PPTP forward port per user

2008-08-10 Thread Sascha Kiefer

Hi,

I would like to be able to forward internal ports of users through
the VPN. The idea is that a user picks 2-3 (or maybe just one) TCP ports
out of a given port pool, and when he connects to the VPN, this port
forwarding is established for him.
Any idea how to do this? I'm using pptpd with freeradius + mysql.

thanks for a hint.
cheers,
--sascha
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


accounting method

2008-08-10 Thread ramakuka
Hi, 

I just installed a new FreeRADIUS server (2.0.5) using LDAP and MySQL for
accounting and it's all working great.

I want to change the accounting method so instead of adding one accounting
record with NULL in the acctstoptime field at accounting start, I want it to
be one record for accounting start with code 1 and another record for
stop with code 2.

That way I can monitor user concurrency and so on.

I tried to google it and didn't find anything useful for this; is there
anywhere I can read about this, or can anyone help me here regarding this?

Thanks in advance,

Ram


Re: accounting method

2008-08-10 Thread S Adrian
Hi,

> I want to change the accounting method so instead of adding one accounting
> record with NULL in the acctstoptime field at accounting start I want it
> to be one record for accounting start with code 1 and another record
> for stop with code 2.
>
> That way I can monitor user concurrency and so on.
>
> I tried to google it and didn't find anything useful for this; is there
> anywhere I can read about this, or can anyone help me here regarding this?

Well, you could try to modify the queries for MySQL? (sql/mysql/dialup.conf)

You're welcome,
Adrian.


Re: accounting method

2008-08-10 Thread Imri Zvik
On Sunday 10 August 2008 15:29:41 S Adrian wrote:
> > I want to change the accounting method so instead of adding one
> > accounting record with NULL in the acctstoptime field at accounting start
> > I want it to be one record for accounting start with code 1 and
> > another record for stop with code 2.
> >
> > That way I can monitor user concurrency and so on.
> >
> > I tried to google it and didn't find anything useful for this; is there
> > anywhere I can read about this, or can anyone help me here regarding this?
>
> Well, you could try to modify the queries for MySQL? (sql/mysql/dialup.conf)

More specifically: the accounting_start_query and accounting_stop_query
queries :)
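A worked version of the two-row scheme Ram describes and Imri points at, as an added example that is not from the thread or from FreeRADIUS: the two INSERTs are what an accounting_start_query and accounting_stop_query in sql/mysql/dialup.conf would expand to, replayed here through sqlite3 with a concurrency query over the result. The table radacct_events, its columns and the sample events are constructed assumptions.

```python
import sqlite3

# Assumed table: one row per Accounting-Request, never UPDATEd.
SCHEMA = """
CREATE TABLE radacct_events (
    acctsessionid   TEXT NOT NULL,      -- Acct-Session-Id
    username        TEXT NOT NULL,      -- SQL-User-Name
    nasipaddress    TEXT NOT NULL,      -- NAS-IP-Address
    statuscode      INTEGER NOT NULL,   -- 1 = Start, 2 = Stop
    eventtime       TEXT NOT NULL,
    acctsessiontime INTEGER             -- Acct-Session-Time, Stop rows only
);
"""

# What accounting_start_query would expand to; the '?' stand in for the
# %{Acct-Session-Id}, %{SQL-User-Name}, %{NAS-IP-Address} xlats and the time.
START_QUERY = """
INSERT INTO radacct_events (acctsessionid, username, nasipaddress, statuscode, eventtime)
VALUES (?, ?, ?, 1, ?)
"""

# What accounting_stop_query would expand to: a second, separate row.
STOP_QUERY = """
INSERT INTO radacct_events (acctsessionid, username, nasipaddress, statuscode,
                            eventtime, acctsessiontime)
VALUES (?, ?, ?, 2, ?, ?)
"""

# Open sessions: Start rows with no Stop row for the same session on the same NAS.
CONCURRENCY_QUERY = """
SELECT s.username, COUNT(*) FROM radacct_events s
WHERE s.statuscode = 1 AND NOT EXISTS (
    SELECT 1 FROM radacct_events e
    WHERE e.statuscode = 2 AND e.acctsessionid = s.acctsessionid
      AND e.nasipaddress = s.nasipaddress)
GROUP BY s.username
"""

def open_sessions(events):
    """Replay (status, session id, user, NAS IP, time, session secs) tuples
    through the two queries and return {username: sessions still open}."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for status, sid, user, nas, when, secs in events:
        if status == 1:
            db.execute(START_QUERY, (sid, user, nas, when))
        else:
            db.execute(STOP_QUERY, (sid, user, nas, when, secs))
    return dict(db.execute(CONCURRENCY_QUERY).fetchall())

# Constructed sample: fred opens two sessions and closes one, ram opens one.
SAMPLE_EVENTS = [
    (1, "s1", "fred", "10.0.0.2", "2008-08-10 10:00:00", None),
    (1, "s2", "fred", "10.0.0.2", "2008-08-10 10:05:00", None),
    (2, "s1", "fred", "10.0.0.2", "2008-08-10 10:30:00", 1800),
    (1, "s3", "ram", "10.0.0.3", "2008-08-10 10:40:00", None),
]

if __name__ == "__main__":
    print(open_sessions(SAMPLE_EVENTS))  # {'fred': 1, 'ram': 1}
```

Because a Stop is matched on (Acct-Session-Id, NAS-IP-Address) rather than on username, a session whose Stop never arrived stays counted as open until it is cleaned up, which is the same situation the single-row layout represents with a NULL acctstoptime.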


Re: PPTP forward port per user

2008-08-10 Thread Phil Mayers

On Sun, Aug 10, 2008 at 10:15:31AM +0400, Sascha Kiefer wrote:
> I would like to be able to forward internal ports of users through
> the VPN. The idea is that a user picks 2-3 (or maybe just one) TCP ports
> out of a given port pool, and when he connects to the VPN, this port
> forwarding is established for him.
> Any idea how to do this? I'm using pptpd with freeradius + mysql.

This is not a freeradius question.

If you want to run a script on the VPN server and have it access values
from the radius reply, see man pppd-radius and look at the ip-up
script.


Re: Freeradius Diffie-Hellman

2008-08-10 Thread Alan DeKok
Sergio wrote:
> Please developers :) I only have a question:
> can freeradius and a client perform an RSA key exchange?

  There is no code to do *ephemeral* key exchange.  *Normal* key
exchange is part of the SSL protocol.

  See the SSL specifications, and the OpenSSL documentation for more
details.

  Alan DeKok.


Re: Freeradius Diffie-Hellman

2008-08-10 Thread Sergio

Alan DeKok wrote:
> Sergio wrote:
> > Please developers :) I only have a question:
> > can freeradius and a client perform an RSA key exchange?
>
> There is no code to do *ephemeral* key exchange.  *Normal* key
> exchange is part of the SSL protocol.
>
> See the SSL specifications, and the OpenSSL documentation for more
> details.
>
> Alan DeKok.

OK, that's enough for me, thanks Alan


Redundant waits for minutes to failover

2008-08-10 Thread Stefan A.
All,

I'm using 'redundant' to failover from SQL to Filebased Authentication

At the time, my MySQL Server is gone, FR is waiting for minutes to go on to
the next step...

++- entering policy redundant
expand: %{User-Name} - fred
rlm_sql (sql_access-1): sql_set_user escaped user -- fred
rlm_sql (sql_access-1): Reserving sql socket id: 4
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
UserName = '%{SQL-User-Name}' and VolumeBucket = '%{VolumeBucket}' ORDER BY
id - SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE UserName =
'fred' ORDER BY id
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE UserName = 'fred' ORDER BY id
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (sql_access-1): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql_mysql: Couldn't connect socket to MySQL server
[EMAIL PROTECTED]:acctopus_te
rlm_sql_mysql: Mysql error 'Can't connect to MySQL server on 'db-access-1'
(146)'
rlm_sql (sql_access-1): Failed to connect DB handle #4
rlm_sql (sql_access-1): reconnect failed, database down?
rlm_sql_getvpdata: database query error
rlm_sql (sql_access-1): SQL query error; rejecting user
rlm_sql (sql_access-1): Released sql socket id: 4
+++[sql_access-1] returns fail
expand: %{User-Name} - fred
rlm_sql (sql_access-2): sql_set_user escaped user -- 'fred'
rlm_sql (sql_access-2): Trying to (re)connect unconnected handle 4..
rlm_sql (sql_access-2): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4


'db-access-1' is the hostname from the hosts file; it is the machine itself.
'db-access-2' is the hostname from the hosts file; it is the other machine,
containing a replica... if up.

Accounting went through the redundant block directly into the file, without
wasting time.


I have configured:
For access:

redundant { 
sql_access-1
sql_access-2
ok 
} 
files


For Accounting:

redundant {
sql_accounting
detail
}

Are there any reconnect options besides
connect_failure_retry_delay = 60
?

Thanks, Stefan


RE: Juniper and Nortel user access [SEC=UNCLASSIFIED]

2008-08-10 Thread Ranner, Frank MR
UNCLASSIFIED



> From: [EMAIL PROTECTED] On Behalf Of Ivan .
> Sent: Monday, 11 August 2008 10:18
> To: freeradius-users@lists.freeradius.org
> Subject: Juniper and Nortel user access
>
> Hi
>
> I have a user setup in the /etc/freeradius/users file which can access
> Juniper routers, but I would like the same user to be able to access
> Nortel switches, but when I try and combine the user attributes
> authentication fails.
>
> This conf works for both devices:-
>
> test  Auth-type:=Local, User-Password := test
>  Juniper-Local-User-Name =DEV
>
> test2  Cleartext-Password := test
>  Service-Type = Administrative-User
>
> When I try and combine, auth fails for the Nortels.
>
> test  Auth-type:=Local, User-Password := test
>  Juniper-Local-User-Name =DEV
>  Service-Type = Administrative-User

You need a comma after the reply attribute:

test  Auth-type:=Local, User-Password := test
 Juniper-Local-User-Name =DEV,
 Service-Type = Administrative-User


Regards, 
Frank Ranner

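The comma rule Frank applies, as an added example that is not from the thread or from FreeRADIUS: a small Python lint over a users file that reports reply-item lines which are followed by another reply item but lack the trailing comma, and the reverse, a final reply line that ends with one. It assumes check items fit on the entry's first line; the sample file is constructed from the entries in the thread.

```python
import re

# A reply-item line is indented; an entry header starts in column 0.
INDENTED = re.compile(r"^\s+\S")

def lint_users(text):
    """Return [(line number, message)] for comma mistakes in reply items.

    Rule checked: within an entry every reply-item line except the last must
    end with a comma, and the last one must not. Assumes the check items fit
    on the entry's first line; comments and blank lines are ignored.
    """
    meaningful = [(i + 1, l) for i, l in enumerate(text.splitlines())
                  if l.strip() and not l.lstrip().startswith("#")]
    problems = []
    for idx, (no, line) in enumerate(meaningful):
        if not INDENTED.match(line):
            continue  # entry header: check items are not checked here
        ends_with_comma = line.rstrip().endswith(",")
        nxt = meaningful[idx + 1][1] if idx + 1 < len(meaningful) else None
        next_is_reply = nxt is not None and INDENTED.match(nxt) is not None
        if next_is_reply and not ends_with_comma:
            problems.append((no, "reply item is followed by another reply "
                                 "item but has no trailing comma"))
        elif not next_is_reply and ends_with_comma:
            problems.append((no, "last reply item of the entry ends with a comma"))
    return problems

# Constructed sample from the thread: the first entry lacks the comma after
# Juniper-Local-User-Name, the second entry is fine.
BROKEN = """\
test  Auth-type:=Local, User-Password := test
\tJuniper-Local-User-Name = DEV
\tService-Type = Administrative-User

test2  Cleartext-Password := test
\tService-Type = Administrative-User
"""

FIXED = BROKEN.replace("= DEV\n", "= DEV,\n")

if __name__ == "__main__":
    for no, msg in lint_users(BROKEN):
        print(f"line {no}: {msg}")  # reports line 2
    print(lint_users(FIXED))  # []
```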


Re: FreeRadius MAC address authorization (no authentication)

2008-08-10 Thread Ramot Lubis
I guess the Windows XP client has been able to communicate (the EAP problem
has been fixed) according to the following log. However, the client
has not been authenticated because of a username and password problem,
but that's OK since my purpose is to authenticate based on client MAC
address rather than username/password.

My question is: how can I configure FreeRADIUS to authenticate a client
based on MAC address? Is there any possibility to use unlang, and if so,
how can I use unlang to authenticate a client MAC address?

Thanks in advance.


++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
  rlm_mschap: Told to do MS-CHAPv2 for PIDEL-3C5B30E9C\Administrator
with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 52 to 10.0.0.2 port 1027
EAP-Message =
0x010800261900170301001b916dabf876b637e708a5f0472e047d95636c8d755a4db6398bfd5a
Message-Authenticator = 0x
State = 0x5e8a10c0598209f9d72120367b73e4be
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.2 port 1027, id=53, length=221
User-Name = PIDEL-3C5B30E9C\\Administrator
NAS-IP-Address = 10.0.0.2
NAS-Port = 0
Called-Station-Id = 00-1E-E5-9D-61-85:DEL_LR1
Calling-Station-Id = 00-21-00-0B-68-E3
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message =
0x020800261900170301001b09c3f1df213e452b936c4d3a3a42a177644f14e998e6d36c128a55
State = 0x5e8a10c0598209f9d72120367b73e4be
Message-Authenticator = 0xaa9d67c2641d1c6281c0b7e1dcff3aec
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = PIDEL-3C5B30E9C\Administrator,
looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 8 length 38
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in
this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - PIDEL-3C5B30E9C\Administrator
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 53 to 10.0.0.2 port 1027
EAP-Message = 0x04080004
Message-Authenticator = 0x
Finished request 8.
Going to the next request



On Sun, Aug 10, 2008 at 2:20 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> Ramot Lubis wrote:
> > 1. Creating production certificate as described in
> > http://deployingradius.com/documents/configuration/certificates.html
> > 2. update hotfix as described in http://support.microsoft.com/kb/885453/en-us
> > 3. Install certificate ca.der into Windows client. Use the new
> > installed certificate in client when using PEAP from client.
>
> For instructions on debugging the client side, see:
>
> http://deployingradius.com/documents/configuration/eap-problems.html
>
> Alan DeKok.


Re: Juniper and Nortel user access [SEC=UNCLASSIFIED]

2008-08-10 Thread Ivan .
awesome thanks! that works

cheers
Ivan

On Mon, Aug 11, 2008 at 1:28 PM, Ranner, Frank MR [EMAIL PROTECTED] wrote:
> You need a comma after the reply attribute:
>
> test  Auth-type:=Local, User-Password := test
>  Juniper-Local-User-Name =DEV,
>  Service-Type = Administrative-User
>
> Regards,
> Frank Ranner


Radius client can not connected!

2008-08-10 Thread Kwok Sianbin
Hi all,

Need help.

I'd been doing this for some time and can't get it solved.

The client tries to communicate with the server but just can't get it connected.

Here are the messages:



Waking up in 4.7 seconds.
    User-Name = testing
    NAS-IP-Address = 0.0.0.0
    Framed-MTU = 1488
    Called-Station-Id = 00:30:1a:29:03:66
    Calling-Station-Id = 00:1c:f0:10:56:b8
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = 127.0.0.1
    Connect-Info = CONNECT 11Mbps 802.11b
    State = 0x50713d8653743023ce88a0c1a1b930fe
    Message-Authenticator = 0xd97d042e7cb701a8720f28f6c5f1292b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = testing, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 5 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testing at line 91
    expand: Hello, %{User-Name} - Hello, testing
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 1467
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls:  TLS 1.0 Handshake [length 037f], Certificate
-- verify error:num=20:unable to get local issuer certificate
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept:error in SSLv3 read 

Re: FreeRadius MAC address authorization (no authentication)

2008-08-10 Thread Alan DeKok
Ramot Lubis wrote:
> I guess the Windows XP client has been able to communicate (the EAP problem
> has been fixed) according to the following log. However, the client
> has not been authenticated because of a username and password problem,
> but that's OK since my purpose is to authenticate based on client MAC
> address rather than username/password.
>
> My question is: how can I configure FreeRADIUS to authenticate a client
> based on MAC address? Is there any possibility to use unlang, and if so,
> how can I use unlang to authenticate a client MAC address?

  It's impossible.  EAP doesn't work like that.

  Alan DeKok.


Re: Need help on Free Radius.

2008-08-10 Thread Alan DeKok
no name wrote:
> I have an Active Directory on Windows 2k3 and I want to use the free
> radius on a Linux machine for authenticating domain users. I tried to
> configure free radius with ntlm_auth for working auth but it does not work.
> Although on free radius I can auth successfully for a domain user by
> command: ntlm_auth --domain=ABC --username=test --- result: auth success
> (...), but on the auth client when I checked with the wrong name/pass it
> still showed the message auth success; after that this user/pass cannot
> login to a device on the domain.
> Can anybody help me on this and share with me how to configure freeradius for
> authenticating domain users?

  Follow the instructions on my web site:

http://deployingradius.com/documents/configuration/active_directory.html

  And read the FAQ for "it doesn't work".

  Alan DeKok.


Re: Radius client can not connected!

2008-08-10 Thread Alan DeKok
Kwok Sianbin wrote:
> I'd been doing this for some time and can't get it solved.
> The client tries to communicate with the server but just can't get it connected.

  Please READ the debug output.  It is telling you what's going wrong.

>   rlm_eap_tls:  TLS 1.0 Handshake [length 037f], Certificate
> -- verify error:num=20:unable to get local issuer certificate
>   rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

  You are doing EAP-TLS.  The certificate presented is from a CA that is
unknown.

  Alan DeKok.