rlm_sql errors
Hi everyone,

I use freeradius (FreeRADIUS Version 1.1.4, with security changes through 1.1.7, for host apple.com, built on Sep 23 2007 at 22:52:08) on Mac OS X Server 10.5.6. My problem is that I get messages in the log file that I do not understand. It looks like this:

Thu Jan 29 16:10:41 2009 : Auth: rlm_opendirectory: User is authorized.
Thu Jan 29 16:10:41 2009 : Auth: Login OK: [vorname_nachname/<User-Password attribute>] (from client Cisco 4402 port 29 cli 00-17-F2-E8-74-76)
Thu Jan 29 16:10:42 2009 : Info: rlm_sql_sqlite: Opening sqlite database for #1
Thu Jan 29 16:10:42 2009 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Thu Jan 29 16:10:42 2009 : Error: rlm_sql (sql): failed after re-connect
Thu Jan 29 16:10:42 2009 : Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record - (null)
Thu Jan 29 16:10:48 2009 : Info: rlm_sql_sqlite: Opening sqlite database for #0
Thu Jan 29 16:10:48 2009 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Thu Jan 29 16:10:48 2009 : Error: rlm_sql (sql): failed after re-connect
Thu Jan 29 16:10:48 2009 : Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record - (null)
Thu Jan 29 16:13:44 2009 : Error: rlm_radutmp: Logout entry for NAS Cisco 4402 port 29 has wrong ID
Thu Jan 29 16:13:44 2009 : Info: rlm_sql_sqlite: Opening sqlite database for #4
Thu Jan 29 16:13:44 2009 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Thu Jan 29 16:13:44 2009 : Error: rlm_sql (sql): failed after re-connect
Thu Jan 29 16:13:44 2009 : Error: rlm_sql (sql): Couldn't update SQL accounting STOP record - (null)
Thu Jan 29 16:13:50 2009 : Error: rlm_radutmp: Logout entry for NAS Cisco 4402 port 29 has wrong ID
Thu Jan 29 16:13:50 2009 : Info: rlm_sql_sqlite: Opening sqlite database for #3
Thu Jan 29 16:13:50 2009 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Thu Jan 29 16:13:50 2009 : Error: rlm_sql (sql): failed after re-connect
Thu Jan 29 16:13:50 2009 : Error: rlm_sql (sql): Couldn't update SQL accounting STOP record - (null)

Could someone please tell me what this means? What consequences does this have? What can I do to make this baby run right?

Thanks
Qrt

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
reply message to rejected users
I'm trying to display a reply message to users whose passwords get rejected. So I set up the group and added my test user there. Then I went to the groupreply table and added the reply message there. Now when I do my testing, if the password is OK the message is displayed, BUT if the password is incorrect the message is not displayed. I'm sure I did something wrong. So the question is: how do I display a message to the user if their username gets rejected for any reason?

Thanks for the help!
Re: IP-Assignment with sqlippool based on nas-ip-address
I have attached new schema and queries for mysql sqlippool. These should work with both 4 and 5 MySQL versions (I have done some manual testing on both; 4 on Linux and 5 on Windows). In version 5 (at least the Windows one I have tested on) CURRENT_TIMESTAMP defaults to '-00-00 00:00:00' instead of current date. This has no impact on how queries work. It might have been fixed in later MySQL verions (this is 5.0.18). I am not sure if I have done diff from the correct files so I included both patches and files. Ivan Kalik Kalik Informatika ISP --- ippool.sql 2009-01-29 22:33:12.0 +0100 +++ ippooln.sql 2009-01-29 22:39:22.0 +0100 @@ -8,7 +8,7 @@ nasipaddress varchar(15) NOT NULL default '', calledstationid VARCHAR(30) NOT NULL, callingstationid VARCHAR(30) NOT NULL, - expiry_time DATETIME NULL default NULL, + expiry_time TIMESTAMP NOT NULL default CURRENT_TIMESTAMP, username varchar(64) NOT NULL default '', pool_key varchar(30) NOT NULL, PRIMARY KEY (id) ippooln.sql Description: Binary data --- ippool.conf 2009-01-29 19:13:12.0 +0100 +++ ippooln.conf2009-01-29 23:29:32.0 +0100 @@ -8,7 +8,7 @@ # allocate-clear = "UPDATE ${ippool_table} \ # SET nasipaddress = '', pool_key = 0, \ # callingstationid = '', username = '', \ -# expiry_time = NULL \ +# expiry_time = NOW() - INTERVAL 1 SECOND \ # WHERE pool_key = '${pool-key}'" ## This series of queries allocates an IP address @@ -19,8 +19,8 @@ allocate-clear = "UPDATE ${ippool_table} \ SET nasipaddress = '', pool_key = 0, \ callingstationid = '', username = '', \ - expiry_time = NULL \ - WHERE expiry_time <= NOW() - INTERVAL 1 SECOND + expiry_time = NOW() - INTERVAL 1 SECOND \ + WHERE pool_key = '${pool-key}' \ AND nasipaddress = '%{Nas-IP-Address}'" @@ -39,7 +39,7 @@ # ## use this query instead # allocate-find = "SELECT framedipaddress FROM ${ippool_table} \ # WHERE pool_name = '%{control:Pool-Name}' \ -# AND expiry_time =s NULL \ +# AND expiry_time < NOW() \ # ORDER BY RAND() \ # LIMIT 1 \ # FOR UPDATE" 
@@ -59,21 +59,21 @@ SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \ callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', \ expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \ - WHERE framedipaddress = '%I' AND expiry_time = NULL" + WHERE framedipaddress = '%I'" -## This series of queries frees an IP number when an accounting +## This query updates lease duration for an IP address when an accounting ## START record arrives start-update = "UPDATE ${ippool_table} \ SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \ WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}'" -## This series of queries frees an IP number when an accounting +## This query frees an IP number when an accounting ## STOP record arrives stop-clear = "UPDATE ${ippool_table} \ SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \ - expiry_time = NULL \ + expiry_time = NOW() - INTERVAL 1 SECOND \ WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \ AND username = '%{User-Name}' \ AND callingstationid = '%{Calling-Station-Id}' \ @@ -81,7 +81,7 @@ -## This series of queries frees an IP number when an accounting +## This query updates lease duration for an IP address when an accounting ## ALIVE record arrives alive-update = "UPDATE ${ippool_table} \ SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \ 
@@ -92,18 +92,18 @@ -## This series of queries frees the IP numbers allocate to a +## This query frees the IP numbers allocated to a ## NAS when an accounting ON record arrives on-clear = "UPDATE ${ippool_table} \ SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \ - expiry_time = NULL \ + expiry_time = NOW() - INTERVAL 1 SECOND \ WHERE nasipaddress = '%{Nas-IP-Address}'" -## This series of queries frees the IP numbers allocate to a +## This query frees the IP numbers allocated to a ## NAS when an accounting OFF record arrives off-clear = "UPDATE ${ippool_table} \ SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \ - expiry_time = NULL \ + expiry_time = NOW() - INTERVAL 1 SECOND \ WHERE nasipaddress = '%{Nas-IP-Address}'" ippooln.conf Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
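Review bot: the ippool.sql hunk (`- expiry_time DATETIME NULL default NULL,` / `+ expiry_time TIMESTAMP NOT NULL default CURRENT_TIMESTAMP,`) changes what marks a free address (NULL before, any time not later than NOW() now) but the DDL does not record that convention anywhere. Add a comment next to the column, e.g. `expiry_time TIMESTAMP NOT NULL default CURRENT_TIMESTAMP, -- at or before NOW() means the address is free`, and note that TIMESTAMP, unlike the DATETIME it replaces, is converted through the session time zone and cannot hold dates after January 2038, so an expiry computed from an oversized ${lease-duration} would be out of range.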
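Review bot: in the `@@ -19,8 +19,8 @@` hunk the new allocate-clear WHERE clause (`+ WHERE pool_key = '${pool-key}' \` followed by `AND nasipaddress = '%{Nas-IP-Address}'"`) narrows the query from "every expired lease on this NAS" to "the lease for this port on this NAS, expired or not". Expired leases on other ports are still handed out again because allocate-find now selects `expiry_time < NOW()`, but their old nasipaddress, username and callingstationid stay in the table until reuse, so anyone reading the pool table for troubleshooting sees stale ownership; say in the `##` comment that this is intended. The replacement line also supplies the `\` continuation that the removed `- WHERE expiry_time <= NOW() - INTERVAL 1 SECOND` line lacked, which deserves a separate mention in the commit text.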
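Review bot: in the `@@ -59,21 +59,21 @@` hunk allocate-update drops `AND expiry_time = NULL` and keeps only `WHERE framedipaddress = '%I'"`. The removed condition never matched (`= NULL` is not `IS NULL`), so the old query was broken rather than protective, but the replacement should still carry a guard such as `AND expiry_time < NOW()` so that two servers sharing the pool that select the same address cannot both claim it: the loser then updates 0 rows and can retry. The `FOR UPDATE` on allocate-find only gives that protection when both statements run inside one transaction on a row-locking engine.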
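Review bot: on-clear and off-clear in the `@@ -92,18 +92,18 @@` hunk (like the other clear queries above) write `pool_key = 0` into a column the schema hunk declares as `pool_key varchar(30) NOT NULL`, so the stored value is the string '0' while the sibling columns are reset to ''. Use `pool_key = ''` for consistency with the other cleared columns, so a reader of the table does not take pool_key for a numeric column.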
Re: IP-Assignment with sqlippool based on nas-ip-address
>> >>> Hm, does it "see" NULL greater than now()? Replace NULL in expiry_time
>> >>> column with "-00-00 00:00:00" (that's what MySQL thinks null
>> >>> datetime is - it will match IS NULL). And in that previous query replace
>> >>> = NULL with = '-00-00 00:00:00'.
>> >>>
>> >>> If this is so, sqlippool schema will need to be changed.
>> >>
>> >> This works. Yes, i think the schema really needs a update.
>> >
>> > As always, patches are welcome.
>> >
>> It probably needs just a change from NULL to '-00-00 00:00:00' for
>> the expiry_time default value in ippool.sql.
>>
>> expiry_time IS NULL will match if value is '-00-00 00:00:00'. I
>> will fix the queries to use MySQL null value (-00-00 00:00:00) and
>> not NULL, since NULL doesn't work in
>
> Yes, that should work...
>

I am afraid it won't. NULL and '-00-00 00:00:00' are treated differently in 4.x and 5.x MySQL versions. You can make it work for one but not the other. I have a different idea - scrap NULL and use now() as default. I'll see what needs to be changed for queries to work.

Ivan Kalik
Kalik Informatika ISP
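To see why the three conventions Ivan contrasts (a NULL marker, MySQL's zero datetime, and a timestamp in the past) behave differently in the pool queries, here is an added example; it is not code from this thread or from the FreeRADIUS sqlippool distribution. The table expiry_demo, its four addresses and the 3600-second lease are constructed for illustration; it assumes MySQL, and the last step assumes a row-locking engine such as InnoDB.

```sql
-- Constructed throw-away table mirroring only the expiry_time column of the
-- sqlippool schema, created as the pre-patch nullable DATETIME.
CREATE TABLE expiry_demo (
  framedipaddress VARCHAR(15) NOT NULL,
  expiry_time     DATETIME    NULL DEFAULT NULL,
  PRIMARY KEY (framedipaddress)
) ENGINE=InnoDB;

-- Inserting the zero datetime needs an sql_mode without NO_ZERO_DATE on
-- newer MySQL releases.
INSERT INTO expiry_demo (framedipaddress, expiry_time) VALUES
  ('10.0.0.1', NULL),                          -- old "free" marker
  ('10.0.0.2', '0000-00-00 00:00:00'),         -- MySQL zero datetime
  ('10.0.0.3', NOW() - INTERVAL 1 SECOND),     -- lease already expired
  ('10.0.0.4', NOW() + INTERVAL 3600 SECOND);  -- lease still active

-- 1. The test the original allocate-find used. "= NULL" never evaluates to
--    TRUE in SQL (it yields NULL), so this returns no rows whatever the
--    table holds: the pool looks exhausted although addresses are free.
SELECT framedipaddress FROM expiry_demo WHERE expiry_time = NULL;

-- 2. IS NULL matches the genuine NULL row (10.0.0.1). MySQL documents an
--    ODBC-compatibility rule under which IS NULL also matches the zero date
--    on NOT NULL date columns, so whether 10.0.0.2 is returned depends on the
--    column definition and server version: not a portable "free" test.
SELECT framedipaddress FROM expiry_demo WHERE expiry_time IS NULL;

-- 3. A plain time comparison is unambiguous: the zero datetime and every past
--    timestamp sort before NOW() (10.0.0.2 and 10.0.0.3 are returned), while
--    NULL compares as unknown and is skipped. This is why "expired means
--    free" works once NULL is no longer used as the marker.
SELECT framedipaddress FROM expiry_demo WHERE expiry_time < NOW();

-- 4. Migrating an existing pool table: rewrite the NULL markers first,
--    otherwise those addresses are never handed out again after the column
--    is tightened to NOT NULL with a current-time default.
UPDATE expiry_demo
   SET expiry_time = NOW() - INTERVAL 1 SECOND
 WHERE expiry_time IS NULL;
ALTER TABLE expiry_demo
  MODIFY expiry_time TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP;

-- 5. Allocation as check-and-set: lock the candidate row in a transaction,
--    then claim it only if it is still free. Keeping "expiry_time < NOW()"
--    in the UPDATE means two servers that picked the same row cannot both
--    succeed; the loser sees 0 rows affected and must pick another address.
START TRANSACTION;
SELECT framedipaddress FROM expiry_demo
 WHERE expiry_time < NOW()
 ORDER BY RAND() LIMIT 1
   FOR UPDATE;
UPDATE expiry_demo
   SET expiry_time = NOW() + INTERVAL 3600 SECOND
 WHERE framedipaddress = '10.0.0.3'        -- the address the SELECT returned
   AND expiry_time < NOW();
COMMIT;
```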
Re: attribute filter prior to prxy
Ugh! My fault, I placed it in pre-acct instead of pre-proxy :p

On 29.01.2009 10:01, Alexandre Chapellon wrote:
> Hello,
>
> I want to remove all attributes from packets to proxy except some of
> them i do say are allowed...
>
> I thought the following would do the job in the pre-proxy section, but
> when i check what the freeradius proxies (using tcpdump) i see the
> filter just filters nothing
>
> DEFAULT
>         Acct-Status-Type =* ANY,
>         User-Name =* ANY,
>         Framed-IP-Address =* ANY,
>         Qos-Policy-Metering =* ANY,
>         Ip_Address_Pool_Name =* ANY,
>         Class =* ANY
attribute filter prior to prxy
Hello,

I want to remove all attributes from packets to proxy except some of them I do say are allowed...

I thought the following would do the job in the pre-proxy section, but when I check what FreeRADIUS proxies (using tcpdump) I see the filter just filters nothing:

DEFAULT
        Acct-Status-Type =* ANY,
        User-Name =* ANY,
        Framed-IP-Address =* ANY,
        Qos-Policy-Metering =* ANY,
        Ip_Address_Pool_Name =* ANY,
        Class =* ANY
Re: Certificate Provisioning for EAP-TLS Networks
On Thu, Jan 29, 2009 at 12:52 PM, Matt Causey wrote:
> I am running FreeRadius at my company on a WLAN - using SSL key
> material issued by our internal certificate authority. All is well.
>
> However a pretty big limitation of this security architecture is of
> course getting the SSL key material onto the devices. In our case -
> the devices are SIP phones with no wired ethernet connection. I know
> there are other sites with similar issues.
>
> I would like to hear some ideas on what folks are doing to manage SSL
> key material on devices. This would include initial key provisioning
> and re-keying when certs expire. Presently ours expire every 90 days.
>
> Thoughts?

You can check and maybe take some ideas from the WiMAX Forum guys. Go to www.wimaxforum.org. Register and login. Go to Network Working Group and check for OTA Provisioning and Network Architecture (stage 2 and 3) specifications.

Regards
Luciano
Re: 802.1x machine authentication ads peap domainname
wow! it's working great!!! Tests with two instances for now are working - thanks a lot! I must do more tests but it seems this is the way!

regards!
Lukasz

2009/1/29 :
>>i'm not splitting user name from realm (well i don't know), below is
>>an example with NT-Domain expand: (not working host/host.domain.local
>>eap/peap but works ppp authorization from all domains User-name is
>>DOMAIN\\user and domain is correctly expanded it works also with
>>OTHERDOMAIN\\otheruser - another trusted ads domain)
>>
>>
>>server inner-tunnel {
>>+- entering group authorize
>>++[chap] returns noop
>>++[mschap] returns noop
>>++[unix] returns notfound
>>rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
>>looking up realm NULL
>>rlm_realm: No such realm "NULL"
>>++[suffix] returns noop
>>++[control] returns noop
>> rlm_eap: EAP packet type response id 9 length 89
>> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>++[eap] returns updated
>>++[files] returns noop
>>++[expiration] returns noop
>>++[logintime] returns noop
>>++[pap] returns noop
>> rad_check_password: Found Auth-Type EAP
>>auth: type "EAP"
>>+- entering group authenticate
>> rlm_eap: Request found, released from the list
>> rlm_eap: EAP/mschapv2
>> rlm_eap: processing type mschapv2
>>+- entering group MS-CHAP
>> rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
>> rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
>> rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
>>NT-Password
>> expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>> expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- here
>> mschap2: fa
>> expand: --challenge=%{mschap:Challenge:-00} -> --challenge=19601d7be2fx
>> expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3a04766fxxxbfaedba4977c0xxx
>>Exec-Program output: Logon failure (0xc06d)
>>Exec-Program-Wait: plaintext: Logon failure (0xc06d)
>>Exec-Program: returned: 1
>> rlm_mschap: External script failed.
>> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>>++[mschap] returns reject
>>
>>
>>and here is an example without NT-Domain expand for ntlm_auth (it is
>>working well for only "domain.local" and "DOMAIN\\user" but not for
>>trusted OTHERDOMAIN\\otheruser ):
>>
>>
>>server inner-tunnel {
>>+- entering group authorize
>>++[chap] returns noop
>>++[mschap] returns noop
>>++[unix] returns notfound
>>rlm_realm: No '@' in User-Name = "host/somehost.domain.local",
>>looking up realm NULL
>>rlm_realm: No such realm "NULL"
>>++[suffix] returns noop
>>++[control] returns noop
>> rlm_eap: EAP packet type response id 7 length 89
>> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>++[eap] returns updated
>>++[files] returns noop
>>++[expiration] returns noop
>>++[logintime] returns noop
>>++[pap] returns noop
>> rad_check_password: Found Auth-Type EAP
>>auth: type "EAP"
>>+- entering group authenticate
>> rlm_eap: Request found, released from the list
>> rlm_eap: EAP/mschapv2
>> rlm_eap: processing type mschapv2
>>+- entering group MS-CHAP
>> rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
>> rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
>> rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with
>>NT-Password
>> expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>> mschap2: 96
>> expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2dff1a169cx
>> expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7fa7664801defd917c241937bd4xxx
>>Exec-Program output: NT_KEY: 7C54FDDBA668A77
>>Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxx
>>Exec-Program: returned: 0
>>rlm_mschap: adding MS-CHAPv2 MPPE keys
>>++[mschap] returns ok
>>
>
> OK. So you need two mschap instances one for NT format (DOMAIN\\user
> type - with NT-Domain in ntlm_auth) and one for IPASS
> (host/somehost.domain.local type - without) format. Use unlang to detect
> the delimiter and switch the correct instance replacing mschap in
> authorize and inside Auth-Type MSCHAP.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: IP-Assignment with sqlippool based on nas-ip-address
> >>> Hm, does it "see" NULL greater than now()? Replace NULL in expiry_time
> >>> column with "-00-00 00:00:00" (that's what MySQL thinks null
> >>> datetime is - it will match IS NULL). And in that previous query replace
> >>> = NULL with = '-00-00 00:00:00'.
> >>>
> >>> If this is so, sqlippool schema will need to be changed.
> >>
> >> This works. Yes, i think the schema really needs a update.
> >
> > As always, patches are welcome.
> >
> It probably needs just a change from NULL to '-00-00 00:00:00' for
> the expiry_time default value in ippool.sql.
>
> expiry_time IS NULL will match if value is '-00-00 00:00:00'. I
> will fix the queries to use MySQL null value (-00-00 00:00:00) and
> not NULL, since NULL doesn't work in

Yes, that should work...

There is another problem with the mysql-configuration. In the file ippool.conf there is the following part:

-
## This series of queries allocates an IP address
## (Note: If your pool-key is set to Calling-Station-Id and not NAS-Port
## then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}'
## from the WHERE clause)
allocate-clear = "UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, \
  callingstationid = '', username = '', \
  expiry_time IS NULL \
  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND
  AND nasipaddress = '%{Nas-IP-Address}'"

After the line "WHERE expiry_time <= NOW() - INTERVAL 1 SECOND" the "\" is missing. This will cause an error if you start the server.
Re: IP-Assignment with sqlippool based on nas-ip-address
> > Is there another possibility to reassign the same ip-address to the user
> > again?
>
> Not while first connection is still active. That can't possibly work.
> NAS will reject such IP.
>
> Are you trying to create a multilink? That is NAS, not radius capability.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Ok, I will check that with our NAS. At the moment I am only testing with radtest. But thanks a lot so far for all the help!
Re: XP SP3 an EAP-TLS partly solution (SOLVED)
Alexandros Gougousoudis wrote:

Hi,

just to give an update on my efforts to make XP SP3 work with EAP-TLS. Machine based EAP-TLS authentication works fine for WIRED connections, as I wrote in the last mail. BUT that doesn't mean that it works for wireless connections. :-) Before SP3 there wasn't a problem with that; with this alpha version of the service pack, it's not working.

First of all, the things you need to do with the network-adapter profiles, using the netsh command, aren't working in XP with wlan profiles, simply because the netsh command doesn't know "netsh wlan ..." (you get an error). Vista knows that context, XP SP3 not. So there is a freeware utility zwlancfg here http://www.engl.co.uk/products/zwlancfg/index.html. Get that and you can export and import the wlan profiles. But setting the authentication to machine as with wired connections won't work. You always get a "no certificate found" error (the cert which is OK for wired connections!) and no connection. If the tool zwlancfg is setting up the connection manually, you get an "illegal authmode" error. So you need to have set up the connection to a machineOrUser authmode. It seems there is no machine authmode in XP SP3 anymore. As written by MS here: http://msdn.microsoft.com/en-us/library/ms706279.aspx

"This element is optional. When authMode is not specified in a profile, a value of |machineOrUser| is used. *Windows XP with SP3 and Wireless LAN API for Windows XP with SP2: *This element will be ignored if it is present in a profile"

But stop! It's not that easy. :-) Because it's Microsoft, it always works a little, but never 100%. If no user is logged in (= login screen), the connection is established (seen in the Radius log). If a user logs in, the connection is dropped and you get a "no cert" error. If the machine cert is included in the user's context, using the cert-mgr, the connection is again established. So I have to install the machine cert for each user who will log in to the computer.

And, hey, did I say that machine based EAP-TLS auth via WLAN worked in SP2, despite the MS information? It's definitely not a Freeradius problem, but most people will look here to solve the problem. After a lot of googling I found that I must be the only one with that combination and problems. So SP3 haters, unite! :-) And stay with SP2. And no, I won't buy Vista! I'll post my solution here either. If someone likes to give me a hint, I'll be happy.

cu
Alex

I have been seeing the SAME thing, in a way, from my one XP home client (my laptop came with Vista, and I didn't care to move off it): one day the WLAN connected into my wireless network, next day it didn't. I suspected it was XP SP3 but didn't dig too much into it, as wired worked.

I tested the setup last night, and in short what I was seeing from my Radius (in debug mode: radiusd -X) was that the EAP-TLS was established, the user name was passed (but didn't match the proper realm, so that was discarded) and radius sent back a radius-challenge to my WAP, and then on to the client, and nothing ever came back. A few minutes later, I would get a Radius access request and repeat it, over and over and over. I get prompted for the proper certs, and so forth after tinkering with it for a little bit, but it still hasn't connected.

Frustrating problem that I haven't seen a solution to yet, which is similar to this problem, though slightly different.

~Seann
Certificate Provisioning for EAP-TLS Networks
I am running FreeRadius at my company on a WLAN - using SSL key material issued by our internal certificate authority. All is well.

However a pretty big limitation of this security architecture is of course getting the SSL key material onto the devices. In our case - the devices are SIP phones with no wired ethernet connection. I know there are other sites with similar issues.

I would like to hear some ideas on what folks are doing to manage SSL key material on devices. This would include initial key provisioning and re-keying when certs expire. Presently ours expire every 90 days.

Thoughts?

--
Matt
Re: IP-Assignment with sqlippool based on nas-ip-address
> Is there another possibility to reassign the same ip-address to the user again?

Not while first connection is still active. That can't possibly work. NAS will reject such IP.

Are you trying to create a multilink? That is NAS, not radius capability.

Ivan Kalik
Kalik Informatika ISP
RE: Calling-Station-Id Check Erroring
>> Try SELECT * FROM radcheck WHERE value='00-1C-B3-B1-3E-07' and see if
>> that line gets listed. You might have white space around it. It should
>> match.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> That correctly returns it:
> 7 eric1328 Calling-Station-Id == 00-1C-B3-B1-3E-07
>
> I've tried many things. Do you have any other ideas?

No. I am using this check (on phone numbers, not macs) on newly signed users - and it works. It doesn't work when phone company sends shortened caller ID etc. I can't see any reason why it doesn't match in your case.

Ivan Kalik
Kalik Informatika ISP
Re: XP SP3 an EAP-TLS partly solution (SOLVED)
Hi,

just to give an update on my efforts to make XP SP3 work with EAP-TLS. Machine based EAP-TLS authentication works fine for WIRED connections, as I wrote in the last mail. BUT that doesn't mean that it works for wireless connections. :-) Before SP3 there wasn't a problem with that; with this alpha version of the service pack, it's not working.

First of all, the things you need to do with the network-adapter profiles, using the netsh command, aren't working in XP with wlan profiles, simply because the netsh command doesn't know "netsh wlan ..." (you get an error). Vista knows that context, XP SP3 not. So there is a freeware utility zwlancfg here http://www.engl.co.uk/products/zwlancfg/index.html. Get that and you can export and import the wlan profiles. But setting the authentication to machine as with wired connections won't work. You always get a "no certificate found" error (the cert which is OK for wired connections!) and no connection. If the tool zwlancfg is setting up the connection manually, you get an "illegal authmode" error. So you need to have set up the connection to a machineOrUser authmode. It seems there is no machine authmode in XP SP3 anymore. As written by MS here: http://msdn.microsoft.com/en-us/library/ms706279.aspx

"This element is optional. When authMode is not specified in a profile, a value of |machineOrUser| is used. *Windows XP with SP3 and Wireless LAN API for Windows XP with SP2: *This element will be ignored if it is present in a profile"

But stop! It's not that easy. :-) Because it's Microsoft, it always works a little, but never 100%. If no user is logged in (= login screen), the connection is established (seen in the Radius log). If a user logs in, the connection is dropped and you get a "no cert" error. If the machine cert is included in the user's context, using the cert-mgr, the connection is again established. So I have to install the machine cert for each user who will log in to the computer.

And, hey, did I say that machine based EAP-TLS auth via WLAN worked in SP2, despite the MS information? It's definitely not a Freeradius problem, but most people will look here to solve the problem. After a lot of googling I found that I must be the only one with that combination and problems. So SP3 haters, unite! :-) And stay with SP2. And no, I won't buy Vista! I'll post my solution here either. If someone likes to give me a hint, I'll be happy.

cu
Alex
RE: Calling-Station-Id Check Erroring
> Try SELECT * FROM radcheck WHERE value='00-1C-B3-B1-3E-07' and see if
> that line gets listed. You might have white space around it. It should
> match.
>
> Ivan Kalik
> Kalik Informatika ISP

That correctly returns it:
7 eric1328 Calling-Station-Id == 00-1C-B3-B1-3E-07

I've tried many things. Do you have any other ideas?

I have 2.1.3-1.fc10 installed on Fedora 10. I'm using a hosted MySQL DB at the moment, from my web hosting co.

Thanks!
Eric
Re: IP-Assignment with sqlippool based on nas-ip-address
>>> Hm, does it "see" NULL greater than now()? Replace NULL in expiry_time
>>> column with "-00-00 00:00:00" (that's what MySQL thinks null
>>> datetime is - it will match IS NULL). And in that previous query replace
>>> = NULL with = '-00-00 00:00:00'.
>>>
>>> If this is so, sqlippool schema will need to be changed.
>>
>> This works. Yes, i think the schema really needs a update.
>
> As always, patches are welcome.
>

It probably needs just a change from NULL to '-00-00 00:00:00' for the expiry_time default value in ippool.sql.

expiry_time IS NULL will match if value is '-00-00 00:00:00'. I will fix the queries to use MySQL null value (-00-00 00:00:00) and not NULL, since NULL doesn't work in
Re: IP-Assignment with sqlippool based on nas-ip-address
> > i have another question: when does the server free an ip-address? i
> > tested a login with the same username within one minute and the server
> > reserved two different ip-addresses. i thought, that the server will use
> > the same ip-address for the second login, but the server doesn't.
> >
> > Which behaviour is the right one?
>
> The server frees IP's when accounting stop packets are received. This
> is the correct behavior.
>

ok, I understand this. :-) Is there another possibility to reassign the same ip-address to the user again?

Thanks
Sebastian
Re: [UKLAN] feature request
Hello Alan,

freeradius-2.1.1 created the socket with 'radiusd' as owner, and freeradius-2.1.3 throws the error

Error: We do not own /var/run/radiusd/radius1.sock

because it created it with owner root.

On Thursday, 29.01.2009, 14:19 +0100, Alan DeKok wrote:
> Hans-Peter Fuchs wrote:
> > today I upgraded from freeradius-2.1.1 to 2.1.3 and stumbled because
> > freeradius does not erase the socket file in /var/run/radiusd.
>
> What kind of "stumble"?
>
> The socket file isn't erased automatically when the server exits. If
> something *forces* the server to exit quickly, then the socket file
> cannot be deleted by the server.
>
> So there are cases where it will always be around after the server exits.
>
> Alan DeKok.

--
Kind regards
Hans-Peter Fuchs

Hans-Peter Fuchs - RRZK Zimmer 20
Zentrum für angewandte Informatik - Universitätsweiter Service
RRZK Universität zu Köln - Tel: 0221-470-6972
Re: Inner identity in accounting logs
Hello all,

On Wednesday, 28.01.2009, 11:06, Jonathan Gazeley wrote:
> Alan DeKok wrote:
> >
> > Update the reply. In the "inner-tunnel" server, "post-auth" section, add:
> >
> > ...
> > update outer.reply {
> >         User-Name = "%{User-Name}"
> > }
> > ...
> >
> Done this, doesn't seem to work. I guess the NAS doesn't accept it.
>
> > Tell the NAS which User-Name you want to see in the accounting
> > packets. Most NASes support this feature.
> >
> When you say "Most NASes", do you know if that includes Cisco WiSMs? Do
> you know if there is any magic I need to apply on the WiSMs? I couldn't
> see anything particularly relevant in the documentation.
>

Our WiSM accepts this. Cisco does not document this feature, but claims to obey the RFCs.

> Thanks,
> Jonathan
>
> > Alan DeKok.

--
Kind regards
Hans-Peter Fuchs

Hans-Peter Fuchs - RRZK Zimmer 20
Zentrum für angewandte Informatik - Universitätsweiter Service
RRZK Universität zu Köln - Tel: 0221-470-6972
Re: feature request
Hans-Peter Fuchs wrote:
> today I upgraded from freeradius-2.1.1 to 2.1.3 and stumbled because
> freeradius does not erase the socket file in /var/run/radiusd.

What kind of "stumble"?

The socket file isn't erased automatically when the server exits. If something *forces* the server to exit quickly, then the socket file cannot be deleted by the server.

So there are cases where it will always be around after the server exits.

Alan DeKok.
feature request
Hello Alan,

today I upgraded from freeradius-2.1.1 to 2.1.3 and stumbled because freeradius does not erase the socket file in /var/run/radiusd.

--
Kind regards
Hans-Peter Fuchs

Hans-Peter Fuchs - RRZK Room 20
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
Universität zu Köln - Tel: 0221-470-6972
Re: IP-Assignment with sqlippool based on nas-ip-address
Sebastian Heil wrote:
>> Hm, does it "see" NULL greater than now()? Replace NULL in expiry_time
>> column with "-00-00 00:00:00" (that's what MySQL thinks null
>> datetime is - it will match IS NULL). And in that previous query replace
>> = NULL with = '-00-00 00:00:00'.
>>
>> If this is so, sqlippool schema will need to be changed.
>
> This works. Yes, I think the schema really needs an update.

As always, patches are welcome.

> I have another question: when does the server free an IP address? I tested a
> login with the same username within one minute and the server reserved two
> different IP addresses. I thought that the server would use the same
> IP address for the second login, but the server doesn't.
>
> Which behaviour is the right one?

The server frees IPs when accounting stop packets are received. This is the correct behavior.

Alan DeKok.
Re: IP-Assignment with sqlippool based on nas-ip-address
> Hm, does it "see" NULL greater than now()? Replace NULL in expiry_time
> column with "-00-00 00:00:00" (that's what MySQL thinks null
> datetime is - it will match IS NULL). And in that previous query replace
> = NULL with = '-00-00 00:00:00'.
>
> If this is so, sqlippool schema will need to be changed.

This works. Yes, I think the schema really needs an update.

I have another question: when does the server free an IP address? I tested a login with the same username within one minute and the server reserved two different IP addresses. I thought that the server would use the same IP address for the second login, but the server doesn't.

Which behaviour is the right one?
Re: Hosts restriction with FreeRadius and OpenLDAP
> I'm setting up a freeradius configuration for authenticating users on a
> number of technologies (pix, nokia, ...). User accounts are stored in a
> backend OpenLDAP.
>
> I'm willing to allow users to authenticate to specific machines, that I
> would like to choose and administer from the accounts on the LDAP server
> (in a centralized manner).
>
> Is this possible, and how could I implement it?

Create a huntgroup with IPs of the machines from which administrators can log in. Then add to users file:

DEFAULT Ldap-Group = admin_group, Huntgroup-Name != whatever, Auth-Type := Reject

Ivan Kalik
Kalik Informatika ISP
Re: 802.1x machine authentication ads peap domainname
> I'm not splitting user name from realm (well, I don't know), below is
> an example with NT-Domain expand: (not working host/host.domain.local
> eap/peap but works ppp authorization from all domains; User-Name is
> DOMAIN\\user and domain is correctly expanded; it works also with
> OTHERDOMAIN\\otheruser - another trusted ADS domain)
>
>
> server inner-tunnel {
> +- entering group authorize
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
>   rlm_eap: EAP packet type response id 9 length 89
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
>   rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> +- entering group MS-CHAP
>   rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
>   rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password
>   expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>   expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- here
>   mschap2: fa
>   expand: --challenge=%{mschap:Challenge:-00} -> --challenge=19601d7be2fx
>   expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3a04766fxxxbfaedba4977c0xxx
> Exec-Program output: Logon failure (0xc06d)
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> Exec-Program: returned: 1
>   rlm_mschap: External script failed.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
>
>
> and here is an example without NT-Domain expand for ntlm_auth (it is
> working well for only "domain.local" and "DOMAIN\\user" but not for
> trusted OTHERDOMAIN\\otheruser ):
>
>
> server inner-tunnel {
> +- entering group authorize
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
>   rlm_eap: EAP packet type response id 7 length 89
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
>   rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> +- entering group MS-CHAP
>   rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
>   rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password
>   expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>   mschap2: 96
>   expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2dff1a169cx
>   expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7fa7664801defd917c241937bd4xxx
> Exec-Program output: NT_KEY: 7C54FDDBA668A77
> Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxx
> Exec-Program: returned: 0
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
>

OK. So you need two mschap instances: one for NT format (DOMAIN\\user type - with NT-Domain in ntlm_auth) and one for IPASS format (host/somehost.domain.local type - without).

Use unlang to detect the delimiter and switch to the correct instance, replacing mschap in authorize and inside Auth-Type MSCHAP.

Ivan Kalik
Kalik Informatika ISP
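The two-instance setup Ivan describes, as an added example (not code from the thread or from the FreeRADIUS project): a modules fragment and the inner-tunnel sections for FreeRADIUS 2.x. The ntlm_auth path, the instance name mschap_host, and the 2.x behaviour that a non-default rlm_mschap instance sets Auth-Type to its own instance name are assumptions.

```unlang
# Added example, not from the thread. Two rlm_mschap instances (FreeRADIUS 2.x):
# the default one passes --domain to ntlm_auth (DOMAIN\user, OTHERDOMAIN\user),
# "mschap_host" omits it (host/somehost.domain.local machine accounts).
# Assumed: the ntlm_auth path and the instance name mschap_host.
modules {
	mschap {
		ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \
			--username=%{mschap:User-Name:-None} \
			--domain=%{mschap:NT-Domain:-DOMAIN} \
			--challenge=%{mschap:Challenge:-00} \
			--nt-response=%{mschap:NT-Response:-00}"
	}
	# The xlat of a second instance is registered under its instance name.
	mschap mschap_host {
		ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \
			--username=%{mschap_host:User-Name:-None} \
			--challenge=%{mschap_host:Challenge:-00} \
			--nt-response=%{mschap_host:NT-Response:-00}"
	}
}

server inner-tunnel {
	authorize {
		# Pick the instance by the User-Name delimiter: a "host/" prefix
		# is a machine account, anything else is DOMAIN\user.
		if (User-Name =~ /^host\//) {
			mschap_host
		}
		else {
			mschap
		}
		suffix
		eap
		pap
	}
	authenticate {
		# rlm_eap's mschapv2 type always calls the MS-CHAP section, so
		# PEAP/EAP-MSCHAPv2 needs the same switch inside it.
		Auth-Type MS-CHAP {
			if (User-Name =~ /^host\//) {
				mschap_host
			}
			else {
				mschap
			}
		}
		# Assumed 2.x behaviour: a non-default instance sets Auth-Type to its
		# own name when authorize picks it for a plain (non-EAP) MS-CHAP request.
		Auth-Type mschap_host {
			mschap_host
		}
		eap
	}
}
```

Run radiusd -X and confirm in the debug output which instance is entered for a host/ name versus a DOMAIN\\user name.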
Hosts restriction with FreeRadius and OpenLDAP
Hello everybody,

I'm setting up a freeradius configuration for authenticating users on a number of technologies (pix, nokia, ...). User accounts are stored in a backend OpenLDAP.

I'm willing to allow users to authenticate to specific machines, that I would like to choose and administer from the accounts on the LDAP server (in a centralized manner).

Is this possible, and how could I implement it?

Thx for help,
Re: 802.1x machine authentication ads peap domainname
Thanks for the reply.

I'm not splitting user name from realm (well, I don't know), below is an example with NT-Domain expand: (not working host/host.domain.local eap/peap but works ppp authorization from all domains; User-Name is DOMAIN\\user and domain is correctly expanded; it works also with OTHERDOMAIN\\otheruser - another trusted ADS domain)

server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
  rlm_eap: EAP packet type response id 9 length 89
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password
  expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
  expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- here
  mschap2: fa
  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=19601d7be2fx
  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3a04766fxxxbfaedba4977c0xxx
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

and here is an example without NT-Domain expand for ntlm_auth (it is working well for only "domain.local" and "DOMAIN\\user" but not for trusted OTHERDOMAIN\\otheruser ):

server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
  rlm_eap: EAP packet type response id 7 length 89
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password
  expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
  mschap2: 96
  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2dff1a169cx
  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7fa7664801defd917c241937bd4xxx
Exec-Program output: NT_KEY: 7C54FDDBA668A77
Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxx
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok

Thanks for help!
Lukasz

2009/1/28 :
>> I know about this expand but it's expanding to only first section of
>> domain (eg. domain.com mschap expand gives only "domain")
>> I'm wondering if it is possible to get to work correct expand because
>> sometimes radius must authorize users from other trusted domains.
>>
>
> Can you post an example. If you are splitting the User-Name with
> something from the realm module (suffix, ntdomain etc.) you get
> Stripped-User-Name and Realm. Perhaps %{Realm} would work for you.
>
> Ivan Kalik
> Kalik Informatika ISP
RE: Calling-Station-Id Check Erroring
>> > When I try to do MAC auth, it shows No User, though it works fine when I
>> > remove the Calling-Station-Id check item from MySQL. Debug shows quotes
>> > around MAC. I put MAC in database with and without quotes and still errors.
>> >
>>
>> No quotes.
>>
>> > Any ideas?
>>
>> Log into your database and post here the result of this query:
>>
>> > -> SELECT id, username, attribute, value, op FROM radcheck
>> > WHERE username = 'eric1328' ORDER BY id
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> Here's the result, Ivan:
>
> 5 eric1328 Cleartext-Password PASSWORD :=
> 7 eric1328 Calling-Station-Id 00-1C-B3-B1-3E-07 ==
>
> Thanks!
>

Try SELECT * FROM radcheck WHERE value='00-1C-B3-B1-3E-07' and see if that line gets listed. You might have white space around it. It should match.

Ivan Kalik
Kalik Informatika ISP
Re: [ Re: eap-ttls failing]
It's fine. Send it direct.

Ivan Kalik
Kalik Informatika ISP

On 28/1/2009, "Josh Hiner" wrote:
> t...@kalik.net wrote:
> >> list. I would think that what I am doing is fairly popular? Why are more
> >> people not complaining? This is too bad and if true, very poor.
> >>
> >
> > Can you post the eapol.log and wzctrace.log for the same attempt. I'll
> > dig through that and see if I can find what is going on.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
>
> Ivan, can I send the email directly to your email address?
> lists.freeradius.org is rejecting my email because the body of the
> message exceeds 100k (it is 536k with the log attachments). It says it
> is waiting for a moderator to approve the post but it's been about 8
> hours with no approval.
>
> Let me know, and thanks for your help!
>
> -josh
RE: Access-Challenge authentication via both LDAP and SecurID
Thanks Alan for the quick responses. We will look for other solutions in the meantime.

Thanks,
Amy