Re: IP-Assignment with sqlippool based on nas-ip-address
Original message
Date: Fri, 30 Jan 2009 11:51:20 +0100
From: t...@kalik.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: IP-Assignment with sqlippool based on nas-ip-address

>> Now, the behaviour of the server changed in the way that FreeRADIUS reserves only one IP address per user. If the same user logs in again on the same NAS (without an accounting-stop packet before), the old IP address is freed and the user receives a new one.
>
> That should happen only if IP allocation has expired (see lease-duration in sqlippool.conf). There is another allocate-find query that issues random IPs.

Hmmm, maybe there is another problem in my config. I tried two requests within ten seconds. Attached you'll find the debug. During the second request the first IP address is freed and can be used again. The lease-duration has the standard value of 3600, so this can't be the reason.

This is the table radippool after the second request:

+-----------+-----------------+--------------+---------------------+----------+----------+
| pool_name | framedipaddress | nasipaddress | expiry_time         | username | pool_key |
+-----------+-----------------+--------------+---------------------+----------+----------+
| poolUK    | 10.10.10.10     | 10.98.6.95   | 2009-02-02 10:14:32 | peter2   |          |
| poolUK    | 10.10.10.11     |              | 2009-02-02 09:14:31 |          | 0        |
+-----------+-----------------+--------------+---------------------+----------+----------+

debug:

rad_recv: Access-Request packet from host 10.98.6.95 port 3099, id=194, length=46
        User-Name = peter2
        User-Password = peter2
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.98.6.95/auth-detail-20090202
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.98.6.95/auth-detail-20090202
[auth_log]      expand: %t -> Mon Feb 2 09:13:45 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = peter2, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 183
++[files] returns ok
[sql]   expand: %{User-Name} -> peter2
[sql] sql_set_user escaped user --> 'peter2'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'peter2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'peter2' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'peter2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'peter2' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'peter2' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'peter2' ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'UK' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'UK' ORDER BY id
[sql] User found in group UK
[sql]   expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'UK' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'UK' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering
Re: invalid Message-Authenticator! (Shared secret is incorrect.)
> Could it be the problem?: radius server is in 10.10.10.0/24 and the nas is in the 192.168.1.1/27, the packets bridged, the nas can ping the radius server... can the different mask be a problem?

No. Shared secret is wrong. Have you retyped it both on radius server and on the NAS?

> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

The only other possibility is a broken operating system (crypto libraries are corrupted). But in 99.99% of cases, problem is different shared secret.

Ivan Kalik

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: chap authentication and freeradius
Hi users!! Here I post my freeradius -X

0, for host i486-pc-linux-gnu, built on Nov 14 2008 at 11:57:03
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/freeradius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/freeradius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = /var/run/radiusd/radiusd.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
        log {
                stripped_names = no
                auth = yes
                auth_badpass = no
                auth_goodpass = no
        }
        security {
                max_attributes = 200
                reject_delay = 1
                status_server = yes
        }
}
client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = 123456
        nastype = other
}
client 192.168.0.0/16 {
        require_message_authenticator = no
        secret = 123456
        shortname = 123456
}
radiusd: Loading Realms and Home Servers
proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
}
home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = auth
        secret = testing123
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = status-server
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
}
home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
}
realm example.com
RE: chap authentication and freeradius
Thanks users! My problem was that I never configured the file in sites-enabled called default!!! Very very thanks

From: litlle_cra...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: chap authentication and freeradius
Date: Mon, 2 Feb 2009 13:26:10 -0200

> Hi users!! Here I post my freeradius -X
> [...]
Re: invalid Message-Authenticator! (Shared secret is incorrect.)
t...@kalik.net wrote:
>> Could it be the problem?: radius server is in 10.10.10.0/24 and the nas is in the 192.168.1.1/27, the packets bridged, the nas can ping the radius server... can the different mask be a problem?
>
> No. Shared secret is wrong. Have you retyped it both on radius server and on the NAS?

I checked a lot of time but 12345 = 12345 :)

>> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>
> The only other possibility is a broken operating system (crypto libraries are corrupted). But in 99.99% of cases, problem is different shared secret.

I think the problem is in the AP (NAS), not in the radius. Sorry, no more questions about it. I think the CISCO 861 router (new) has some problem. I just want to know. Now I try to find the 0.01%.

Thank you
Gabor

> Ivan Kalik
Re: invalid Message-Authenticator! (Shared secret is incorrect.)
Hegedus Gabor wrote:
> t...@kalik.net wrote:
>>> Could it be the problem?: radius server is in 10.10.10.0/24 and the nas is in the 192.168.1.1/27, the packets bridged, the nas can ping the radius server... can the different mask be a problem?
>>
>> No. Shared secret is wrong. Have you retyped it both on radius server and on the NAS?
>
> I checked a lot of time but 12345 = 12345 :)

Don't you mean test = test ?

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
radius web management
Has someone installed dialup admin or daloradius?? I have installed dialup admin, but my problem is that it does not list the connected users. Which is the best?? And does someone have an install guide for each of them?
Re: [UKLAN] feature request
Hans-Peter Fuchs wrote:
> Hello Alan,
> freeradius-2.1.1 created the socket with 'radiusd' as owner and freeradius-2.1.3 throws error:
> Error: We do not own /var/run/radiusd/radius1.sock
> because it created it with owner root.

This is a bug in 2.1.3 that will be fixed in 2.1.4.

Alan DeKok.
Re: invalid Message-Authenticator! (Shared secret is incorrect.)
Hegedus Gabor wrote:
> Hi
> I have a problem: I get this message
> *invalid Message-Authenticator! (Shared secret is incorrect.) *
> But I checked the key and it equals.

The shared secret is wrong.

> What is the problem?
> clients.conf:
> client 192.168.1.10 {
> secret = test shortname=blablabla
> }

Why are you putting two configurations on the same line? This isn't C programming, where statements are separated by ';'

Alan DeKok.
RE: radius web management
Did you manage to configure Daloradius?? Because I have this error when I try to login:

Database connection error
Error Message: DB Error: connect failed
Debug: [nativecode=Access denied for user 'root'@'localhost' (using password: NO)] ** mysql://root:@127.0.0.1/radius

Date: Mon, 2 Feb 2009 19:56:27 +0100
Subject: Re: radius web management
From: meshkr...@gmail.com
To: freeradius-users@lists.freeradius.org

> for me daloradius, if you can spend some money you may go with radmanager (~ 99eur)
>
> 2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com
>> Has someone installed dialup admin or daloradius?? I have installed dialup admin, but my problem is that it does not list the connected users. Which is the best?? And does someone have an install guide for each of them?
Re: radius web management
You need to learn basic things before you proceed with installation. Choose two words from your error message and google. You'll see that your username/pass combination is not correct for your database. This doesn't have anything to do with the FR user list.

Mr Little Crazzy wrote:
> Did you manage to configure Daloradius?? Because I have this error when I try to login:
>
> *Database connection error*
> *Error Message*: DB Error: connect failed
> *Debug*: [nativecode=Access denied for user 'root'@'localhost' (using password: NO)] ** mysql://root:@127.0.0.1/radius
>
> Date: Mon, 2 Feb 2009 19:56:27 +0100
> Subject: Re: radius web management
> From: meshkr...@gmail.com
> To: freeradius-users@lists.freeradius.org
>
>> for me daloradius, if you can spend some money you may go with radmanager (~ 99eur)
>>
>> 2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com mailto:litlle_cra...@hotmail.com
>>> Has someone installed dialup admin or daloradius?? I have installed dialup admin, but my problem is that it does not list the connected users. Which is the best?? And does someone have an install guide for each of them?
RE: radius web management
> Did you manage to configure Daloradius?? Because I have this error when I try to login:
>
> Database connection error
> Error Message: DB Error: connect failed
> Debug: [nativecode=Access denied for user 'root'@'localhost' (using password: NO)] ** mysql://root:@127.0.0.1/radius

Why don't you ask this on the daloradius forum? It is highly unlikely that you are supposed to connect to the database as root.

Ivan Kalik
Kalik Informatika ISP
Re: Cannot get value of config item with \
> I'd like to check if a request that I received from a radius server will be proxied back to that same server resulting in a proxy loop. The way I see things there is no other way to find out to which server the request will be proxied to.

Create a table proxy with information from proxy.conf. Use unlang to see if proxy IP matches Client-IP-Address from the request and reject if it does.

Ivan Kalik
Kalik Informatika ISP
Re: mschapv2 can't get connected
saman saman wrote:
> Hi..Can anyone help me. I can't get client connect to radius server. Any suggestion on how to fix it..appreciated. Here the radius output:
...
>         EAP-Message = 0x0101000501

Your supplicant is sending an empty identity. This isn't permitted.

Alan DeKok.
Re: Cannot get value of config item with \\
On Monday 02.02.2009 10:37:59 Alan DeKok wrote:
> Matej Vadnjal wrote:
>> I'm having trouble getting the value of auth_pool of a realm. Realms are defined as regular expressions matched by suffix module against the domain portion of users username.
>
> Ok... *why* are you doing that?
>
>> if (%{config:realm[%{Realm}].auth_pool} =~ /%{client-shortname}/i) {
>>         reject
>> }
>
> That's odd. What do you think that configuration does, and why do you want it to do that?

I have a server that receives requests from radius servers and forwards them to other radius servers (we are a national top-level radius for eduroam project). I'd like to check if a request that I received from a radius server will be proxied back to that same server resulting in a proxy loop. The way I see things there is no other way to find out to which server the request will be proxied to. My idea is that if I keep the names of servers in clients.conf and server pools in proxy.conf similar enough, I could compare them with a regexp and if they match reject the request, preventing a loop.

>> Is this a bug or a safety feature (preventing some sort of injection attacks)? I tried all sorts of combination of single quotes, double quotes, no quotes, but to no avail.
>
> Escaping characters is a security feature.

As I suspected. However in my case the value of Realm variable is one of predefined values in proxy.conf and not supplied by users.

Regards,
Matej Vadnjal
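The loop check Ivan Kalik suggests in this thread (compare the proxy destination's IP with the request's Client-IP-Address and reject on a match) written out in Python as an added example; it is not FreeRADIUS code and not the unlang/SQL a real deployment would use. The proxy.conf excerpt is constructed here with RFC 5737 documentation addresses and a placeholder secret, and the parser only understands one level of `section name { key = value }` blocks, which is all this check needs.

```python
"""Detect a proxy loop: would the realm's auth_pool send the request back to the
server it came from?  Added example, not part of FreeRADIUS; the proxy.conf
excerpt below is constructed for the demonstration."""
import re

# Constructed proxy.conf excerpt (RFC 5737 addresses, placeholder secret).
SAMPLE_PROXY_CONF = """
home_server partner-idp {
        ipaddr = 192.0.2.10
        port = 1812
        type = auth
        secret = placeholder-secret     # placeholder, not a real value
}
home_server partner-backup {
        ipaddr = 192.0.2.11
        type = auth
        secret = placeholder-secret
}
home_server_pool partner_pool {
        type = fail-over
        home_server = partner-idp
        home_server = partner-backup
}
realm partner.example {
        auth_pool = partner_pool
}
"""


def parse_proxy_conf(text):
    """Return a list of (section_type, name, [(key, value), ...]) for one-level blocks."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        opened = re.match(r"^(\w+)\s+(\S+)\s*\{$", line)
        if opened:
            current = (opened.group(1), opened.group(2), [])
        elif line == "}":
            if current is not None:
                sections.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[2].append((key, value))
    return sections


def destinations_for_realm(sections, realm):
    """IP addresses of every home server in the realm's auth_pool (empty if unknown)."""
    ip_of = {name: dict(items).get("ipaddr")
             for kind, name, items in sections if kind == "home_server"}
    members = {name: [v for k, v in items if k == "home_server"]
               for kind, name, items in sections if kind == "home_server_pool"}
    for kind, name, items in sections:
        if kind == "realm" and name == realm:
            pool = dict(items).get("auth_pool")
            return [ip_of[m] for m in members.get(pool, []) if m in ip_of]
    return []


def would_loop(sections, realm, client_ip):
    """True when the request's source (Client-IP-Address) is also one of its proxy destinations."""
    return client_ip in destinations_for_realm(sections, realm)


if __name__ == "__main__":
    sections = parse_proxy_conf(SAMPLE_PROXY_CONF)
    for src in ("192.0.2.10", "198.51.100.7"):
        print(src, "->", "reject (loop)" if would_loop(sections, "partner.example", src) else "proxy")
```

Matching on the resolved IP address rather than on naming conventions between clients.conf and proxy.conf avoids the regexp comparison the thread was struggling with, and it needs no escaping of user-controlled data because the realm name only selects a row in data the administrator wrote.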
Re: invalid Message-Authenticator! (Shared secret is incorrect.)
Hegedus Gabor wrote:
> Could it be the problem?: radius server is in 10.10.10.0/24 and the nas is in the 192.168.1.1/27, the packets bridged, the nas can ping the radius server... can the different mask be a problem?

Perhaps you should believe the answers on this list.

> and when I try authenticate for NAS (console), the radius rejects because
> rad_recv: Access-Request packet from host 192.168.1.10 port 1645, id=43, length=78
>         NAS-IP-Address = 192.168.1.10
>         NAS-Port-Type = Async
>         User-Name = test
>         User-Password = \335\333TmZî Łx\273\367G\241\350\263\026

(a) the shared secret is wrong
(b) the MD5 libraries are completely broken.

Choose one. Choosing *another* option means that you are not interested in getting help from this list.

> what is this password \335\333TmZî Łx\273\367G\241\350\263\026 I don't understand, it tells check the shared secret but it is good

It means that the shared secret is wrong.

Alan DeKok.
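Both symptoms in this thread, the "invalid Message-Authenticator!" error and the unprintable User-Password in the debug output, come from the same place: the Message-Authenticator is an HMAC-MD5 keyed with the shared secret (RFC 2869 section 5.14), and User-Password is hidden by XORing it with MD5(secret || Request Authenticator) chains (RFC 2865 section 5.2). The following is an added example, not FreeRADIUS code, that builds a constructed Access-Request with the thread's secret `test` and NAS address 192.168.1.10, then checks it the way a server would with the right secret and with a mismatched one (`12345` here, chosen from the thread's "12345 = 12345" remark); the fixed Request Authenticator and the identifier are constructed for reproducibility.

```python
"""What the server recomputes from the shared secret on an Access-Request:
the Message-Authenticator HMAC and the hidden User-Password.  Added example
with constructed packets; nothing here is taken from a capture."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(atype, value):
    """Encode one RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("BB", atype, len(value) + 2) + value


def hide_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_user_password(hidden, secret, authenticator):
    """Inverse of hide_user_password; with the wrong secret the result is garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, authenticator, secret, username, password, nas_ip):
    """Access-Request whose Message-Authenticator is HMAC-MD5 over the whole packet
    with the attribute's own 16 value bytes zeroed (RFC 2869 5.14)."""
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_user_password(password, secret, authenticator))
    attrs += attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    mac_value_offset = 20 + len(attrs) + 2        # 20-byte header, then the attribute header
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:mac_value_offset] + mac + packet[mac_value_offset + 16:]


def find_attr(packet, wanted):
    """Return (value_offset, value) of the first attribute of type `wanted`, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:                      # a malformed length would otherwise loop forever
            return None
        if atype == wanted:
            return pos + 2, packet[pos + 2:pos + alen]
        pos += alen
    return None


def check_with_secret(packet, secret):
    """Server-side view: (message_authenticator_ok, revealed User-Password)."""
    authenticator = packet[4:20]
    ok = False
    hit = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if hit and len(hit[1]) == 16:
        off, received = hit
        zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        ok = hmac.compare_digest(received, expected)
    hidden = find_attr(packet, ATTR_USER_PASSWORD)
    password = reveal_user_password(hidden[1], secret, authenticator) if hidden else b""
    return ok, password


def is_printable(data):
    return all(32 <= b < 127 for b in data)


if __name__ == "__main__":
    ra = bytes(range(16))                 # constructed Request Authenticator, fixed for reproducibility
    pkt = build_access_request(43, ra, b"test", b"test", b"test", "192.168.1.10")
    for secret in (b"test", b"12345"):    # configured secret, then a constructed mismatch
        ok, pw = check_with_secret(pkt, secret)
        print(secret, "Message-Authenticator ok:", ok, "User-Password:", pw, "printable:", is_printable(pw))
```

With the matching secret the HMAC verifies and the password comes back as `test`; with any other secret the HMAC check fails (the server's "Shared secret is incorrect" message) and the revealed password is the kind of byte salad shown in the debug output above. The mask and network layout play no part in either computation, which is why the /24 versus /27 question in the thread cannot be the cause.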
Re: IP-Assignment with sqlippool based on nas-ip-address
> I'm afraid, but this won't work in my environment. I will need a different subnetmask.

Can you explain why you think 255.255.255.255 netmask won't work for you. Do you know how that netmask works?

Ivan Kalik
Kalik Informatika ISP
Re: Cannot get value of config item with \\
Matej Vadnjal wrote:
> I'm having trouble getting the value of auth_pool of a realm. Realms are defined as regular expressions matched by suffix module against the domain portion of users username.

Ok... *why* are you doing that?

> if (%{config:realm[%{Realm}].auth_pool} =~ /%{client-shortname}/i) {
>         reject
> }

That's odd. What do you think that configuration does, and why do you want it to do that?

> Is this a bug or a safety feature (preventing some sort of injection attacks)? I tried all sorts of combination of single quotes, double quotes, no quotes, but to no avail.

Escaping characters is a security feature.

Alan DeKok.
RE: chap authentication and freeradius
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [chap] Setting 'Auth-Type := CHAP'
> ++[chap] returns ok
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = ale, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 172
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> ..
> What is wrong ???

Your data is in the database and sql isn't enabled in the configuration. Enable sql in default virtual server (raddb/sites-enabled/default).

Ivan Kalik
Kalik Informatika ISP
Re: radius web management
for me daloradius, if you can spend some money you may go with radmanager (~ 99eur)

2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com
> Has someone installed dialup admin or daloradius?? I have installed dialup admin, but my problem is that it does not list the connected users. Which is the best?? And does someone have an install guide for each of them?
invalid Message-Authenticator! (Shared secret is incorrect.)
Hi
I have a problem: I get this message
*invalid Message-Authenticator! (Shared secret is incorrect.) *
But I checked the key and it equals.
What is the problem?
clients.conf:
client 192.168.1.10 {
secret = test shortname=blablabla
}
thx
Re: chap authentication and freeradius
Hi,

> What is wrong ???

well, the debug clearly shows these lines:

[chap] login attempt by ale with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Login incorrect (rlm_chap: Clear text password not available): [ale] (from client 123456 port 0)

so - how have you defined the user 'ale'? where is their password stored and how have you stored it (ie what attribute did you give it?) in the most basic of cases i'd expect to see some reply like 'ale is in my users file and the entry looks like

ale     Cleartext-Password := some_random_password'

alan
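Why rlm_chap insists on Cleartext-Password, shown as an added example rather than code from the thread or from FreeRADIUS: the NAS sends CHAP-Password as the CHAP identifier followed by MD5(identifier || password || challenge) (RFC 1994, carried in RADIUS per RFC 2865 section 5.3), so the server can only recompute and compare that hash if it holds the cleartext; a crypt or SHA hash of the password is useless here. The user name `ale` and the password `some_random_password` are the ones from the users-file line above; the CHAP identifier, challenge and Request Authenticator are constructed. The example also covers the edge case RFC 2865 spells out: the challenge is the CHAP-Challenge attribute when present and the Request Authenticator otherwise.

```python
"""CHAP verification as a RADIUS server must do it (RFC 1994 / RFC 2865 5.3).
Added example with constructed values; not FreeRADIUS code."""
import hashlib
import hmac
import os

ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60


def chap_response(ident, cleartext_password, challenge):
    """What the NAS puts in CHAP-Password: 1 byte CHAP ident + 16 byte MD5 digest."""
    digest = hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()
    return bytes([ident]) + digest


def chap_challenge(attrs, request_authenticator):
    """RFC 2865 5.3: use CHAP-Challenge if present, otherwise the Request Authenticator."""
    return attrs.get(ATTR_CHAP_CHALLENGE, request_authenticator)


def verify_chap(attrs, request_authenticator, stored):
    """True if CHAP-Password matches.  `stored` is the user's credential record;
    only a cleartext password can be checked, which is exactly what
    rlm_chap's 'Cleartext-Password is required for authentication' says."""
    cleartext = stored.get("Cleartext-Password")
    if cleartext is None:
        return False                      # hashed storage cannot be verified against CHAP
    chap_password = attrs.get(ATTR_CHAP_PASSWORD)
    if chap_password is None or len(chap_password) != 17:
        return False                      # ident + 16-byte digest, nothing else is valid
    ident = chap_password[0]
    challenge = chap_challenge(attrs, request_authenticator)
    expected = hashlib.md5(bytes([ident]) + cleartext + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def make_request(ident, password, challenge=None, request_authenticator=None):
    """Constructed Access-Request attributes as a dict; CHAP-Challenge is optional."""
    ra = request_authenticator or os.urandom(16)
    attrs = {ATTR_CHAP_PASSWORD: chap_response(ident, password, challenge or ra)}
    if challenge is not None:
        attrs[ATTR_CHAP_CHALLENGE] = challenge
    return attrs, ra


if __name__ == "__main__":
    attrs, ra = make_request(7, b"some_random_password")
    print("cleartext stored:", verify_chap(attrs, ra, {"Cleartext-Password": b"some_random_password"}))
    print("only a hash stored:", verify_chap(attrs, ra, {"Crypt-Password": b"$placeholder$"}))
```

The second print line is the situation in the thread: with the user's password available only in a form the server cannot reverse, or not available at all because the sql module was never enabled, there is nothing to hash against and the login is rejected.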
Re: tag support in Free Radius
Marlon Duksa wrote:
> Hi - does anyone know how to send tagged attributes from FreeRadius. I'm including the tag number with a colon after the attribute but not sure if this is correct (the last two attributes):
>
> DEFAULT User-Name =~ ([a-z]+):([0-9]+)[^a-z]+([a-z]+):([0-9]+)$, Auth-Type := Local, User-Password == usrpass

Don't set Auth-Type. Use Cleartext-Password :=... , not User-Password ==. See the FAQ for an example.

>         Framed-Pool := 4,
>         ERX-Ingress-Policy-Name := ingressFilter,
>         ERX-Egress-Policy-Name := egressFilter,
>         ERX-CoS-Parameter-Type:1 = basic_sch,
>         ERX-CoS-Parameter-Type:2 += 8m

That should work.

> And this is how the attribute is defined in dictionary:
> ATTRIBUTE ERX-CoS-Parameter-Type 108 string has_tag

Quoting the dictionaries doesn't help. Do you think we don't have access to them?

> Feb 1 07:41:38 parse_tag_based_vsa: Tag based VSA contains the wrong Tag-character

Show a TCPdump or wireshark packet capture. Also, are you sure you're using the latest version of the server? If not, upgrade.

Alan DeKok.
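What `ERX-CoS-Parameter-Type:1 = basic_sch` turns into on the wire, as an added example that is not from the thread or from FreeRADIUS: the attribute travels inside a Vendor-Specific attribute (RFC 2865 section 5.26) and, because the dictionary marks it `has_tag`, the first octet of the vendor string is the tag (RFC 2868 section 3.3), which must lie in 0x01..0x1F; a first octet above 0x1F is by the RFC not a tag but the first character of the string. Attribute number 108 is from the dictionary line quoted above; the vendor id 4874 is assumed to be the ERX vendor from the FreeRADIUS dictionary. Having an encoder and a strict decoder side by side is what lets you compare a capture against the expected bytes when the server reports a wrong tag character.

```python
"""Encode and decode a tagged vendor-specific string attribute (RFC 2865 5.26,
RFC 2868 3.3).  Added example; vendor id is an assumption, see the lead-in."""
import struct

ATTR_VENDOR_SPECIFIC = 26
ERX_VENDOR_ID = 4874            # assumption: ERX vendor id from dictionary.erx
ERX_COS_PARAMETER_TYPE = 108    # from the dictionary line quoted in the thread
MAX_TAG = 0x1F                  # RFC 2868: valid tags are 0x01..0x1F, 0x00 means unused


def encode_tagged_vsa(vendor_id, vendor_type, tag, value):
    """Attribute 26 wrapper: Vendor-Id (4 bytes) + vendor type/length + tag + string."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag %d outside 0x00..0x1F" % tag)
    inner = bytes([tag]) + value
    if len(inner) > 253 - 6:    # the VSA wrapper spends 6 of the 253 value bytes
        raise ValueError("value too long for a single attribute")
    vendor_attr = struct.pack("BB", vendor_type, len(inner) + 2) + inner
    body = struct.pack("!I", vendor_id) + vendor_attr
    return struct.pack("BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def decode_tagged_vsa(raw):
    """Return (vendor_id, vendor_type, tag, value) for a single tagged string VSA.
    A first octet above 0x1F is treated as string data, not as a tag (tag = 0)."""
    if len(raw) < 9:
        raise ValueError("too short for a Vendor-Specific attribute")
    atype, alen = raw[0], raw[1]
    if atype != ATTR_VENDOR_SPECIFIC or alen != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", raw[2:6])[0]
    vendor_type, vendor_len = raw[6], raw[7]
    if vendor_len != len(raw) - 6 or vendor_len < 3:
        raise ValueError("bad vendor attribute length")
    payload = raw[8:]
    if payload[0] > MAX_TAG:
        return vendor_id, vendor_type, 0, payload
    return vendor_id, vendor_type, payload[0], payload[1:]


if __name__ == "__main__":
    raw = encode_tagged_vsa(ERX_VENDOR_ID, ERX_COS_PARAMETER_TYPE, 1, b"basic_sch")
    print(raw.hex())
    print(decode_tagged_vsa(raw))
```

The decoder is deliberately strict about both length fields: a NAS that rejects a reply with "wrong Tag-character" is usually looking at exactly these bytes, so comparing the hex of what the server sent with what this encoder produces for the same tag and value pins down whether the tag octet, the length, or the dictionary definition is at fault.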
RE: chap authentication and freeradius
yes that was my problem! I posted it!

To: freeradius-users@lists.freeradius.org
Subject: RE: chap authentication and freeradius
Date: Mon, 2 Feb 2009 17:02:09 +0100
From: t...@kalik.net

>> +- entering group authorize {...}
>> [...]
>> What is wrong ???
>
> Your data is in the database and sql isn't enabled in the configuration. Enable sql in default virtual server (raddb/sites-enabled/default).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: invalid Message-Authenticator! (Shared secret is incorrect.)
> I think the problem is in the AP (NAS), not in the radius. Sorry, no more questions about it. I think the CISCO 861 router (new) has some problem.

I would seriously doubt that. Your server would be a much bigger suspect. It can't find openSSL either.

Ivan Kalik
Kalik Informatika ISP
Re: Installation Problem
Marcelo Freitas wrote:
> Hello everybody,
> I searched the archive but I couldn't find any other topic similar. Can someone help me with the installation of FreeRadius 2.1.3 on my Slackware box ?
...
> /home/other/freeradius-server-2.1.3/src/main/modules.c:1037: undefined reference to `lt__PROGRAM__LTX_preloaded_symbols'

Hmm... it looks like some weird libtool issue. I suggest deleting the entire source tree, and re-building from scratch.

What OS are you using?

Alan DeKok.
radmanager
Orion, do you have a link to radmanager?

Thanks ..
Mike
mschapv2 can't get connected
Hi. Can anyone help me? I can't get the client to connect to the radius server. Any suggestion on how to fix it would be appreciated. Here is the radius output:

Going to the next request
Waking up in 4.9 seconds.
User-Name = john
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = 00:30:1a:29:03:66
Calling-Station-Id = 00:1c:f0:10:56:b8
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 127.0.0.1
Connect-Info = CONNECT 11Mbps 802.11b
State = 0x2e2e1d922d2b04150913ca69285527e1
EAP-Message = 0x020500061900
Message-Authenticator = 0xf3ce12fbfc579d77238be586aeef433a
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = john, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
EAP-Message = 0x0106004f190028cf8fd6b39dddc11a23092d5ac5dbe80d40773189ee2e9a705859d3fcb1ccb0bec3b2d64f501fbac0a2e4d68161a9e646b9dc3e921d54190eaf26d9658df7f216030100040e00
Message-Authenticator = 0x
State = 0x2e2e1d922a2804150913ca69285527e1
Finished request 46.
Going to the next request
Waking up in 4.8 seconds.
User-Name = john
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = 00:30:1a:29:03:66
Calling-Station-Id = 00:1c:f0:10:56:b8
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 127.0.0.1
Connect-Info = CONNECT 11Mbps 802.11b
State = 0x2e2e1d922a2804150913ca69285527e1
EAP-Message = 0x4ba37822b0bd1a7ea0cb3b34da4a4f5241eeb3cf84d9d2d414030100010116030100203959736f3c912439ed32a1d40f8039184eceff7a3e7916103b2987864910a40a
Message-Authenticator = 0x7563893321cf7c546a720b6d7940d1bf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = john, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 6 length 253
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 310
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
EAP-Message = 0x01070031190014030100010116030100206f92b1c2416afc363cc61e8b8b6ca0629a5c9126eed17062e9579417bb5eb047
Message-Authenticator = 0x
State = 0x2e2e1d922b2904150913ca69285527e1
Finished request 47.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 42 ID 86 with timestamp +565
Cleaning up request 43 ID 88 with timestamp +565
Cleaning up request 44 ID 90 with timestamp +565
Cleaning up request 45 ID 92 with timestamp +565
Cleaning up request 46 ID 94 with timestamp +565
Cleaning up request 47 ID 96 with timestamp +565
Ready to process requests.
User-Name = john
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = 00:30:1a:29:03:66
Re: radius web managment
I doubt you've configured the database connection for daloradius. In its management folder, I think there's a file called daloradius.conf (if not, search for it); edit it with your database login details and radius DB name. I think it's all self-explanatory in the file.

2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com: Were you able to configure Daloradius? Because I get this error when I try to log in: Database connection error Error Message: DB Error: connect failed Debug: [nativecode=Access denied for user 'root'@'localhost' (using password: NO)] ** mysql://root:@127.0.0.1/radius

Date: Mon, 2 Feb 2009 19:56:27 +0100 Subject: Re: radius web managment From: meshkr...@gmail.com To: freeradius-users@lists.freeradius.org: For me daloradius; if you can spend some money you may go with radmanager (~99eur).

2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com: Has someone installed dialup admin or daloradius? I have installed dialup admin, but my problem is that it does not list the connected users. Which is the best? And does someone have an install guide for each one?
Re: invalid Message-Authenticator! (Shared secret is incorrect.)
Alan DeKok wrote:
Hegedus Gabor wrote:
Hi, I have a problem: I get this message *invalid Message-Authenticator! (Shared secret is incorrect.)* But I checked the key and it is equal.
The shared secret is wrong.
What is the problem? clients.conf: client 192.168.1.10 { secret = test shortname=blablabla }
Why are you putting two configurations on the same line? This isn't C programming, where statements are separated by ';'
Alan DeKok.

Sorry, there is an enter, but I just wrote it wrong...
client 192.168.1.10 {
secret = test
shortname=blablabla
}
Could this be the problem? The radius server is in 10.10.10.0/24 and the NAS is in 192.168.1.1/27; the packets are bridged and the NAS can ping the radius server... Can the different mask be a problem?
And when I try to authenticate from the NAS (console), the radius server rejects because:
ad_recv: Access-Request packet from host 192.168.1.10 port 1645, id=43, length=78
NAS-IP-Address = 192.168.1.10
NAS-Port-Type = Async
User-Name = test
User-Password = \335\333TmZî Łx\273\367G\241\350\263\026
NAS-Identifier = ***
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
...
Failed to authenticate the user.
Login incorrect: [test/\335\333TmZî?Łx\273\367G\241\350\263\026] (from client AP_wireless port 0)
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
What is this password \335\333TmZî Łx\273\367G\241\350\263\026? I don't understand; it tells me to check the shared secret, but it is good.
Thank you, Gabor
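Why a wrong shared secret shows up as a 16-byte unprintable "password": the NAS hides User-Password with an MD5(secret + Request Authenticator) keystream (RFC 2865, section 5.2) and the server unhides it with its own secret, so a mismatch turns every block into noise. This is an added illustration in Python, not code from the list or from FreeRADIUS; the authenticator and the secrets 'test' (NAS) and 'tset' (server) are constructed values.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16 (at least 16), then for each block
    c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse: the server rebuilds the keystream from *its* configured secret.
    With the wrong secret the keystream differs and every block decodes to junk."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")  # drop padding; assumes passwords contain no NUL


def has_unprintable(password: bytes) -> bool:
    """ASCII approximation of the check behind FreeRADIUS's
    'Unprintable characters in the password' warning."""
    return any(b < 0x20 or b > 0x7E for b in password)


def demo():
    # Constructed: fixed Request Authenticator; NAS uses 'test', server has 'tset'.
    authenticator = bytes(range(16))
    hidden = hide_password(b"test", b"test", authenticator)
    good = unhide_password(hidden, b"test", authenticator)
    bad = unhide_password(hidden, b"tset", authenticator)
    return good, bad, has_unprintable(bad)
```

The mismatched decode is exactly the kind of value the debug above prints as `\335\333TmZ...`: one 16-octet block of pseudo-random bytes, which is why the server points at the shared secret rather than at the user's password.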
Re: IP-Assignment with sqlippool based on nas-ip-address
That should happen only if IP allocation has expired (see lease-duration in sqlippool.conf). There is another allocate-find query that issues random IPs.

Hmmm, maybe there is another problem in my config. I tried two requests within ten seconds. Attached you'll find the debug. During the second request the first ip-address is freed and can be used again. The lease-duration has the standard value of 3600, so this can't be the reason. This is the table radippool after the second request:

+-----------+-----------------+--------------+---------------------+----------+----------+
| pool_name | framedipaddress | nasipaddress | expiry_time         | username | pool_key |
+-----------+-----------------+--------------+---------------------+----------+----------+
| poolUK    | 10.10.10.10     | 10.98.6.95   | 2009-02-02 10:14:32 | peter2   |          |
| poolUK    | 10.10.10.11     |              | 2009-02-02 09:14:31 |          | 0        |
+-----------+-----------------+--------------+---------------------+----------+----------+

You don't have a pool_key because you are doing radtest requests. A proper request will have NAS-Port or Calling-Station-Id as pool_key. With the updated queries user, nas *and* pool_key need to match for the IP to be released. The queries in the distribution don't have pool_key, so a double login will release the older IP.

Ivan Kalik
Kalik Informatika ISP
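An added simulation of the point Ivan makes, not FreeRADIUS's own sqlippool queries: on an in-memory SQLite copy of the radippool table above, a second login by the same user from the same NAS releases the first address when the clear query matches only user and NAS, but keeps both addresses when pool_key (NAS-Port here) must match as well; a radtest-style login with an empty pool_key still collides even under the strict query. The query text, the poolUK rows and the NAS-Port values are constructed.

```python
import sqlite3

# Constructed schema using the columns of the radippool dump in the thread.
SCHEMA = """CREATE TABLE radippool (
    pool_name TEXT, framedipaddress TEXT, nasipaddress TEXT DEFAULT '',
    expiry_time TEXT, username TEXT DEFAULT '', pool_key TEXT DEFAULT '')"""

# Constructed stand-ins for the clear step that runs before an allocation.
# The loose form matches only user and NAS; the strict form also needs pool_key.
CLEAR_LOOSE = """UPDATE radippool SET nasipaddress = '', username = '', pool_key = ''
    WHERE pool_name = ? AND username = ? AND nasipaddress = ?"""
CLEAR_STRICT = CLEAR_LOOSE + " AND pool_key = ?"
FIND_FREE = """SELECT framedipaddress FROM radippool
    WHERE pool_name = ? AND (nasipaddress = '' OR expiry_time < datetime('now'))
    ORDER BY framedipaddress LIMIT 1"""
ALLOCATE = """UPDATE radippool SET nasipaddress = ?, username = ?, pool_key = ?,
    expiry_time = datetime('now', '+3600 seconds') WHERE framedipaddress = ?"""


def fresh_pool():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)",
                     [("poolUK", "10.10.10.10"), ("poolUK", "10.10.10.11")])
    return conn


def login(conn, pool, user, nas, pool_key, strict):
    """Clear rows matching this session's key, then hand out the lowest free address."""
    params = (pool, user, nas) + ((pool_key,) if strict else ())
    conn.execute(CLEAR_STRICT if strict else CLEAR_LOOSE, params)
    row = conn.execute(FIND_FREE, (pool,)).fetchone()
    if row is None:
        return None  # pool exhausted
    conn.execute(ALLOCATE, (nas, user, pool_key, row[0]))
    return row[0]


def held_by(conn, user):
    return [r[0] for r in conn.execute(
        "SELECT framedipaddress FROM radippool WHERE username = ? ORDER BY 1", (user,))]


def double_login(strict, keys=("1", "2")):
    """Same user and NAS logging in twice with no Accounting-Stop in between;
    keys are the pool_key values (NAS-Port) carried by the two requests."""
    conn = fresh_pool()
    for key in keys:
        login(conn, "poolUK", "peter2", "10.98.6.95", key, strict)
    return held_by(conn, "peter2")
```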
Re: Cannot get value of config item with \\
Matej Vadnjal wrote:
On Monday 02.02.2009 10:37:59 Alan DeKok wrote:
I'd like to check if a request that I received from a radius server will be proxied back to that same server, resulting in a proxy loop.
Hmm... if a server proxies requests to you that it *should* have handled itself, it is seriously broken.
The way I see things, there is no other way to find out to which server the request will be proxied.
Put this in pre-proxy: if (Realm (%{home_server:ipaddr} == %{client:ipaddr})) { reject } That should work. And no, this isn't well documented.
My idea is that if I keep the names of servers in clients.conf and server pools in proxy.conf similar enough, I could compare them with a regexp and, if they match, reject the request, preventing a loop.
Just check IPs.
Alan DeKok.
Re: radmanager
Does anybody have a copy of Radius Manager or a download link? If you have one, please send it to me. Thanks, Gunza

--- On Mon, 2/2/09, Mike Strider mstri...@atmc.net wrote:
From: Mike Strider mstri...@atmc.net
Subject: radmanager
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org
Date: Monday, February 2, 2009, 11:30 AM
Orion, do you have a link to radmanager? Thanks, Mike
Re: Cannot get value of config item with \\
On Monday 02.02.2009 12:37:09 Alan DeKok wrote:
Hmm... if a server proxies requests to you that it *should* have handled itself, it is seriously broken.
It also happens when users mistype their user names. Suppose you have a user: u...@a.orga.tld. orgA has a radius server that proxies requests for realm a.orgA.tld to another server, but all other requests go to the upstream server (us). If our user mistypes their user name as u...@b.orga.tld, radius at orgA forwards that request to our server, but we see this as realm *.orgA.tld (orgA has a lot of sub-domains; we don't want to define all of them separately), so we send the request back to them.
Put this in pre-proxy: if (Realm (%{home_server:ipaddr} == %{client:ipaddr})) { reject } That should work. And no, this isn't well documented.
Great. I did not know about %{home_server:ipaddr}. However, there are still two issues:
- %{client:ipaddr} does not expand to anything on my end, but Client-IP-Address works.
- If I reject in pre-proxy my server crashes. No error message or anything, it just exits (see attached debug). Is this a bug? I'm using version 2.1.0.

Regards
Matej Vadnjal
ARNES

rad_recv: Access-Request packet from host 10.0.99.110 port 1814, id=200, length=94
User-Name = @primer.si
Message-Authenticator = 0xc683a697de2b17b81dbad41e7c5bb471
EAP-Message = 0x0202000f01407072696d65722e7369
NAS-IP-Address = 10.0.99.13
NAS-Identifier = 010.000.099.013
Proxy-State = 0x3134
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm primer.si for User-Name = @primer.si
[suffix] Found realm ~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$
[suffix] Adding Realm = ~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$
[suffix] Proxying request from user to realm ~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$
[suffix] Preparing to proxy authentication request to realm ~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$
++[suffix] returns updated
expand: %{User-Name} - @primer.si
[files] users: Matched entry DEFAULT at line 10
++[files] returns ok
+- entering group pre-proxy {...}
++? if (Realm (%{home_server:ipaddr} == %{Client-IP-Address}))
? Evaluating (Realm ) - TRUE
expand: %{home_server:ipaddr} - 10.0.99.110
expand: %{Client-IP-Address} - 10.0.99.110
? Evaluating (%{home_server:ipaddr} == %{Client-IP-Address}) - TRUE
++? if (Realm (%{home_server:ipaddr} == %{Client-IP-Address})) - TRUE
++- entering if (Realm (%{home_server:ipaddr} == %{Client-IP-Address})) {...}
+++[reject] returns reject
++- if (Realm (%{home_server:ipaddr} == %{Client-IP-Address})) returns reject
There was no response configured: rejecting request 0
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} - @primer.si
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
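An added model in Python (not code from the thread or from FreeRADIUS) of the loop Matej describes and the pre-proxy check Alan suggests: the realm is taken from the text after the last '@' as the suffix module does, looked up in a proxy.conf-style table where a leading '~' marks a regex (the same convention as the debug output above), and the request is rejected when the chosen home server is the very client that sent it. The realm table, the IP addresses and the orgA scenario are constructed; case-insensitive realm matching is an assumption of the example.

```python
import re
from typing import List, Optional


class Realm:
    """One proxy.conf-style realm: a plain name, or a regex when prefixed with '~'."""

    def __init__(self, name: str, home_server_ip: str):
        self.name, self.home_server_ip = name, home_server_ip

    def matches(self, realm: str) -> bool:
        if self.name.startswith("~"):
            return re.match(self.name[1:], realm, re.IGNORECASE) is not None
        return self.name.lower() == realm.lower()


def split_realm(user_name: str) -> Optional[str]:
    """What the 'suffix' module does: the text after the last '@', else realm NULL."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else None


def find_home_server(user_name: str, realms: List[Realm]) -> Optional[str]:
    realm = split_realm(user_name)
    if realm is None:
        return None
    for entry in realms:
        if entry.matches(realm):
            return entry.home_server_ip
    return None


def pre_proxy_decision(client_ip: str, user_name: str, realms: List[Realm]) -> str:
    """'local' when no realm matched, 'reject' when the home server is the client
    that sent us the request (the loop the pre-proxy check catches), else 'proxy'."""
    home = find_home_server(user_name, realms)
    if home is None:
        return "local"
    return "reject" if home == client_ip else "proxy"


# Constructed realm table: anything under orga.tld goes back to orgA's server,
# which is also the client that forwards orgA's unmatched requests to us.
ORGA_SERVER = "10.0.99.110"
REALMS = [
    Realm(r"~^(.*\.)?orga\.tld$", ORGA_SERVER),
    Realm(r"~^(idp\.primer\.si|.*\.idp\.primer\.si|primer\.si)$", "10.0.99.120"),
]
```

A mistyped b.orga.tld arriving from ORGA_SERVER is the case that would otherwise bounce between the two servers; the same realm from any other client is proxied normally.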
Re: Certificate Provisioning for EAP-TLS Networks
There are other solutions around as well to distribute and manage client-side certificates. Not cheap, but they do exist. //anders
Re: Cannot get value of config item with \\
Matej Vadnjal wrote:
Great. I did not know about %{home_server:ipaddr}. However, there are still two issues:
- %{client:ipaddr} does not expand to anything on my end, but Client-IP-Address works.
If %{client:ipaddr} doesn't work, it's because there's no ipaddr entry in the relevant client section.
- If I reject in pre-proxy my server crashes. No error message or anything, it just exits (see attached debug). Is this a bug? I'm using version 2.1.0.
That would be a bug. My first suggestion would be to upgrade rather than trying to track down what's going wrong.
Alan DeKok.