check_cert_cn translation

2008-10-27 Thread kas mataz

We've noticed several people have posted their eap.conf for eap-tls 
troubleshooting, and that both the check_cert_issuer and check_cert_cn are 
commented out. In these configurations is freeradius just checking for the 
certificate in the crl list and that the proper CA root is in the CA_file on 
the freeradius server?
 
What is gained by using check_cert_cn? 

When we have check_cert_cn enabled it seems that the User-Name is translated 
differently from different types of devices. When a test user with an iPhone 
tries to connect he receives errors, but the same certificate on a Microsoft 
Vista wireless client is successfully authenticated. We've seen this with both 
freeradius v1.1.7 and v2.1.1. Which file controls the User-Name translation?
 

Fri Oct 24 19:46:58 2008 : Auth: rlm_eap_tls: Certificate CN (Test User 
(Company 1)) does not match specified value ([EMAIL PROTECTED])!
Fri Oct 24 19:46:58 2008 : Error: TLS Alert write:fatal:certificate unknown
Fri Oct 24 19:46:58 2008 : Error: TLS_accept:error in SSLv3 read client 
certificate B
Fri Oct 24 19:46:58 2008 : Error: rlm_eap: SSL error error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Fri Oct 24 19:46:58 2008 : Error: rlm_eap_tls: SSL_read failed in a system call 
(-1), TLS session fails.
Fri Oct 24 19:46:58 2008 : Auth: Login incorrect: [EMAIL PROTECTED] (from 
client tstca-wc-c01 port 29 cli 00-23-6C-5B-1C-23)

Regards,

Kas

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
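The rlm_eap_tls line in the post shows check_cert_cn comparing the certificate's CN against the value it was configured to expand to (here, the User-Name the supplicant sent). As an added example, not code from the post or from FreeRADIUS, here is a small Python parser that pulls both values out of such log lines and groups, per certificate CN, every identity it was compared against; the sample log is constructed, and the CN "Test User (Company 1)" carries nested parentheses, so the parser reads balanced groups instead of using a lazy regex, which would cut the CN short.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the rlm_eap_tls lines quoted in the post. The
# identities are made up (the archive redacts the real User-Name); the fourth line models
# the same certificate being presented with a different identity from another device.
SAMPLE_LOG = """\
Fri Oct 24 19:46:58 2008 : Auth: rlm_eap_tls: Certificate CN (Test User (Company 1)) does not match specified value (testuser@example.com)!
Fri Oct 24 19:46:58 2008 : Error: TLS Alert write:fatal:certificate unknown
Fri Oct 24 19:46:58 2008 : Auth: Login incorrect: testuser@example.com (from client tstca-wc-c01 port 29 cli 00-23-6C-5B-1C-23)
Fri Oct 24 19:52:10 2008 : Auth: rlm_eap_tls: Certificate CN (Test User (Company 1)) does not match specified value (testuser)!
Fri Oct 24 19:55:31 2008 : Auth: rlm_eap_tls: Certificate CN (Other User) does not match specified value (other)!
"""

# Everything up to the opening parenthesis of the CN; the CN itself is read by hand
# because it may contain nested parentheses, e.g. "Test User (Company 1)".
PREFIX = re.compile(r"^(?P<ts>.+?) : Auth: rlm_eap_tls: Certificate CN \(")
MARKER = " does not match specified value "


@dataclass
class CnMismatch:
    timestamp: str
    cert_cn: str      # CN taken from the client certificate
    expected: str     # value check_cert_cn expanded to (the User-Name in the post)


def _read_paren_group(text: str, start: int) -> Optional[Tuple[str, int]]:
    """Read a balanced (...) group beginning at text[start]; return (inner, index after ')')."""
    if start >= len(text) or text[start] != "(":
        return None
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
    return None   # unbalanced: truncated or garbled line


def parse_cn_mismatch(line: str) -> Optional[CnMismatch]:
    """Parse one rlm_eap_tls CN-mismatch line; return None for any other line."""
    m = PREFIX.match(line)
    if m is None:
        return None
    cn = _read_paren_group(line, m.end() - 1)
    if cn is None:
        return None
    cn_text, pos = cn
    if not line.startswith(MARKER, pos):
        return None
    expected = _read_paren_group(line, pos + len(MARKER))
    if expected is None:
        return None
    return CnMismatch(m.group("ts"), cn_text, expected[0])


def find_mismatches(log: str) -> List[CnMismatch]:
    return [r for r in map(parse_cn_mismatch, log.splitlines()) if r is not None]


def group_by_cn(log: str) -> Dict[str, List[str]]:
    """Map each certificate CN to the identities it was compared against, in log order.
    More than one identity per CN is the symptom from the post: the same certificate
    arriving with a different User-Name from different supplicants."""
    out: Dict[str, List[str]] = {}
    for r in find_mismatches(log):
        out.setdefault(r.cert_cn, []).append(r.expected)
    return out


if __name__ == "__main__":
    for cn, idents in group_by_cn(SAMPLE_LOG).items():
        print(f"{cn!r}: compared against {idents}")
```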

Re: Insert billiplan code in radacct table during authentication

2008-10-27 Thread liran tal
On Sun, Oct 26, 2008 at 4:12 AM, Bishal [EMAIL PROTECTED] wrote:


 Following is my radcheck table format:

 +------+----------+---------------+----+----------+----------------------+---------+--------+-----------+----------------------+--------+------+------+-------------+--------------+
 | id   | UserName | Attribute     | op | Value    | CrDate               | creator | Usemac | activated | activeDate           | status | rate | Type | BillingPlan | TimeToFinish |
 +------+----------+---------------+----+----------+----------------------+---------+--------+-----------+----------------------+--------+------+------+-------------+--------------+
 | 1272 | bishal   | User-Password | == | testpass | 2006-07-28 18:42:58  | bishal  |      0 |         0 | 2007-07-22 20:49:17  |      0 |    0 |      |         001 |            0 |
 | 1273 | Hary     | User-Password | == | lamp     | 2007-08-28 20:443:58 | bishal  |      0 |         0 | 2007-08-28 20:443:58 |      0 |    0 |      |         002 |            0 |
 +------+----------+---------------+----+----------+----------------------+---------+--------+-----------+----------------------+--------+------+------+-------------+--------------+


Yickes!
Why would anyone torture radcheck table like that? :-)

I'm curious to know which management application you are using if it's ok
for you to let us know.


Regards,
Liran.

Log partially solved

2008-10-27 Thread Sergio Belkin
Hi, I am using freeradiusd 2.0.2

I have edited config files, so  radiusd.conf has:


---snip---
detail auth_log {
        detailfile = ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
#       detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

        #
        #  This MUST be 0600, otherwise anyone can read
        #  the users passwords!
        # detailperm = 0600

        # You may also strip out passwords completely
        suppress {
                User-Password
        }
}
---snip---

and /etc/raddb/sites-available/default has:

eap {
        ok = return
}
authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        files
        ldap
        expiration
        logintime
        pap
        auth_log
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}


Now I get log files as follows:

-rw------- 1 radiusd radiusd  928 Oct 27 11:01 auth-detail-20081027_NAK
-rw------- 1 radiusd radiusd  411 Oct 27 11:01 auth-detail-20081027_MS-CHAP-V2
-rw------- 1 radiusd radiusd 6757 Oct 27 11:10 auth-detail-20081027_Identity
-rw------- 1 radiusd radiusd 1195 Oct 27 11:10 auth-detail-20081027_


But still, it says nothing about whether the supplicant is using TTLS or PAP, which is
what I'd like to see as filename suffixes. Am I missing something?

Thanks in advance!
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


Suse SLES 10SP2 with freeradius 2.x

2008-10-27 Thread Hubert Kupper

Hello,

Has anyone got FreeRADIUS v2.x running on SLES 10 against eDirectory?

Best regards
Boert



EAP-MSK WiMAX-MSK validity?

2008-10-27 Thread Stefano Colagreco
Hi all, I use:

-WiMAX-MSK = EAP-MSK

and it all works correctly. I suppose its validity is only for the
authentication session, is that right?

-WiMAX-AAA-Session-Id: is set as a pseudo-random value.

Is that correct?

Is its value related to the duration of the session?

 

Thanks all in advance!

 

Stefano

 


Re: Insert billiplan code in radacct table during authentication

2008-10-27 Thread Bishal

Hi Liran,

 I have developed my own PHP-based online viewing GUI interface.


Bishal



Re: Log partially solved

2008-10-27 Thread Sergio Belkin
2008/10/27  [EMAIL PROTECTED]:
 detail auth_log {
   detailfile =
${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
#  detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

 ..

But still, it says nothing if supplicant is using TTLS or PAP which is
what I'd like to see as filenames suffixes. Am I missing something?


 Try EAP-Type-TTLS and EAP-Type-PEAP instead of EAP-Type.

 Ivan Kalik
 Kalik Informatika ISP



Sorry, but I don't understand. If I set
${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_EAP-Type-TTLS
the filename will always be appended with _EAP-Type-TTLS, and if I set
${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type-TTLS}
it won't work either.

Am I doing something wrong?

Thanks in advance!



Need help for configuration - LDAP with custom files Failover

2008-10-27 Thread Dajka Tamás
Dear All,

I'm facing a problem with Freeradius 2.0.4. I want to make a configuration to 
allow our Cisco routers to auth via RADIUS. For this, we're using a password 
file now (let's call it ciscopwd) and another file for granting rights.

I want to change the config file, so that the auth is done by LDAP (plain 
passwords), BUT if the LDAP is not available the ciscopwd file will do the job. 
How can this be done? (moreover, I want to have some LDAP group limitations on 
the logins)

Thanks in advance,

  Tamas



Simultaneous-Use check not working

2008-10-27 Thread DAve

Good afternoon,

I have inherited an aged ICRadius install and I am in the process of
converting to FreeRadius 1.1.7. Currently I have a master DB on our
management server replicating to two radius servers. Each radius server
has a unique sql instance to send accounting data to the master DB.
Everything is working; the DB conversion from ICRadius to FreeRadius
went fine.

In testing the only issue I have found is I am unable to stop
Simultaneous use. I read the docs carefully, checked the Wiki, and I
believe I have everything configured properly. Using RadiusTest 2.4.3
and radwho I see the following. I check for a login using radwho and I
see I have a session, I then attempt both a new auth and start
accounting again and still radwho shows only one login.

[EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
Login      Name              What  TTY  When       From       Location
yellowhous yellowhousejake   shell S1   Mon 11:35  192.168.4  192.168.0.1

10/27/2008 11:55:13 AM Test started  [check newrad1]
Info:Sending Access-Request of id 0 to 10.0.241.95:1645
        Password = marlin
        User-Name = yellowhousejake
        Framed-IP-Address = 192.168.0.1
        Acct-Session-Id = 201
Info: Access-Accept packet from host 10.0.241.95:1645, id=0, length=89
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Framed-Compression = Van-Jacobson-TCP-IP
        Filter-Id = std.ppp
        Framed-MTU = 1500
        Port-Limit = 1
        Idle-Timeout = 600
        Session-Timeout = 28800

        Total approved auths:  1
          Total denied auths:  0
            Total lost auths:  0
            Total time(secs):  0
10/27/2008 11:55:13 AM Test finished [check newrad1]


10/27/2008 11:55:40 AM Test started  [start acct]
Info:Sending Accounting-Request of id 0 to 10.0.241.95:1646
        User-Name = yellowhousejake
        Acct-Session-Id = 201
        Acct-Status-Type = Start
        NAS-Port = 1
        Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
Info:Sending Accounting-Request of id 1 to 10.0.241.95:1646
        User-Name = yellowhousejake
        Acct-Session-Id = 201
        Acct-Status-Type = Alive
        NAS-Port = 1
        Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20

        Total approved auths:  2
          Total denied auths:  0
            Total lost auths:  0
            Total time(secs):  0
10/27/2008 11:55:40 AM Test finished [start acct]

10/27/2008 11:55:40 AM Test started  [start acct]
Info:Sending Accounting-Request of id 0 to 10.0.241.95:1646
        User-Name = yellowhousejake
        Acct-Session-Id = 201
        Acct-Status-Type = Start
        NAS-Port = 1
        Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
Info:Sending Accounting-Request of id 1 to 10.0.241.95:1646
        User-Name = yellowhousejake
        Acct-Session-Id = 201
        Acct-Status-Type = Alive
        NAS-Port = 1
        Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20

        Total approved auths:  2
          Total denied auths:  0
            Total lost auths:  0
            Total time(secs):  0
10/27/2008 11:55:40 AM Test finished [start acct]

[EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
Login      Name              What  TTY  When       From       Location
yellowhous yellowhousejake   shell S1   Mon 11:55  192.168.4  192.168.0.1

Here are the parts of my conf I believe I need to check for simultaneous
use.

## radiusd.conf
radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = no
        callerid = yes
}


accounting {
        radutmp
##      sradutmp
        sql_acct
}

session {
        radutmp
        sql_acct
}

## sql.conf
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = SELECT COUNT(*) \
        FROM ${acct_table1} \
        WHERE UserName='%{SQL-User-Name}' \
        AND AcctStopTime = 0


Note I enabled radutmp after sql was failing to stop the second login. I
am certain I have missed something simple but I am unable to find it.
Any help, cluesmacks, etc are appreciated.

DAve


--
I am watching the debate and I am very disappointed. The rules are
simple, answer the question. I would vote right now, and I can
in Indiana, for the man who answered the question directly, in
less than a minute, and then sat down before the green light was out.


problems with authorization PEAP - EAP-MSCHAPv2 clients

2008-10-27 Thread Lukas Lisa
Hello,
I would like to authorize Windows clients' access to a 3Com Baseline
Switch 2948 SFP against a FreeRADIUS 2.0.5 server.

Windows is configured to use PEAP - EAP-MSCHAPv2.
The server certificate was created with the bootstrap script (xpextensions
are included).

I tried Windows XP SP3 and Linux (wpa_supplicant) clients and both
cause the same server output, and authorization can't pass.
The testing tools eapol_test, radeapclient and jRadiusSimulator pass
all tests fine.

EAP - MD5 Challenge works fine.

Attaching radiusd.conf and radiusd -X output.
Thanks for help.

-- 
Lukas Lisa


prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
log_auth = yes
run_dir = ${localstatedir}/run/radiusd
db_dir = $(raddbdir)
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024

listen {
        type = auth
        ipaddr = *
        port = 0
}

listen {
        ipaddr = *
        port = 0
        type = acct
}

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}

checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}

proxy_requests = yes

### proxy ###
# $INCLUDE proxy.conf

realm NULL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        secret = ss
}

### clients ###
# $INCLUDE clients.conf
client 127.0.0.1 {
        secret = ss
        shortname = localhost
        nastype = other
}

client 10.1.11.0 {
        netmask = 24
        secret = ss
        shortname = LAN_clients
        nastype = other
}

snmp = no
$INCLUDE snmp.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        # $INCLUDE ${confdir}/modules/

        ### acct_unique ###
        acct_unique {
                key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
        }

        ### detail ###
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
                header = %t
        }

        ### files ###
        files {
                usersfile = ${confdir}/users
                #acctusersfile = ${confdir}/acct_users
                #preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }

        ### mschap ###
        mschap {
                authtype = MS-CHAP
        }

        ### pap ###
        pap {
                auto_header = no
        }

        ### preprocess ###
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }

        ### realm ###
        realm suffix {
                format = suffix
                delimiter = @
        }

        ### eap ###
        eap {
                default_eap_type = md5
                timer_expire = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_password = whatever
                        private_key_file = ${certdir}/server.pem
                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem
                        dh_file = ${certdir}/dh
                        random_file = ${certdir}/random
                        cipher_list = DEFAULT
                        #make_cert_command = ${certdir}/bootstrap
                        fragment_size = 1024
                        include_length = yes
                }
                ttls {
                        default_eap_type = md5
                        #copy_request_to_tunnel = no
                        #use_tunneled_reply = no
                        use_tunneled_reply = yes
                        #virtual_server = inner-tunnel
                }
                peap {
                        default_eap_type = mschapv2

Re: problems with authorization PEAP - EAP-MSCHAPv2 clients

2008-10-27 Thread Madwifi Wireless
I am not an expert on this but I think here is the problem.  Under *eap* 
you have this:


### eap ###
eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no


I think you want to change it to:

### eap ###
eap {
        default_eap_type = *mschapv2*
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no



That seems to work for me. Give it a try. I have tested FR 2.1.1 with that
configuration. Client is Win XP SP3.





Re: Need help for configuration - LDAP with custom files Failover

2008-10-27 Thread tnt
I'm facing a problem with Freeradius 2.0.4. I want to make a configuration to 
allow our Cisco routers to auth via RADIUS. For this, we're using a password 
file now (let's call it ciscopwd) and another file for granting rights.

I want to change the config file, so that the auth is done by LDAP (plain 
passwords), BUT if the LDAP is not available the ciscopwd file will do the 
job. How can this be done? (moreover, I want to have some LDAP group 
limitations on the logins)


Have a look at these:

http://wiki.freeradius.org/Fail-over

http://freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika ISP



Re: Insert billiplan code in radacct table during authentication

2008-10-27 Thread liran tal
Hey Bishal,

On Mon, Oct 27, 2008 at 5:08 PM, Bishal [EMAIL PROTECTED] wrote:


 Hi Liran,

  I have developed my own php based online viewing gui interface.


That's somewhat sad for me to hear as I do believe that daloRADIUS is a
great platform, or at least honestly trying to be, with a whole lot of
effort that I put into it.

Unless of course you developed it 2 years ago, which is when I started
the daloRADIUS project too, for the lack of a proper management platform,
in which case I sympathize with you.


http://www.daloradius.com
http://daloradius.sourceforge.net/


Regards,
Liran.





Re: Simultaneous-Use check not working

2008-10-27 Thread tnt
I check for a login using radwho and I
see I have a session, I then attempt both a new auth and start
accounting again and still radwho shows only one login.


The fact that you have a user listed in radwho doesn't mean that he is
connected to the NAS as well. The checkrad script will delete stale entries
and allow the connection if it finds out that there is no such session
on the NAS.

To check if Simultaneous-Use works from accounting data only:

- change nastype to other in clients.conf
- check if radius thinks that the user is online by running
  simul_count_query by hand
- send an Access-Request

It should fail. But the checkrad script is old and there might be issues with
some nastypes (for instance the Cisco OID might need to be changed for some
equipment). You might need to fix it for your particular NAS.

Ivan Kalik
Kalik Informatika ISP



Re: problems with authorization PEAP - EAP-MSCHAPv2 clients

2008-10-27 Thread tnt
I would like to authorize windows clients access to 3com Baseline
Switch 2948 SFP against FreeRADIUS server 2.0.5.

Windows are cofigured to use PEAP - EAP-MSCHAPv2.
Server certificate was created with bootstrap script (xpextensions
are included).

I tried windows xp sp3 and linux (wpa_supplicant) client and both
cause the same server output and authorization can't pass.
Testing tools eapol_test, radeapclient and jRadiusSimulator can pass
all tests fine.


Your supplicant has issues then. Examine eapol.log file (XP):

http://technet.microsoft.com/en-us/library/bb457018.aspx

Ivan Kalik
Kalik Informatika ISP



Re: Simultaneous-Use check not working

2008-10-27 Thread DAve

[EMAIL PROTECTED] wrote:

I check for a login using radwho and I
see I have a session, I then attempt both a new auth and start
accounting again and still radwho shows only one login.



The fact that you have user listed in radwho doesn't mean that he is
connected to the NAS as well. checkrad script will delete stale entries
and allow connection if it finds out that there is no such session
on the NAS.

To check if Simultaneous use works from accounting data only:

- change nastype to other in clients.conf


It is other both in the localhost client and in the client I created 
to test using radiustest.



- check if radius thinks that user is online by running
simul_count_query by hand


I have, it shows 5 sessions for this user.

mysql> SELECT COUNT(*) FROM radacct WHERE UserName='yellowhousejake' AND AcctStopTime = 0;

+----------+
| COUNT(*) |
+----------+
|        5 |
+----------+
1 row in set (0.00 sec)


- send Access-Request


Changed Packet-Type to Access-Request, auth is approved.

10/27/2008 2:26:27 PM Test started [check_simul]

Info:Sending Access-Request of id 0 to 10.0.241.95:1645
        User-Name = yellowhousejake
        User-Password = marlin
Info: Access-Accept packet from host 10.0.241.95:1645, id=0, length=89
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Framed-Compression = Van-Jacobson-TCP-IP
        Filter-Id = std.ppp
        Framed-MTU = 1500
        Port-Limit = 1
        Idle-Timeout = 600
        Session-Timeout = 28800

        Total approved auths:  1
          Total denied auths:  0
            Total lost auths:  0
            Total time(secs):  0

Since I am testing with a test client from my laptop, and using radtest 
on the radius server (localhost), and using only accounting data to 
check for simultaneous use, does checkrad even come into play?


Thanks,

DAve


It should fail. But checkrad script is old and there might be issues with
some nastypes (for instance Cisco OID might need to be changed for some
equipment). You might need to fix it for your particular NAS.



Re: Simultaneous-Use check not working

2008-10-27 Thread Marcelus Trojahn
Are you telling the radius to check for Simultaneous-Use := 1 anywhere?

Even if you have the SQL for simultaneous use uncommented, you still
have to configure Simultaneous-Use := 1 to that specific user or
group, otherwise it will just ignore the SQL...

I also use SQL for my authentication but in the /etc/raddb/users file
I added the following to force every login to match it:

DEFAULT Simultaneous-Use := 1
        Fall-Through = Yes

Try adding that to that file, or add one of those for every user or
group you have in your SQL database. The users file is easier to debug
later IMO...

--
Marcelus Trojahn
I-Conecta Redes de Telecomunicação Ltda
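The two replies above describe the whole Simultaneous-Use check from accounting data: rlm_sql's simul_count_query counts open radacct rows, and the count is only consulted when a Simultaneous-Use check item exists for the user or group (or a DEFAULT entry in the users file). As an added example, not code from the thread or from FreeRADIUS, here is a Python model of that decision over a constructed in-memory SQLite copy of the 1.x schema; the per-user, then group, then DEFAULT precedence is this example's assumption (in the server it depends on module order and the operator used), and with nastype set to other nothing verifies stale rows against the NAS, so they count as open sessions exactly as the five rows in the thread do.

```python
import sqlite3
from typing import Optional

# Constructed sample database modelled on the FreeRADIUS 1.x SQL schema discussed in the
# thread. AcctStopTime is left untyped so that the integer 0 stands in for MySQL's zero
# date, which is what the posted simul_count_query tests for (AcctStopTime = 0).
SCHEMA_AND_DATA = """
CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, UserName TEXT, AcctSessionId TEXT,
                      NASIPAddress TEXT, AcctStartTime TEXT, AcctStopTime);
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);

-- yellowhousejake: two open rows (a Start replayed with the same Acct-Session-Id, as in
-- the post) plus one closed session
INSERT INTO radacct VALUES (1, 'yellowhousejake', '201', '10.0.241.95', '2008-10-27 11:55:40', 0);
INSERT INTO radacct VALUES (2, 'yellowhousejake', '201', '10.0.241.95', '2008-10-27 11:55:40', 0);
INSERT INTO radacct VALUES (3, 'yellowhousejake', '200', '10.0.241.95', '2008-10-27 10:00:00', '2008-10-27 10:30:00');
-- alice: one open session; carol: one open session but no Simultaneous-Use anywhere
INSERT INTO radacct VALUES (4, 'alice', '300', '10.0.241.95', '2008-10-27 12:00:00', 0);
INSERT INTO radacct VALUES (5, 'carol', '400', '10.0.241.95', '2008-10-27 12:05:00', 0);

INSERT INTO usergroup VALUES ('yellowhousejake', 'multi');
INSERT INTO usergroup VALUES ('alice', 'single');
INSERT INTO radgroupcheck VALUES (1, 'multi', 'Simultaneous-Use', ':=', '2');
INSERT INTO radgroupcheck VALUES (2, 'single', 'Simultaneous-Use', ':=', '1');
"""

# The count query from the post, with the %{SQL-User-Name} expansion replaced by a bind parameter.
SIMUL_COUNT_QUERY = "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0"


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA_AND_DATA)
    return db


def open_sessions(db: sqlite3.Connection, username: str) -> int:
    """What rlm_sql's simul_count_query reports: accounting rows with no stop time."""
    return db.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def simultaneous_use_limit(db: sqlite3.Connection, username: str,
                           default: Optional[int] = None) -> Optional[int]:
    """Find the Simultaneous-Use check item: per-user radcheck, then group, then a DEFAULT
    (modelling the users-file entry suggested in the thread). None means no check item."""
    row = db.execute("SELECT Value FROM radcheck WHERE UserName = ? AND Attribute = 'Simultaneous-Use'",
                     (username,)).fetchone()
    if row is None:
        row = db.execute(
            "SELECT g.Value FROM radgroupcheck g JOIN usergroup u ON u.GroupName = g.GroupName "
            "WHERE u.UserName = ? AND g.Attribute = 'Simultaneous-Use'", (username,)).fetchone()
    return int(row[0]) if row is not None else default


def access_decision(db: sqlite3.Connection, username: str,
                    default_limit: Optional[int] = None) -> str:
    """Accept unless a Simultaneous-Use limit exists and the open-session count has reached it."""
    limit = simultaneous_use_limit(db, username, default_limit)
    if limit is None:
        return "Access-Accept"   # no check item: the count query is never consulted
    if open_sessions(db, username) >= limit:
        return "Access-Reject"
    return "Access-Accept"


if __name__ == "__main__":
    db = build_db()
    for user in ("yellowhousejake", "alice", "carol"):
        print(user, open_sessions(db, user), access_decision(db, user),
              access_decision(db, user, default_limit=1))
```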



Re: Simultaneous-Use check not working

2008-10-27 Thread tnt
Since I am testing with a test client from my laptop, and using radtest
on the radius server (localhost), and using only accounting data to
check for simultaneous use, does checkrad even come into play?


Not when nastype is set to other. Post the debug (radiusd -X). And
user/group entry (where is Simultaneous-Use set).

Ivan Kalik
Kalik Informatika ISP



Re: Simultaneous-Use check not working

2008-10-27 Thread DAve

[EMAIL PROTECTED] wrote:


Not when nastype is set to other. Post the debug (radiusd -X). And
user/group entry (where is Simultaneous-Use set).


Here is the last debug I ran plus the query results for that user's config.

http://pixelhammer.com/Dan/debug.txt

DAve





Re: Simultaneous-Use check not working

2008-10-27 Thread DAve

Marcelus Trojahn wrote:

Are you telling the radius to check for Simultaneous-Use := 1 anywhere?

Even if you have the SQL for simultaneous use uncommented, you still
have to configure Simultaneous-Use := 1 to that specific user or
group, otherwise it will just ignore the SQL...

I also use SQL for my authentication but on the /etc/raddb/users file,
I added the following to force every login to match it:

DEFAULT Simultaneous-Use := 1
Fall-Through = Yes

Try adding that to that file or to add one of that for every user or
group you have in your SQL database. The users file is easier to debug
later IMO...


Hmmm, the previous ICR install has only Simultaneous-Use = 2 for the 
group allowed SU.


Do I need to set Simultaneous-Use := 1 for the groups not allowed SU, 
and Simultaneous-Use := 2 for the group allowed SU?


DAve




--
Marcelus Trojahn
I-Conecta Redes de Telecomunicação Ltda


On Mon, Oct 27, 2008 at 1:46 PM, DAve [EMAIL PROTECTED] wrote:

Good afternoon,

I have inherited an aged ICRadius install and I am in the process of
converting to FreeRadius 1.1.7. Currently I have a master DB on our
Management server replicating to two radius servers. Each radius server
has a unique sql instance to send accounting data to the master DB.
Everything is working, the DB conversion from ICRadius to FreeRadius
went fine.

In testing, the only issue I have found is that I am unable to stop
simultaneous use. I read the docs carefully, checked the Wiki, and I
believe I have everything configured properly. Using RadiusTest 2.4.3
and radwho I see the following. I check for a login using radwho and I
see I have a session, I then attempt both a new auth and start
accounting again and still radwho shows only one login.

[EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
Login  Name  What  TTY  When  From  Location
yellowhous yellowhousejake   shell S1   Mon 11:35 192.168.4 192.168.0.1

10/27/2008 11:55:13 AM Test started  [check
newrad1]-
Info:Sending Access-Request of id 0 to 10.0.241.95:1645
   Password = marlin
   User-Name = yellowhousejake
   Framed-IP-Address = 192.168.0.1
   Acct-Session-Id = 201
Info: Access-Accept packet from host 10.0.241.95:1645, id=0, length=89
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = 255.255.255.254
   Framed-IP-Netmask = 255.255.255.255
   Framed-Routing = None
   Framed-Compression = Van-Jacobson-TCP-IP
   Filter-Id = std.ppp
   Framed-MTU = 1500
   Port-Limit = 1
   Idle-Timeout = 600
   Session-Timeout = 28800

  Total approved auths:  1
Total denied auths:  0
  Total lost auths:  0
  Total time(secs):  0
10/27/2008 11:55:13 AM Test finished [check
newrad1]-


10/27/2008 11:55:40 AM Test started  [start
acct]-
Info:Sending Accounting-Request of id 0 to 10.0.241.95:1646
   User-Name = yellowhousejake
   Acct-Session-Id = 201
   Acct-Status-Type = Start
   NAS-Port = 1
   Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
Info:Sending Accounting-Request of id 1 to 10.0.241.95:1646
   User-Name = yellowhousejake
   Acct-Session-Id = 201
   Acct-Status-Type = Alive
   NAS-Port = 1
   Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20

  Total approved auths:  2
Total denied auths:  0
  Total lost auths:  0
  Total time(secs):  0
10/27/2008 11:55:40 AM Test finished [start
acct]-

10/27/2008 11:55:40 AM Test started  [start
acct]-
Info:Sending Accounting-Request of id 0 to 10.0.241.95:1646
   User-Name = yellowhousejake
   Acct-Session-Id = 201
   Acct-Status-Type = Start
   NAS-Port = 1
   Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
Info:Sending Accounting-Request of id 1 to 10.0.241.95:1646
   User-Name = yellowhousejake
   Acct-Session-Id = 201
   Acct-Status-Type = Alive
   NAS-Port = 1
   Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20

  Total approved auths:  2
Total denied auths:  0
  Total lost auths:  0
  Total time(secs):  0
10/27/2008 11:55:40 AM Test finished [start
acct]-

[EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
Login  Name  What  TTY  When  From  Location
yellowhous yellowhousejake   shell S1   Mon 11:55 192.168.4 192.168.0.1

Here are the parts of my conf I believe I need to check for simultaneous
use.

## radiusd.conf

users file auth failing

2008-10-27 Thread Anthony Chavez
Dear freeradius-users,

I've succeeded in getting LDAP authz/authn working with MSCHAPv2 and
have been using it successfully for a few months now.

I would like to add a very simple user with only a Cleartext-Password to
the users file (this is strictly a FreeRADIUS user and in the interest
of security shouldn't be in LDAP).  I would like both the users file and
LDAP to be queried for users, with a query falling through to the next
source if a particular user is not found.  In other words, I would like
to be able to use *both* a users file *and* LDAP for auth.

I've added the following at the top of the users file, which has not
been modified otherwise from the sample that ships with 2.0.3.

someuser   Cleartext-Password := somepassword

The authorize section of my default config (sans comments) looks like this.

authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        files
        ldap
        expiration
        logintime
        pap
}

As you can see, files is there, so it would seem that (based on my
admittedly limited understanding of how FreeRADIUS is supposed to work)
the users file should be queried.  Nevertheless, authentication is
failing and nothing is being logged apart from the following.

Login incorrect (rlm_ldap: User not found)

What could I be doing wrong?

-- 
Anthony Chavez  http://hexadecagram.org/
mailto:[EMAIL PROTECTED]  xmpp:[EMAIL PROTECTED]

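The two threads above hinge on how rlm_files walks the users file: an entry matches when its name equals the User-Name (or is DEFAULT) and its `==` check items agree with the request; `:=` check items such as Cleartext-Password and Simultaneous-Use are not compared but stored in the control list; and processing stops at the first matching entry unless that entry carries Fall-Through = Yes, which is why Marcelus puts the DEFAULT Simultaneous-Use entry at the top. The following is an added illustration, written for this page and not code from FreeRADIUS or from either poster; the users-file text, the `parse_users` and `authorize` names and the sample request attributes are constructed for the example, and only the `==`, `:=` and `=` operators are modelled.

```python
import re

# Constructed sample users file (not the posters' files): the DEFAULT limit from
# Marcelus's post, placed first with Fall-Through so later entries still apply,
# then Anthony's local-only account, then a DEFAULT that only matches PPP users.
USERS_FILE = """
# applies to everybody; Fall-Through lets the walk continue to later entries
DEFAULT    Simultaneous-Use := 1
           Fall-Through = Yes

# strictly-local account kept out of LDAP
someuser   Cleartext-Password := "somepassword"
           Reply-Message = "local users-file account"

# only matches requests that carry Service-Type = Framed-User
DEFAULT    Service-Type == Framed-User
           Framed-Protocol = PPP,
           Session-Timeout = 28800
"""

# attribute, operator, value; values may be bare or double-quoted
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|\S+)\s*')


def _parse_items(text):
    """Split a comma-separated item list (quoted values must not contain commas)."""
    items = []
    for piece in text.split(','):
        piece = piece.strip()
        if not piece:
            continue                      # trailing comma on a continuation line
        m = ITEM_RE.fullmatch(piece)
        if not m:
            raise ValueError("bad item: %r" % piece)
        attr, op, val = m.groups()
        items.append((attr, op, val.strip('"')))
    return items


def parse_users(text):
    """Parse users-file syntax: a non-indented line starts an entry (name plus
    check items); indented continuation lines hold its reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if line[0].isspace():                  # continuation line: reply items
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1]['reply'].extend(_parse_items(line))
        else:
            parts = line.split(None, 1)
            check = _parse_items(parts[1]) if len(parts) > 1 else []
            entries.append({'name': parts[0], 'check': check, 'reply': []})
    return entries


def authorize(entries, request):
    """Walk the entries in file order for one request (a dict of attributes).
    Returns (control items, reply items, names of the entries that matched)."""
    control, reply, matched = {}, {}, []
    for e in entries:
        if e['name'] != 'DEFAULT' and e['name'] != request.get('User-Name'):
            continue
        # only '==' check items are compared against the request
        if any(op == '==' and request.get(attr) != val
               for attr, op, val in e['check']):
            continue
        # ':=' and '=' check items are set into the control list, not compared;
        # this is where Cleartext-Password and Simultaneous-Use end up
        for attr, op, val in e['check']:
            if op == ':=':
                control[attr] = val
            elif op == '=':
                control.setdefault(attr, val)
        fall_through = False
        for attr, op, val in e['reply']:
            if attr == 'Fall-Through':
                fall_through = val.lower() == 'yes'
                continue
            if op == ':=':
                reply[attr] = val
            else:
                reply.setdefault(attr, val)
        matched.append(e['name'])
        if not fall_through:
            break                          # first match wins unless it falls through
    return control, reply, matched


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    for req in ({"User-Name": "someuser"},
                {"User-Name": "alice", "Service-Type": "Framed-User"},
                {"User-Name": "bob"}):
        print(req, "->", authorize(entries, req))
```

Running it shows that someuser picks up both the DEFAULT limit and the local password while the later PPP DEFAULT is skipped, and that a user absent from the file still matches the top DEFAULT. Note that the real module matches Stripped-User-Name when a realm was stripped by suffix, which runs before files in the authorize section quoted above.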


Re: Simultaneous-Use check not working

2008-10-27 Thread tnt
Do I need to set Simultaneous-Use := 1 for the groups not allowed SU, 
and Simultaneous-Use := 2 for the group allowed SU?


OK. This is how Simultaneous-Use works in freeradius: you put that
attribute when you want to set the limit for a number of simultaneous
connections. The number you enter is the number of simultaneous
connections allowed. So:

Simultaneous-Use := 1 (only one connection allowed)

Simultaneous-Use := 2 (two simultaneous connections allowed)

Simultaneous-Use := 100 (up to 100 simultaneous connections allowed)

no Simultaneous-Use attribute in the configuration (unlimited number of
simultaneous connections allowed)

Put the user in dialup2 group and he won't be able to connect.

Ivan Kalik
Kalik Informatika ISP

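Ivan's description of Simultaneous-Use, together with the earlier radacct query in this thread and his remark that checkrad is not consulted when nastype is "other", amounts to a small algorithm: count the user's accounting rows that have no stop time and reject when that count has already reached the limit, with no attribute meaning no limit. The following is an added example written for this page, not FreeRADIUS code and not anything the posters wrote; it uses an in-memory SQLite table with constructed rows in place of the MySQL radacct table, stores open sessions as a NULL AcctStopTime as the 2.x schema does (the 1.x schema behind the thread's query used a zero date), and the function names `open_radacct`, `count_open_sessions`, `check_simul` and `close_session` are my own.

```python
import sqlite3

# Constructed radacct rows (not the poster's data): two open sessions and one
# closed session for yellowhousejake, plus one open session for another user.
SAMPLE_ROWS = [
    ("201", "yellowhousejake", "10.0.241.95", "2008-10-27 11:55:40", None),
    ("202", "yellowhousejake", "10.0.241.95", "2008-10-27 14:26:00", None),
    ("150", "yellowhousejake", "10.0.241.95", "2008-10-26 09:00:00", "2008-10-26 10:00:00"),
    ("300", "alice",           "10.0.241.96", "2008-10-27 12:00:00", None),
]


def open_radacct():
    """Create a minimal radacct table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE radacct (
            RadAcctId     INTEGER PRIMARY KEY,
            AcctSessionId TEXT,
            UserName      TEXT,
            NASIPAddress  TEXT,
            AcctStartTime TEXT,
            AcctStopTime  TEXT          -- NULL while the session is open
        )""")
    conn.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress,"
        " AcctStartTime, AcctStopTime) VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def count_open_sessions(conn, username):
    """The thread's COUNT(*) query with a bound parameter for the user name."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime IS NULL",
        (username,)).fetchone()
    return n


def check_simul(conn, username, control):
    """Apply Ivan's rule: the attribute value is the number of sessions allowed;
    no attribute means unlimited. Returns 'ok' or 'reject'."""
    limit = control.get("Simultaneous-Use")
    if limit is None:
        return "ok"                      # no Simultaneous-Use: unlimited
    if count_open_sessions(conn, username) >= int(limit):
        return "reject"                  # the allowed sessions are already in use
    return "ok"


def close_session(conn, username, session_id, stop_time="2008-10-27 15:00:00"):
    """Simulate an Accounting-Request Stop for one session. A session whose Stop
    never arrived keeps counting against the limit, which is why a stale
    radacct table produces rejects that radwho does not explain.
    Returns the number of rows closed."""
    cur = conn.execute(
        "UPDATE radacct SET AcctStopTime = ? WHERE UserName = ? AND"
        " AcctSessionId = ? AND AcctStopTime IS NULL",
        (stop_time, username, session_id))
    return cur.rowcount


if __name__ == "__main__":
    conn = open_radacct()
    for limit in ({"Simultaneous-Use": "1"}, {"Simultaneous-Use": "2"},
                  {"Simultaneous-Use": "100"}, {}):
        print(limit, "->", check_simul(conn, "yellowhousejake", limit))
    close_session(conn, "yellowhousejake", "201")
    print("after Stop for 201:", check_simul(conn, "yellowhousejake", {"Simultaneous-Use": "2"}))
```

With two sessions still open, limits of 1 and 2 both reject while 100 and no attribute accept; once a Stop closes session 201 a limit of 2 accepts again. The count is taken before the new session is accepted, so a limit of 1 rejects as soon as one row is open, which matches the thread's observation that a lingering row blocks the next login.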


Re: users file auth failing

2008-10-27 Thread tnt
I would like to add a very simple user with only a Cleartext-Password to
the users file (this is strictly a FreeRADIUS user and in the interest
of security shouldn't be in LDAP).  I would like both the users file and
LDAP to be queried for users, with a query falling through to the next
source if a particular user is not found.  In other words, I would like
to be able to use *both* a users file *and* LDAP for auth.

I've added the following at the top of the users file, which has not
been modified otherwise from the sample that ships with 2.0.3.

someuser   Cleartext-Password := somepassword


Post the debug (radiusd -X).

Ivan Kalik
Kalik Informatika ISP



Re: users file auth failing

2008-10-27 Thread Anthony Chavez
[EMAIL PROTECTED] wrote:
 I would like to add a very simple user with only a Cleartext-Password to
 the users file (this is strictly a FreeRADIUS user and in the interest
 of security shouldn't be in LDAP).  I would like both the users file and
 LDAP to be queried for users, with a query falling through to the next
 source if a particular user is not found.  In other words, I would like
 to be able to use *both* a users file *and* LDAP for auth.

 I've added the following at the top of the users file, which has not
 been modified otherwise from the sample that ships with 2.0.3.

 someuser Cleartext-Password := somepassword

 
 Post the debug (radiusd -X).
 
 Ivan Kalik
 Kalik Informatika ISP

Here it is.

After looking at the log myself, I thought that perhaps setting
access_attr=NULL in radiusd.conf might do the trick, so I tried it
without success.

Note that the following log is what was produced before setting
access_attr=NULL.  I have not installed a RADIUS schema into my LDAP
DIT yet, so I've been using access_attr=uid.

Script started on Mon Oct 27 18:16:13 2008
FreeRADIUS Version 2.0.3, for host i386-portbld-freebsd7.0, built on Jun
16 2008 at 16:15:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /var
logdir = /var/log
libdir = /usr/local/lib
radacctdir = /var/log/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
user = freeradius
group = freeradius
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = secret
nastype = other
 }
 client 192.168.0.132 {
require_message_authenticator = no
secret = secret
shortname = someap1
 }
 client 192.168.0.133 {
require_message_authenticator = no
secret = secret
shortname = someap2
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = secret
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto

Re: Suse SLES 10SP2 with freeradius 2.x

2008-10-27 Thread Graham Marsh
I am running FR 2.1.0 OK on SLES10SP1 against edir LDAP backend.

The way I did it, I installed the C/C++ Compiler and Tools in the Yast
patterned setup. This takes care of a number of dependencies. If you
don't want to do this, simply install the required deps later but
there will be quite a few of them.

Backup your /etc/raddb and uninstall your existing FR 1.x first. I
would suggest deleting /etc/raddb and do a clean slate install. As
long as you backed up your config you can refer to the old files.

Build using rpmbuild having first extracted the freeradius.spec from
the archive and placed in the SPECS folder as per the build
instructions on freeradius.org. Depending on the archive you are
using, you may need to modify the spec file a bit. Search the list for
freeradius.spec.

The build process should complete successfully. Any errors you need to
post here.

When you install the rpms you may need to install some dependencies -
using Yast you may need to check the provides checkbox if you are
searching for a .so file. As I recall (fuzzy memory).

Once installed you can run radiusd -X and you may need to chown some
of the files in /etc/raddb/certs, the debug output will tell you which
ones. Done, now you can modify those config files - especially
modules/ldap.

2008/10/28 Hubert Kupper [EMAIL PROTECTED]:
 I have something to ask. With SLES there comes only freeradius 1.1.0-19.9,
 and with this version no Vista clients can authenticate. I found a 1.1.6-2.1
 rpm and installed it. Now I want to update to a newer version, but there is no
 rpm for SLES 10 available. When I try to compile freeradius v. 2.x there
 are problems with shared libraries that are not available in SLES. On
 an openSUSE 11.0 machine the 2.0.5 version runs fine and authenticates against
 eDirectory.

 Boert