Re: IP-Assignment with sqlippool based on nas-ip-address

2009-02-02 Thread Sebastian Heil

 Original Message 
 Date: Fri, 30 Jan 2009 11:51:20 +0100
 From: t...@kalik.net
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: IP-Assignment with sqlippool based on nas-ip-address

 Now, the behaviour of the server changed in the way, that the
 freeradius reserves only one ip-address per user. If the same user logs in
 again on the same nas (without accounting-stop-packet before), the old
 ip-address is freed and the user receives a new one.
 
 
 That should happen only if IP allocation has expired (see lease-duration
 in sqlippool.conf). There is another allocate-find query that issues
 random IPs.


Hmmm, maybe there is another problem in my config. I tried two requests within 
ten seconds. Attached you'll find the debug. During the second request the 
first ip-address is freed and can be used again. The lease-duration has the 
standard value of 3600, so this can't be the reason.

This is the table radippool after the second request:

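+-----------+-----------------+--------------+---------------------+----------+----------+
| pool_name | framedipaddress | nasipaddress | expiry_time         | username | pool_key |
+-----------+-----------------+--------------+---------------------+----------+----------+
| poolUK    | 10.10.10.10     | 10.98.6.95   | 2009-02-02 10:14:32 | peter2   |          |
| poolUK    | 10.10.10.11     |              | 2009-02-02 09:14:31 |          | 0        |
+-----------+-----------------+--------------+---------------------+----------+----------+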




debug


rad_recv: Access-Request packet from host 10.98.6.95 port 3099, id=194, 
length=46
User-Name = peter2
User-Password = peter2
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/var/log/radius/radacct/10.98.6.95/auth-detail-20090202
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/10.98.6.95/auth-detail-20090202
[auth_log]  expand: %t - Mon Feb  2 09:13:45 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = peter2, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 183
++[files] returns ok
[sql]   expand: %{User-Name} - peter2
[sql] sql_set_user escaped user -- 'peter2'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'peter2'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = 'peter2'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = 'peter2'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 'peter2'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   
FROM radusergroup   WHERE username = 'peter2'   ORDER 
BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup   
WHERE username = 'peter2'   ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op   
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id - SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = 'UK'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value, op 
  FROM radgroupcheck   WHERE groupname = 'UK'   ORDER BY id
[sql] User found in group UK
[sql]   expand: SELECT id, groupname, attribute,   value, op   
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id - SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = 'UK'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   value, op 
  FROM radgroupreply   WHERE groupname = 'UK'   ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering

Re: invalid Message-Authenticator! (Shared secret is incorrect.)

2009-02-02 Thread tnt
Could it be the problem?:
radius server is in 10.10.10.0/24 and the nas is in the 192.168.1.1/27 
the packets bridged, the nas can ping the radius server... can the 
different mask be a problem?

No. Shared secret is wrong. Have you retyped it both on radius server and
on the NAS?

WARNING: Unprintable characters in the password. Double-check the shared 
secret on the server and the NAS!

The only other possibility is a broken operating system (crypto libraries
are corrupted). But in 99.99% of cases, problem is different shared
secret.

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: chap authentication and freeradius

2009-02-02 Thread gf fg

Hi users!! Here I post my freeradius -X

0, for host i486-pc-linux-gnu, built on Nov 14 2008 at 11:57:03
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = 123456
nastype = other
 }
 client 192.168.0.0/16 {
require_message_authenticator = no
secret = 123456
shortname = 123456
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com 

RE: chap authentication and freeradius

2009-02-02 Thread gf fg

Thanks, users! My problem was that I never configured the file in sites-enabled 
called default!!!

Thanks very, very much

From: litlle_cra...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: chap  authentication and freeradius
Date: Mon, 2 Feb 2009 13:26:10 -0200









Re: invalid Message-Authenticator! (Shared secret is incorrect.)

2009-02-02 Thread Hegedus Gabor

t...@kalik.net wrote:

Could it be the problem?:
radius server is in 10.10.10.0/24 and the nas is in the 192.168.1.1/27 
the packets bridged, the nas can ping the radius server... can the 
different mask be a problem?



No. Shared secret is wrong. Have you retyped it both on radius server and
on the NAS?

  

I checked a lot of times but 12345 = 12345 :)

WARNING: Unprintable characters in the password. Double-check the shared 
secret on the server and the NAS!



The only other possibility is a broken operating system (crypto libraries
are corrupted). But in 99.99% of cases, problem is different shared
secret.

  

I think the problem is in the AP(nas), not in the radius.

Sorry, no more questions about it. I think the CISCO 861 router (new) 
has some problem.

I just want to know.

now I try to find the 0.01%

thank you

Gabor

Ivan Kalik



Re: invalid Message-Authenticator! (Shared secret is incorrect.)

2009-02-02 Thread Johan Meiring

Hegedus Gabor wrote:

t...@kalik.net wrote:

Could it be the problem?:
radius server is in 10.10.10.0/24 and the nas is in the 
192.168.1.1/27 the packets bridged, the nas can ping the radius 
server... can the different mask be a problem?



No. Shared secret is wrong. Have you retyped it both on radius server and
on the NAS?

  

I checked a lot of time but 12345 = 12345 :)



Don't you mean test = test?

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



radius web managment

2009-02-02 Thread Mr Little Crazzy

Has someone installed dialup admin or daloradius??
I have installed dialup admin, but my problem is that it does not list the 
connected users.
Which is the best?? And does someone have an install guide for installing each one?



Re: [UKLAN] feature request

2009-02-02 Thread Alan DeKok
Hans-Peter Fuchs wrote:
 Hello Alan,
 
 freeradius-2.1.1 created the socket with 'radiusd' as owner and
 freeradius-2.1.3 throw error:
  Error: We do not own /var/run/radiusd/radius1.sock
 because it created it with owner root.

  This is a bug in 2.1.3 that will be fixed in 2.1.4.

  Alan DeKok.



Re: invalid Message-Authenticator! (Shared secret is incorrect.)

2009-02-02 Thread Alan DeKok
Hegedus Gabor wrote:
 Hi I have a problem:
 
 I get this message
 *invalid Message-Authenticator! (Shared secret is incorrect.) *
 
 But I checked the key and it equals.

  The shared secret is wrong.

 What is the problem?
 
 clients.conf:
 client 192.168.1.10 {
secret = test shortname=blablabla
 }

  Why are you putting two configurations on the same line?  This isn't C
programming, where statements are separated by ';'

  Alan DeKok.


RE: radius web managment

2009-02-02 Thread Mr Little Crazzy

Were you able to configure Daloradius?? Because I have this error when I try to 
log in

Database connection error

Error Message: DB Error: connect failed
Debug:  [nativecode=Access denied for user 'root'@'localhost' (using password: 
NO)] ** mysql://root:@127.0.0.1/radius




Date: Mon, 2 Feb 2009 19:56:27 +0100
Subject: Re: radius web managment
From: meshkr...@gmail.com
To: freeradius-users@lists.freeradius.org

for me daloradius, if you can spend some money you may go with radmanager ( ~ 
99eur )

2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com






Someone has installed dialup admin or daloradius ??
I have installed diaul up admin , but my problem is that not list the user 
conecct.
Which is the best ?? and someone has an install guide for install each of one




Re: radius web managment

2009-02-02 Thread Marinko Tarlac
You need to learn basic things before you proceed with installation. 
Choose two words from your error message and google. You'll see that 
your username/pass combination is not correct for your database. This 
doesn't have anything to do with the FR user list.




Mr Little Crazzy wrote:
did you could configure Daloradius ?? Because i have this error when i 
try to login


*Database connection error*
*Error Message*: DB Error: connect failed
*Debug*: [nativecode=Access denied for user 'root'@'localhost' (using 
password: NO)] ** mysql://root:@127.0.0.1/radius






Date: Mon, 2 Feb 2009 19:56:27 +0100
Subject: Re: radius web managment
From: meshkr...@gmail.com
To: freeradius-users@lists.freeradius.org

for me daloradius , if you can spend some monety you may go with 
radmanager ( ~ 99eur )


2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com 
mailto:litlle_cra...@hotmail.com


Someone has installed dialup admin or daloradius ??
I have installed diaul up admin , but my problem is that not list
the user conecct.
Which is the best ?? and someone has an install guide for install
each of one





RE: radius web managment

2009-02-02 Thread tnt
did you could configure Daloradius ?? Because i have this error when i try to 
login

Database connection error

   Error Message: DB Error: connect failed
Debug:  [nativecode=Access denied for user 'root'@'localhost' (using password: 
NO)] ** mysql://root:@127.0.0.1/radius


Why don't you ask this on dalo Radius forum? It is highly unlikely that
you are supposed to connect to the database as root.

Ivan Kalik
Kalik Informatika ISP



Re: Cannot get value of config item with \

2009-02-02 Thread tnt
I'd like to check if a request that I received from a radius server will be
proxied back to that same server resulting in a proxy loop.

The way I see things there is no other way to find out to which server the
request will be proxied to.


Create a table proxy with information from proxy.conf. Use unlang to see
if proxy IP matches Client-IP-Address from the request and reject if it
does.

Ivan Kalik
Kalik Informatika ISP



Re: mschav2 can't get connected

2009-02-02 Thread Alan DeKok
saman saman wrote:
 
 Hi..Can anyone help me. I can't get client connect to radius server.
 any suggestion on how to fix it..appreciated.
 Here the radius output:
...
 EAP-Message = 0x0101000501

  Your supplicant is sending an empty identity.  This isn't permitted.

  Alan DeKok.


Re: Cannot get value of config item with \\

2009-02-02 Thread Matej Vadnjal
On Monday 02.02.2009 10:37:59 Alan DeKok wrote:
 Matej Vadnjal wrote:
  I'm having trouble getting the value of auth_pool of a realm. Realms are
  defined as regular expressions matched by suffix module against the
  domain portion of users username.

   Ok... *why* are you doing that?

  if (%{config:realm[%{Realm}].auth_pool} =~ /%{client-shortname}/i) {
  reject
  }

   That's odd.  What do you think that configuration does, and why do you
 want it to do that?


I have a server that receives requests from radius servers and forwards them 
to other radius servers (we are a national top-level radius for eduroam 
project).

I'd like to check if a request that I received from a radius server will be 
proxied back to that same server resulting in a proxy loop.

The way I see things there is no other way to find out to which server the 
request will be proxied to.

My idea is that if I keep the names of servers in clients.conf and server 
pools in proxy.conf similar enough, I could compare them with a regexp and if 
they match reject the request, preventing a loop.



  Is this a bug or a safety feature (preventing some sort of injection
  attacks)? I tried all sorts of combinations of single quotes, double
  quotes, no quotes, but to no avail.

   Escaping characters is a security feature.

As I suspected. However in my case the value of Realm variable is one of 
predefined values in proxy.conf and not supplied by users.


Regards,

Matej Vadnjal




Re: invalid Message-Authenticator! (Shared secret is incorrect.)

2009-02-02 Thread Alan DeKok
Hegedus Gabor wrote:
 Could it be the problem?:
 radius server is in 10.10.10.0/24 and the nas is in the 192.168.1.1/27
 the packets bridged, the nas can ping the radius server... can the
 different mask be a problem?

  Perhaps you should believe the answers on this list.

 and when I try authenticate for NAS(consol), the radius reject because
 
 ad_recv: Access-Request packet from host 192.168.1.10 port 1645, id=43,
 length=78
 NAS-IP-Address = 192.168.1.10
 NAS-Port-Type = Async
 User-Name = test
 User-Password = \335\333TmZî Łx\273\367G\241\350\263\026

  (a) the shared secret is wrong
  (b) the MD5 libraries are completely broken.

  Choose one.

  Choosing *another* option means that you are not interested in getting
help from this list.

 what is this password \335\333TmZî Łx\273\367G\241\350\263\026 I don't
 understand, it tells check the shared secret but it is good

  It means that the shared secret is wrong.

  Alan DeKok.
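
Added example (not part of the message above and not FreeRADIUS code): how the User-Password hiding of RFC 2865 section 5.2 and the Message-Authenticator HMAC-MD5 of RFC 3579 both depend on the shared secret, so a one-character mismatch produces exactly the two symptoms in this thread. The secrets, password and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only meaningful if `secret` is the sender's."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value


def build_access_request(secret, ident, authenticator, user, password) -> bytes:
    """NAS side: Message-Authenticator is HMAC-MD5 over the whole packet,
    computed while that attribute's value is 16 zero bytes."""
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute here


def check_access_request(packet: bytes, secret: bytes):
    """Server side, using the server's copy of the secret.
    Returns (message_authenticator_ok, decoded_password, password_is_printable)."""
    authenticator = packet[4:20]
    zeroed, received_mac, hidden = bytearray(packet), None, b""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        if atype == MESSAGE_AUTHENTICATOR:
            received_mac = packet[pos + 2:pos + alen]
            zeroed[pos + 2:pos + alen] = bytes(alen - 2)
        elif atype == USER_PASSWORD:
            hidden = packet[pos + 2:pos + alen]
        pos += alen
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    mac_ok = received_mac is not None and hmac.compare_digest(received_mac, expected)
    password = recover_password(hidden, secret, authenticator)
    return mac_ok, password, all(0x20 <= b <= 0x7E for b in password)


# Constructed sample: the NAS holds the secret with a stray trailing space.
NAS_SECRET, SERVER_SECRET = b"test ", b"test"
REQUEST = build_access_request(NAS_SECRET, 43, bytes(range(16)), b"test", b"console-pw")

if __name__ == "__main__":
    for label, secret in (("NAS secret", NAS_SECRET), ("server secret", SERVER_SECRET)):
        ok, pw, printable = check_access_request(REQUEST, secret)
        print(f"{label}: Message-Authenticator ok={ok} "
              f"password={pw!r} printable={printable}")
```

With the server's secret the HMAC comparison fails and the decoded password is pseudo-random bytes, which is what the debug output prints as octal escapes.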

Re: IP-Assignment with sqlippool based on nas-ip-address

2009-02-02 Thread tnt
I'm afraid, but this won't work in my environment. I will need a different 
subnetmask.

Can you explain why do you think 255.255.255.255 netmask won't work for
you. Do you know how that netmask works?

Ivan Kalik
Kalik Informatika ISP



Re: Cannot get value of config item with \\

2009-02-02 Thread Alan DeKok
Matej Vadnjal wrote:
 I'm having trouble getting the value of auth_pool of a realm. Realms are 
 defined as regular expressions matched by suffix module against the domain 
 portion of users username. 

  Ok... *why* are you doing that?

   if (%{config:realm[%{Realm}].auth_pool} =~ /%{client-shortname}/i) {
 reject
 }

  That's odd.  What do you think that configuration does, and why do you
want it to do that?

 Is this a bug or a safety feature (preventing some sort of injection 
 attacks)? 
 I tried all sorts of combinations of single quotes, double quotes, no quotes, 
 but to no avail.

  Escaping characters is a security feature.

  Alan DeKok.


RE: chap authentication and freeradius

2009-02-02 Thread tnt
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = ale, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
..

What is wrong ???


Your data is in the database and sql isn't enabled in the configuration.
Enable sql in default virtual server (raddb/sites-enabled/default).

Ivan Kalik
Kalik Informatika ISP



Re: radius web managment

2009-02-02 Thread orion
for me daloradius, if you can spend some money you may go with radmanager
( ~ 99eur )

2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com

  Someone has installed dialup admin or daloradius ??
 I have installed diaul up admin , but my problem is that not list the user
 conecct.
 Which is the best ?? and someone has an install guide for install each of
 one


 --

invalid Message-Authenticator! (Shared secret is incorrect.)

2009-02-02 Thread Hegedus Gabor

Hi I have a problem:

I get this message
*invalid Message-Authenticator! (Shared secret is incorrect.) *

But I checked the key and it equals.

What is the problem?

clients.conf:
client 192.168.1.10 {
   secret = test  
   shortname=blablabla

}

thx




Re: chap authentication and freeradius

2009-02-02 Thread A . L . M . Buxey
Hi,

 What is wrong ???

well, the debug clearly shows these lines:

[chap] login attempt by ale with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Login incorrect (rlm_chap: Clear text password not available): [ale] (from 
client 123456 port 0)


so - how have you defined the user 'ale' ? where is their password
stored and how have you stored it (ie what attribute did you give it?)

in the most basic of cases i'd expect to see some reply like

'ale is in my users file and the entry looks like

ale   Cleartext-Password := some_random_password

'


alan
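
Added example (not part of the message above and not rlm_chap's code): why the server needs Cleartext-Password to check a CHAP login. The CHAP-Password attribute is built as in RFC 2865 section 5.3, and the user store, the "hashed_only" account, the challenge bytes and the result strings are constructed for the illustration.

```python
import hashlib
import hmac
from typing import Optional


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password as the NAS sends it: one CHAP identifier byte followed by
    MD5(identifier + password + challenge)."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def check_chap(chap_attr: bytes, challenge: bytes, cleartext: Optional[bytes]) -> str:
    """Recompute the response from the stored password and compare.
    Without the cleartext there is nothing to feed into MD5, so the check
    cannot even be attempted."""
    if cleartext is None:
        return "invalid"   # mirrors "Cleartext-Password is required"
    if len(chap_attr) != 17:
        return "reject"
    expected = chap_password(chap_attr[0], cleartext, challenge)
    return "ok" if hmac.compare_digest(expected, chap_attr) else "reject"


# Constructed user store: one account with a cleartext password, one that
# only has a one-way hash of the same password.
USERS = {
    "ale": {"Cleartext-Password": b"some_random_password"},
    "hashed_only": {"MD5-Password": hashlib.md5(b"some_random_password").digest()},
}


def authenticate(user: str, chap_attr: bytes, challenge: bytes) -> str:
    """Look up the user's Cleartext-Password (if any) and run the CHAP check."""
    entry = USERS.get(user, {})
    return check_chap(chap_attr, challenge, entry.get("Cleartext-Password"))


# Constructed request: CHAP identifier 7 and a 16-byte challenge.
CHALLENGE = bytes(range(16, 32))
ATTR = chap_password(7, b"some_random_password", CHALLENGE)

if __name__ == "__main__":
    print("ale:", authenticate("ale", ATTR, CHALLENGE))
    print("hashed_only:", authenticate("hashed_only", ATTR, CHALLENGE))
    # Using the stored hash in place of the password does not help either:
    print("hash as password:",
          check_chap(ATTR, CHALLENGE, USERS["hashed_only"]["MD5-Password"]))
```

The same user with the same password is accepted only when the store holds the cleartext; a stored hash can be neither reversed nor substituted into the CHAP computation.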


Re: tag support in Free Radius

2009-02-02 Thread Alan DeKok
Marlon Duksa wrote:
 Hi - does anyone know how to send tagged attributes from FreeRadius. I'm
 including the tag number with a colon after the attribute but not sure
 if this is correct (the last two attributes):
 
 DEFAULT User-Name =~
 ([a-z]+):([0-9]+)[^a-z]+([a-z]+):([0-9]+)$, Auth-Type := Local,
 User-Password == usrpass

  Don't set Auth-Type.

  Use Cleartext-Password :=... , not User-Password ==.  See the FAQ
for an example.

 Framed-Pool := 4,
 ERX-Ingress-Policy-Name := ingressFilter,
 ERX-Egress-Policy-Name := egressFilter,
 ERX-CoS-Parameter-Type:1 = basic_sch,
 ERX-CoS-Parameter-Type:2 += 8m

  That should work.

 And this is how the attribute is defined in dictionary:
 ATTRIBUTE   ERX-CoS-Parameter-Type  108 string
 has_tag

  Quoting the dictionaries doesn't help.  Do you think we don't have
access to them?

 Feb  1 07:41:38 parse_tag_based_vsa: Tag based VSA contains the wrong
 Tag-character

  Show a TCPdump or wireshark packet capture.

  Also, are you sure you're using the latest version of the server?  If
not, upgrade.

  Alan DeKok.


RE: chap authentication and freeradius

2009-02-02 Thread gf fg

yes that was my problem! I posted it!


 To: freeradius-users@lists.freeradius.org
 Subject: RE: chap  authentication and freeradius
 Date: Mon, 2 Feb 2009 17:02:09 +0100
 From: t...@kalik.net
 
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [chap] Setting 'Auth-Type := CHAP'
 ++[chap] returns ok
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = ale, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[unix] returns notfound
 [files] users: Matched entry DEFAULT at line 172
 ++[files] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.
 ++[pap] returns noop
 ..
 
 What is wrong ???
 
 
 Your data is in the database and sql isn't enabled in the configuration.
 Enable sql in default virtual server (raddb/sites-enabled/default).
 
 Ivan Kalik
 Kalik Informatika ISP
 

Re: invalid Message-Authenticator! (Shared secret is incorrect.)

2009-02-02 Thread tnt
I think the problem is in the AP(nas), not in the radius.

Sorry, no more questions about it . I think the CISCO 861 router(new)
has something problem.

I would seriously doubt that. Your server would be a much bigger suspect.
It can't find openSSL either.

Ivan Kalik
Kalik Informatika ISP



Re: Installation Problem

2009-02-02 Thread Alan DeKok
Marcelo Freitas wrote:
 Hello everybody,
 
 I searched the archive but I couldn't find any other topic similar. Can
 someone help me with the installation of FreeRadius 2.1.3 on my Slackware
 box ?
...
 /home/other/freeradius-server-2.1.3/src/main/modules.c:1037: undefined
 reference to `lt__PROGRAM__LTX_preloaded_symbols'

  Hmm... it looks like some weird libtool issue.  I suggest deleting the
entire source tree, and re-building from scratch.

  What OS are you using?

  Alan DeKok.


radmanager

2009-02-02 Thread Mike Strider
Orion, do you have a link to radmanager?

Thanks

.. Mike


mschav2 can't get connected

2009-02-02 Thread saman saman

Hi.. Can anyone help me. I can't get client connect to radius server. Any
suggestion on how to fix it.. appreciated. Here the radius output:

Going to the next request
Waking up in 4.9 seconds.
User-Name = john
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = 00:30:1a:29:03:66
Calling-Station-Id = 00:1c:f0:10:56:b8
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 127.0.0.1
Connect-Info = CONNECT 11Mbps 802.11b
State = 0x2e2e1d922d2b04150913ca69285527e1
EAP-Message = 0x020500061900
Message-Authenticator = 0xf3ce12fbfc579d77238be586aeef433a
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = john, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
EAP-Message = 
0x0106004f190028cf8fd6b39dddc11a23092d5ac5dbe80d40773189ee2e9a705859d3fcb1ccb0bec3b2d64f501fbac0a2e4d68161a9e646b9dc3e921d54190eaf26d9658df7f216030100040e00
Message-Authenticator = 0x
State = 0x2e2e1d922a2804150913ca69285527e1
Finished request 46.
Going to the next request
Waking up in 4.8 seconds.
User-Name = john
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = 00:30:1a:29:03:66
Calling-Station-Id = 00:1c:f0:10:56:b8
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 127.0.0.1
Connect-Info = CONNECT 11Mbps 802.11b
State = 0x2e2e1d922a2804150913ca69285527e1
EAP-Message = 
EAP-Message = 
0x4ba37822b0bd1a7ea0cb3b34da4a4f5241eeb3cf84d9d2d414030100010116030100203959736f3c912439ed32a1d40f8039184eceff7a3e7916103b2987864910a40a
Message-Authenticator = 0x7563893321cf7c546a720b6d7940d1bf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = john, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 6 length 253
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 310
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls:  TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls:  TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls:  TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
  rlm_eap_tls: TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
EAP-Message = 
0x01070031190014030100010116030100206f92b1c2416afc363cc61e8b8b6ca0629a5c9126eed17062e9579417bb5eb047
Message-Authenticator = 0x
State = 0x2e2e1d922b2904150913ca69285527e1
Finished request 47.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 42 ID 86 with timestamp +565
Cleaning up request 43 ID 88 with timestamp +565
Cleaning up request 44 ID 90 with timestamp +565
Cleaning up request 45 ID 92 with timestamp +565
Cleaning up request 46 ID 94 with timestamp +565
Cleaning up request 47 ID 96 with timestamp +565
Ready to process requests.
User-Name = john
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = 00:30:1a:29:03:66

Re: radius web managment

2009-02-02 Thread Phil Meech
I doubt you've configured the database connection for daloradius.  In
its management folder, I think there's a file called daloradius.conf
(if not search for it) edit it with your database login details and
radius DB name.  I think it's all self explanatory in the file.

2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com:
 did you could configure Daloradius ?? Because i have this error when i try
 to login

 Database connection error
 Error Message: DB Error: connect failed
 Debug: [nativecode=Access denied for user 'root'@'localhost' (using
 password: NO)] ** mysql://root:@127.0.0.1/radius




 
 Date: Mon, 2 Feb 2009 19:56:27 +0100
 Subject: Re: radius web managment
 From: meshkr...@gmail.com
 To: freeradius-users@lists.freeradius.org

 for me daloradius , if you can spend some money you may go with radmanager
 ( ~ 99eur )

 2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com

 Someone has installed dialup admin or daloradius ??
 I have installed dial up admin , but my problem is that not list the user
 connect.
 Which is the best ?? and someone has an install guide for install each of
 one


 


Re: invalid Message-Authenticator! (Shared secret is incorrect.)

2009-02-02 Thread Hegedus Gabor

Alan DeKok wrote:

Hegedus Gabor wrote:
  

Hi I have a problem:

I get this message
*invalid Message-Authenticator! (Shared secret is incorrect.) *

But I checked the key and it equals.



  The shared secret is wrong.

  

What is the problem?

clients.conf:
client 192.168.1.10 {
   secret = test 
   
shortname=blablabla

}



  Why are you putting two configurations on the same line?  This isn't C
programming, where statements are separated by ';'

  Alan DeKok.
  


sorry there is enter but i just wrote it wrong...

client 192.168.1.10 {
	secret = test 
	shortname=blablabla

}



Could it be the problem?:
radius server is in 10.10.10.0/24 and the nas is in the 192.168.1.1/27 
the packets bridged, the nas can ping the radius server... can the 
different mask be a problem?


and when I try authenticate for NAS(console), the radius reject because

ad_recv: Access-Request packet from host 192.168.1.10 port 1645, id=43, 
length=78

NAS-IP-Address = 192.168.1.10
NAS-Port-Type = Async
User-Name = test
User-Password = \335\333TmZî Łx\273\367G\241\350\263\026
NAS-Identifier = *** 
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
...

Failed to authenticate the user.
Login incorrect: [test/\335\333TmZî?Łx\273\367G\241\350\263\026] (from 
client AP_wireless port 0)
WARNING: Unprintable characters in the password. Double-check the shared 
secret on the server and the NAS!

Using Post-Auth-Type Reject




what is this password \335\333TmZî Łx\273\367G\241\350\263\026 I don't 
understand, it tells check the shared secret but it is good



thank you
Gabor
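
An added example, not part of the original posts: a sketch of why a shared-secret mismatch produces both symptoms seen in this thread, the unprintable User-Password (hidden as described in RFC 2865 section 5.2) and the failed Message-Authenticator check (HMAC-MD5 keyed with the shared secret, RFC 2869). The secrets, authenticator and packet are constructed sample values, and all function names are this example's own.

```python
import hashlib
import hmac

def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += res
        prev = block if decrypt else res   # always chain on the ciphertext
    return out

def hide_password(password, secret, authenticator):
    size = max(1, -(-len(password) // 16)) * 16   # NUL-pad to a multiple of 16 bytes
    return _xor_chain(password.ljust(size, b"\0"), secret, authenticator, False)

def recover_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, True).rstrip(b"\0")

def has_unprintable(value):
    return any(b < 0x20 or b > 0x7E for b in value)

def build_request(ident, authenticator, user, hidden_pw, secret):
    """Access-Request with User-Name (1), User-Password (2), Message-Authenticator (80)."""
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden_pw)]) + hidden_pw
    attrs += bytes([80, 18]) + b"\0" * 16          # value is zero while the HMAC is computed
    header = bytes([1, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    packet = header + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    """Zero the attribute value, recompute HMAC-MD5 over the packet, compare in constant time."""
    pos = 20                                       # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False                           # malformed attribute, stop parsing
        if attr_type == 80 and attr_len == 18:
            zeroed = packet[:pos + 2] + b"\0" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False

# Constructed sample values: the NAS and the server disagree on the secret.
NAS_SECRET, SERVER_SECRET = b"Test", b"test"
AUTHENTICATOR = bytes(range(16))
HIDDEN = hide_password(b"test", NAS_SECRET, AUTHENTICATOR)
PACKET = build_request(43, AUTHENTICATOR, b"test", HIDDEN, NAS_SECRET)

if __name__ == "__main__":
    print("password as the server sees it:", recover_password(HIDDEN, SERVER_SECRET, AUTHENTICATOR))
    print("Message-Authenticator valid:", verify_message_authenticator(PACKET, SERVER_SECRET))
```

With matching secrets the password comes back as typed; with any difference in the secret the server recovers pseudo-random bytes, which is what the "Unprintable characters in the password" warning is reporting.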

Re: IP-Assignment with sqlippool based on nas-ip-address

2009-02-02 Thread tnt
 That should happen only if IP allocation has expired (see lease-duration
 in sqlippool.conf). There is another allocate-find query that issues
 random IPs.


Hmmm, maybe there is another problem in my config. I tried two requests within 
ten seconds. Attached you'll find the debug. During the second request the 
first ip-address is freed and can be used again. The lease-duration has the 
standard value of 3600, so this can't be the reason.

This is the table radippool after the second request:

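+-----------+-----------------+--------------+---------------------+----------+----------+
| pool_name | framedipaddress | nasipaddress | expiry_time         | username | pool_key |
+-----------+-----------------+--------------+---------------------+----------+----------+
| poolUK    | 10.10.10.10     | 10.98.6.95   | 2009-02-02 10:14:32 | peter2   |          |
| poolUK    | 10.10.10.11     |              | 2009-02-02 09:14:31 |          | 0        |
+-----------+-----------------+--------------+---------------------+----------+----------+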

You don't have a pool_key because you are doing radtest requests. Proper
request will have NAS-Port or Calling-Station-Id as pool_key. With
updated queries user, nas *and* pool_key need to match for IP to be
released. Queries in the distribution don't have pool_key so double
login will release the older IP.

Ivan Kalik
Kalik Informatika ISP



Re: Cannot get value of config item with \\

2009-02-02 Thread Alan DeKok
Matej Vadnjal wrote:
 On Monday 02.02.2009 10:37:59 Alan DeKok wrote:
 I'd like to check if a request that I received from a radius server will be 
 proxied back to that same server resulting in a proxy loop.

  Hmm... if a server proxies requests to you that it *should* have
handled itself, it is seriously broken.

 The way I see things there is no other way to find out to which server the 
 request will be proxied to.

 Put this in pre-proxy:

	if (Realm && ("%{home_server:ipaddr}" == "%{client:ipaddr}")) {
		reject
	}

  That should work.  And no, this isn't well documented.

 My idea is that if I keep the names of servers in clients.conf and server 
 pools in proxy.conf similar enough, I could compare them with a regexp and if 
 they match reject the request, preventing a loop.

  Just check IP's.

  Alan DeKok.


Re: radmanager

2009-02-02 Thread Gunza
Anybody have Radius Manager copy of download link. If you have please send me.

Thanks,
Gunza

--- On Mon, 2/2/09, Mike Strider mstri...@atmc.net wrote:
From: Mike Strider mstri...@atmc.net
Subject: radmanager
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org
Date: Monday, February 2, 2009, 11:30 AM

Orion, do you have a link to radmanager?

Thanks 

.. Mike 



 


Re: Cannot get value of config item with \\

2009-02-02 Thread Matej Vadnjal
On Monday 02.02.2009 12:37:09 Alan DeKok wrote:
   Hmm... if a server proxies requests to you that it *should* have
 handled itself, it is seriously broken.

It also happens when users mistype their user names. Suppose you have a user: 
u...@a.orga.tld. orgA has a radius server that proxies requests for realm 
a.orgA.tld to another server, but all other requests go to upstream server 
(us).

If our user mistypes their user name as u...@b.orga.tld radius at orgA 
forwards that request to our server but we see this as realm *.orgA.tld (orgA 
has a lot of sub-domains - we don't want to define all of them separately) so 
we send the request back to them.


  Put this in pre-proxy:

   if (Realm && ("%{home_server:ipaddr}" == "%{client:ipaddr}")) {
   	reject
   }

   That should work.  And no, this isn't well documented.

Great. I did not know about %{home_server:ipaddr}. However there are still two 
issues:

- %{client:ipaddr} does not expand to anything on my end but Client-IP-Address 
works.

- If I reject in pre-proxy my server crashes. No error message or anything, it 
just exits (see attached debug). Is this a bug? I'm using version 2.1.0.


Regards

Matej Vadnjal
ARNES


rad_recv: Access-Request packet from host 10.0.99.110 port 1814, id=200, 
length=94
User-Name = @primer.si
Message-Authenticator = 0xc683a697de2b17b81dbad41e7c5bb471
EAP-Message = 0x0202000f01407072696d65722e7369
NAS-IP-Address = 10.0.99.13
NAS-Identifier = 010.000.099.013
Proxy-State = 0x3134
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm primer.si for User-Name = @primer.si
[suffix] Found realm ~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$
[suffix] Adding Realm = ~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$
[suffix] Proxying request from user  to realm 
~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$
[suffix] Preparing to proxy authentication request to realm 
~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$
++[suffix] returns updated
expand: %{User-Name} - @primer.si
[files] users: Matched entry DEFAULT at line 10
++[files] returns ok
+- entering group pre-proxy {...}
++? if (Realm  (%{home_server:ipaddr} == %{Client-IP-Address}))
? Evaluating (Realm ) - TRUE
expand: %{home_server:ipaddr} - 10.0.99.110
expand: %{Client-IP-Address} - 10.0.99.110
? Evaluating (%{home_server:ipaddr} == %{Client-IP-Address}) - TRUE
++? if (Realm  (%{home_server:ipaddr} == %{Client-IP-Address})) - TRUE
++- entering if (Realm  (%{home_server:ipaddr} == %{Client-IP-Address})) 
{...}
+++[reject] returns reject
++- if (Realm  (%{home_server:ipaddr} == %{Client-IP-Address})) returns 
reject
There was no response configured: rejecting request 0
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} - @primer.si
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.

Re: Certificate Provisioning for EAP-TLS Networks

2009-02-02 Thread Anders Holm
There are other solutions around as well to distribute and manage client 
side certificates. Not cheap, but they do exist.


//anders


Re: Cannot get value of config item with \\

2009-02-02 Thread Alan DeKok
Matej Vadnjal wrote:
 Great. I did not know about %{home_server:ipaddr}. However there are still
 two issues:
 
 - %{client:ipaddr} does not expand to anything on my end but
 Client-IP-Address works.

  If %{client:ipaddr} doesn't work, it's because there's no ipaddr
entry in the relevant client section.

 - If I reject in pre-proxy my server crashes. No error message or anything,
 it just exits (see attached debug). Is this a bug? I'm using version 2.1.0.

  That would be a bug.  My first suggestion would be to upgrade rather
than trying to track down what's going wrong.

  Alan DeKok.