Re: Unknown module eap

2008-11-16 Thread Craig White
On Sun, 2008-11-16 at 07:55 +0100, Alan DeKok wrote:
> Craig White wrote:
> > freeradius newbie here...not sure where I went wrong and someone
> > probably can figure this out in a second.
>
>   You edited the default configuration files and broke it.
>
> > CentOS 5 (freeradius-1.1.3-1.2.el5) still using default certificates so
> > as not to complicate things too much yet.
>
>   I really suggest upgrading to 2.1.1.
>
> > rlm_eap: No such sub-type for default EAP type peap
> > radiusd.conf[10]: eap: Module instantiation failed.
> > radiusd.conf[1940] Unknown module eap.
> > radiusd.conf[1887] Failed to parse authenticate section.
> >
> > Can someone toss me a bone here?
>
>   You deleted the peap section from eap.conf.  Or, you configured
> default_eap_type = peap, but without un-commenting the peap section in
> eap.conf.

yup...thanks - the instructions that I was following didn't make it
clear for me to do that (uncomment the peap section...duh). I'm sort of
working through things one breakage at a time.

As for upgrading, duly noted but I don't know what it is that I don't
know so I'll stay with the distribution for the time being. I think Red
Hat has a newer version on track.

Thanks

Craig
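
The failure discussed in this thread, as an added example that is not part of the original posts or of FreeRADIUS itself: a Python check that every default_eap_type in an eap.conf names a section that is actually uncommented. The BROKEN and FIXED excerpts are constructed in the 1.x eap.conf layout, and check_eap_conf is a hypothetical helper name.

```python
import re

# Constructed eap.conf excerpt (FreeRADIUS 1.x layout), not the poster's file:
# default_eap_type points at peap while the peap section is still commented out.
BROKEN = """
eap {
    default_eap_type = peap
    md5 {
    }
    tls {
        private_key_file = ${raddbdir}/certs/cert-srv.pem
    }
    #peap {
    #    default_eap_type = mschapv2
    #}
    mschapv2 {
    }
}
"""
# Same excerpt with the three peap lines uncommented.
FIXED = re.sub(r"(?m)^(\s*)#", r"\1", BROKEN)

def check_eap_conf(text):
    """Return a list of problems; an empty list means the EAP types line up."""
    stack, subtypes, defaults = [], set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # commented-out sections do not count
        if not line:
            continue
        section = re.fullmatch(r"([\w-]+)\s*\{", line)
        if section:
            if stack == ["eap"]:             # direct child of eap { } is a sub-type
                subtypes.add(section.group(1))
            stack.append(section.group(1))
        elif line == "}" and stack:
            stack.pop()
        else:
            m = re.fullmatch(r"default_eap_type\s*=\s*(\S+)", line)
            if m and stack and stack[0] == "eap":
                defaults["/".join(stack)] = m.group(1)
    problems = [f"{where}: default_eap_type = {t} but no active '{t} {{' section"
                for where, t in defaults.items() if t not in subtypes]
    # PEAP and TTLS run inside a TLS tunnel, so they need an active tls section.
    if {"peap", "ttls"} & subtypes and "tls" not in subtypes:
        problems.append("peap/ttls enabled without an active tls section")
    return problems
```

check_eap_conf(BROKEN) reports the same mismatch that rlm_eap logs as "No such sub-type for default EAP type peap"; check_eap_conf(FIXED) returns an empty list.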

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRADIUS client + PAM integration

2008-11-16 Thread Vinay
hi there,
We are planning to use FreeRadius Client with PAM.
Could you please give me the document/Links/FAQ
explaining the integration of FreeRADIUS client with PAM?

Thanks
Vinay


Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-16 Thread Matt Bernstein

On Nov 14 Tim Gustafson wrote:


> I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.


The easiest way to install the latest FreeRADIUS on CentOS I know of is to 
visit http://koji.fedoraproject.org/koji/packageinfo?packageID=298, find 
the latest source RPM and rebuild it. It's a small amount of work, but 
will stop people saying upgrade a lot..


> I'm trying to figure out how to configure FreeRADIUS to authenticate
> against an OpenLDAP server using MSCHAPv2.  I Googled a lot of different
> phrases, and came up with some things that were mildly helpful.  Right
> now, I have FreeRADIUS authenticating against the LDAP server without
> using MSCHAPv2, but I'm not understanding how to now activate the
> MSCHAPv2 part.


I have it working. You need to check your ldap.attrmap (or whatever you've 
set dictionary_mapping to) points at the right LDAP field. I use the 
samba schema, so:


checkItem   NT-Password sambaNtPassword

Then your debug log should include entries like:

rlm_ldap: sambaNtPassword - NT-Password == 0x
WARNING: No known good password was found in LDAP.  Are you sure that 
the user is configured correctly?


..but this is OK, since with mschap before ldap in your authorize{} 
block, FreeRADIUS will handle the challenge-response stuff correctly for 
MSCHAPv2 using the NT hash from OpenLDAP. Make sure you bind to OpenLDAP 
with sufficient privilege to read the NT hash!


HTH

Matt


Re: FreeRADIUS client + PAM integration

2008-11-16 Thread tnt
http://freeradius.org/pam_radius_auth/

Ivan Kalik
Kalik Informatika ISP

On 16/11/2008, Vinay [EMAIL PROTECTED] wrote:

> hi there,
> We are planning to use FreeRadius Client with PAM.
> Could you please give me the document/Links/FAQ
> explaining the integration of FreeRADIUS client with PAM?
>
> Thanks
> Vinay


ldap and unix return different results

2008-11-16 Thread Craig White
I am trying to use mschap and the following is logged suggesting that
ldap authorize succeeds but unix authorize fails but the passwords are
the same (aside from the fact that samba hashes the password). I can ssh
into the radius server with the user name and password...

# getent passwd|grep craigwhite
craigwhite:x:1013:1000:Craig White:/home/users/craigwhite:/bin/sh

# radtest craigwhite MY_PASSWORD MY_RADIUS_SERVER 0 whatever

and on the radius server running 'radiusd -X -f'

Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812 Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.100.7:60829, id=45,
length=62
User-Name = craigwhite
User-Password = MY_PASSWORD
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = craigwhite, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for craigwhite
radius_xlat:  '(uid=craigwhite)'
radius_xlat:  'ou=People,ou=Accounts,o=MY_ORG,c=US'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as cn=admin,o=Mullen,c=US/riod to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,ou=Accounts,o=MY_ORG,c=US, with
filter (uid=craigwhite)
rlm_ldap: checking if remote access for craigwhite is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value
[UX ]  op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value HASHED_PASSWORD 
op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value HASHED_PASSWORD 
op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user craigwhite authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [craigwhite]: invalid password
  modcall[authenticate]: module unix returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.

Obviously this is something to do with the 'users' file configuration
which is still at its default and apparently this is the problem
here...

DEFAULT Auth-Type = System
Fall-Through = 1

What nugget am I missing?

Craig



Re: Unknown module eap

2008-11-16 Thread Ted Lum

Alan DeKok wrote:
> Craig White wrote:
> > freeradius newbie here...not sure where I went wrong and someone
> > probably can figure this out in a second.
>
>   You edited the default configuration files and broke it.
>
> > CentOS 5 (freeradius-1.1.3-1.2.el5) still using default certificates so
> > as not to complicate things too much yet.
>
>   I really suggest upgrading to 2.1.1.


You're already running the latest CentOS package which is quite old, yum
update won't get you anywhere. The only way to upgrade is to rpmbuild
from source; never simply build from source on a CentOS system if you
have a choice. See
http://wiki.freeradius.org/Build#Building_RedHat_packages. There isn't
much documentation on it and that how-to assumes that you already have
everything you need... you must have gcc, rpm-build, and all of the
-devel packages installed otherwise it won't build some modules. Watch
the ./configure output as it builds to see if you're getting warnings
about missing libraries... it may not be missing the library but the
-devel for the library. You can ignore things you don't need like
Oracle, etc. On a CentOS system cp -a /usr/src/redhat/ rpmbuild probably
will not work, use mkdir -p
~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS} instead.


Also watch out for SELinux, it breaks things.

  

> > rlm_eap: No such sub-type for default EAP type peap
> > radiusd.conf[10]: eap: Module instantiation failed.
> > radiusd.conf[1940] Unknown module eap.
> > radiusd.conf[1887] Failed to parse authenticate section.
> >
> > Can someone toss me a bone here?
>
>   You deleted the peap section from eap.conf.  Or, you configured
> default_eap_type = peap, but without un-commenting the peap section in
> eap.conf.
>
>   Alan DeKok.


Re: ldap and unix return different results

2008-11-16 Thread Craig White
On Sun, 2008-11-16 at 09:45 -0700, Craig White wrote:
> I am trying to use mschap and the following is logged suggesting that
> ldap authorize succeeds but unix authorize fails but the passwords are
> the same (aside from the fact that samba hashes the password). I can ssh
> into the radius server with the user name and password...
>
> Obviously this is something to do with the 'users' file configuration
> which is still at its default and apparently this is the problem
> here...
>
> DEFAULT Auth-Type = System
> Fall-Through = 1
>
> What nugget am I missing?

nevermind...

Instead of above, I needed...

DEFAULT Auth-Type = LDAP

probably obvious to some here...this is pretty cool stuff

Thanks

Craig
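
How to read the debug output in this thread, as an added example that is not part of the original posts: a Python sketch that splits one request's radiusd -X lines into the authorize and authenticate phases and reports which Auth-Type was picked and which module rejected. SAMPLE is trimmed from the log quoted in the first post of the thread; trace_request and explain are hypothetical helper names.

```python
import re

# Lines taken from the radiusd -X output quoted in the thread (trimmed).
SAMPLE = """\
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: Adding sambaNTPassword as NT-Password, value HASHED_PASSWORD
  modcall[authorize]: module ldap returns ok for request 0
  rad_check_password:  Found Auth-Type System
rlm_unix: [craigwhite]: invalid password
  modcall[authenticate]: module unix returns reject for request 0
auth: Failed to validate the user.
"""

MODCALL = re.compile(r"modcall\[(\w+)\]: module (\S+) returns (\w+) for request \d+")
AUTH_TYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
USERS = re.compile(r"users: Matched entry (\S+) at line (\d+)")
CHECK_ITEM = re.compile(r"rlm_ldap: Adding \S+ as (\S+),")

def trace_request(log):
    """Collect per-phase module results and the Auth-Type chosen for one request."""
    trace = {"authorize": [], "authenticate": [], "auth_type": None,
             "users_entry": None, "check_items": []}
    for line in log.splitlines():
        if m := MODCALL.search(line):
            trace.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := AUTH_TYPE.search(line):
            trace["auth_type"] = m.group(1)
        elif m := USERS.search(line):
            trace["users_entry"] = (m.group(1), int(m.group(2)))
        elif m := CHECK_ITEM.search(line):
            trace["check_items"].append(m.group(1))
    return trace

def explain(trace):
    """One-line summary of which module turned the request down, and why it ran."""
    rejected = [mod for mod, rc in trace["authenticate"] if rc == "reject"]
    if not rejected:
        return "no authenticate module rejected the request"
    return (f"Auth-Type {trace['auth_type']} sent the request to module "
            f"{rejected[0]}, which rejected it; LDAP had supplied {trace['check_items']}")

if __name__ == "__main__":
    print(explain(trace_request(SAMPLE)))
```

On the sample, every authorize module returns ok or noop, the DEFAULT entry at line 152 of the users file sets Auth-Type System, and the only module run in authenticate is unix.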



Framed-User?

2008-11-16 Thread Sergio Belkin
Sorry for the stupid question, what does Framed-User stand for?

I hope not to be stoned to death because of such a question :)
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


FreeRADIUS 2 server + FreeRADIUS client - something like POD (packet of disconnect)

2008-11-16 Thread NiTr0
I use FreeRADIUS v2.0.1 on server side and FreeRADIUS client library
v1.1.6 with pptpd/pppd on client side. Is there something like
Mpd-drop-user attribute for MPD5? Or I must hangup sessions only by
unusual way with 3rd-party client-server apps (for ex., telnet, snmp,
etc)?



Re: EAP and server certificate

2008-11-16 Thread Queenie de Melo
Thanks!

I too was thinking on the same lines.
Does EAP-GTC work only with Username n Password? Is there anything
additional needed?
What abt EAP-TTLS with EAP-GTC? Would certificates or anything additional to
username and password be required at the client/server side?

Any good info on Token card handshake is welcome :)

On Fri, Nov 14, 2008 at 9:27 PM, Arran Cudbard-Bell [EMAIL PROTECTED] wrote:

> Damjan wrote:
> > Just to be sure, all EAP types require the radius server to have a
> > certificate right?
> >
> > and this certificate, i.e. its parent needs to be installed in the
> > supplicants, right?
>
> No, EAP-MD5, EAP-GTC, EAP-SecurID and a few others don't need certificates.
>
> --
> Arran Cudbard-Bell ([EMAIL PROTECTED]),
> Authentication, Authorisation and Accounting Officer,
> Infrastructure Services (IT Services),
> E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
> DDI+FAX: +44 1273 873900 | INT: 3900
> GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

PEAP-MD5 WPA auth failure freeradius-2.1.1

2008-11-16 Thread Prasad Parab
Dear All,

I am trying to authenticate using PEAP-MD5 for WPA using a wireless device
as follows:


Wifi client (PEAP-EAP-MD5, WPA)  ---  AP (Authenticator)  ---  freeradius-2.1.1

Wifi client: Windows-XP Service pack 2
  user: client
  Password: test123

freeradius-2.1.1: /usr/local/radius/etc/raddb/users file entry
  client Cleartext-Password := test123
         Reply-Message = Hello, client

Attached are 2 wireshark captures
One between wifi-client and authenticator
Other between authenticator and radius server.
It shows auth failure.
Can u elaborate as to why this is happening as user name and password are
both correct???

Regards
Prasad


dro-250i_authenticator_freeradius2.1.1_peap_md5
Description: Binary data


dro-250i_supplicant_authebticator_eapol.pcap
Description: Binary data