB slowness.  But I have managed to 
mostly solve this by using the right combination of threads, maximum 
requests per server, # of Perl clones, etc. to make it work.)


The issue I have is that the RADIUS server will run for 1-2 days under a 
fairly moderate load, and then abruptly crash (apparently) with this:


Thu Aug  7 22:52:00 2008 : rlm_perl: Handling START record.
Thu Aug  7 22:52:00 2008 : rlm_perl: Processing record type 1
Thu Aug  7 22:52:00 2008 : rlm_perl: Handling START record.
Thu Aug  7 22:52:00 2008 : rlm_perl: Processing record type 1
Thu Aug  7 22:52:00 2008 : rlm_perl: Processing record type 1
Thu Aug  7 22:52:00 2008 : rlm_perl: Handling START record.
Thu Aug  7 22:52:00 2008 : rlm_perl: Processing record type 1
Thu Aug  7 22:52:00 2008 : rlm_perl: Handling START record.
Thu Aug  7 22:52:00 2008 : rlm_perl: Processing record type 1
Thu Aug  7 22:52:00 2008 : Error: Could not get @DynaLoader::dl_librefs 
for unloading.


The latter is a Perl error.

Now, DynaLoader::dl_librefs is a symbol that is loaded by the 
interpreter upon boot and is used in every clone invocation, so if the 
problem were simply that the module wasn't there, it would fail 
immediately.  Instead, it happens once in a blue moon.


The RADIUS server then stops and must be manually restarted.

Any idea why?

Thanks much!

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599


rlm_perl bug?

2008-08-08 Thread patrice . oliver
Hello,

I am currently on leave for 3 weeks.
I will be back on 1 September 2008.
In case of emergency, you can contact Mr Tixier on 03 80 24 44 27 or 
IT maintenance on 03 80 24 45 84.

Regards.

Failed to create the pair: Invalid octet string...

2008-08-08 Thread S Adrian
Hi again ...

I need this attribute ... UTstarcome-CLI-Access-Level .. but when I
insert it .. I get:

Failed to create the pair: Invalid octet string 10 for attribute name
UTstarcom-CLI-Access-Level ..

the valid values for it are 0,1,2,10 ! .. so how does this work ?

Thanks in advance,
   Adrian.



Re: Failed to create the pair: Invalid octet string...

2008-08-08 Thread Stéven Le Bras
Hi

I think you have to declare this attribute in the dictionary file

2008/8/8 S Adrian [EMAIL PROTECTED]

 Hi again ...

 I need this attribute ... UTstarcome-CLI-Access-Level .. but when I
 insert it .. I get:

 Failed to create the pair: Invalid octet string 10 for attribute name
 UTstarcom-CLI-Access-Level ..

 the valid values for it are 0,1,2,10 ! .. so how does this work ?

 Thanks in advance,
   Adrian.





-- 
Stéven

Failed to create the pair: Invalid octet string...

2008-08-08 Thread patrice . oliver
Hello,

I am currently on leave for 3 weeks.
I will be back on 1 September 2008.
In case of emergency, you can contact Mr Tixier on 03 80 24 44 27 or 
IT maintenance on 03 80 24 45 84.

Regards.

Re: Failed to create the pair: Invalid octet string...

2008-08-08 Thread patrice . oliver
Hello,

I am currently on leave for 3 weeks.
I will be back on 1 September 2008.
In case of emergency, you can contact Mr Tixier on 03 80 24 44 27 or 
IT maintenance on 03 80 24 45 84.

Regards.

Re: Failed to create the pair: Invalid octet string...

2008-08-08 Thread S Adrian
OK, and what would that have to look like?

 Hi

 I think you have to declare this attribute in the dictionary file

 2008/8/8 S Adrian [EMAIL PROTECTED]

 Hi again ...

 I need this attribute ... UTstarcome-CLI-Access-Level .. but when I
 insert it .. I get:

 Failed to create the pair: Invalid octet string 10 for attribute name
 UTstarcom-CLI-Access-Level ..

 the valid values for it are 0,1,2,10 ! .. so how does this work ?

 Thanks in advance,
   Adrian.





 --
 Stéven





Re: Failed to create the pair: Invalid octet string...

2008-08-08 Thread Stéven Le Bras
Look at the dictionary file; there are some examples like this:

#ATTRIBUTE      My-Local-String         3000    string
#ATTRIBUTE      My-Local-IPAddr         3001    ipaddr
#ATTRIBUTE      My-Local-Integer        3002    integer

2008/8/8 S Adrian [EMAIL PROTECTED]

 Ok, and how would that have to look like ?

  Hi
 
  I think you have to declare this attribute in the dictionary file
 
  2008/8/8 S Adrian [EMAIL PROTECTED]
 
  Hi again ...
 
  I need this attribute ... UTstarcome-CLI-Access-Level .. but when I
  insert it .. I get:
 
  Failed to create the pair: Invalid octet string 10 for attribute name
  UTstarcom-CLI-Access-Level ..
 
  the valid values for it are 0,1,2,10 ! .. so how does this work ?
 
  Thanks in advance,
Adrian.
 
 
 
 
 
  --
  Stéven
 






-- 
Stéven

Re: Failed to create the pair: Invalid octet string...

2008-08-08 Thread patrice . oliver
Hello,

I am currently on leave for 3 weeks.
I will be back on 1 September 2008.
In case of emergency, you can contact Mr Tixier on 03 80 24 44 27 or 
IT maintenance on 03 80 24 45 84.

Regards.

Re: Failed to create the pair: Invalid octet string...

2008-08-08 Thread patrice . oliver
Hello,

I am currently on leave for 3 weeks.
I will be back on 1 September 2008.
In case of emergency, you can contact Mr Tixier on 03 80 24 44 27 or 
IT maintenance on 03 80 24 45 84.

Regards.

RE: RE: Server not responding to requests

2008-08-08 Thread Yoho, Cindy

I found the problem, I was getting a DHCP address, which I did not want
to do.  The eth0 icon on the tray showed the correct static address,
which was the same as in my /etc/hosts (and DNS), but the actual
ifconfig eth0 showed the DHCP address.  I corrected this, and now I am
one step further. :-) 

In debug output I see

rlm_realm:  Looking up realm umpublishing.org for User-Name =
[EMAIL PROTECTED]
rlm_realm:  No such realm umpublishing.org


yet this is the realm defined in smb.conf, and it also works fine when I
have this line in the /usr/local/etc/raddb/users file:

[EMAIL PROTECTED]    Auth-Type := ntlm_auth

Is there somewhere else that the realm needs to be defined for this to
work?

Regards,
Cindy







-Original Message-
From: Yoho, Cindy 
Sent: Wednesday, August 06, 2008 12:48 PM
To: 'FreeRadius users mailing list'
Subject: RE: Server not responding to requests


Alan, 

iptables -L -n output shows

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

tcpdump shows nothing when I am trying to connect.  

However, ifconfig shows eth0 has the wrong IP address.  It looks like it
grabbed a DHCP address from my Windows DHCP server.  When I look at eth0
connection properties on the task bar it shows 172.16.3.4.  In
/etc/hosts, under System Administration Network Configuration,  and on
my DNS server, it is 172.16.1.15.  How do I stop it from using the wrong
address?  I see in docs there is a file called
/var/lib/dhclient/eth0-leases which contains the bad config info.  

Orion, client file is correct, for the 172.16.1.15 address, anyway. :-\


Greg, server is not multihomed, but multi-ip addresses do appear to be
the problem. 


Hi,
 Hi All,
 
 I have freeradius 1.1.7 running on RHEL 5.  radtest works with a local
 user setup, and also with authentication via Active Directory.  
 However, anything outside the radius server host does not get a reply.

 I have configured a Multitech MA820 and also tried ntradping, and both

 get the same results - Could not receive a response from server is 
 the message when I use ntradping, and Server did not respond in a 
 timely manner is the response when I try to connect from the
Multitech.
 
 Is there some setting I need to check to make sure external access is
 enabled?

iptables?  your host is firewalled and therefore FR doesnt see the
packet at all?


tcpdump -eqntl -i eth0 port 1812

(if eth0 is your NIC) then do some stuff. do you see anything?

iptables -L -n

are there entries?  if so, ensure there are 1812/1813/1814 UDP entries
too!


alan


--

Message: 2
Date: Tue, 5 Aug 2008 19:17:40 +0200
From: orion [EMAIL PROTECTED]
Subject: Re: Server not responding to requests
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1

take a look at client file. there you can specify which clients ( IP
addresses ) are allowed . add the public ip of your outside clients/nas.

2008/8/5 Yoho, Cindy [EMAIL PROTECTED]:
 Hi All,

 I have freeradius 1.1.7 running on RHEL 5.  radtest works with a local
 user setup, and also with authentication via Active Directory.  
 However, anything outside the radius server host does not get a reply.

 I have configured a Multitech MA820 and also tried ntradping, and both

 get the same results - Could not receive a response from server is 
 the message when I use ntradping, and Server did not respond in a 
 timely manner is the response when I try to connect from the 
 Multitech.

 Is there some setting I need to check to make sure external access is
 enabled?


 Thanks in advance ~

 Cindy Yoho
 Systems Engineer
 United Methodist Publishing House
 Nashville, TN








Attributes

2008-08-08 Thread patrice . oliver
Hello,

I am currently on leave for 3 weeks.
I will be back on 1 September 2008.
In case of emergency, you can contact Mr Tixier on 03 80 24 44 27 or 
IT maintenance on 03 80 24 45 84.

Regards.

Re: 2.0.5 on Solaris, openssl 0.9.8h --- does support sha256 ?

2008-08-08 Thread Rafiqul Ahsan
I have tested that authentication works with my existing certs. When I load
the new certs (sha256), I see the error below in radiusd -X.
I am using FreeRadius 2.0.5, openssl 0.9.8h, OS Solaris.

Is there any known patch for this to support advance encryption...I
believe I saw somewhere in web that 1.1.7 has this patch, how about
2.0.5 ?

Thanks for your thoughts,
Rafi


 tls {
rsa_key_exchange = yes
dh_key_exchange = no
rsa_key_length = 1024
dh_key_length = 1024
verify_depth = 2
pem_file_type = yes
private_key_file = /usr/local/etc/raddb/certs/wmxforum/xohm.com3.pvt.pem
certificate_file = /usr/local/etc/raddb/certs/wmxforum/xohm.com3.pem
CA_file = /usr/local/etc/raddb/certs/wmaxforum/sam-cacert.pem
dh_file = /usr/local/etc/raddb/certs/wmxforum/DH
random_file = /usr/local/etc/raddb/certs/wmxforum/random
fragment_size = 1024
include_length = yes
check_crl = no
   }
rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
rlm_eap_tls: Error reading Trusted root CA list /usr/local/etc/raddb/certs/wmaxforum/sam-cacert.pem
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[3]: Instantiation failed for module eap
/usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
 }
}
Errors initializing modules




On 8/7/08, Rafiqul Ahsan [EMAIL PROTECTED] wrote:
 I changed the Makefile for random file creation step (as a fix for my
 earlier posted error)...

 This is what I found at Makefile  :

 random:
         @if [ -e /dev/urandom ] ; then \
                 dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
         else \
                 date > ./random; \
         fi

 I Changed to ...

 random:
         date > ./random;

 That solved my earlier problem, and now my server is listening.

 Thanks,
 Rafi







 On 8/7/08, Rafiqul Ahsan [EMAIL PROTECTED] wrote:
  I see below error when I execute bootstrap
 
  bash-3.00# /usr/local/etc/raddb/certs/bootstrap
  ...
  make: Nothing to be done for `ca'.
  make: Nothing to be done for `server'.
  make: `dh' is up to date.
  /bin/sh: test: argument expected
  make: *** [random] Error 1
 
  On 8/7/08, Alan DeKok [EMAIL PROTECTED] wrote:
   Rafiqul Ahsan wrote:
Thanks, I was able to build freeradius 2.0.5 on Solaris 10. However,
server is not running, and I see below error when I run radiusd -X.
Here is the output.
   ...
  make_cert_command = /usr/local/etc/raddb/certs/bootstrap
   }
Exec-Program output:
  
It's trying to run the bootstrap command.  It's not working.
  
Run the bootstrap command by hand, and then re-start the server.
  
Alan DeKok.
  
 
 
  --
  Rafiqul Ahsan
 


 --
 Rafiqul Ahsan



-- 
Rafiqul Ahsan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
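
The fopen "No such file or directory" error in the radiusd -X output at the top of this message names the CA_file path. As an added example (not from the thread and not FreeRADIUS code), this Python pulls every *_file setting out of that tls block, reports any whose directory differs from the rest, and lists the ones the server could not read. The function names are assumptions of this example, and the block is copied from the post with the wrapped private_key_file line rejoined.

```python
import os
import posixpath
from collections import Counter

# tls block as printed by radiusd -X in the post (wrapped line rejoined).
TLS_BLOCK = """
 tls {
 rsa_key_exchange = yes
 dh_key_exchange = no
 rsa_key_length = 1024
 dh_key_length = 1024
 verify_depth = 2
 pem_file_type = yes
 private_key_file = /usr/local/etc/raddb/certs/wmxforum/xohm.com3.pvt.pem
 certificate_file = /usr/local/etc/raddb/certs/wmxforum/xohm.com3.pem
 CA_file = /usr/local/etc/raddb/certs/wmaxforum/sam-cacert.pem
 dh_file = /usr/local/etc/raddb/certs/wmxforum/DH
 random_file = /usr/local/etc/raddb/certs/wmxforum/random
 fragment_size = 1024
 include_length = yes
 check_crl = no
 }
"""


def file_settings(block):
    """Return {name: path} for every '<name>_file = /absolute/path' line."""
    found = {}
    for line in block.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if sep and key.endswith("_file") and value.startswith("/"):
            found[key] = value
    return found


def directory_outliers(settings):
    """Settings whose parent directory is not the one most settings share."""
    dirs = {key: posixpath.dirname(path) for key, path in settings.items()}
    if not dirs:
        return {}
    common, _ = Counter(dirs.values()).most_common(1)[0]
    return {key: d for key, d in dirs.items() if d != common}


def unreadable(settings, can_read=lambda path: os.access(path, os.R_OK)):
    """Names of settings whose file the current user cannot open for reading."""
    return sorted(key for key, path in settings.items() if not can_read(path))


if __name__ == "__main__":
    settings = file_settings(TLS_BLOCK)
    for key, directory in directory_outliers(settings).items():
        print(f"{key} is under a different directory: {directory}")
    # Run as the user radiusd runs as, on the server itself.
    print("not readable here:", unreadable(settings))
```

On the block from the post, the only setting reported as being under a different directory is CA_file (wmaxforum, where the other four use wmxforum).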


Re: 2.0.5 on Solaris, openssl 0.9.8h --- does support sha256 ?

2008-08-08 Thread patrice . oliver
Hello,

I am currently on leave for 3 weeks.
I will be back on 1 September 2008.
In case of emergency, you can contact Mr Tixier on 03 80 24 44 27 or 
IT maintenance on 03 80 24 45 84.

Regards.

Multiple NAS

2008-08-08 Thread Rana Dhekial



Hi, I use different type of VoIP GWYs and SIP servers ( like Cisco, Asterisk, 
OpenSER ) in our VoIP network. They are writing detail accounting info to the 
freeradius server fine. But I am having some issues writing the accounting info 
to backend database like MySQL. For example the radius accounting attributes of 
Cisco is different from Asterisk or OpenSER. So the idea is to create multiple 
tables in the database where Freeradius is writing and store Cisco's accounting 
info to say radacct_1, Asterisk's to radacct_2, OpenSER's to radacct_3 tables. 
How do I assign a specific NAS like Cisco to use say sql_1.conf, Asterisk to 
use sql_2.conf and OpenSER to use sql_3.conf.  Or if there is any other way to 
solve this.. thanks in advance   


Multiple NAS

2008-08-08 Thread patrice . oliver
Hello,

I am currently on leave for 3 weeks.
I will be back on 1 September 2008.
In case of emergency, you can contact Mr Tixier on 03 80 24 44 27 or 
IT maintenance on 03 80 24 45 84.

Regards.