check_cert_cn translation
We've noticed several people have posted their eap.conf for EAP-TLS troubleshooting, and that both check_cert_issuer and check_cert_cn are commented out. In these configurations, is FreeRADIUS just checking for the certificate in the CRL list and that the proper CA root is in the CA_file on the FreeRADIUS server? What is gained by using check_cert_cn?

When we have check_cert_cn enabled, it seems that the User-Name is translated differently by different types of devices. When a test user with an iPhone tries to connect he receives errors, but the same certificate on a Microsoft Vista wireless client is successfully authenticated. We've seen this with both FreeRADIUS v1.1.7 and v2.1.1. Which file controls the User-Name translation?

Fri Oct 24 19:46:58 2008 : Auth: rlm_eap_tls: Certificate CN (Test User (Company 1)) does not match specified value ([EMAIL PROTECTED])!
Fri Oct 24 19:46:58 2008 : Error: TLS Alert write:fatal:certificate unknown
Fri Oct 24 19:46:58 2008 : Error: TLS_accept:error in SSLv3 read client certificate B
Fri Oct 24 19:46:58 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Fri Oct 24 19:46:58 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Fri Oct 24 19:46:58 2008 : Auth: Login incorrect: [EMAIL PROTECTED] (from client tstca-wc-c01 port 29 cli 00-23-6C-5B-1C-23)

Regards,
Kas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
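The post above asks what check_cert_cn adds. Without it, rlm_eap_tls accepts any client certificate that chains to CA_file and is not on the CRL, and nothing ties the User-Name the supplicant sent to the certificate it presented; with check_cert_cn = "%{User-Name}" the CN of the certificate must equal the outer identity, which is exactly the comparison the "Certificate CN (...) does not match specified value (...)" message reports failing. The Python below is an added example, not code from the post or from FreeRADIUS: it reproduces that comparison on a constructed certificate subject and shows why one supplicant passes and the other fails. The iPhone is assumed to send the certificate's e-mail address as its identity (the redacted value in the log looks like one); that, the DN and all names in the block are assumptions.

```python
"""
Added example (not from the post, not FreeRADIUS code): how an
rlm_eap_tls-style check_cert_cn comparison behaves when two supplicants
send different outer identities for the same client certificate.

Assumptions: the certificate subject is available as an OpenSSL "oneline"
DN string; the configured check_cert_cn value is "%{User-Name}", i.e. the
outer EAP identity; the DN, identities and policy below are constructed.
"""
from typing import Dict, Optional

# Constructed sample data: one certificate, two supplicants presenting it.
CERT_SUBJECT = "/C=US/O=Company 1/CN=Test User (Company 1)/emailAddress=test.user@example.com"
IDENTITY_FROM_VISTA = "Test User (Company 1)"    # assumed: Vista sends the CN
IDENTITY_FROM_IPHONE = "test.user@example.com"   # assumed: iPhone sends the e-mail


def parse_oneline_dn(dn: str) -> Dict[str, str]:
    """Parse an OpenSSL-style "/C=.../CN=..." subject into a dict.

    Values may contain spaces and parentheses, as the CN in the post does.
    A literal '/' inside a value would need escaping, which is not handled.
    """
    parts: Dict[str, str] = {}
    for item in dn.strip("/").split("/"):
        if "=" not in item:
            raise ValueError(f"malformed RDN: {item!r}")
        key, value = item.split("=", 1)
        parts[key.strip()] = value.strip()
    return parts


def check_cert_cn(subject_dn: str, expected: str) -> Optional[str]:
    """Exact, case-sensitive match of the certificate CN against the expanded
    check_cert_cn value. Returns None on success, else the error text in the
    same shape as the rlm_eap_tls log line from the post."""
    cn = parse_oneline_dn(subject_dn).get("CN")
    if cn is None:
        return "certificate has no CN"
    if cn != expected:
        return f"Certificate CN ({cn}) does not match specified value ({expected})!"
    return None


def bind_identity_to_cert(subject_dn: str, identity: str) -> bool:
    """A looser site policy, shown for contrast only (not a FreeRADIUS option):
    accept the outer identity if it equals the CN or the subject e-mail.
    Either way the identity is still bound to the certificate that was used."""
    subject = parse_oneline_dn(subject_dn)
    return identity in {subject.get("CN"), subject.get("emailAddress")}


if __name__ == "__main__":
    for label, ident in (("Vista", IDENTITY_FROM_VISTA), ("iPhone", IDENTITY_FROM_IPHONE)):
        err = check_cert_cn(CERT_SUBJECT, ident)
        print(f"{label:6s} identity={ident!r}: {'ok' if err is None else err}")
```

The practical check is therefore not "which file translates User-Name" but what each supplicant puts in its outer identity; `radiusd -X` shows the User-Name of the incoming Access-Request next to the CN that rlm_eap_tls extracted, and whichever of the two the site decides is canonical, the other device's identity setting has to be changed to match it rather than the check being relaxed.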
Re: Insert billiplan code in radacct table during authenticaiton
On Sun, Oct 26, 2008 at 4:12 AM, Bishal [EMAIL PROTECTED] wrote:
> Following is my radcheck table format:
>
> id   | UserName | Attribute     | op | Value    | CrDate               | creator | Usemac | activated | activeDate           | status | rate | Type | BillingPlan | TimeToFinish
> 1272 | bishal   | User-Password | == | testpass | 2006-07-28 18:42:58  | bishal  | 0      | 0         | 2007-07-22 20:49:17  | 0      | 0    |      | 001         | 0
> 1273 | Hary     | User-Password | == | lamp     | 2007-08-28 20:443:58 | bishal  | 0      | 0         | 2007-08-28 20:443:58 | 0      | 0    |      | 002         | 0

Yikes! Why would anyone torture the radcheck table like that? :-)

I'm curious to know which management application you are using, if it's ok for you to let us know.

Regards,
Liran.
Log partially solved
Hi, I am using freeradiusd 2.0.2. I have edited the config files, so radiusd.conf has:

---snip---
detail auth_log {
        detailfile = ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
        # detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        #
        # This MUST be 0600, otherwise anyone can read
        # the users passwords!
        #
        detailperm = 0600
        # You may also strip out passwords completely
        suppress {
                User-Password
        }
}
---snip---

and /etc/raddb/sites-available/default has:

eap {
        ok = return
}
authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        files
        ldap
        expiration
        logintime
        pap
        auth_log
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}

Now I get log files as follows:

-rw------- 1 radiusd radiusd  928 Oct 27 11:01 auth-detail-20081027_NAK
-rw------- 1 radiusd radiusd  411 Oct 27 11:01 auth-detail-20081027_MS-CHAP-V2
-rw------- 1 radiusd radiusd 6757 Oct 27 11:10 auth-detail-20081027_Identity
-rw------- 1 radiusd radiusd 1195 Oct 27 11:10 auth-detail-20081027_

But still, it says nothing if the supplicant is using TTLS or PAP, which is what I'd like to see as filename suffixes. Am I missing something? Thanks in advance!

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
Suse SLES 10SP2 with freeradius 2.x
Hello, has anyone got FreeRADIUS v2.x running on SLES 10 against eDirectory?

Best regards,
Boert
EAP-MSK WiMAX-MSK validity?
Hi all,

I use:

- WiMAX-MSK = EAP-MSK, and it all works correctly. I suppose its validity is only for the authentication session; is that right?
- WiMAX-AAA-Session-Id is set as a pseudo-random value. Is that correct? Is its value related to the duration of the session?

Thanks all in advance!
Stefano
Re: Insert billiplan code in radacct table during authenticaiton
Hi Liran,

I have developed my own PHP-based online viewing GUI interface.

Bishal

On 10/27/2008, liran tal [EMAIL PROTECTED] wrote:
> Yikes! Why would anyone torture the radcheck table like that? :-)
> I'm curious to know which management application you are using, if it's ok for you to let us know.
Re: Log partially solved
2008/10/27 [EMAIL PROTECTED]:
>> detail auth_log {
>>         detailfile = ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
>>         # detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
>> ..
>> But still, it says nothing if the supplicant is using TTLS or PAP, which is what I'd like to see as filename suffixes. Am I missing something?
>
> Try EAP-Type-TTLS and EAP-Type-PEAP instead of EAP-Type.
>
> Ivan Kalik
> Kalik Informatika ISP

Sorry, but I don't understand: if I set ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_EAP-Type-TTLS, the name will always be appended with _EAP-Type-TTLS, and if I set ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type-TTLS} it won't work either. Am I doing something wrong?

Thanks in advance!

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
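The exchange above turns on how %{EAP-Type} expands: rlm_detail expands an attribute that is absent from the request to the empty string, which is where the bare auth-detail-20081027_ file comes from, and the inner PAP request of a TTLS session carries no EAP-Message at all, so it never gets an EAP-Type. The Python below is an added example, not from the thread: a small parser for the detail-file format (timestamp line, tab-indented attributes, blank separator) that reproduces the filename split and, more importantly for a log that the config protects with detailperm = 0600 and suppress { User-Password }, reports any record that still carries a cleartext password. The records are constructed for the example; the attribute values in them are not from the poster's server.

```python
"""
Added example (not from the thread, not FreeRADIUS code): parse rlm_detail
output, show which file name each record would get for the poster's
template, and flag records that still contain User-Password.
"""
import re
import time
from collections import Counter
from typing import Dict, List

# Constructed sample in the layout rlm_detail writes: a timestamp line, then
# tab-indented "Attribute = value" lines, then a blank line per record.
# Records 1-2 are outer EAP packets, 3 is an inner MS-CHAPv2 request, 4 is an
# inner PAP request from a TTLS tunnel (no EAP-Message, hence no EAP-Type).
SAMPLE_DETAIL = """\
Mon Oct 27 11:01:03 2008
\tUser-Name = "anonymous"
\tEAP-Message = 0x0201000e01616e6f6e796d6f7573
\tEAP-Type = Identity
\tClient-IP-Address = 10.0.0.2

Mon Oct 27 11:01:03 2008
\tUser-Name = "anonymous"
\tEAP-Message = 0x020200060315
\tEAP-Type = NAK
\tClient-IP-Address = 10.0.0.2

Mon Oct 27 11:01:04 2008
\tUser-Name = "sergio"
\tMS-CHAP-Challenge = 0x0102030405060708090a0b0c0d0e0f10
\tEAP-Type = MS-CHAP-V2
\tClient-IP-Address = 10.0.0.2

Mon Oct 27 11:01:05 2008
\tUser-Name = "sergio"
\tUser-Password = "hunter2"
\tClient-IP-Address = 10.0.0.2

"""

RECORD_HEADER = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}$")


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split a detail file into records; each is a dict of attribute -> value
    plus the record's "Timestamp" line. Double quotes around strings are
    removed; hex values are kept as written."""
    records: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if RECORD_HEADER.match(line):
            current = {"Timestamp": line}
            records.append(current)
        elif line.startswith("\t") and current is not None:
            name, sep, value = line.strip().partition(" = ")
            if not sep:
                raise ValueError(f"attribute line without ' = ': {line!r}")
            current[name] = value.strip('"')
        elif line.strip() == "":
            current = None           # a blank line closes the record
        else:
            raise ValueError(f"unexpected line in detail file: {line!r}")
    return records


def expand_filename(template: str, record: Dict[str, str]) -> str:
    """Expand %{Attr} as rlm_detail does (absent attribute -> empty string),
    then the strftime escapes such as %Y%m%d from the record's timestamp."""
    expanded = re.sub(r"%\{([A-Za-z0-9-]+)\}",
                      lambda m: record.get(m.group(1), ""), template)
    stamp = time.strptime(record["Timestamp"], "%a %b %d %H:%M:%S %Y")
    return time.strftime(expanded, stamp)


def files_written(template: str, records: List[Dict[str, str]]) -> Counter:
    """How many records land in each file name for this template."""
    return Counter(expand_filename(template, r) for r in records)


def records_with_cleartext_password(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records that still carry User-Password, i.e. what suppress { User-Password }
    is meant to prevent. Anything returned here is a finding."""
    return [r for r in records if "User-Password" in r]


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    for name, n in sorted(files_written("auth-detail-%Y%m%d_%{EAP-Type}", recs).items()):
        print(f"{n} record(s) -> {name}")
    for r in records_with_cleartext_password(recs):
        print("cleartext password logged for", r["User-Name"], "at", r["Timestamp"])
```

Run against real detail files (parse_detail(open(path).read())), the last function is the check worth scripting: a suppress list only protects the attribute names it lists, so a tunnel type that carries the password under a different attribute, or a second detail instance without the suppress stanza, shows up here as records with the password in the clear.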
Need help for configuration - LDAP with custom files Failover
Dear all,

I'm facing a problem with FreeRADIUS 2.0.4. I want to make a configuration that allows our Cisco routers to authenticate via RADIUS. For this, we're using a password file now (let's call it ciscopwd) and another file for granting rights. I want to change the config so that the auth is done by LDAP (plain passwords), BUT if LDAP is not available the ciscopwd file will do the job. How can this be done? (Moreover, I want to have some LDAP group limitations on the logins.)

Thanks in advance,
Tamas
Simultaneous-Use check not working
Good afternoon,

I have inherited an aged ICRadius install and I am in the process of converting to FreeRADIUS 1.1.7. Currently I have a master DB on our management server replicating to two RADIUS servers. Each RADIUS server has a unique sql instance to send accounting data to the master DB. Everything is working; the DB conversion from ICRadius to FreeRADIUS went fine. In testing the only issue I have found is that I am unable to stop simultaneous use. I read the docs carefully, checked the Wiki, and I believe I have everything configured properly. Using RadiusTest 2.4.3 and radwho I see the following. I check for a login using radwho and I see I have a session; I then attempt both a new auth and start accounting again, and still radwho shows only one login.

[EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
Login      Name            What  TTY  When       From       Location
yellowhous yellowhousejake shell S1   Mon 11:35  192.168.4  192.168.0.1

10/27/2008 11:55:13 AM Test started [check newrad1]
Info: Sending Access-Request of id 0 to 10.0.241.95:1645
        Password = marlin
        User-Name = yellowhousejake
        Framed-IP-Address = 192.168.0.1
        Acct-Session-Id = 201
Info: Access-Accept packet from host 10.0.241.95:1645, id=0, length=89
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Framed-Compression = Van-Jacobson-TCP-IP
        Filter-Id = std.ppp
        Framed-MTU = 1500
        Port-Limit = 1
        Idle-Timeout = 600
        Session-Timeout = 28800
Total approved auths: 1  Total denied auths: 0  Total lost auths: 0  Total time(secs): 0
10/27/2008 11:55:13 AM Test finished [check newrad1]

10/27/2008 11:55:40 AM Test started [start acct]
Info: Sending Accounting-Request of id 0 to 10.0.241.95:1646
        User-Name = yellowhousejake
        Acct-Session-Id = 201
        Acct-Status-Type = Start
        NAS-Port = 1
        Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
Info: Sending Accounting-Request of id 1 to 10.0.241.95:1646
        User-Name = yellowhousejake
        Acct-Session-Id = 201
        Acct-Status-Type = Alive
        NAS-Port = 1
        Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20
Total approved auths: 2  Total denied auths: 0  Total lost auths: 0  Total time(secs): 0
10/27/2008 11:55:40 AM Test finished [start acct]

10/27/2008 11:55:40 AM Test started [start acct]
Info: Sending Accounting-Request of id 0 to 10.0.241.95:1646
        User-Name = yellowhousejake
        Acct-Session-Id = 201
        Acct-Status-Type = Start
        NAS-Port = 1
        Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
Info: Sending Accounting-Request of id 1 to 10.0.241.95:1646
        User-Name = yellowhousejake
        Acct-Session-Id = 201
        Acct-Status-Type = Alive
        NAS-Port = 1
        Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20
Total approved auths: 2  Total denied auths: 0  Total lost auths: 0  Total time(secs): 0
10/27/2008 11:55:40 AM Test finished [start acct]

[EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
Login      Name            What  TTY  When       From       Location
yellowhous yellowhousejake shell S1   Mon 11:55  192.168.4  192.168.0.1

Here are the parts of my conf I believe I need to check for simultaneous use.

## radiusd.conf
radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = no
        callerid = yes
}

accounting {
        radutmp
        ## sradutmp
        sql_acct
}

session {
        radutmp
        sql_acct
}

## sql.conf
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
        FROM ${acct_table1} \
        WHERE UserName='%{SQL-User-Name}' \
        AND AcctStopTime = 0"

Note I enabled radutmp after sql was failing to stop the second login. I am certain I have missed something simple but I am unable to find it. Any help, cluesmacks, etc. are appreciated.

DAve

--
I am watching the debate and I am very disappointed. The rules are simple, answer the question. I would vote right now, and I can in Indiana, for the man who answered the question directly, in less than a minute, and then sat down before the green light was out.
problems with authorization PEAP - EAP-MSCHAPv2 clients
Hello,

I would like to authorize Windows clients' access to a 3Com Baseline Switch 2948 SFP against a FreeRADIUS 2.0.5 server. Windows is configured to use PEAP - EAP-MSCHAPv2. The server certificate was created with the bootstrap script (xpextensions are included). I tried Windows XP SP3 and Linux (wpa_supplicant) clients and both cause the same server output, and authorization can't pass. The testing tools eapol_test, radeapclient and jRadiusSimulator pass all tests fine. EAP-MD5 Challenge works fine. Attaching radiusd.conf and radiusd -X output.

Thanks for help.

--
Lukas Lisa

prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
log_auth = yes
run_dir = ${localstatedir}/run/radiusd
db_dir = $(raddbdir)
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests = yes
# proxy
# $INCLUDE proxy.conf
realm NULL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        secret = ss
}
## clients ##
# $INCLUDE clients.conf
client 127.0.0.1 {
        secret = ss
        shortname = localhost
        nastype = other
}
client 10.1.11.0 {
        netmask = 24
        secret = ss
        shortname = LAN_clients
        nastype = other
}
snmp = no
$INCLUDE snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        # $INCLUDE ${confdir}/modules/
        ### acct_unique
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }
        ### detail
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
                header = "%t"
        }
        ### files
        files {
                usersfile = ${confdir}/users
                #acctusersfile = ${confdir}/acct_users
                #preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        ### mschap
        mschap {
                authtype = MS-CHAP
        }
        ### pap
        pap {
                auto_header = no
        }
        ### preprocess
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        ### realm
        realm suffix {
                format = suffix
                delimiter = "@"
        }
        ### eap
        eap {
                default_eap_type = md5
                timer_expire = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_password = whatever
                        private_key_file = ${certdir}/server.pem
                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem
                        dh_file = ${certdir}/dh
                        random_file = ${certdir}/random
                        cipher_list = "DEFAULT"
                        #make_cert_command = "${certdir}/bootstrap"
                        fragment_size = 1024
                        include_length = yes
                }
                ttls {
                        default_eap_type = md5
                        #copy_request_to_tunnel = no
                        #use_tunneled_reply = no
                        use_tunneled_reply = yes
                        #virtual_server = "inner-tunnel"
                }
                peap {
                        default_eap_type = mschapv2
Re: problems with authorization PEAP - EAP-MSCHAPv2 clients
I am not an expert on this, but I think here is the problem. Under eap you have this:

### eap
eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

I think you want to change it to:

### eap
eap {
        default_eap_type = mschapv2
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

That seems to work for me. Give it a try. I have tested FR 2.1.1 with that configuration. Client is Win XP SP3.

Lukas Lisa wrote:
> Hello, I would like to authorize Windows clients' access to a 3Com Baseline Switch 2948 SFP against a FreeRADIUS 2.0.5 server. Windows is configured to use PEAP - EAP-MSCHAPv2. The server certificate was created with the bootstrap script (xpextensions are included). I tried Windows XP SP3 and Linux (wpa_supplicant) clients and both cause the same server output, and authorization can't pass. The testing tools eapol_test, radeapclient and jRadiusSimulator pass all tests fine. EAP-MD5 Challenge works fine. Attaching radiusd.conf and radiusd -X output. Thanks for help.
Re: Need help for configuration - LDAP with custom files Failover
> I'm facing a problem with FreeRADIUS 2.0.4. I want to make a configuration that allows our Cisco routers to authenticate via RADIUS. For this, we're using a password file now (let's call it ciscopwd) and another file for granting rights. I want to change the config so that the auth is done by LDAP (plain passwords), BUT if LDAP is not available the ciscopwd file will do the job. How can this be done? (Moreover, I want to have some LDAP group limitations on the logins.)

Have a look at these:

http://wiki.freeradius.org/Fail-over
http://freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika ISP
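The two pages Ivan points at cover the mechanics; what they do not spell out is the policy question hidden in the request: when the directory is reachable but says "no" (unknown user, or user outside the group), the local file must not get a second chance, otherwise the fallback becomes a way around the LDAP group restriction. The configuration below is an added example for FreeRADIUS 2.0.x, not the poster's config and not from the wiki; the module instance name ciscopwd, the group cisco-admins, the account netops and its reply attributes are assumptions, and it assumes the routers send PAP (User-Password), which is what a Cisco login does by default.

```unlang
# modules/ciscopwd: a second instance of the "files" module that reads the
# existing password file. Instance name and file name are assumptions.
files ciscopwd {
        usersfile = ${confdir}/ciscopwd
        compat = no
}

# ${confdir}/ciscopwd, in users-file syntax. Keep only the few accounts
# that must keep working while the directory is down; they are not
# subject to the LDAP group check. Entry and attributes are assumptions.
netops  Cleartext-Password := "change-me"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# sites-available/default, authorize section
authorize {
        preprocess
        suffix

        # "fail = 1" keeps a failing LDAP lookup (directory unreachable)
        # from ending the section, so the fallback below is reached.
        ldap {
                fail = 1
        }
        if (fail) {
                # LDAP did not answer: the local file decides.
                ciscopwd
        }
        else {
                # LDAP answered. A user it does not know, or who is not in
                # the group, is rejected here and never sees the local file.
                if (!(LDAP-Group == "cisco-admins")) {
                        reject
                }
        }

        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
}
```

Check the behaviour with `radiusd -X` in both states (directory up, directory stopped) before relying on it: the debug output shows whether the ldap module's fail return actually lets the section continue in your version, and whether the LDAP-Group comparison is evaluated only on the LDAP path. The Fail-over page reaches a similar result with a `redundant { ldap ciscopwd }` group; the explicit `if (fail)` is used here so the group check can be confined to the path where LDAP really answered. If the file must exist anyway, store hashed passwords (the pap module accepts Crypt-Password and similar) rather than Cleartext-Password, and note that `Cleartext-Password :=` is the check item, not `User-Password ==`.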
Re: Insert billiplan code in radacct table during authenticaiton
Hey Bishal,

On Mon, Oct 27, 2008 at 5:08 PM, Bishal [EMAIL PROTECTED] wrote:
> Hi Liran, I have developed my own PHP-based online viewing GUI interface.

That's somewhat sad for me to hear, as I do believe that daloRADIUS is a great platform, or at least is honestly trying to be, with a whole lot of effort that I have put into it. Unless of course you developed it 2 years ago, which is when I started the daloRADIUS project too, for lack of a proper management platform, in which case I sympathize with you.

http://www.daloradius.com
http://daloradius.sourceforge.net/

Regards,
Liran.
Re: Simultaneous-Use check not working
> I check for a login using radwho and I see I have a session; I then attempt both a new auth and start accounting again, and still radwho shows only one login.

The fact that you have the user listed in radwho doesn't mean that he is connected to the NAS as well. The checkrad script will delete stale entries and allow the connection if it finds out that there is no such session on the NAS.

To check if Simultaneous-Use works from accounting data only:
- change nastype to other in clients.conf
- check if radius thinks that the user is online by running simul_count_query by hand
- send an Access-Request

It should fail. But the checkrad script is old and there might be issues with some nastypes (for instance the Cisco OID might need to be changed for some equipment). You might need to fix it for your particular NAS.

Ivan Kalik
Kalik Informatika ISP
Re: problems with authorization PEAP - EAP-MSCHAPv2 clients
> I would like to authorize Windows clients' access to a 3Com Baseline Switch 2948 SFP against a FreeRADIUS 2.0.5 server. Windows is configured to use PEAP - EAP-MSCHAPv2. The server certificate was created with the bootstrap script (xpextensions are included). I tried Windows XP SP3 and Linux (wpa_supplicant) clients and both cause the same server output, and authorization can't pass. The testing tools eapol_test, radeapclient and jRadiusSimulator pass all tests fine.

Your supplicant has issues then. Examine the eapol.log file (XP): http://technet.microsoft.com/en-us/library/bb457018.aspx

Ivan Kalik
Kalik Informatika ISP
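Both replies in this thread revolve around the first EAP type the server proposes, which is what default_eap_type sets, and around what the supplicant does when it does not want that type. The Python below is an added example, not from the thread and not FreeRADIUS code: it builds the packets of that negotiation in the RFC 3748 layout and runs the three cases that matter, namely the server proposes the supplicant's preferred type, the supplicant NAKs and the server switches to a type it has configured, and the supplicant NAKs with no overlap so authentication fails. The supplicant's preferences and the server's enabled list are inputs to the example; the server-side selection is an outline of the documented behaviour, not FreeRADIUS's implementation.

```python
"""
Added example (not from the thread, not FreeRADIUS code): EAP type
negotiation after the Identity exchange. The server proposes one type
(default_eap_type); a supplicant that will not do it answers with a NAK
(Type 3) listing what it accepts; the server then switches or gives up.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5, TYPE_TLS, TYPE_TTLS, TYPE_PEAP, TYPE_MSCHAPV2 = 1, 3, 4, 13, 21, 25, 26
TYPE_NAMES = {TYPE_IDENTITY: "Identity", TYPE_NAK: "NAK", TYPE_MD5: "MD5",
              TYPE_TLS: "TLS", TYPE_TTLS: "TTLS", TYPE_PEAP: "PEAP", TYPE_MSCHAPV2: "MSCHAPv2"}


@dataclass
class EapPacket:
    code: int
    ident: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type
    data: bytes = b""

    def encode(self) -> bytes:
        # Code(1) Identifier(1) Length(2) [Type(1) Type-Data]
        body = b"" if self.eap_type is None else bytes([self.eap_type]) + self.data
        return struct.pack("!BBH", self.code, self.ident, 4 + len(body)) + body

    @classmethod
    def decode(cls, raw: bytes) -> "EapPacket":
        if len(raw) < 4:
            raise ValueError("short EAP header")
        code, ident, length = struct.unpack("!BBH", raw[:4])
        if length != len(raw):
            raise ValueError("EAP Length does not match packet size")
        if code in (EAP_SUCCESS, EAP_FAILURE):
            return cls(code, ident, None)
        if length < 5:
            raise ValueError("Request/Response without Type")
        return cls(code, ident, raw[4], raw[5:])


def propose(ident: int, eap_type: int) -> EapPacket:
    """The server's first proposal: a Request of the default type. (Real
    TLS/TTLS/PEAP starts carry a flags byte; omitted here on purpose.)"""
    return EapPacket(EAP_REQUEST, ident, eap_type)


def nak_response(ident: int, wanted: Iterable[int]) -> EapPacket:
    """Legacy NAK (RFC 3748 5.3.1): Type 3, Type-Data = acceptable types."""
    return EapPacket(EAP_RESPONSE, ident, TYPE_NAK, bytes(wanted))


def select_after_nak(nak: EapPacket, enabled: List[int]) -> Optional[int]:
    """First type the supplicant listed that the server has configured, or
    None when there is no overlap (the supplicant is then refused)."""
    if nak.code != EAP_RESPONSE or nak.eap_type != TYPE_NAK:
        raise ValueError("not a NAK")
    for t in nak.data:
        if t in enabled:
            return t
    return None


def negotiate(default_type: int, enabled: List[int], supplicant_wants: List[int]) -> List[str]:
    """Run the exchange over encoded packets and return a readable trace.
    The supplicant accepts the proposal if it is in supplicant_wants,
    otherwise it NAKs with that list."""
    trace = []
    req = EapPacket.decode(propose(1, default_type).encode())
    trace.append(f"server  -> Request/{TYPE_NAMES[req.eap_type]}")
    if req.eap_type in supplicant_wants:
        trace.append(f"client  -> Response/{TYPE_NAMES[req.eap_type]} (accepted)")
        return trace
    nak = EapPacket.decode(nak_response(req.ident, supplicant_wants).encode())
    trace.append("client  -> Response/NAK wanting " + ",".join(TYPE_NAMES[t] for t in nak.data))
    chosen = select_after_nak(nak, enabled)
    if chosen is None:
        trace.append("server  -> Failure (no common EAP type)")
    else:
        trace.append(f"server  -> Request/{TYPE_NAMES[chosen]} (switched)")
    return trace


if __name__ == "__main__":
    for line in negotiate(TYPE_MD5, [TYPE_MD5, TYPE_PEAP], [TYPE_PEAP]):
        print(line)
```

In `radiusd -X` the middle case shows up as an EAP NAK followed by the server proposing the requested type, which is why the `_NAK` file in the other thread on this page exists at all; a supplicant that keeps NAKing, or that NAKs with a type the server has no sub-section for, is the situation to look for in the debug output before touching the server configuration.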
Re: Simultaneous-Use check not working
[EMAIL PROTECTED] wrote:
>> I check for a login using radwho and I see I have a session; I then attempt both a new auth and start accounting again, and still radwho shows only one login.
>
> The fact that you have the user listed in radwho doesn't mean that he is connected to the NAS as well. The checkrad script will delete stale entries and allow the connection if it finds out that there is no such session on the NAS.
>
> To check if Simultaneous-Use works from accounting data only:
> - change nastype to other in clients.conf

It is other both in the localhost client and in the client I created to test using radiustest.

> - check if radius thinks that the user is online by running simul_count_query by hand

I have, it shows 5 sessions for this user.

mysql> SELECT COUNT(*) FROM radacct WHERE UserName='yellowhousejake' AND AcctStopTime = 0;
+----------+
| COUNT(*) |
+----------+
|        5 |
+----------+
1 row in set (0.00 sec)

> - send an Access-Request

Changed Packet-Type to Access-Request, auth is approved.

10/27/2008 2:26:27 PM Test started [check_simul]
Info: Sending Access-Request of id 0 to 10.0.241.95:1645
        User-Name = yellowhousejake
        User-Password = marlin
Info: Access-Accept packet from host 10.0.241.95:1645, id=0, length=89
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Framed-Compression = Van-Jacobson-TCP-IP
        Filter-Id = std.ppp
        Framed-MTU = 1500
        Port-Limit = 1
        Idle-Timeout = 600
        Session-Timeout = 28800
Total approved auths: 1  Total denied auths: 0  Total lost auths: 0  Total time(secs): 0

Since I am testing with a test client from my laptop, and using radtest on the radius server (localhost), and using only accounting data to check for simultaneous use, does checkrad even come into play?

Thanks,
DAve

> It should fail. But the checkrad script is old and there might be issues with some nastypes (for instance the Cisco OID might need to be changed for some equipment). You might need to fix it for your particular NAS.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Simultaneous-Use check not working
Are you telling the radius to check for Simultaneous-Use := 1 anywhere? Even if you have the SQL for simultaneous use uncommented, you still have to configure Simultaneous-Use := 1 for that specific user or group, otherwise it will just ignore the SQL...

I also use SQL for my authentication, but in the /etc/raddb/users file I added the following to force every login to match it:

DEFAULT Simultaneous-Use := 1
        Fall-Through = Yes

Try adding that to that file, or add one of those for every user or group you have in your SQL database. The users file is easier to debug later IMO...

--
Marcelus Trojahn
I-Conecta Redes de Telecomunicação Ltda

On Mon, Oct 27, 2008 at 1:46 PM, DAve [EMAIL PROTECTED] wrote:
> Good afternoon,
>
> I have inherited an aged ICRadius install and I am in the process of converting to FreeRADIUS 1.1.7. Currently I have a master DB on our management server replicating to two RADIUS servers. Each RADIUS server has a unique sql instance to send accounting data to the master DB. Everything is working; the DB conversion from ICRadius to FreeRADIUS went fine. In testing the only issue I have found is that I am unable to stop simultaneous use. I read the docs carefully, checked the Wiki, and I believe I have everything configured properly. Using RadiusTest 2.4.3 and radwho I see the following. I check for a login using radwho and I see I have a session; I then attempt both a new auth and start accounting again, and still radwho shows only one login.
> [...]
Re: Simultaneous-Use check not working
> It is other both in the localhost client and in the client I created to test using radiustest.
>
> I have, it shows 5 sessions for this user.
>
> mysql> SELECT COUNT(*) FROM radacct WHERE UserName='yellowhousejake' AND AcctStopTime = 0;
> +----------+
> | COUNT(*) |
> +----------+
> |        5 |
> +----------+
> 1 row in set (0.00 sec)
>
> Changed Packet-Type to Access-Request, auth is approved.
> [...]
> Since I am testing with a test client from my laptop, and using radtest on the radius server (localhost), and using only accounting data to check for simultaneous use, does checkrad even come into play?

Not when nastype is set to other.

Post the debug (radiusd -X). And the user/group entry (where is Simultaneous-Use set).

Ivan Kalik
Kalik Informatika ISP
Re: Simultaneous-Use check not working
[EMAIL PROTECTED] wrote:
>> Since I am testing with a test client from my laptop, and using radtest on the radius server (localhost), and using only accounting data to check for simultaneous use, does checkrad even come into play?
>
> Not when nastype is set to other.
>
> Post the debug (radiusd -X). And the user/group entry (where is Simultaneous-Use set).

Here is the last debug I ran, plus the query results for that user's config.

http://pixelhammer.com/Dan/debug.txt

DAve

> Ivan Kalik
> Kalik Informatika ISP
Re: Simultaneous-Use check not working
Marcelus Trojahn wrote:
> Are you telling the radius to check for Simultaneous-Use := 1 anywhere? Even if you have the SQL for simultaneous use uncommented, you still have to configure Simultaneous-Use := 1 for that specific user or group, otherwise it will just ignore the SQL...
>
> I also use SQL for my authentication, but in the /etc/raddb/users file I added the following to force every login to match it:
>
> DEFAULT Simultaneous-Use := 1
>         Fall-Through = Yes
>
> Try adding that to that file, or add one of those for every user or group you have in your SQL database. The users file is easier to debug later IMO...

Hmmm, the previous ICR install has only Simultaneous-Use = 2 for the group allowed SU. Do I need to set Simultaneous-Use := 1 for the groups not allowed SU, and Simultaneous-Use := 2 for the group allowed SU?

DAve

> --
> Marcelus Trojahn
> I-Conecta Redes de Telecomunicação Ltda
>
> On Mon, Oct 27, 2008 at 1:46 PM, DAve [EMAIL PROTECTED] wrote:
>> Good afternoon,
>>
>> I have inherited an aged ICRadius install and I am in the process of converting to FreeRadius 1.1.7. Currently I have a master DB on our Management server replicating to two radius servers. Each radius server has a unique sql instance to send accounting data to the master DB. Everything is working, the DB conversion from ICRadius to FreeRadius went fine.
>>
>> In testing the only issue I have found is I am unable to stop Simultaneous use. I read the docs carefully, checked the Wiki, and I believe I have everything configured properly. Using RadiusTest 2.4.3 and radwho I see the following. I check for a login using radwho and I see I have a session, I then attempt both a new auth and start accounting again and still radwho shows only one login.
>>
>> [EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
>> Login      Name             What   TTY  When       From        Location
>> yellowhous yellowhousejake  shell  S1   Mon 11:35  192.168.4   192.168.0.1
>>
>> 10/27/2008 11:55:13 AM Test started [check newrad1]-
>>   Info:Sending Access-Request of id 0 to 10.0.241.95:1645
>>     Password = marlin
>>     User-Name = yellowhousejake
>>     Framed-IP-Address = 192.168.0.1
>>     Acct-Session-Id = 201
>>   Info: Access-Accept packet from host 10.0.241.95:1645, id=0, length=89
>>     Service-Type = Framed-User
>>     Framed-Protocol = PPP
>>     Framed-IP-Address = 255.255.255.254
>>     Framed-IP-Netmask = 255.255.255.255
>>     Framed-Routing = None
>>     Framed-Compression = Van-Jacobson-TCP-IP
>>     Filter-Id = std.ppp
>>     Framed-MTU = 1500
>>     Port-Limit = 1
>>     Idle-Timeout = 600
>>     Session-Timeout = 28800
>>   Total approved auths: 1
>>   Total denied auths: 0
>>   Total lost auths: 0
>>   Total time(secs): 0
>> 10/27/2008 11:55:13 AM Test finished [check newrad1]-
>>
>> 10/27/2008 11:55:40 AM Test started [start acct]-
>>   Info:Sending Accounting-Request of id 0 to 10.0.241.95:1646
>>     User-Name = yellowhousejake
>>     Acct-Session-Id = 201
>>     Acct-Status-Type = Start
>>     NAS-Port = 1
>>     Framed-IP-Address = 192.168.0.1
>>   Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
>>   Info:Sending Accounting-Request of id 1 to 10.0.241.95:1646
>>     User-Name = yellowhousejake
>>     Acct-Session-Id = 201
>>     Acct-Status-Type = Alive
>>     NAS-Port = 1
>>     Framed-IP-Address = 192.168.0.1
>>   Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20
>>   Total approved auths: 2
>>   Total denied auths: 0
>>   Total lost auths: 0
>>   Total time(secs): 0
>> 10/27/2008 11:55:40 AM Test finished [start acct]-
>>
>> 10/27/2008 11:55:40 AM Test started [start acct]-
>>   Info:Sending Accounting-Request of id 0 to 10.0.241.95:1646
>>     User-Name = yellowhousejake
>>     Acct-Session-Id = 201
>>     Acct-Status-Type = Start
>>     NAS-Port = 1
>>     Framed-IP-Address = 192.168.0.1
>>   Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
>>   Info:Sending Accounting-Request of id 1 to 10.0.241.95:1646
>>     User-Name = yellowhousejake
>>     Acct-Session-Id = 201
>>     Acct-Status-Type = Alive
>>     NAS-Port = 1
>>     Framed-IP-Address = 192.168.0.1
>>   Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20
>>   Total approved auths: 2
>>   Total denied auths: 0
>>   Total lost auths: 0
>>   Total time(secs): 0
>> 10/27/2008 11:55:40 AM Test finished [start acct]-
>>
>> [EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
>> Login      Name             What   TTY  When       From        Location
>> yellowhous yellowhousejake  shell  S1   Mon 11:55  192.168.4   192.168.0.1
>>
>> Here are the parts of my conf I believe I need to check for simultaneous use.
>>
>> ## radiusd.conf
users file auth failing
Dear freeradius-users,

I've succeeded in getting LDAP authz/authn working with MSCHAPv2 and have been using it successfully for a few months now. I would like to add a very simple user with only a Cleartext-Password to the users file (this is strictly a FreeRADIUS user and in the interest of security shouldn't be in LDAP). I would like both the users file and LDAP to be queried for users, with a query falling through to the next source if a particular user is not found. In other words, I would like to be able to use *both* a users file *and* LDAP for auth.

I've added the following at the top of the users file, which has not been modified otherwise from the sample that ships with 2.0.3.

someuser Cleartext-Password := somepassword

The authorize section of my default config (sans comments) looks like this.

authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        files
        ldap
        expiration
        logintime
        pap
}

As you can see, files is there, so it would seem that (based on my admittedly limited understanding of how FreeRADIUS is supposed to work) the users file should be queried. Nevertheless, authentication is failing and nothing is being logged apart from the following.

Login incorrect (rlm_ldap: User not found)

What could I be doing wrong?

-- 
Anthony Chavez
http://hexadecagram.org/
mailto:[EMAIL PROTECTED]  xmpp:[EMAIL PROTECTED]
Re: Simultaneous-Use check not working
> Do I need to set Simultaneous-Use := 1 for the groups not allowed SU, and Simultaneous-Use := 2 for the group allowed SU?

OK. This is how Simultaneous-Use works in freeradius: you put that attribute when you want to set the limit for the number of simultaneous connections. The number you enter is the number of simultaneous connections allowed. So:

Simultaneous-Use := 1    (only one connection allowed)
Simultaneous-Use := 2    (two simultaneous connections allowed)
Simultaneous-Use := 100  (up to 100 simultaneous connections allowed)
no Simultaneous-Use attribute in the configuration (unlimited number of simultaneous connections allowed)

Put the user in the dialup2 group and he won't be able to connect.

Ivan Kalik
Kalik Informatika ISP
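As an added illustration spanning this thread and the "users file auth failing" one (example code written for this page, not FreeRADIUS's own code and not from any of the posters), the Python below models how rlm_files walks users-file entries such as Marcelus's DEFAULT/Fall-Through pair or Anthony's single Cleartext-Password line, and then applies the resulting Simultaneous-Use value to open radacct rows the way Ivan describes. The entries, the request and the accounting rows are constructed; only the :=, == and = operators are modelled, and realm, prefix and suffix handling is left out.

```python
"""Toy model of FreeRADIUS rlm_files ('users' file) plus the Simultaneous-Use
session check. Added example, not FreeRADIUS code; all data below is constructed."""
import re
# <attr> <op> <value>, value optionally quoted; only :=, == and = are interpreted
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|\+=|!=|=)\s*("[^"]*"|[^\s,]+)')
USERS_FILE = """\
DEFAULT Simultaneous-Use := 1
        Fall-Through = Yes
yellowhousejake Cleartext-Password := "marlin", Simultaneous-Use := 2
"""
def parse_items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    """Entry line = name + check items; indented continuation lines = reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():
            entries[-1]['reply'] += parse_items(line)
        else:
            name, rest = (line.split(None, 1) + [''])[:2]
            entries.append({'name': name, 'check': parse_items(rest), 'reply': []})
    return entries

def authorize(entries, request):
    """rlm_files walk: entries in file order; ':=' check items are set unconditionally,
    '==' items must equal the request; only reply item Fall-Through = Yes continues."""
    control, reply, matched = {}, {}, False
    for e in entries:
        if e['name'] not in ('DEFAULT', request.get('User-Name')):
            continue
        if any(request.get(a) != v for a, op, v in e['check'] if op == '=='):
            continue
        matched = True
        control.update((a, v) for a, op, v in e['check'] if op == ':=')
        reply.update((a, v) for a, op, v in e['reply'] if a != 'Fall-Through')
        if not any(a == 'Fall-Through' and v.lower() == 'yes' for a, _, v in e['reply']):
            break
    return (control, reply) if matched else None

def simultaneous_use_ok(control, radacct, user):
    """Session check: rows with empty/zero AcctStopTime are open sessions (the 1.1.x
    simul_count query uses 'AcctStopTime = 0'); no attribute means unlimited."""
    limit = control.get('Simultaneous-Use')
    if limit is None:
        return True
    open_sessions = sum(1 for r in radacct if r['UserName'] == user and not r['AcctStopTime'])
    return open_sessions < int(limit)
```

With the constructed file above, a user who matches only the DEFAULT entry ends up with Simultaneous-Use 1, while yellowhousejake falls through to his own entry and gets 2; five open radacct rows, as in DAve's COUNT(*) query, then fail the check for either limit.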
Re: users file auth failing
> I would like to add a very simple user with only a Cleartext-Password to the users file (this is strictly a FreeRADIUS user and in the interest of security shouldn't be in LDAP). I would like both the users file and LDAP to be queried for users, with a query falling through to the next source if a particular user is not found. In other words, I would like to be able to use *both* a users file *and* LDAP for auth.
>
> I've added the following at the top of the users file, which has not been modified otherwise from the sample that ships with 2.0.3.
>
> someuser Cleartext-Password := somepassword

Post the debug (radiusd -X).

Ivan Kalik
Kalik Informatika ISP
Re: users file auth failing
[EMAIL PROTECTED] wrote:
>> I would like to add a very simple user with only a Cleartext-Password to the users file (this is strictly a FreeRADIUS user and in the interest of security shouldn't be in LDAP). I would like both the users file and LDAP to be queried for users, with a query falling through to the next source if a particular user is not found. In other words, I would like to be able to use *both* a users file *and* LDAP for auth.
>>
>> I've added the following at the top of the users file, which has not been modified otherwise from the sample that ships with 2.0.3.
>>
>> someuser Cleartext-Password := somepassword
>
> Post the debug (radiusd -X).
>
> Ivan Kalik
> Kalik Informatika ISP

Here it is. After looking at the log myself, I thought that perhaps setting access_attr=NULL in radiusd.conf might do the trick, so I tried it without success. Note that the following log is what was produced before setting access_attr=NULL. I have not installed a RADIUS schema into my LDAP DIT yet, so I've been using access_attr=uid.

Script started on Mon Oct 27 18:16:13 2008
FreeRADIUS Version 2.0.3, for host i386-portbld-freebsd7.0, built on Jun 16 2008 at 16:15:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
        prefix = /usr/local
        localstatedir = /var
        logdir = /var/log
        libdir = /usr/local/lib
        radacctdir = /var/log/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = /var/run/radiusd/radiusd.pid
        user = freeradius
        group = freeradius
        checkrad = /usr/local/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = secret
        nastype = other
 }
 client 192.168.0.132 {
        require_message_authenticator = no
        secret = secret
        shortname = someap1
 }
 client 192.168.0.133 {
        require_message_authenticator = no
        secret = secret
        shortname = someap2
 }
radiusd: Loading Realms and Home Servers
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = auth
        secret = secret
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = status-server
        ping_check = none
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = yes
        input_pairs = request
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = Password Has Expired
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = You are calling outside your allowed timespan
        minimum-timeout = 60
  }
 }
radiusd: Loading Virtual Servers
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = auto
Re: Suse SLES 10SP2 with freeradius 2.x
I am running FR 2.1.0 OK on SLES10SP1 against an edir LDAP backend.

The way I did it: I installed the C/C++ Compiler and Tools in the YaST patterned setup. This takes care of a number of dependencies. If you don't want to do this, simply install the required deps later, but there will be quite a few of them.

Backup your /etc/raddb and uninstall your existing FR 1.x first. I would suggest deleting /etc/raddb and doing a clean-slate install. As long as you backed up your config you can refer to the old files.

Build using rpmbuild, having first extracted the freeradius.spec from the archive and placed it in the SPECS folder as per the build instructions on freeradius.org. Depending on the archive you are using, you may need to modify the spec file a bit. Search the list for freeradius.spec. The build process should complete successfully. Any errors you need to post here.

When you install the rpms you may need to install some dependencies - using YaST you may need to check the "provides" checkbox if you are searching for a .so file. As I recall (fuzzy memory).

Once installed you can run radiusd -X, and you may need to chown some of the files in /etc/raddb/certs; the debug output will tell you which ones.

Done, now you can modify those config files - especially modules/ldap.

2008/10/28 Hubert Kupper [EMAIL PROTECTED]:
> I have something to ask. With SLES there comes only freeradius 1.1.0-19.9, and with this version no Vista clients can authenticate. I found a 1.1.6-2.1 rpm and installed it. Now I will update to a newer version, but there is no rpm for SLES 10 available. When I try to compile freeradius v. 2.x there are problems with shared libraries that are not available in SLES. On an OpenSUSE 11.0 machine the 2.0.5 version runs fine and authenticates against eDirectory.

Boert