Radius Server support for PEAP- EAP-MD5 & EAP-TTLS- Token Card

2008-11-04 Thread Queenie de Melo
Hi All,

I had a few queries:

I read about Radius Server
http://deployingradius.com/documents/configuration/eap.html

1. I saw that for PEAP, EAP-MD5 is not mentioned. Is EAP-MD5 supported in
PEAP?
2. I also saw that for EAP-TTLS, Token Card is not mentioned. Is it supported?

3. Another query I had was: does LEAP work with hostapd? I have version
hostapd 0.5.9 but read someplace on the net that LEAP doesn't work with
hostapd. Can you confirm?

Warm Regards
Queenie
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius error: "Discarding conflicting packet"

2008-11-04 Thread Eric Ying
I used a sniffer to check the RADIUS packets between authenticator <--> radius.
I also used a sniffer to check EAPOL between supplicant <--> authenticator.
I use these two ways to troubleshoot authentication issues.
Hope this info helps you.

Eric Ying

2008/11/4 Sergio Belkin <[EMAIL PROTECTED]>

> 2008/11/4  <[EMAIL PROTECTED]>:
> >
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg45635.html
> >
> > There is nothing to see in server debug for the packet that's discarded.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> >
> > Dana 4/11/2008, "Marinko Tarlac" <[EMAIL PROTECTED]> piše:
> >
> >>Sorry for bothering but does anyone know what's wrong with these nases?
> >>Is there any way to go a little deeper than  #radiusd -x ?
> >>
> >>
> >>Jelle wrote:
> >>> Jep, in my case I use about 30 AP's from Linksys (WAP54g). They all
> >>> appear to be broken. Too bad, but then again a reason to integrate the
> >>> N standard with other AP's... :)
> >>>
> >>>
> >>>
> >>> 2008/11/4 Stephen Bowman <[EMAIL PROTECTED]  [EMAIL PROTECTED]>>
> >>>
> >>>
> >>>
> >>> > But what do you mean for "fix the nas"? Should I use another
> >>> brand/model of AP?
> >>>
> >>> What I am trying to tell you is: are the about 30 APs that
> >>> I am using broken?
> >>>
> >>>
> >>> Yes.
> >>>
> >>>
>
> OK, APs are broken. Now, with best regards, how do I convince my boss
> that he should buy more than 30 new APs? Should I tell him... "read
> the freeradius mailing list"?
>
> --
> --
> Open Kairos http://www.openkairos.com
> Watch More TV http://sebelk.blogspot.com
> Sergio Belkin -
>
>

Re: Freeradius-Users Digest, Vol 43, Issue 17

2008-11-04 Thread Rolando Tejada
Hi, I would like to know if somebody can help me configure a captive
portal in monowall to authenticate users in freeradius.

Re: Freeradius error: "Discarding conflicting packet"

2008-11-04 Thread Sergio Belkin
2008/11/4  <[EMAIL PROTECTED]>:
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg45635.html
>
> There is nothing to see in server debug for the packet that's discarded.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 4/11/2008, "Marinko Tarlac" <[EMAIL PROTECTED]> piše:
>
>>Sorry for bothering but does anyone know what's wrong with these nases?
>>Is there any way to go a little deeper than  #radiusd -x ?
>>
>>
>>Jelle wrote:
>>> Jep, in my case I use about 30 AP's from Linksys (WAP54g). They all
>>> appear to be broken. Too bad, but then again a reason to integrate the
>>> N standard with other AP's... :)
>>>
>>>
>>>
>>> 2008/11/4 Stephen Bowman <[EMAIL PROTECTED] >
>>>
>>>
>>>
>>> > But what do you mean for "fix the nas"? Should I use another
>>> brand/model of AP?
>>>
>>> What I am trying to tell you is: are the about 30 APs that
>>> I am using broken?
>>>
>>>
>>> Yes.
>>>
>>>
>

OK, APs are broken. Now, with best regards, how do I convince my boss
that he should buy more than 30 new APs? Should I tell him... "read
the freeradius mailing list"?

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -



Trouble using % percent sign in usernames with MySQL auth

2008-11-04 Thread Jonas Frey
Hello,

I am running into problems while using usernames which include a percent
(%) sign. The rlm_sql_mysql module apparently translates these into the
ASCII sequence "=25". So a username which was isp/somebody%somewhere gets
translated into isp/somebody=25somewhere.

Additionally these users are listed incorrectly via dialup admin. If you
click on their names (even if they include the =25) you can't administer
them since dialupadmin apparently strips out the equals sign (as well as
the percent sign).

Is anyone observing similar behaviour and/or knows of a fix?

Regards,
Jonas

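Added example (not code from the thread or from FreeRADIUS): a Python re-implementation of the `=XX` escaping that rlm_sql applies to every character outside its configured safe set before a value such as User-Name is placed into a query, which is why a `%` ends up stored as `=25`. The safe-character set below is an assumption modelled on the 2.x sql.conf default; check the `safe-characters` setting in your own sql.conf.

```python
# Added example, not FreeRADIUS code: emulate the "=XX" escaping that rlm_sql
# applies to expanded values (User-Name included) before building a query.
# SAFE_CHARACTERS is an assumption modelled on the FreeRADIUS 2.x sql.conf
# default for "safe-characters"; use the value from your own configuration.
SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_: /"
)

HEX_DIGITS = "0123456789ABCDEFabcdef"


def sql_escape(value: str, safe: str = SAFE_CHARACTERS) -> str:
    """Replace every byte outside the safe set with '=' and two hex digits.

    Works on the UTF-8 bytes because the server escapes raw bytes, so one
    multi-byte character becomes several =XX groups.  '=' is itself outside
    the safe set, so the output is unambiguous and can be reversed.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x80 and chr(byte) in safe:
            out.append(chr(byte))
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def sql_unescape(value: str) -> str:
    """Reverse sql_escape(): turn each '=XX' group back into its byte.

    Raises ValueError on a '=' that is not followed by two hex digits, so a
    value that was never escaped (or was damaged) is not silently accepted.
    """
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "=":
            pair = value[i + 1:i + 3]
            if len(pair) != 2 or any(c not in HEX_DIGITS for c in pair):
                raise ValueError("malformed escape at offset %d" % i)
            buf.append(int(pair, 16))
            i += 3
        else:
            buf.extend(value[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def find_user(raw_username: str, stored_usernames) -> bool:
    """Look a user up the way rlm_sql does: escape first, then compare with
    what the radcheck/radreply rows actually hold.  A front end that compares
    the raw name (or strips '=' and '%') misses the row."""
    return sql_escape(raw_username) in stored_usernames


if __name__ == "__main__":
    name = "isp/somebody%somewhere"          # constructed sample, as in the post
    stored = sql_escape(name)
    print(stored)                            # isp/somebody=25somewhere
    print(sql_unescape(stored) == name)      # True
    print(find_user(name, [stored]))         # True
```

A single quote is escaped the same way (o'brien becomes o=27brien), which is the property that stops a client-chosen User-Name from breaking out of the query string; an admin front end therefore has to search on the escaped form rather than strip the `=`.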


Re: Freeradius error: "Discarding conflicting packet"

2008-11-04 Thread tnt
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg45635.html

There is nothing to see in server debug for the packet that's discarded.

Ivan Kalik
Kalik Informatika ISP


Dana 4/11/2008, "Marinko Tarlac" <[EMAIL PROTECTED]> piše:

>Sorry for bothering but does anyone know what's wrong with these nases?
>Is there any way to go a little deeper than  #radiusd -x ?
>
>
>Jelle wrote:
>> Jep, in my case I use about 30 AP's from Linksys (WAP54g). They all
>> appear to be broken. Too bad, but then again a reason to integrate the
>> N standard with other AP's... :)
>>
>>
>>
>> 2008/11/4 Stephen Bowman <[EMAIL PROTECTED] >
>>
>>
>>
>> > But what do you mean for "fix the nas"? Should I use another
>> brand/model of AP?
>>
>> What I am trying to tell you is: are the about 30 APs that
>> I am using broken?
>>
>>
>> Yes.
>>
>>



Re: Unable to authenticate to Open Directory

2008-11-04 Thread tnt
>I think we're back to what I had been trying to do on my test machines
>now and still can't seem to get working.
>
>When I add "DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-
>Realm := DOMAIN" to users of the first server (I believe that's the
>correct place to put it). I get "rlm_eap: Request is supposed to be
>proxied to Realm DOMAIN.  Not doing EAP." on the first server and the
>proxy server still says " rlm_eap: Identity does not match User-Name,
>setting from EAP Identity."
>

There is a setting proxy_tunneled_request_as_eap in the peap section of
eap.conf. Change that to no.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius error: "Discarding conflicting packet"

2008-11-04 Thread Marinko Tarlac
Sorry for bothering but does anyone know what's wrong with these nases? 
Is there any way to go a little deeper than  #radiusd -x ?



Jelle wrote:
> Jep, in my case I use about 30 AP's from Linksys (WAP54g). They all
> appear to be broken. Too bad, but then again a reason to integrate the
> N standard with other AP's... :)
>
> 2008/11/4 Stephen Bowman <[EMAIL PROTECTED]>
>
> > > But what do you mean for "fix the nas"? Should I use another
> > > brand/model of AP?
> > >
> > > What I am trying to tell you is: are the about 30 APs that
> > > I am using broken?
> >
> > Yes.






sqlippool symbol error

2008-11-04 Thread Alexandre Chapellon
I have compiled and installed FR2.1.1 on ubuntu 8.04.
FR starts correctly with no warning but when the server needs to process
the sqlippool module FR crashes with the following:

rlm_sql (myippool1): Reserving sql socket id: 4
[sqlippool1] expand: START TRANSACTION -> START TRANSACTION
freeradius: symbol lookup error:
/usr/lib/freeradius/rlm_sqlippool-2.1.1.so: undefined symbol: rlm_sql_query

I use FR2.1.1 because it is supposed not to need linking against rlm_sql
anymore.
What am I missing?


Re: Unable to authenticate to Open Directory

2008-11-04 Thread Kerry Tobin
I think we're back to what I had been trying to do on my test machines  
now and still can't seem to get working.


When I add "DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := DOMAIN"
to users on the first server (I believe that's the correct place to put it),
I get "rlm_eap: Request is supposed to be proxied to Realm DOMAIN.  Not doing
EAP." on the first server and the proxy server still says "rlm_eap: Identity
does not match User-Name, setting from EAP Identity."


Thanks,

Kerry Tobin


On Nov 4, 2008, at 1:04 PM, [EMAIL PROTECTED] wrote:

> Message: 1
> Date: Tue, 04 Nov 2008 17:39:50 +0100
> From: <[EMAIL PROTECTED]>
> Subject: Re: Unable to authenticate to Open Directory
> To: "FreeRadius users mailing list"
>
> > OK, I've tried using a proxy and now it fails on rlm_eap and says the
> > User-Name doesn't match EAP Identity.  Is there a way to have EAP
> > processed on the local machine but authentication happen on the
> > remote?  Is that even the problem?
>
> DEFAULT   FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := DOMAIN
>
> That will proxy only the inner tunnel.
>
> Ivan Kalik
> Kalik Informatika ISP


Re: Re: EAP - TLS Client Certification Stored Removable Media

2008-11-04 Thread Aydın KOÇAK
Hello;
Thank you for your replies...
You are right, it isn't related to radius...
I can do it but it takes time...

Thank You,
Aydin KOCAK.



Re: rlm_ldap and Stripped-User-Name

2008-11-04 Thread Luke
Finally found that {mschap:User-Name} will work for me.
Thanks anyway :)

On Mon, Nov 3, 2008 at 5:27 PM, Luke <[EMAIL PROTECTED]> wrote:
> I'm trying to use rlm_ldap to do group lookups for dynamic vlan assignment.
>
> I've got freeradius (version 2.1.1) to connect to my ldap server, but
> when it tries searching, it's not working correctly.
>
> I'm not getting a Stripped-User-Name, and the non-stripped user name
> is coming across as "\5c".
>
> I've been looking around for a couple of hours now, and have yet to
> find out how to make it either
> a) give me a stripped user name or
> b) figure out some way to strip the username myself.
>
> I was trying to use something I had found before where someone was
> using attr_rewrite to manually create the Stripped-User-Name, but it
> wasn't working at all.
>
> The first part was copying User-Name into Stripped-User-Name, and
> since the original username happens to have the string \t in it, it
> was interpreting that as a tab, instead of straight copying the text.
> Then when I tried to do regex replacement on it, the string was in
> this crazy state where it had a bunch of extra spaces in it due to the
> \t being interpreted as a tab.
>
> Can someone help me out with this?  I'm not sure what I'm doing wrong
> that's preventing the Stripped-User-Name from working in the first
> place, or how to work around the fact that the attr_rewrite is not
> directly copying the text into my variable, and is instead
> interpreting it.
>
> Thanks,
> Luke
>


Re: WiFI EAP-PEAP with VLAN

2008-11-04 Thread Eric Ying
Some NASes will drop the access-accept or keep the port closed if the VLAN
provided by RADIUS doesn't match the switch's VLAN.

eric

On Tue, Nov 4, 2008 at 8:59 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:

> Dajka Tamás wrote:
> > Is it possible to include a VLAN tag in the reply, so that the client is
> assigned to the appropriate VLAN based on its auth group (so, if USER_A
> is a member of GROUP_A, then it's assigned to VLAN_A)
>
>   Yes.  See your NAS documentation for documentation about what it needs
> to see in the RADIUS response.
>
>  Alan DeKok.

Re: Freeradius error: "Discarding conflicting packet"

2008-11-04 Thread Jelle
Jep, in my case I use about 30 AP's from Linksys (WAP54g). They all appear
to be broken. Too bad, but then again a reason to integrate the N standard
with other AP's... :)



2008/11/4 Stephen Bowman <[EMAIL PROTECTED]>

>
>
>> > But what do you mean for "fix the nas"? Should I use another brand/model
>> of AP?
>>
>> What I am trying to tell you is: are the about 30 APs that I am using
>> broken?
>>
>
> Yes.
>
>

Re: EAP - TLS Client Certification Stored Removable Media

2008-11-04 Thread Alan DeKok
Aydın KOÇAK wrote:
> Hello All;
> I have a question about EAP - TLS. How can I configure client certification
> stored on removable media (ex: usb memory, smartcard, etc.)?
> I have already used EAP - TLS with client certification stored on Windows
> (client) but I need a solution that the user can authenticate when inserting his usb
> memory
> and log out when removing his usb memory?

  This is an issue for the local OS, not for RADIUS.  See the OS
documentation for how to do this.

  Alan DeKok.

Re: EAP - TLS Client Certification Stored Removable Media

2008-11-04 Thread tnt
>I have a question about EAP - TLS .

No, you don't.

>How can I configure client certification stored on removable media (ex: usb
>memory, smartcard, etc.)?
>I have already used EAP - TLS with client certification stored on Windows
>(client) but I need a solution that the user can authenticate when inserting his usb
>memory
>and log out when removing his usb memory?
>
>My system running with EAP - TLS authentication and LDAP authorization and
>clients use 802.1x ...
>

This is implemented in a hospital I work for:

http://www.gemauth.com/

You want something like that. Nothing to do with radius.

Ivan Kalik
Kalik Informatika ISP



Re: WiFI EAP-PEAP with VLAN

2008-11-04 Thread Alan DeKok
Dajka Tamás wrote:
> Is it possible to include a VLAN tag in the reply, so that the client is assigned
> to the appropriate VLAN based on its auth group (so, if USER_A is a member
> of GROUP_A, then it's assigned to VLAN_A)

  Yes.  See your NAS documentation for documentation about what it needs
to see in the RADIUS response.

  Alan DeKok.


Re: My problem: user supplied CHAP-Password does NOT match local User-Password

2008-11-04 Thread Alan DeKok
Zhifeng Yang wrote:
> FreeRadius: 1.1.3 (this is the newest stable version I can apt-get for Debian)

  Then install 2.1.1 from the source "tar" file.

  Alan DeKok.


Re: Add reply attributes to a proxy radius response

2008-11-04 Thread Alan DeKok
Paul TAVERNIER wrote:
> So, the thing I'd like to do with Freeradius v2.1 is to insert a "ldap"
> authorization in the post_proxy section of my config.

  You can add "ldap.authorize" in the post-proxy section.  It might work.

  Alan DeKok.


Re: Unable to authenticate to Open Directory

2008-11-04 Thread Alan DeKok
Kerry Tobin wrote:
> OK, I've tried using a proxy and now it fails on rlm_eap and says the
> User-Name doesn't match EAP Identity.  Is there a way to have EAP
> processed on the local machine but authentication happen on the remote? 
> Is that even the problem?

  That makes no sense.  EAP *is* an authentication protocol.

> Kerry Tobin
> 
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf

  You are using a very old version of the server.  I suggest upgrading
to 2.1.1.

  Alan DeKok.


Re: ldap authorization request in a post_proxy section?

2008-11-04 Thread tnt
>   How should I call the ldap module in the post_proxy section (in
>Freeradius v1 or v2...)?
>
>   It should perhaps be easier to ask a single question rather than in my
>long request posted yesterday...;o)
>
>   In Freeradius v1, I can merge in an access-accept response radius
>attribute to a proxy reply.
>
>radiusd.conf
>
>
>authorize {
>   ...
>   suffix
>   ldap
>   ...
>}
>
>post_proxy {
>   eap
>}
>
>
>proxy.conf
>--
>proxy server {
>   ...
>#
>#  Older versions of the server would pass proxy requests through the
>#  'authorize' sections twice; once when the packet was received
>#  from the NAS, and again after the reply was received from the home
>#  server.  Now that we have a 'post_proxy' section, the replies from
>#  the home server should be sent through that, instead of through
>#  the 'authorize' section again.
>#
>#  However, for backwards compatibility, this behaviour is configurable.
>#  The default configuration is 'yes', for backwards compatibility.
>#  To use ONLY the new 'post_proxy' section, set this value to 'no'.
>#
> post_proxy_authorize = yes
>   ...
>}
>
>realm otp {
> type = radius
> authhost = myproxyradius:1812
> secret = xxx
>}
>
>
>And it works because it parses the authorization section twice (as I
>seemed to understand, sorry I'm French ;o))... a thing that doesn't
>happen in v2.x...
>

I think you should list authorize.ldap to execute ldap from the authorize
section.

Ivan Kalik
Kalik Informatika ISP



Re: EAP - TLS Client Certification Stored Removable Media

2008-11-04 Thread Paul TAVERNIER



Aydın KOÇAK wrote:
> Hello All;
> I have a question about EAP - TLS. How can I configure client certification
> stored on removable media (ex: usb memory, smartcard, etc.)?
> I have already used EAP - TLS with client certification stored on Windows
> (client) but I need a solution that the user can authenticate when inserting his usb
> memory
> and log out when removing his usb memory?


It depends on the supplicant used. If you use the Windows supplicant, in
the wireless configuration tab:

1) select your SSID associated with your EAP-TLS auth,
2) click on the "settings" button
3) click on the Authentication tab
4) on the EAP Type dropdown list, select "smartcard support" instead of PEAP
5) click on "settings"
6) click on the radio button "Use my smartcard"

It works here with Gemalto tokens or Rainbow iKey3000 tokens... It only
asks the users for their PIN code to join the wireless LAN (you first have to
install the middleware/driver of your smartcard, of course).


Hope this helps
Paul



> My system running with EAP - TLS authentication and LDAP authorization and
> clients use 802.1x ...
>
> Thank You For Your Relation,
> Aydin Kocak,
> TURKOM.



--

Paul TAVERNIER
Equipe Reseaux-Securite
Division Informatique
Rectorat de ROUEN
Tel: 02.32.08.94.18
Fax: 02.32.08.94.12
Mob: 06.25.45.84.10
"Je suis accablé de tant de riens,
si surchargé de billevesées" (Voltaire)







Re: Unable to authenticate to Open Directory

2008-11-04 Thread tnt
>OK, I've tried using a proxy and now it fails on rlm_eap and says the
>User-Name doesn't match EAP Identity.  Is there a way to have EAP
>processed on the local machine but authentication happen on the
>remote?  Is that even the problem?
>

DEFAULT   FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := DOMAIN

That will proxy only the inner tunnel.

Ivan Kalik
Kalik Informatika ISP



Re: EAP - TLS Client Certification Stored Removable Media

2008-11-04 Thread Stephen Bowman
On Tue, Nov 4, 2008 at 11:18 AM, Aydın KOÇAK <[EMAIL PROTECTED]> wrote:

> Hello All;
> I have a question about EAP - TLS. How can I configure client
> certification stored on removable media (ex: usb memory, smartcard, etc.)?
> I have already used EAP - TLS with client certification stored on Windows
> (client) but I need a solution that the user can authenticate when inserting his usb
> memory
> and log out when removing his usb memory?


This is a question specific to the client OS.  Specifically, you are relying
on functionality provided by middleware (and OS hooks).

Also, let's be clear here, you're talking about a USB *token* not a USB
flash drive.  While similar in technology, very different in many ways.

Re: user group problems, my logic or freeradius limitation

2008-11-04 Thread tnt
>The first comment you gave mentioned to put the Etc-Group-Name in the 
>huntgroups file.  This unfortunately does not work as it will only accept 
>system groups (and users do not have accounts for this system).
>
>This option does not scale if I am understanding you right.
>
>I would have to add a section for each user for every huntgroup.  If I have 20 
>administrators and 20 huntgroups I would have to create 400 entries just for 
>them.  With the number of users I would have to deal with this would not scale.
>
>It seems like there should be an easy way to deal with users in more than one 
>group.
>

Use sql.

Ivan Kalik
Kalik Informatika ISP



Re: user group problems, my logic or freeradius limitation

2008-11-04 Thread Reynolds, Walter
The first comment you gave mentioned to put the Etc-Group-Name in the 
huntgroups file.  This unfortunately does not work as it will only accept 
system groups (and users do not have accounts for this system).

This option does not scale if I am understanding you right.

I would have to add a section for each user for every huntgroup.  If I have 20 
administrators and 20 huntgroups I would have to create 400 entries just for 
them.  With the number of users I would have to deal with this would not scale.

It seems like there should be an easy way to deal with users in more than one 
group.

>Date: Tue, 04 Nov 2008 14:33:26 +0100
>From: <[EMAIL PROTECTED]>
>Subject: Re: user group problems, my logic or freeradius limitation
>
>Sorry, my brain is like sieve today.
>
>Not DEFAULT but user entries (as I said in the text):
>
>walt   password, huntgroup, group
>fall-through
>
>walt   bpassword, huntgroup, group
>
>Ivan Kalik
>Kalik Informatika ISP

>
> Date: Tue, 04 Nov 2008 14:29:27 +0100
> From: <[EMAIL PROTECTED]>
> Subject: Re: user group problems, my logic or freeradius limitation
> To: "FreeRadius users mailing list"
> 
>
> Sorry, you have problem with users in multiple groups. What I posted will
> have no effect. You should create a different huntgroup - add every NAS
> that groups wilab2 and nolab are allowed to connect. Than remove that
> users file entry and add:
>
> DEFAULT   Huntgroup-Name == "wilab2", Etc-Group-Name == "wilab2"
>  Fall-Through = yes
>
> DEFAULT   Huntgroup-Name == "nolab", Etc-Group-Name == "nolab"
>  Fall-Through = yes
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 4/11/2008, "Reynolds, Walter" <[EMAIL PROTECTED]> piše:
>
> >I am trying to find a good way to limit who is able to login at specific 
> >NAS's.  I
> know I could add all the allowed user names to the Huntgroups file, but this 
> can
> get tedious as I must do it for each NAS.  So I figured the best way was to 
> use
> groups.  The users are not account holders on the system, so I could not use
> the 'Group' option in huntgroups.  I also do not have a database backend so
> wanted to uses a local file.
> >
> >So in looking I saw that I could do the following:
> >
> >1. modules/etc_group - Define a local file with a group list
> >2. Created the group file referenced in etc_group
> >3. Added a dictionary item for the attribute
> >4. Add the desired NAS to a huntgroup
> >5. Set a policy in the users file to be based on the list.
> >
> >Where I am having a problem is if the user is assigned to more than one
> group.  As you can see from the first debug output from below, if a user is a
> member of the group alone it works fine.  But the second debug shows that if a
> user is a member of more than one group, even if one is the right one, it 
> will not
> work because one of the groups does not match.
> >
> >The reason I need users in more than one group is if they are affiliated with
> more than one department.  Also will need more than one affiliation for 
> support
> to be able to troubleshoot connecting on each NAS.
> >
> >In case it matters, the back end authentication is Kerberos on our production
> service but for this test I just have some local accounts defined in the 
> users file.
> >
> >So, is this a error in my logic/setup or is this a limitation I have with
> Freeradius.  Is there some other way to do this?
> >
> >
> >===
> >
> >/usr/local/etc/raddb/modules/etc_group
> >
> >passwd etc_group {
> >   filename = /usr/local/etc/raddb/group_file
> >   format = "~Etc-Group-Name:*,User-Name"
> >   hashsize = 150
> >   ignorenislike = yes
> >   allowmultiplekeys = yes
> >   delimiter = ":"
> >}
> >
> >
> >
> >/usr/local/etc/raddb/group_file
> >
> >wilab:walt,walter
> >wilab2:walter,walter01
> >nolab:walter01
> >
> >=
> >
> >/usr/local/etc/raddb/dictionary
> >
> >ATTRIBUTE   Etc-Group-Name  3000string
> >
> >=
> >
> >/usr/local/etc/raddb/huntgroups
> >
> >ILABNAS-IP-Address == 10.11.224.36
> >
> >=
> >
> >/usr/local/etc/raddb/users  (added line numbers for the debug)
> >
> >
> >102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-
> Type := Reject
> >103 Fall-Through = no
> >104
> >105 waltCleartext-Password := "walter01"
> >106 walter  Cleartext-Password := "walter01"
> >107 walter01Cleartext-Password := "walter01"
> >
> >
> >---
> >
> >
> >rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111,
> length=131
> >User-Name = "walt"
> >User-Password = "walter01"
> >NAS-IP-Address = 10.11.224.36
> >Service-Type = Login-User
> >Framed-IP-Address = 192.168.135.25
> >Called-Station-Id = "00:07:E9:D1:8F:C2"
> >NAS-Id

EAP - TLS Client Certification Stored Removable Media

2008-11-04 Thread Aydın KOÇAK
Hello All;
I have a question about EAP - TLS. How can I configure client certification 
stored on removable media (ex: usb memory, smartcard, etc.)?
I have already used EAP - TLS with client certification stored on Windows 
(client) but I need a solution that the user can authenticate when inserting his usb 
memory
and log out when removing his usb memory?

My system running with EAP - TLS authentication and LDAP authorization and 
clients use 802.1x ...

Thank You For Your Relation,
Aydin Kocak,
TURKOM.



Re: RES: exec program, but post-auth

2008-11-04 Thread Alexandre J. Correa - Onda Internet

Thanks for the answers,

I obtained the IP, account-id, etc. from the preacct section by adding exec to 
that section!! The script filtering on Acct-Status-Type = Start is working fine now!!


Ivan, I didn't read in your first message to try with accounting packets!!

Thanks again!!

Regards..

[EMAIL PROTECTED] wrote:
> > Here I use Exec-Program-Wait to validate data AFTER auth OK. I need to
> > execute another script AFTER auth OK to get the IP address assigned to the user.
> >
> > I'm trying to pass %f to my script but it returns "?.?.?.?" because at this
> > moment, radius has not assigned an IP for the user...
> >
> > How can I do this?
>
> Where is "here"? In what section are you trying to run the script?
>
> Ivan Kalik
> Kalik Informatika ISP

  



--
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br



ldap authorization request in a post_proxy section?

2008-11-04 Thread Paul TAVERNIER

Hi,

How should I call the ldap module in the post_proxy section (in 
Freeradius v1 or v2...)?


It should perhaps be easier to ask a single question rather than in my 
long request posted yesterday...;o)


In Freeradius v1, I can merge in an access-accept response radius 
attribute to a proxy reply.


radiusd.conf

...
authorize {
...
suffix
ldap
...
}

post_proxy {
eap
}
...

proxy.conf
--
proxy server {
...
#
#  Older versions of the server would pass proxy requests through the
#  'authorize' sections twice; once when the packet was received
#  from the NAS, and again after the reply was received from the home
#  server.  Now that we have a 'post_proxy' section, the replies from
#  the home server should be sent through that, instead of through
#  the 'authorize' section again.
#
#  However, for backwards compatibility, this behaviour is configurable.
#  The default configuration is 'yes', for backwards compatibility.
#  To use ONLY the new 'post_proxy' section, set this value to 'no'.
#
post_proxy_authorize = yes
...
}

realm otp {
type = radius
authhost = myproxyradius:1812
secret = xxx
}


And it works because it parses the authorization section twice (as I 
seemed to understand, sorry I'm French ;o))... a thing that doesn't 
happen in v2.x...



Rgds
Paul

--

Paul TAVERNIER
Equipe Reseaux-Securite
Division Informatique
Rectorat de ROUEN






Re: Unable to authenticate to Open Directory

2008-11-04 Thread Kerry Tobin
OK, I've tried using a proxy and now it fails on rlm_eap and says the  
User-Name doesn't match EAP Identity.  Is there a way to have EAP  
processed on the local machine but authentication happen on the  
remote?  Is that even the problem?


Kerry Tobin

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /private/etc/raddb/proxy.conf
Config:   including file: /private/etc/raddb/clients.conf
Config:   including file: /private/etc/raddb/snmp.conf
Config:   including file: /private/etc/raddb/eap.conf
Config:   including file: /private/etc/raddb/sql.conf
 main: prefix = "/"
 main: localstatedir = "/private/var"
 main: logdir = "/private/var/log/radius"
 main: libdir = "//lib"
 main: radacctdir = "/private/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/private/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/private/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "//sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded opendirectory
 opendirectory: passwd = "(null)"
Module: Instantiated opendirectory (opendirectory)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/private/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "ttls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/certificates/Default.key"
 tls: certificate_file = "/etc/certificates/Default.crt"
 tls: CA_file = "/etc/certificates/Default.crt"
 tls: private_key_password = ""
 tls: dh_file = "/private/etc/raddb/certs/dh"
 tls: random_file = "/private/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "mschapv2"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/private/etc/raddb/huntgroups"
 preprocess: hints = "/private/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "su

My problem: user supplied CHAP-Password does NOT match local User-Password

2008-11-04 Thread Zhifeng Yang
Hello, everybody
I've setup FreeRadius based on MySQL in Debian system. The system passed local 
test, but failed with remote user login request from a Coovachilli portal.

It really confused me, because I always get the following log message in FreeRadius 
debug mode:
auth: user supplied CHAP-Password does NOT match local User-Password

I am SURE I input the correct password. I wonder if anybody can kindly give me any 
hints to resolve this issue. Here are the details:

OS: Debian version 4.0 r5
FreeRadius: 1.1.3 (this is the newest stable version I can apt-get for Debian)
MySQL server and client 5.0
CoovaChilli: CoovaAP 1.0 beta7d (this is firmware for Linksys box with 
CoovaChilli integrated)

This is the item in the radcheck table:
+----+------------+---------------+----+------------+
| id | UserName   | Attribute     | op | Value      |
+----+------------+---------------+----+------------+
|  9 | chillispot | User-Password | := | chillispot |
+----+------------+---------------+----+------------+

And this is the message I have in the FreeRadius log:
---
rad_recv: Access-Request packet from host 192.168.0.130:2085, id=69, length=301
ChilliSpot-Version = "1.0.11"
User-Name = "chillispot"
CHAP-Challenge = 0x51239bfb2d63ea383f908d3f255915cb
CHAP-Password = 0x00edbc2df1249e7552bdf39f05fa465234
NAS-IP-Address = 192.168.0.130
Service-Type = Login-User
Framed-IP-Address = 10.1.0.2
Calling-Station-Id = "00-14-A5-62-AB-2B"
Called-Station-Id = "00-18-39-C6-0D-C0"
NAS-Identifier = "00-18-39-C6-0D-C0"
Acct-Session-Id = "491058fb0001"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
WISPr-Location-ID = "isocc=,cc=,ac=,network=Coova,Coova"
WISPr-Location-Name = "My_HotSpot"
WISPr-Logoff-URL = "http://10.1.0.1:3660/logoff"
Message-Authenticator = 0x103de768642d50fd1afaacaa5780a226
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 12
  modcall[authorize]: module "preprocess" returns ok for request 12
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 12
  modcall[authorize]: module "mschap" returns noop for request 12
rlm_realm: No '@' in User-Name = "chillispot", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 12
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 12
radius_xlat:  'chillispot'
rlm_sql (sql): sql_set_user escaped user --> 'chillispot'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'chillispot'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'chillispot' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'chillispot'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'chillispot' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module "sql" returns ok for request 12
modcall: leaving group authorize (returns ok) for request 12
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password does NOT match local User-Password
auth: Failed to validate the user.
-

Thanks in advance!
Steven Yang

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
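As an added example (not code from the post above and not FreeRADIUS code), the Python below reproduces what rlm_chap does with the three values that appear in the debug output: a CHAP-Password is one identifier byte followed by MD5(identifier || password || CHAP-Challenge) (RFC 2865 section 5.3, RFC 1994), so the server can verify it only by hashing the cleartext password it holds, which the User-Password check item here is. A mismatch with a known-good stored password therefore means the portal hashed a different password or a different challenge than the ones FreeRADIUS sees (with a ChilliSpot-style login page, a uamsecret that differs between the page and chilli is one way that happens). The function names, the candidate-password diagnostic and the constructed challenge in the test run are this example's own; the POST_* constants are copied from the log.

```python
"""Recompute and verify a RADIUS CHAP-Password the way rlm_chap does.
Added example for the freeradius-users thread above; not FreeRADIUS code."""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """CHAP-Password as a NAS or captive-portal login page builds it
    (RFC 2865 s5.3 / RFC 1994): identifier byte, then
    MD5(identifier || password || challenge)."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP identifier is a single byte")
    digest = hashlib.md5(bytes([chap_id]) + password.encode("utf-8") + challenge).digest()
    return bytes([chap_id]) + digest


def chap_verify(chap_password: bytes, challenge: bytes, known_password: str) -> bool:
    """Server side of the check. The only possible verification is to
    recompute the hash from the locally known *cleartext* password, so a
    crypt() or NT-hashed store cannot be used with CHAP."""
    if len(chap_password) != 17:
        return False  # identifier + 16-byte MD5; anything else is malformed
    chap_id = chap_password[0]
    expected = hashlib.md5(bytes([chap_id]) + known_password.encode("utf-8") + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def diagnose_mismatch(chap_password: bytes, challenge: bytes,
                      candidates: Iterable[str]) -> Optional[str]:
    """Debugging aid: report which of several candidate passwords (the stored
    value with/without trailing whitespace, a test account's default, ...)
    the NAS actually hashed, or None if none of them reproduce the response."""
    for candidate in candidates:
        if chap_verify(chap_password, challenge, candidate):
            return candidate
    return None


# Values copied from the Access-Request and radcheck row quoted in the post.
POST_CHALLENGE = bytes.fromhex("51239bfb2d63ea383f908d3f255915cb")
POST_CHAP_PASSWORD = bytes.fromhex("00edbc2df1249e7552bdf39f05fa465234")
POST_STORED_PASSWORD = "chillispot"

if __name__ == "__main__":
    # Constructed round trip: a response built from the stored password verifies.
    challenge = os.urandom(16)
    response = chap_response(0x2A, POST_STORED_PASSWORD, challenge)
    print("constructed round trip verifies:", chap_verify(response, challenge, POST_STORED_PASSWORD))
    # The post's own values: True means the NAS hashed 'chillispot' against this
    # challenge; False means the portal used another password or challenge.
    print("post values match stored password:",
          chap_verify(POST_CHAP_PASSWORD, POST_CHALLENGE, POST_STORED_PASSWORD))
```

Running it against the logged values tells you whether the portal and FreeRADIUS disagree about the password or about the challenge, which is the distinction the "does NOT match" line cannot make on its own.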


Re: WiFI EAP-PEAP with VLAN

2008-11-04 Thread Paul TAVERNIER



Dajka Tamás wrote:

> Hi all,
>
> Is it possible to include a VLAN tag in the reply, so that the client is assigned 
> to the appropriate VLAN based on its auth group (so, if USER_A is a member of 
> GROUP_A, then it's assigned to VLAN_A)?

It seems to be "vendor specific"... For Cisco:
Tunnel-Type (064): VLAN
Tunnel-Medium-Type (065): 802
Tunnel-Private-Group-ID (081): { VLAN name }

> Is this possible? Or should it be done elsewhere than the radius?

You can map a private attribute (an LDAP VLAN entry, for example) to one of these 
"vendor specific" attributes in your reply.

Rgds
Paul

> Thanks,
>
> Tamas
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--

Paul TAVERNIER
Equipe Reseaux-Securite
Division Informatique
Rectorat de ROUEN
Tel: 02.32.08.94.18
Fax: 02.32.08.94.12
Mob: 06.25.45.84.10
"I am overwhelmed by so many trifles,
so overloaded with nonsense" (Voltaire)





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
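The three attributes listed in the reply above are not vendor-specific: Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) are standard RFC 2868 tunnel attributes, and RFC 3580 defines the values VLAN (13) and IEEE-802 (6) that 802.1X switches and access points from most vendors honour for dynamic VLAN assignment. As an added example (not from the thread and not FreeRADIUS code), the Python below maps a user's groups to a VLAN through a constructed table, encodes the three tagged attributes to RADIUS wire format, and parses them back the way a NAS would, including the RFC 2868 rule that a first string byte above 0x1F is data rather than a tag and the check that all three attributes carry the same tag. GROUP_TO_VLAN and every function name are this example's assumptions.

```python
"""RFC 2868 tunnel attributes for 802.1X VLAN assignment (RFC 3580 s3.31).
Added example for the freeradius-users thread above; not FreeRADIUS code."""
import struct
from typing import Dict, Iterable, Optional, Tuple

# RADIUS attribute types (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
# Values: Tunnel-Type VLAN (RFC 3580), Tunnel-Medium-Type IEEE-802 (RFC 2868)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy table for the example: the directory group a user belongs
# to decides the VLAN name or ID placed in Tunnel-Private-Group-ID.
GROUP_TO_VLAN: Dict[str, str] = {"GROUP_A": "VLAN_A", "GROUP_B": "200"}


def encode_tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer AVP: Type, Length (always 6), Tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F or not 0 <= value < (1 << 24):
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """Tagged string AVP: Type, Length, Tag, then the string bytes."""
    data = value.encode("utf-8")
    if not 0 <= tag <= 0x1F or len(data) > 252:
        raise ValueError("tag must be 0..31 and the string must fit in one AVP")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_reply_attributes(user_groups: Iterable[str],
                          mapping: Dict[str, str] = GROUP_TO_VLAN,
                          tag: int = 1) -> Optional[bytes]:
    """Reply attributes for the first of the user's groups with a VLAN mapping.
    Returns None when nothing maps, so the caller decides explicitly between
    an Access-Reject and the NAS's default VLAN."""
    for group in user_groups:
        if group in mapping:
            return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
                    + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
                    + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, mapping[group]))
    return None


def decode_tunnel_attributes(data: bytes) -> Dict[int, Tuple[int, object]]:
    """Parse a run of AVPs into {type: (tag, value)} as a NAS would, applying the
    RFC 2868 rule that a first byte above 0x1F in a string attribute is part of
    the string, not a tag. Unrelated attribute types are skipped."""
    out: Dict[int, Tuple[int, object]] = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError("bad AVP length")
        body = data[pos + 2:pos + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer attribute must carry 4 bytes")
            out[attr_type] = (body[0], int.from_bytes(body[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if body[0] > 0x1F:
                out[attr_type] = (0, body.decode("utf-8"))
            else:
                out[attr_type] = (body[0], body[1:].decode("utf-8"))
        pos += length
    return out


def assigned_vlan(data: bytes) -> Optional[str]:
    """The VLAN a NAS would apply, or None if the set is incomplete, not a VLAN
    over 802, or the three attributes do not share one tag."""
    attrs = decode_tunnel_attributes(data)
    try:
        ttag, ttype = attrs[TUNNEL_TYPE]
        mtag, medium = attrs[TUNNEL_MEDIUM_TYPE]
        gtag, group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    except KeyError:
        return None
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    if not (ttag == mtag == gtag):
        return None
    return str(group)


if __name__ == "__main__":
    wire = vlan_reply_attributes(["GROUP_A"])
    print(wire.hex(), "->", assigned_vlan(wire))
```

The None return for a user who is in no mapped group is deliberate: a NAS that receives an Access-Accept without these attributes normally puts the port on its configured default VLAN, so the policy should state whether such users are rejected or which VLAN they land on rather than leaving it to the switch.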


Re: Freeradius error: "Discarding conflicting packet"

2008-11-04 Thread Stephen Bowman
>
> > But what do you mean by "fix the NAS"? Should I use another brand/model
> > of AP?
>
> What I am trying to tell you is: are the about 30 APs that I am using
> broken?
>

Yes.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius error: "Discarding conflicting packet"

2008-11-04 Thread Sergio Belkin
2008/11/4 Sergio Belkin <[EMAIL PROTECTED]>:
> 2008/11/4 Alan DeKok <[EMAIL PROTECTED]>:
>> Sergio Belkin wrote:
>>>
>>> I think it is worthwhile to remark that this problem exists even using
>>> OpenWRT on a Linksys WRT54GL and not the original firmware...
>>
>>  Which may be based on similar code to the original firmware.
>>
>>> Is there a way to at least minimize those errors? I've heard some
>>> people complain that sometimes they try to reconnect and sometimes the
>>> only solution is to reboot the AP.
>>
>>  Fix the NAS.  As you noted earlier, this doesn't happen with another NAS.
>>  The conclusion is that the NAS is broken.
>
> But what do you mean by "fix the NAS"? Should I use another brand/model of 
> AP?

What I am trying to tell you is: are the about 30 APs that I am using broken?



>
>
>
>>
>>  Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
>
> --
> --
> Open Kairos http://www.openkairos.com
> Watch More TV http://sebelk.blogspot.com
> Sergio Belkin -
>



-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Add reply attributes to a proxy radius response

2008-11-04 Thread Paul TAVERNIER

I built a new lab with Freeradius 1.x, Cisco ASA, RSA-OTP and an RSARadius box.

All is working perfectly... because Freeradius 1.x parses the 
authorize section TWICE (as said in the proxy.conf comment, once before 
the proxy request and once after). So it asks my LDAP server twice for the 
attributes I need (Class+Framed-IP-Address). And with the second call, 
the Access-Accept contains all the reply attributes I need...


Sending Access-Accept of id 226 to 192.168.1.2:1025
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
==>  Class = 0x646976696e666f
==>  Framed-IP-Address = 1.2.3.4
Finished request 0
Going to the next request


So, the thing I'd like to do with Freeradius v2.1 is to insert an "ldap" 
authorization in the post_proxy section of my config.


And when I insert such a directive, it rejects me...

/etc/freeradius/sites-enabled/default[470]: "LDAP" modules aren't 
allowed in 'post-proxy' sections -- they have no such method.
/etc/freeradius/sites-enabled/default[456]: Errors parsing post-proxy 
section.


Any idea/tip?
Thanks in advance, rgds
Paul.





Paul TAVERNIER wrote:

Hi all,

I run with Freeradius 2.1, CiscoASA and RSASecurid "OTP"+RSARadius.

I set my Cisco ASA to authenticate against freeradius. On this 
freeradius server, I created a realm "OTP" which proxies the request to an 
RSARadius (the only one that can query the RSA OTP SecurID database). So when I 
authenticate with [EMAIL PROTECTED]/Passcode with my Cisco VPN client, the 
authentication is successful. No problem. Here's the log:


==(log)
[suffix] Looking up realm "otp" for User-Name = "[EMAIL PROTECTED]"
[suffix] Found realm "otp"
[suffix] Adding Stripped-User-Name = "xx"
[suffix] Adding Realm = "otp"
[suffix] Proxying request from user xx to realm otp
[suffix] Preparing to proxy authentication request to realm "otp"
++[suffix] returns updated
...
rad_recv: Access-Accept packet from host 192.168.1.1 port 1812, id=4, 
length=85

Class = x53425232434cd5a0c3accfca8fd9efc01180270180038198
Proxy-State = 0x313530
==(end of log)



The second thing I want to do is to "import" the user's "policy 
group" (radiusClass) and its own IP address (radiusFramedIPAddress). 
Those attributes are located in an LDAP directory server. So I decided to 
add the "ldap" module in the authorization section of my freeradius conf 
files. In the logs, I clearly see that freeradius is doing a great job 
(asking for and receiving my LDAP attrs).


==(log)
[ldap] performing user authorization for xx
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details

expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=xx)
expand: o=gouv,c=fr -> o=gouv,c=fr
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
...
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=gouv,c=fr, with filter (uid=xx)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
rlm_ldap: radiusClass -> Class = 0x646976696e666f
rlm_ldap: radiusFramedIPAddress -> Framed-IP-Address = 1.2.3.4
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?

[ldap] Setting Auth-Type = LDAP
[ldap] user xxx authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
==(end of log)


My problem is that finally I get 2 successful auths (that is how I interpret 
it, sorry...), and Freeradius "chooses" Auth-Type=Accept 
(the proxied RSARadius response, which doesn't contain the Class and 
Framed-IP-Address I need to push to my Cisco ASA).



==(log)

Found Auth-Type = LDAP
Found Auth-Type = Accept
Warning:  Found 2 auth-types on request for user 'xxx'
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 150 to 192.168.1.2 port 1025
Class = 0x53425232434cd5a0c3accfca8fd9efc0118027018
Finished request 0.
==(end of log)

In other words (sorry for being so long), I would love to 
authenticate against my OTP RSA SecurID boxes and concatenate RADIUS 
attributes found in an LDAP directory...


Where should I go? The post_proxy module?

Any help would be greatly appreciated.

Kind regards,
Paul






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


WiFI EAP-PEAP with VLAN

2008-11-04 Thread Dajka Tamás
Hi all,

Is it possible to include a VLAN tag in the reply, so that the client is assigned 
to the appropriate VLAN based on its auth group (so, if USER_A is a member of 
GROUP_A, then it's assigned to VLAN_A)?

Is this possible? Or should it be done elsewhere than the radius?

Thanks,

Tamas

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius error: "Discarding conflicting packet"

2008-11-04 Thread Sergio Belkin
2008/11/4 Alan DeKok <[EMAIL PROTECTED]>:
> Sergio Belkin wrote:
>>
>> I think it is worthwhile to remark that this problem exists even using
>> OpenWRT on a Linksys WRT54GL and not the original firmware...
>
>  Which may be based on similar code to the original firmware.
>
>> Is there a way to at least minimize those errors? I've heard some
>> people complain that sometimes they try to reconnect and sometimes the
>> only solution is to reboot the AP.
>
>  Fix the NAS.  As you noted earlier, this doesn't happen with another NAS.
>  The conclusion is that the NAS is broken.

But what do you mean by "fix the NAS"? Should I use another brand/model of AP?



>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius error: "Discarding conflicting packet"

2008-11-04 Thread Alan DeKok

Sergio Belkin wrote:

I think it is worthwhile to remark that this problem exists even using
OpenWRT on a Linksys WRT54GL and not the original firmware...


  Which may be based on similar code to the original firmware.


Is there a way to at least minimize those errors? I've heard some
people complain that sometimes they try to reconnect and sometimes the
only solution is to reboot the AP.


  Fix the NAS.  As you noted earlier, this doesn't happen with another 
NAS.  The conclusion is that the NAS is broken.


  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: user group problems, my logic or freeradius limitation

2008-11-04 Thread tnt
Sorry, my brain is like a sieve today.

Not DEFAULT but user entries (as I said in the text):

walt   password, huntgroup, group
fall-through

walt   bpassword, huntgroup, group

Ivan Kalik
Kalik Informatika ISP


Dana 4/11/2008, "Reynolds, Walter" <[EMAIL PROTECTED]> piše:

>I am trying to find a good way to limit who is able to login at specific 
>NAS's.  I know I could add all the allowed user names to the Huntgroups file, 
>but this can get tedious as I must do it for each NAS.  So I figured the best 
>way was to use groups.  The users are not account holders on the system, so I 
>could not use the 'Group' option in huntgroups.  I also do not have a 
>database backend so wanted to use a local file.
>
>So in looking I saw that I could do the following:
>
>1. modules/etc_group - Define a local file with a group list
>2. Created the group file referenced in etc_group
>3. Added a dictionary item for the attribute
>4. Add the desired NAS to a huntgroup
>5. Set a policy in the users file to be based on the list.
>
>Where I am having a problem is if the user is assigned to more than one group. 
> As you can see from the first debug output from below, if a user is a member 
>of the group alone it works fine.  But the second debug shows that if a user 
>is a member of more than one group, even if one is the right one, it will not 
>work because one of the groups does not match.
>
>The reason I need users in more than one group is if they are affiliated with 
>more than one department.  Also will need more than one affiliation for 
>support to be able to troubleshoot connecting on each NAS.
>
>In case it matters, the back end authentication is Kerberos on our production 
>service but for this test I just have some local accounts defined in the users 
>file.
>
>So, is this an error in my logic/setup or is this a limitation I have with 
>Freeradius?  Is there some other way to do this?
>
>
>===
>
>/usr/local/etc/raddb/modules/etc_group
>
>passwd etc_group {
>   filename = /usr/local/etc/raddb/group_file
>   format = "~Etc-Group-Name:*,User-Name"
>   hashsize = 150
>   ignorenislike = yes
>   allowmultiplekeys = yes
>   delimiter = ":"
>}
>
>
>
>/usr/local/etc/raddb/group_file
>
>wilab:walt,walter
>wilab2:walter,walter01
>nolab:walter01
>
>=
>
>/usr/local/etc/raddb/dictionary
>
>ATTRIBUTE   Etc-Group-Name  3000    string
>
>=
>
>/usr/local/etc/raddb/huntgroups
>
>ILAB    NAS-IP-Address == 10.11.224.36
>
>=
>
>/usr/local/etc/raddb/users  (added line numbers for the debug)
>
>
>102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type 
> := Reject
>103 Fall-Through = no
>104
>105 walt        Cleartext-Password := "walter01"
>106 walter      Cleartext-Password := "walter01"
>107 walter01    Cleartext-Password := "walter01"
>
>
>---
>
>
>rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111, 
>length=131
>User-Name = "walt"
>User-Password = "walter01"
>NAS-IP-Address = 10.11.224.36
>Service-Type = Login-User
>Framed-IP-Address = 192.168.135.25
>Called-Station-Id = "00:07:E9:D1:8F:C2"
>NAS-Identifier = "Bluesocket"
>Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477"
>NAS-Port-Type = Wireless-802.11
>Tue Nov  4 07:09:21 2008 : Info: +- entering group authorize {...}
>Tue Nov  4 07:09:21 2008 : Info: ++[preprocess] returns ok
>Tue Nov  4 07:09:21 2008 : Info: ++[chap] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[mschap] returns noop
>Tue Nov  4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", 
>looking up realm NULL
>Tue Nov  4 07:09:21 2008 : Info: [suffix] No such realm "NULL"
>Tue Nov  4 07:09:21 2008 : Info: ++[suffix] returns noop
>Tue Nov  4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP
>Tue Nov  4 07:09:21 2008 : Info: ++[eap] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[unix] returns notfound
>Tue Nov  4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to 
>request_items
>Tue Nov  4 07:09:21 2008 : Info: ++[etc_group] returns ok
>Tue Nov  4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105
>Tue Nov  4 07:09:21 2008 : Info: ++[files] returns ok
>Tue Nov  4 07:09:21 2008 : Info: ++[expiration] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[logintime] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns updated
>Tue Nov  4 07:09:21 2008 : Info: Found Auth-Type = PAP
>Tue Nov  4 07:09:21 2008 : Info: +- entering group PAP {...}
>Tue Nov  4 07:09:21 2008 : Info: [pap] login attempt with password "walter01"
>Tue Nov  4 07:09:21 2008 : Info: [pap] Using clear text password "walter01"
>Tue Nov  4 07:09:21 2008 : Info: [pap] User authenticated successfully
>Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns ok
>Tue Nov  4 07:09:21 2008 : Info: +- entering group pos

Re: user group problems, my logic or freeradius limitation

2008-11-04 Thread tnt
Sorry, you have a problem with users in multiple groups. What I posted will
have no effect. You should create a different huntgroup: add every NAS
that groups wilab2 and nolab are allowed to connect to. Then remove that
users file entry and add:

DEFAULT   Huntgroup-Name == "wilab2", Etc-Group-Name == "wilab2"
 Fall-Through = yes

DEFAULT   Huntgroup-Name == "nolab", Etc-Group-Name == "nolab"
 Fall-Through = yes

Ivan Kalik
Kalik Informatika ISP


Dana 4/11/2008, "Reynolds, Walter" <[EMAIL PROTECTED]> piše:

>I am trying to find a good way to limit who is able to login at specific 
>NAS's.  I know I could add all the allowed user names to the Huntgroups file, 
>but this can get tedious as I must do it for each NAS.  So I figured the best 
>way was to use groups.  The users are not account holders on the system, so I 
>could not use the 'Group' option in huntgroups.  I also do not have a 
>database backend so wanted to use a local file.
>
>So in looking I saw that I could do the following:
>
>1. modules/etc_group - Define a local file with a group list
>2. Created the group file referenced in etc_group
>3. Added a dictionary item for the attribute
>4. Add the desired NAS to a huntgroup
>5. Set a policy in the users file to be based on the list.
>
>Where I am having a problem is if the user is assigned to more than one group. 
> As you can see from the first debug output from below, if a user is a member 
>of the group alone it works fine.  But the second debug shows that if a user 
>is a member of more than one group, even if one is the right one, it will not 
>work because one of the groups does not match.
>
>The reason I need users in more than one group is if they are affiliated with 
>more than one department.  Also will need more than one affiliation for 
>support to be able to troubleshoot connecting on each NAS.
>
>In case it matters, the back end authentication is Kerberos on our production 
>service but for this test I just have some local accounts defined in the users 
>file.
>
>So, is this an error in my logic/setup or is this a limitation I have with 
>Freeradius?  Is there some other way to do this?
>
>
>===
>
>/usr/local/etc/raddb/modules/etc_group
>
>passwd etc_group {
>   filename = /usr/local/etc/raddb/group_file
>   format = "~Etc-Group-Name:*,User-Name"
>   hashsize = 150
>   ignorenislike = yes
>   allowmultiplekeys = yes
>   delimiter = ":"
>}
>
>
>
>/usr/local/etc/raddb/group_file
>
>wilab:walt,walter
>wilab2:walter,walter01
>nolab:walter01
>
>=
>
>/usr/local/etc/raddb/dictionary
>
>ATTRIBUTE   Etc-Group-Name  3000    string
>
>=
>
>/usr/local/etc/raddb/huntgroups
>
>ILAB    NAS-IP-Address == 10.11.224.36
>
>=
>
>/usr/local/etc/raddb/users  (added line numbers for the debug)
>
>
>102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type 
> := Reject
>103 Fall-Through = no
>104
>105 walt        Cleartext-Password := "walter01"
>106 walter      Cleartext-Password := "walter01"
>107 walter01    Cleartext-Password := "walter01"
>
>
>---
>
>
>rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111, 
>length=131
>User-Name = "walt"
>User-Password = "walter01"
>NAS-IP-Address = 10.11.224.36
>Service-Type = Login-User
>Framed-IP-Address = 192.168.135.25
>Called-Station-Id = "00:07:E9:D1:8F:C2"
>NAS-Identifier = "Bluesocket"
>Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477"
>NAS-Port-Type = Wireless-802.11
>Tue Nov  4 07:09:21 2008 : Info: +- entering group authorize {...}
>Tue Nov  4 07:09:21 2008 : Info: ++[preprocess] returns ok
>Tue Nov  4 07:09:21 2008 : Info: ++[chap] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[mschap] returns noop
>Tue Nov  4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", 
>looking up realm NULL
>Tue Nov  4 07:09:21 2008 : Info: [suffix] No such realm "NULL"
>Tue Nov  4 07:09:21 2008 : Info: ++[suffix] returns noop
>Tue Nov  4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP
>Tue Nov  4 07:09:21 2008 : Info: ++[eap] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[unix] returns notfound
>Tue Nov  4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to 
>request_items
>Tue Nov  4 07:09:21 2008 : Info: ++[etc_group] returns ok
>Tue Nov  4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105
>Tue Nov  4 07:09:21 2008 : Info: ++[files] returns ok
>Tue Nov  4 07:09:21 2008 : Info: ++[expiration] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[logintime] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns updated
>Tue Nov  4 07:09:21 2008 : Info: Found Auth-Type = PAP
>Tue Nov  4 07:09:21 2008 : Info: +- entering group PAP {...}
>Tue Nov  4 07:09:21 2008 : Info: [pap] login attempt with password

Re: user group problems, my logic or freeradius limitation

2008-11-04 Thread tnt
>/usr/local/etc/raddb/huntgroups
>
>ILABNAS-IP-Address == 10.11.224.36
>

Add the group(s) to huntgroup configuration:

ILAB   NAS-IP-Address == 10.11.12.13
  Etc-Group-Name == "wilab"

Members of other groups will not be able to connect. You can remove:

>102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type 
> := Reject
>103 Fall-Through = no

from the users file.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


user group problems, my logic or freeradius limitation

2008-11-04 Thread Reynolds, Walter
I am trying to find a good way to limit who is able to login at specific NAS's. 
 I know I could add all the allowed user names to the Huntgroups file, but this 
can get tedious as I must do it for each NAS.  So I figured the best way was to 
use groups.  The users are not account holders on the system, so I could not 
use the 'Group' option in huntgroups.  I also do not have a database backend 
so wanted to use a local file.

So in looking I saw that I could do the following:

1. modules/etc_group - Define a local file with a group list
2. Created the group file referenced in etc_group
3. Added a dictionary item for the attribute
4. Add the desired NAS to a huntgroup
5. Set a policy in the users file to be based on the list.

Where I am having a problem is if the user is assigned to more than one group.  
As you can see from the first debug output from below, if a user is a member of 
the group alone it works fine.  But the second debug shows that if a user is a 
member of more than one group, even if one is the right one, it will not work 
because one of the groups does not match.

The reason I need users in more than one group is if they are affiliated with 
more than one department.  Also will need more than one affiliation for support 
to be able to troubleshoot connecting on each NAS.

In case it matters, the back end authentication is Kerberos on our production 
service but for this test I just have some local accounts defined in the users 
file.

So, is this an error in my logic/setup or is this a limitation I have with 
Freeradius?  Is there some other way to do this?


===

/usr/local/etc/raddb/modules/etc_group

passwd etc_group {
   filename = /usr/local/etc/raddb/group_file
   format = "~Etc-Group-Name:*,User-Name"
   hashsize = 150
   ignorenislike = yes
   allowmultiplekeys = yes
   delimiter = ":"
}



/usr/local/etc/raddb/group_file

wilab:walt,walter
wilab2:walter,walter01
nolab:walter01

=

/usr/local/etc/raddb/dictionary

ATTRIBUTE   Etc-Group-Name  3000    string

=

/usr/local/etc/raddb/huntgroups

ILAB    NAS-IP-Address == 10.11.224.36

=

/usr/local/etc/raddb/users  (added line numbers for the debug)


102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type := 
Reject
103 Fall-Through = no
104
105 walt        Cleartext-Password := "walter01"
106 walter      Cleartext-Password := "walter01"
107 walter01    Cleartext-Password := "walter01"


---


rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111, 
length=131
User-Name = "walt"
User-Password = "walter01"
NAS-IP-Address = 10.11.224.36
Service-Type = Login-User
Framed-IP-Address = 192.168.135.25
Called-Station-Id = "00:07:E9:D1:8F:C2"
NAS-Identifier = "Bluesocket"
Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477"
NAS-Port-Type = Wireless-802.11
Tue Nov  4 07:09:21 2008 : Info: +- entering group authorize {...}
Tue Nov  4 07:09:21 2008 : Info: ++[preprocess] returns ok
Tue Nov  4 07:09:21 2008 : Info: ++[chap] returns noop
Tue Nov  4 07:09:21 2008 : Info: ++[mschap] returns noop
Tue Nov  4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", looking 
up realm NULL
Tue Nov  4 07:09:21 2008 : Info: [suffix] No such realm "NULL"
Tue Nov  4 07:09:21 2008 : Info: ++[suffix] returns noop
Tue Nov  4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP
Tue Nov  4 07:09:21 2008 : Info: ++[eap] returns noop
Tue Nov  4 07:09:21 2008 : Info: ++[unix] returns notfound
Tue Nov  4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to 
request_items
Tue Nov  4 07:09:21 2008 : Info: ++[etc_group] returns ok
Tue Nov  4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105
Tue Nov  4 07:09:21 2008 : Info: ++[files] returns ok
Tue Nov  4 07:09:21 2008 : Info: ++[expiration] returns noop
Tue Nov  4 07:09:21 2008 : Info: ++[logintime] returns noop
Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns updated
Tue Nov  4 07:09:21 2008 : Info: Found Auth-Type = PAP
Tue Nov  4 07:09:21 2008 : Info: +- entering group PAP {...}
Tue Nov  4 07:09:21 2008 : Info: [pap] login attempt with password "walter01"
Tue Nov  4 07:09:21 2008 : Info: [pap] Using clear text password "walter01"
Tue Nov  4 07:09:21 2008 : Info: [pap] User authenticated successfully
Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns ok
Tue Nov  4 07:09:21 2008 : Info: +- entering group post-auth {...}
Tue Nov  4 07:09:21 2008 : Info: ++[exec] returns noop
Sending Access-Accept of id 111 to 10.11.224.36 port 32783
Tue Nov  4 07:09:21 2008 : Info: Finished request 0.


===
rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=112, length=133
User-Name = "walter"
User-Password = "walter01"
NAS-IP-Address = 10.11.224.36
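The debug output above is what `radiusd -X` prints for a PAP request, and it shows the one thing to remember before mailing such a log to a list: rlm_pap echoes the cleartext password twice, and the request dump prints User-Password as well. The following script is an added example, not code from FreeRADIUS or from any poster in this thread. It splits a -X log into one record per `rad_recv`, collects the attribute dump, the `++[module] returns rc` trail, the chosen Auth-Type, the reply and its attributes, and lists every password it saw in the clear, with a `redact_passwords` helper to run over a log before sharing it. `SAMPLE_LOG` is constructed to mirror the shape of the output quoted above; the user, password and addresses are made up, and the regexes are tuned to the 2.x prefix shown here (other versions vary the wording).

```python
"""Summarise `radiusd -X` debug output per request and redact the cleartext
passwords it prints.

Added example, not code from FreeRADIUS or from the list posts.  SAMPLE_LOG is
constructed to mirror the shape of the debug output quoted above (`rad_recv`,
attribute dump, `++[module] returns rc`, `Sending ...`); user, password and
addresses are made up.  Other radiusd versions vary the prefix and wording, so
treat the regexes as a starting point.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: one PAP Access-Request that is accepted.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 32783, id=111, length=167
\tUser-Name = "alice"
\tUser-Password = "s3cret-pw"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port-Type = Wireless-802.11
Tue Nov  4 07:09:21 2008 : Info: +- entering group authorize {...}
Tue Nov  4 07:09:21 2008 : Info: ++[preprocess] returns ok
Tue Nov  4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP
Tue Nov  4 07:09:21 2008 : Info: ++[eap] returns noop
Tue Nov  4 07:09:21 2008 : Info: [files] users: Matched entry alice at line 105
Tue Nov  4 07:09:21 2008 : Info: ++[files] returns ok
Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns updated
Tue Nov  4 07:09:21 2008 : Info: Found Auth-Type = PAP
Tue Nov  4 07:09:21 2008 : Info: +- entering group PAP {...}
Tue Nov  4 07:09:21 2008 : Info: [pap] login attempt with password "s3cret-pw"
Tue Nov  4 07:09:21 2008 : Info: [pap] Using clear text password "s3cret-pw"
Tue Nov  4 07:09:21 2008 : Info: [pap] User authenticated successfully
Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns ok
Sending Access-Accept of id 111 to 192.0.2.10 port 32783
\tFramed-IP-Address = 192.0.2.77
Tue Nov  4 07:09:21 2008 : Info: Finished request 0.
"""

TIMESTAMP_RE = re.compile(r"^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} : \w+: ")
RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
SEND_RE = re.compile(r"^Sending (\S+) of id \d+ to ")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)$")
MODULE_RE = re.compile(r"^\++\[(\w+)\] returns (\w+)$")
ATTR_RE = re.compile(r"^([A-Za-z0-9-]+) = (.*)$")
# Every place this debug output echoes a password in the clear: the
# User-Password attribute dump and the two rlm_pap lines.
PASSWORD_RE = re.compile(r'(User-Password = |password )"([^"]*)"')


@dataclass
class Request:
    kind: str                      # Access-Request, Accounting-Request, ...
    client: str                    # NAS address the packet came from
    packet_id: int
    attrs: dict = field(default_factory=dict)        # request attributes
    modules: list = field(default_factory=list)      # (module, rcode) in order
    auth_type: Optional[str] = None
    reply: Optional[str] = None                      # Access-Accept / Access-Reject
    reply_attrs: dict = field(default_factory=dict)  # attributes after "Sending"
    leaked: list = field(default_factory=list)       # passwords printed in clear


def parse_debug_log(text: str) -> list:
    """Split a -X log into Request records, one per rad_recv."""
    requests, cur, in_reply = [], None, False
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip())
        m = RECV_RE.match(line)
        if m:
            cur = Request(kind=m.group(1), client=m.group(2), packet_id=int(m.group(3)))
            requests.append(cur)
            in_reply = False
            continue
        if cur is None:
            continue                # preamble before the first packet
        m = PASSWORD_RE.search(line)
        if m and m.group(2) not in cur.leaked:
            cur.leaked.append(m.group(2))
        if m := SEND_RE.match(line):
            cur.reply, in_reply = m.group(1), True
        elif m := AUTH_TYPE_RE.match(line):
            cur.auth_type = m.group(1)
        elif m := MODULE_RE.match(line):
            cur.modules.append((m.group(1), m.group(2)))
        elif m := ATTR_RE.match(line):
            target = cur.reply_attrs if in_reply else cur.attrs
            target[m.group(1)] = m.group(2).strip('"')
    return requests


def redact_passwords(text: str) -> str:
    """Mask the cleartext passwords before the log is mailed or pasted."""
    return PASSWORD_RE.sub(lambda m: m.group(1) + '"<redacted>"', text)


if __name__ == "__main__":
    for r in parse_debug_log(SAMPLE_LOG):
        print(f"id={r.packet_id} {r.kind} from {r.client}: auth={r.auth_type} "
              f"reply={r.reply} last={r.modules[-1]} leaked={len(r.leaked)} password(s)")
```

Run it over a saved log with `parse_debug_log(open(path).read())`; the `modules` trail of each record is the quickest way to see which module turned a request into a reject, and `leaked` is non-empty exactly when the log must be redacted before it leaves the box.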

Re: RES: exec program, but post-auth

2008-11-04 Thread tnt
>Here I use Exec-Program-Wait to validate data AFTER auth OK; I need to 
>execute another script AFTER auth OK to get the IP address assigned to the user.
>
>I'm trying to pass %f to my script but it returns "?.?.?.?" because at this 
>moment radius has not assigned an IP to the user...
>
>How can I do this?
>

Where is "here"? In what section are you trying to run the script?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius-1.0.5_EAP-TTLS_MSCHAPv2 auth issue

2008-11-04 Thread tnt
PS. You might need MPPE encryption attributes. Enable use_tunneled_reply
in the ttls section of eap.conf.

Ivan Kalik
Kalik Informatika ISP


On 4/11/2008, "Prasad Parab" <[EMAIL PROTECTED]> wrote:

>Hi all,
> Kindly help me with the issue involving freeradius-1.0.5 for the
>EAP-TTLS_mschapv2 auth type.
>
>SETUP:
>
>WIN XP (wifi client)   <---> AP <--> freeradius-1.0.5
>EAP-TTLS_mschapv2   authenticator eap type = ttls
>
>
>Attached are the debug log and eap.conf file.
>But with the same setup EAP-TTLS with mschap works.
>Please advise if my eap.conf is wrong?
>
> Regards
>Prasad
>
>



Re: freeradius-1.0.5_EAP-TTLS_MSCHAPv2 auth issue

2008-11-04 Thread tnt
Radius is OK with this:

Sending Access-Accept of id 128 to 192.168.5.199:1033
MS-MPPE-Recv-Key = 0x1c3166a5ac144184d06242bea756adbef7a696dc98522668d12084ca8d9d5a1d
MS-MPPE-Send-Key = 0x0cd28527f22aae46443fe1458e1a67a430502cc3e566fffbbc53e0bfd4c3020b
EAP-Message = 0x03050004
Message-Authenticator = 0x
User-Name = "anonymous"

Ivan Kalik
Kalik Informatika ISP

On 4/11/2008, "Prasad Parab" <[EMAIL PROTECTED]> wrote:

>Hi all,
> Kindly help me with the issue involving freeradius-1.0.5 for the
>EAP-TTLS_mschapv2 auth type.
>
>SETUP:
>
>WIN XP (wifi client)   <---> AP <--> freeradius-1.0.5
>EAP-TTLS_mschapv2   authenticator eap type = ttls
>
>
>Attached are the debug log and eap.conf file.
>But with the same setup EAP-TTLS with mschap works.
>Please advise if my eap.conf is wrong?
>
> Regards
>Prasad
>
>

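The Access-Accept Ivan quotes is the complete picture a wireless NAS needs at the end of an EAP exchange: an EAP-Message carrying EAP-Success (`0x03050004` is Code 3 = Success, Identifier 5, Length 4), the MS-MPPE-Recv-Key/MS-MPPE-Send-Key pair the AP uses as PMK, and a Message-Authenticator. The script below is an added example, not code from FreeRADIUS or from any poster: it parses the `Attribute = value` dump that `radiusd -X` prints after "Sending Access-Accept", decodes the 4-byte EAP header per RFC 3748, and reports which of those three pieces is missing. Both sample replies are constructed (the key bytes are filler, not real keys, and the address is from the documentation range); the second one is the same reply with the MPPE pair absent, which is the case to look for when an EAP-TTLS or PEAP session authenticates but the client is disconnected right after.

```python
"""Audit the Access-Accept that ends an EAP (PEAP/TTLS) exchange.

Added example, not code from FreeRADIUS or the list posts.  It parses the
`Attribute = value` dump `radiusd -X` prints after "Sending Access-Accept",
decodes the 4-byte EAP header in EAP-Message (RFC 3748), and reports what a
wireless NAS would miss: the MS-MPPE-Recv/Send-Key pair the AP uses as PMK
(RFC 3580) and the Message-Authenticator RFC 3579 requires on EAP replies.
Both sample dumps are constructed; the key bytes are filler, not real keys.
"""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
FILLER_KEY = "0x" + "00112233445566778899aabbccddeeff" * 2   # constructed, 32 octets
FILLER_MSG_AUTH = "0x" + "00" * 16                            # constructed, 16 octets

SAMPLE_ACCEPT = f"""\
Sending Access-Accept of id 128 to 192.0.2.199:1033
\tMS-MPPE-Recv-Key = {FILLER_KEY}
\tMS-MPPE-Send-Key = {FILLER_KEY}
\tEAP-Message = 0x03050004
\tMessage-Authenticator = {FILLER_MSG_AUTH}
\tUser-Name = "anonymous"
"""

# Same reply without the key pair: the case a wireless NAS will not accept.
SAMPLE_ACCEPT_NO_MPPE = f"""\
Sending Access-Accept of id 129 to 192.0.2.199:1033
\tEAP-Message = 0x03060004
\tMessage-Authenticator = {FILLER_MSG_AUTH}
\tUser-Name = "anonymous"
"""


def parse_attrs(dump: str) -> dict:
    """Attribute = value lines from a -X reply dump (quotes stripped)."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def decode_eap_header(hexstr: str) -> dict:
    """Code(1) Identifier(1) Length(2) from the EAP-Message octets."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP-Message shorter than the 4-byte header")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    # A Success/Failure is exactly one 4-byte packet; longer EAP packets may be
    # split over several EAP-Message attributes, which this check does not join.
    if length != len(data):
        raise ValueError(f"EAP Length {length} != {len(data)} octets present")
    return {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}


def audit_eap_accept(dump: str) -> dict:
    """Return the decoded EAP header and a list of problems a NAS would hit."""
    attrs = parse_attrs(dump)
    problems = []
    eap = None
    if "EAP-Message" not in attrs:
        problems.append("no EAP-Message: supplicant never sees EAP-Success")
    else:
        eap = decode_eap_header(attrs["EAP-Message"])
        if eap["code"] != "Success":
            problems.append(f"EAP code is {eap['code']}, not Success")
    for key in ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key"):
        if key not in attrs:
            problems.append(f"missing {key}: an 802.11 NAS has no PMK for the 4-way handshake")
    if "Message-Authenticator" not in attrs:
        problems.append("missing Message-Authenticator: NAS must discard an EAP reply without it (RFC 3579)")
    return {"eap": eap, "problems": problems}


if __name__ == "__main__":
    for name, dump in (("with keys", SAMPLE_ACCEPT), ("without keys", SAMPLE_ACCEPT_NO_MPPE)):
        result = audit_eap_accept(dump)
        print(name, result["eap"], result["problems"] or "OK")
```

The keys appear decrypted in the debug output only because -X prints the reply before the MS-MPPE attributes are encrypted with the shared secret on the wire; a capture between server and NAS shows them encrypted, which is another reason the shared secret must be strong and per-NAS.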


RES: exec program, but post-auth

2008-11-04 Thread Adriano - IPinfo
Hello, use:
&{dictionary name}
E.g.:
&{Call-Station-Id}
-Original message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On behalf of Alexandre J. Correa - Onda Internet
Sent: Monday, 3 November 2008 19:43
To: FreeRadius users mailing list
Subject: exec program, but post-auth 

Hello !!

Here I use Exec-Program-Wait to validate data AFTER auth OK; I need to 
execute another script AFTER auth OK to get the IP address assigned to the user.

I'm trying to pass %f to my script but it returns "?.?.?.?" because at this 
moment radius has not assigned an IP to the user...

How can I do this?

thanks !!

-- 
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br





Re: Freeradius-1.0.5_PEAP with EAP-MD5 auth failure

2008-11-04 Thread tnt
A cleartext password should work with all methods. This looks like a bug to
me. rlm_eap_md5 should complain here if it didn't like the password
etc.:

[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns reject

Ivan Kalik
Kalik Informatika ISP


On 4/11/2008, "Prasad Parab" <[EMAIL PROTECTED]> wrote:

>Hi all/Ivan,
>Thanks for a prompt reply.
>And please find the attached users file and log also for easy reference.
>
>Regards
>Prasad
>
>On Mon, Nov 3, 2008 at 5:47 PM,  <[EMAIL PROTECTED]> wrote:
>>>As told, I tried freeradius-2.1.1, but same result.
>>>Actually my setup involves a wifi client supporting PEAP -> EAP-MD5
>>>
>>>   |-> EAP-Token_card
>>>
>>>   |-> EAP-MSCHAPv2
>>>Attached are the conf file eap.conf and debug log file.
>>>
>>>Wifi client is installed on Windows XP Service Pack 2 OS.
>>>SETUP:
>>>wifi client(WINXP)  <-> AP <--->
>>>freeradius-2.1.1 server.
>>>
>>>The setup works with PEAP_EAP-Tokencard and PEAP_EAP-MSCHAPv2
>>>but fails only for PEAP_EAP-MD5.
>>>Is it because of the supplicant (Win XP)?
>>
>> Can you post users file entry:
>>
>>>[files] users: Matched entry client at line 96
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>
>

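Ivan's point that a cleartext password "should work with all methods" is exactly the requirement EAP-MD5 imposes: RFC 3748 section 5.4 defines MD5-Challenge as CHAP (RFC 1994), so the server must recompute MD5(Identifier || secret || challenge) from the stored secret and compare it with what the supplicant sent, and it cannot do that from a hashed password. The following is an added example, not code from FreeRADIUS or from any poster, that carries the exchange through on both sides with Python's hashlib and then shows why the method is only acceptable inside a PEAP tunnel: anyone who sees one untunnelled challenge/response pair can guess the password offline. Secrets, challenges and the wordlist are constructed; the `Name` fields are optional per the RFC and filled with made-up values.

```python
"""EAP-MD5 (MD5-Challenge) on both sides, and why it only belongs inside a tunnel.

Added example, not code from FreeRADIUS or the list posts.  RFC 3748 section 5.4
defines MD5-Challenge as CHAP (RFC 1994): Value = MD5(Identifier || secret ||
challenge), where Identifier is the one-octet EAP Identifier of the Request.
The server must hold the cleartext secret to recompute that digest, which is
why the users-file password is the first thing to check in the thread above.
Secrets, challenges, names and the wordlist below are constructed.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

MD5_CHALLENGE_TYPE = 4  # EAP Type number for MD5-Challenge


def new_challenge(size: int = 16) -> bytes:
    """Server picks a fresh random challenge per Request; never reuse one."""
    return os.urandom(size)


def build_md5_challenge_type_data(challenge: bytes, name: bytes = b"") -> bytes:
    """EAP-Request/MD5-Challenge Type-Data: Value-Size(1) || Challenge || Name."""
    return bytes([len(challenge)]) + challenge + name


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The 16-octet response value: MD5(Identifier || secret || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_md5_response_type_data(identifier: int, secret: bytes, challenge: bytes,
                                 name: bytes = b"") -> bytes:
    """Supplicant side: EAP-Response/MD5-Challenge Type-Data."""
    value = md5_challenge_response(identifier, secret, challenge)
    return bytes([len(value)]) + value + name


def verify_md5_response(identifier: int, secret: bytes, challenge: bytes,
                        type_data: bytes) -> bool:
    """Server side: parse the Response Type-Data and compare in constant time."""
    if len(type_data) < 1 + 16 or type_data[0] != 16:
        return False                      # malformed or wrong Value-Size
    expected = md5_challenge_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, type_data[1:17])


def crack_md5_response(identifier: int, challenge: bytes, value: bytes,
                       wordlist: Iterable[bytes]) -> Optional[bytes]:
    """What a passive observer of an untunnelled exchange can do: guess offline."""
    for candidate in wordlist:
        if md5_challenge_response(identifier, candidate, challenge) == value:
            return candidate
    return None


if __name__ == "__main__":
    ident, secret, chal = 5, b"correct-horse", new_challenge()
    request_td = build_md5_challenge_type_data(chal, b"radius.example")
    response_td = build_md5_response_type_data(ident, secret, chal, b"bob")
    print("server accepts:", verify_md5_response(ident, secret, chal, response_td))
    print("offline guess :", crack_md5_response(ident, chal, response_td[1:17],
                                                [b"123456", b"password", b"correct-horse"]))
```

Note that nothing in the exchange binds the response to the server: a rogue AP can issue its own challenge and collect responses to attack offline, which is why `crack_md5_response` needs only one observed pair and why EAP-MD5 is not usable for 802.11 outside a tunnel (it also derives no keying material for the NAS).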


Re: exec program, but post-auth

2008-11-04 Thread tnt
So radius *is* assigning IPs? Where? If it's ippool/sqlippool, list
your exec program after these in the post-auth section. If IPs are
assigned by DHCP you have to get them from accounting packets. But that
will work for radius-assigned IPs too.

Ivan Kalik
Kalik Informatika ISP


On 4/11/2008, "Alexandre J. Correa - Onda Internet"
<[EMAIL PROTECTED]> wrote:

>Auth is working fine... but I need to execute a script after auth OK to 
>get the IP that radius assigned to the user. Any idea how I can do this?!
>
>thanks !!!
>
>
>[EMAIL PROTECTED] wrote:
>>> Here I use Exec-Program-Wait to validate data AFTER auth OK; I need to 
>>> execute another script AFTER auth OK to get the IP address assigned to the user.
>>>
>>> I'm trying to pass %f to my script but it returns "?.?.?.?" because at this 
>>> moment radius has not assigned an IP to the user...
>>>
>>> How can I do this?
>>>
>>> 
>>
>> If radius is not assigning IPs the NAS will send them in accounting packets.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>>   
>
>
>-- 
>Sds.
>
>Alexandre Jeronimo Correa
>
>Onda Internet - http://www.ondainternet.com.br
>OPinguim Hosting - http://www.opinguim.net
>
>Linux User ID #142329
>
>UNOTEL S/A - http://www.unotel.com.br
>
>
>

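Ivan's reply above distinguishes two cases: when sqlippool/ippool allocates the address, it is in the reply by the time a script listed after them in post-auth runs; when the NAS or DHCP assigns it, the server first learns the address from the Accounting-Request. The script below is an added example, not code from FreeRADIUS or from any poster, of an `exec` hook that handles both. It assumes the exec module's documented behaviour of exporting the attributes of its configured input list as environment variables named after the attribute in upper case with `-` replaced by `_` (Framed-IP-Address becomes `FRAMED_IP_ADDRESS`); which list is exported (request or reply) is a per-instance setting, and in post-auth the allocated address is in the reply, so that setting has to match or the script will keep seeing nothing. Passing the section name as the first argument is this example's own convention, and the sample environments in the test are constructed. It also recognises the two Framed-IP-Address values RFC 2865 section 5.8 reserves as instructions rather than addresses, one of which (255.255.255.254, "NAS selects") is precisely the case where only accounting will ever tell you the real address.

```python
"""An `exec` script that learns the user's Framed-IP-Address from the
environment FreeRADIUS hands it.

Added example, not code from FreeRADIUS or the list posts.  It assumes the
exec module's documented behaviour of exporting the attributes of its input
list as environment variables named after the attribute in upper case with
'-' replaced by '_' (Framed-IP-Address -> FRAMED_IP_ADDRESS).  Which list is
exported (request or reply) is a per-instance setting; in post-auth the
address sqlippool allocated is in the reply.  The section name in argv[1] is
this example's own convention; the sample environments are constructed.
"""
import ipaddress
import os
import sys
from typing import Optional, Tuple

# RFC 2865 section 5.8: these two Framed-IP-Address values are not addresses
# but instructions to the NAS.
USER_SELECTS = ipaddress.IPv4Address("255.255.255.255")
NAS_SELECTS = ipaddress.IPv4Address("255.255.255.254")
# Acct-Status-Type values that report an address the session is using.
ACCT_WITH_ADDRESS = {"Start", "Interim-Update", "Alive"}


def attr_env_name(attr: str) -> str:
    """RADIUS attribute name -> environment variable name rlm_exec uses."""
    return attr.upper().replace("-", "_")


def framed_ip_from_env(env: dict, section: str) -> Tuple[str, Optional[str]]:
    """Classify what the environment says about the user's address.

    Returns (status, ip); status is one of: assigned, not-yet-assigned,
    nas-assigns, user-selects, invalid, skip.
    """
    if section not in ("post-auth", "accounting"):
        raise ValueError(f"unsupported section {section!r}")
    if section == "accounting":
        status = env.get(attr_env_name("Acct-Status-Type"))
        if status not in ACCT_WITH_ADDRESS:
            return ("skip", None)          # Stop / Accounting-On / Off: release, not assignment
    raw = env.get(attr_env_name("Framed-IP-Address"))
    if raw is None or raw == "?.?.?.?":    # absent, or the placeholder the poster reports
        return ("not-yet-assigned", None)
    try:
        ip = ipaddress.IPv4Address(raw)
    except ValueError:
        return ("invalid", raw)
    if ip == NAS_SELECTS:
        return ("nas-assigns", None)       # only the accounting packets will tell
    if ip == USER_SELECTS:
        return ("user-selects", None)
    return ("assigned", str(ip))


if __name__ == "__main__":
    section = sys.argv[1] if len(sys.argv) > 1 else "post-auth"
    status, ip = framed_ip_from_env(dict(os.environ), section)
    print(f"{section}: user={os.environ.get('USER_NAME')} status={status} ip={ip}")
    # With wait = yes a non-zero exit makes rlm_exec fail the request, which in
    # post-auth turns an Accept into a Reject; a logging hook must always exit 0.
    sys.exit(0)
```

Listing the exec instance in both post-auth (after the pool module) and accounting, and keying the record on Acct-Session-Id, gives one row per session whichever side assigns the address; the `nas-assigns` result from post-auth is the signal to wait for the Start packet rather than to treat the lookup as a failure.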