Re: Login to Cisco devices through freeradius
Bruno Noronha wrote:
> I issued chmod 777 * in every directory related to freeradius.

Don't do that. Ever.

The server comes with a default configuration that WORKS. The only reason that it doesn't have permission to read those files is because YOU changed the configuration so that the server doesn't have permission.

Why are so many people insistent on breaking the working configuration? Where else do we need to document DON'T BREAK IT ?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP ntPassword and lmPassword help
Padam J Singh wrote:
> I have a LDAP server which contains ntPassword and lmPassword attributes like following:
> ...
> lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE
> ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67

Ugh.

> FR 2.1.1 is configured for doing 802.1x authentication. While doing the authentication, I obviously get Invalid NT-Password and Invalid LM-Password error. The error stems from the fact that the length is incorrect because of the additional {ENC} prefix. Is there some configuration where I can set something so it ignores the initial {ENC} while doing the password comparison?

Edit raddb/dictionary. Add a new string attribute (the dictionary format is name, number, type):

    # holds the raw LDAP value, {ENC} prefix included
    ATTRIBUTE   ENC-NT-Password   3000   string

Edit raddb/ldap.attrmap. Delete the entries containing LM-Password.

Edit raddb/ldap.attrmap. Find the entries containing NT-Password, and change them to ENC-NT-Password.

Edit raddb/sites-available/default (I presume you're running a recent version of the server...). Look for the authorize section. In it, look for the ldap module. Change it to:

    authorize {
        ...
        ldap    # leave this here

        # the whole "if" condition goes on one line
        if (control:ENC-NT-Password && (control:ENC-NT-Password =~ /{ENC}(.*)/)) {
            # copy the captured hex digits, without the prefix, into NT-Password
            update control {
                NT-Password := %{1}
            }
        }
        ...
    }

That should work.

Alan DeKok.
can the modules cause 'Exiting normally'?
I wrote a module much like rlm_sql. I test radius with the shell script below; the auth_test file contains 8000 users.

---
    #!/bin/bash
    i=0
    while true
    do
        date
        time ../radclient -p 16 -q -s -f auth_test 127.0.0.1:1812 auth xx
        i=`expr $i \+ 1`
        echo $i
    done
---

After xk or 1xk test cycles, radius can exit with 'Exiting normally' and no detail in the log. What is wrong?

The test shell echoes:

    3872
    Fri Mar 20 09:01:09 CST 2009
    Total approved auths: 8000
    Total denied auths: 0
    Total lost auths: 0

    real    0m3.344s
    user    0m0.793s
    sys     0m1.245s
    3873
    Fri Mar 20 09:01:12 CST 2009
    Total approved auths: 8000
    Total denied auths: 0
    Total lost auths: 0

    real    0m3.352s
    user    0m0.778s
    sys     0m1.266s
    3874
    Fri Mar 20 09:01:16 CST 2009
    Total approved auths: 8000
    Total denied auths: 0
    Total lost auths: 0

    real    0m3.359s
    user    0m0.764s
    sys     0m1.277s
    3875
    Fri Mar 20 09:01:19 CST 2009
    radclient: no response from server for ID 195 socket 3
    Total approved auths: 7999
    Total denied auths: 0
    Total lost auths: 1

    real    0m20.599s
    user    0m0.836s
    sys     0m1.477s
    3876
    Fri Mar 20 09:01:40 CST 2009
    radclient: no response from server for ID 46 socket 3
    radclient: no response from server for ID 162 socket 3
    radclient: no response from server for ID 132 socket 3
    radclient: no response from server for ID 81 socket 3
    ...
---

The radius log shows:

    Fri Mar 20 08:58:03 2009 : Error: Discarding conflicting packet from client localhost port 55746 - ID: 32 due to recent request 30648083.
    Fri Mar 20 08:58:57 2009 : Error: Discarding conflicting packet from client localhost port 54935 - ID: 39 due to recent request 30759434.
    Fri Mar 20 08:59:09 2009 : Error: Discarding conflicting packet from client localhost port 60967 - ID: 103 due to recent request 30770305.
    Fri Mar 20 08:59:43 2009 : Error: Discarding conflicting packet from client localhost port 58098 - ID: 131 due to recent request 30839295.
    Fri Mar 20 09:00:00 2009 : Error: Discarding conflicting packet from client localhost port 55258 - ID: 182 due to recent request 30862096.
    Fri Mar 20 09:00:14 2009 : Error: Discarding conflicting packet from client localhost port 42660 - ID: 47 due to recent request 30880046.
    Fri Mar 20 09:00:44 2009 : Error: Discarding conflicting packet from client localhost port 53858 - ID: 222 due to recent request 30932873.
    Fri Mar 20 09:01:22 2009 : Error: Discarding conflicting packet from client localhost port 44717 - ID: 195 due to recent request 31006705.
    Fri Mar 20 09:01:24 2009 : Info: Exiting normally.

radiusd.conf:

    thread pool {
        start_servers = 8
        max_servers = 64
        min_spare_servers = 4
        max_spare_servers = 12
        max_requests_per_server = 0
    }
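Added example (Python, mine, not from the post): the two outputs above carry the same RADIUS ID 195, once in the radclient cycle that lost a request and once in the server's 'Discarding conflicting packet' line three seconds later. This block parses excerpts copied from the post, pairs each ID radclient gave up on with a server-side discard of the same ID inside a short window, and measures how long after the last discard the 'Exiting normally' line appeared. The 30-second window is an assumption chosen to cover radclient's retry time.

```python
import re
from datetime import datetime, timedelta

# Excerpts copied from the post above: the radclient loop output and the
# server log around the last cycle before the server exited.
RADCLIENT_OUT = """\
3874
Fri Mar 20 09:01:16 CST 2009
Total approved auths: 8000
Total denied auths: 0
Total lost auths: 0
3875
Fri Mar 20 09:01:19 CST 2009
radclient: no response from server for ID 195 socket 3
Total approved auths: 7999
Total denied auths: 0
Total lost auths: 1
"""

SERVER_LOG = """\
Fri Mar 20 09:00:44 2009 : Error: Discarding conflicting packet from client localhost port 53858 - ID: 222 due to recent request 30932873.
Fri Mar 20 09:01:22 2009 : Error: Discarding conflicting packet from client localhost port 44717 - ID: 195 due to recent request 31006705.
Fri Mar 20 09:01:24 2009 : Info: Exiting normally.
"""

# Matches both "Fri Mar 20 09:01:19 CST 2009" (date(1)) and
# "Fri Mar 20 09:01:22 2009" (server log); the zone token is skipped, not parsed.
_TS = re.compile(r"^\w{3} (\w{3}) +(\d+) (\d\d:\d\d:\d\d) (?:[A-Z]{3,4} )?(\d{4})$")
_CONFLICT = re.compile(
    r"Discarding conflicting packet from client (\S+) port (\d+) - ID: (\d+) due to recent request (\d+)")
_LOST = re.compile(r"no response from server for ID (\d+) socket (\d+)")


def parse_ts(text):
    m = _TS.match(text.strip())
    if not m:
        return None
    mon, day, hms, year = m.groups()
    return datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")


def parse_server_log(text):
    """Extract 'Discarding conflicting packet' errors and server exit lines."""
    events = []
    for line in text.splitlines():
        ts_part, _, rest = line.partition(" : ")
        ts = parse_ts(ts_part)
        if ts is None:
            continue
        m = _CONFLICT.search(rest)
        if m:
            events.append({"time": ts, "kind": "conflict", "client": m.group(1),
                           "port": int(m.group(2)), "id": int(m.group(3)),
                           "request": int(m.group(4))})
        elif "Exiting normally" in rest:
            events.append({"time": ts, "kind": "exit"})
    return events


def parse_radclient(text):
    """Group the loop output into cycles: the echoed counter, the date line
    that follows it, and any 'no response' IDs reported in that cycle."""
    cycles = []
    for line in text.splitlines():
        line = line.strip()
        if line.isdigit():
            cycles.append({"cycle": int(line), "start": None, "lost": []})
            continue
        if not cycles:
            continue
        ts = parse_ts(line)
        if ts is not None and cycles[-1]["start"] is None:
            cycles[-1]["start"] = ts
            continue
        m = _LOST.search(line)
        if m:
            cycles[-1]["lost"].append(int(m.group(1)))
    return cycles


def correlate(cycles, events, window=timedelta(seconds=30)):
    """Pair each ID radclient gave up on with a server-side discard of the same
    RADIUS ID logged within `window` after that cycle started."""
    hits = []
    for cyc in cycles:
        if cyc["start"] is None:
            continue
        for lost_id in cyc["lost"]:
            for ev in events:
                if ev["kind"] != "conflict" or ev["id"] != lost_id:
                    continue
                delta = ev["time"] - cyc["start"]
                if timedelta(0) <= delta <= window:
                    hits.append((cyc["cycle"], lost_id, ev["port"], ev["time"]))
    return hits


def seconds_from_last_conflict_to_exit(events):
    conflicts = [e["time"] for e in events if e["kind"] == "conflict"]
    exits = [e["time"] for e in events if e["kind"] == "exit"]
    if not conflicts or not exits:
        return None
    return (exits[-1] - max(conflicts)).total_seconds()


if __name__ == "__main__":
    ev = parse_server_log(SERVER_LOG)
    for cycle, rid, port, when in correlate(parse_radclient(RADCLIENT_OUT), ev):
        print(f"cycle {cycle}: lost ID {rid} matches a discard from port {port} at {when:%H:%M:%S}")
    print("exit logged", seconds_from_last_conflict_to_exit(ev), "s after the last discard")
```

Run against the full outputs rather than these excerpts, the same join on (ID, time window) tells you whether every lost auth lines up with a discarded duplicate, which is the first thing to establish before looking at the thread pool settings.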
Re: radclient: problem with exit code 0 and 1
Hello,

Alan DeKok wrote:
> I've committed a fix that will be in the next release of the server. If you need this functionality, upgrade.

I tried your git repository as described on freeradius.org. I do not understand the versioning scheme, but I downloaded the fixed stable tree (upcoming 2.1.5?) and built it without 'make install' on my AMD64-Machine. The problem in radclient is fixed, thank you Alan!

I just had to append the new dictionary path in my scripts, because the dictionaries of my old inst do not work with the new radclient:

    ./radclient -d /usr/local/src/radiusd/share -f /home/me/radpacket -x 192.168.X.X:1812 auth secret123

Thanks for your fast help!

oz
Re: Login to Cisco devices through freeradius
Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing permission denied remains.. It's strange, unless I have forgotten to change permission of a directory. I was expecting something like unsecure permissions which didn't happen.

2009/3/20 Alan DeKok <al...@deployingradius.com>
> Bruno Noronha wrote:
> > I issued chmod 777 * in every directory related to freeradius.
>
> Don't do that. Ever.
>
> The server comes with a default configuration that WORKS. The only reason that it doesn't have permission to read those files is because YOU changed the configuration so that the server doesn't have permission.
>
> Why are so many people insistent on breaking the working configuration? Where else do we need to document DON'T BREAK IT ?
>
> Alan DeKok.
Re: Login to Cisco devices through freeradius
> Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing permission denied remains.. It's strange, unless I have forgotten to change permission of a directory. I was expecting something like unsecure permissions which didn't happen.

Do you have something like selinux preventing access?

Ivan Kalik
Kalik Informatika ISP
Re: unlang question
> I do not want visitors to be able to get onto the original service, and I do not want normal users to get onto the visitor service.
>
> My thoughts are to set up a new virtual server and add an 'if' statement to look for the visitor user names, and reject or allow as necessary. something like this in the new virtual server
>
>     if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) {
>         reject
>     }
>
> and the inverse for the old service.
>
>     if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) {
>         reject
>     }
>
> Is this syntax correct ? and where do I put it?

What about the service? You probably want:

    if ( Service-Type == whatever && Stripped-User-Name != /visitor[0-9]?[0-9]/i ) {
        reject
    }

That goes in authorize section.

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius+Java application api call and authenticate
finally i had some luck i guess, now the radius do authentication, but jradius simulator say's timedout, could be ACS is not passing the information to simulator i feel. though i am using ACS proxy distributin table, still simulator is not getting the response back, any clues will be greatly appreciated sir/mam.

once after this is up, how do i proceed to forward/receive these info (username, password, token pass) to be confirmed for the java based application

i know i am in total confusion mode, but some kind of help will be helpful for me to look towards right direction..

    rlm_jradius: reading attribute: type=1259012097; len=1
    rlm_jradius: Released JRadius socket id: 6
    ++[jradius] returns updated
    ++[preprocess] returns ok
    [chap] Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    [files] users: Matched entry d...@mydomain.com at line 90
    [files]     expand: Hello, %{User-Name} -> Hello, d...@mydomain.com
    ++[files] returns ok
    Found Auth-Type = CHAP
    +- entering group CHAP {...}
    [chap] login attempt by d...@mydomain.com with CHAP password
    [chap] Using clear text password hello for user d...@mydomain.com authentication.
    [chap] chap user d...@mydomain.com authenticated succesfully
    ++[chap] returns ok
    Login OK: [...@mydomain.com/CHAP-Password] (from client mydomain port 0)
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 2 to 192.168.0.50 port 2773
        Reply-Message = Hello, d...@mydomain.com
        Proxy-State = 0x434953434f3a30
    Finished request 1.
    Going to the next request
    Waking up in 1.9 seconds.
    Cleaning up request 1 ID 2 with timestamp +13
    Ready to process requests.

sollunga wrote:
> thanks ivan for the quick reply, will get back to you shortly
>
> sollunga wrote:
> > i am using Cisco ACS for authenticating my vpn users, now i thought of using two factor auth in place against the direct authentication by ACS, on this process one of the googling guided me to try proxying the ACS to Freeradius and call some scripts to talk to the java application.
> >
> > now by making the ACS to do proxying at network configuration, i can see the request is flowing to freeradius from ACS, and the freeradius does
> >
> >     [chap] rlm_chap: Attribute User-Name is required for authentication.
> >     ++[chap] returns invalid
> >     Failed to authenticate the user.
> >     Using Post-Auth-Type Reject
> >     +- entering group REJECT {...}
> >     [attr_filter.access_reject]     expand: %{User-Name} ->
> >     ++[attr_filter.access_reject] returns noop
> >     Delaying reject of request 27 for 1 seconds
> >
> > after a while it says
> >
> >     [pap] Found existing Auth-Type, not changing it.
> >     ++[pap] returns noop
> >     Found Auth-Type = CHAP
> >     +- entering group CHAP {...}
> >     [chap] login attempt by Doe with CHAP password
> >     [chap] Using clear text password hello for user Doe authentication.
> >     [chap] chap user Doe authenticated succesfully
> >     ++[chap] returns ok
> >     +- entering group post-auth {...}
> >     ++[exec] returns noop
> >     Sending Access-Accept of id 63 to
> >
> > i am trying to figure out where could be the issue
> >
> > once after this process, i need to send the same to a java application and get a success status from there and authenticate this user. could it be possible?
> >
> > team i am a newbie here, i am just a sys admin, and now trying extend my knowledge, please help me.
Re: Login to Cisco devices through freeradius
I don't think so. I'm using SUSE 11.0, is there any problem with that?

2009/3/20 <t...@kalik.net>
> > Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing permission denied remains.. It's strange, unless I have forgotten to change permission of a directory. I was expecting something like unsecure permissions which didn't happen.
>
> Do you have something like selinux preventing access?
>
> Ivan Kalik
> Kalik Informatika ISP
modules instance name restrictions
Hi,

I recently came up with a small issue concerning module instance names (especially when they set Auth-Type).

* I defined my own pap module with the name 'pap-myorg' and expected it to set Auth-Type to PAP-MYORG, but in fact it wasn't setting the Auth-Type at all (moreover I saw no notice in the log about not being able to set the Auth-Type).

* I changed the instance name to 'papmyorg' and now the module sets the Auth-Type to PAPMYORG.

I tried to find in the doc where the restrictions on module instance names were defined, but didn't find any reference to this. And given the fact that some standard modules have specific chars such as '_' or '-', I thought there were few constraints.

Is there any module instance naming convention written somewhere in the provided documentation (or online)?

Maybe it could be interesting to have a warning in the radius debug log in order to notify the administrator that Auth-Type wasn't set due to module naming restrictions?

Best regards,
Thibault
unlang question
Hi,

I have freeRADIUS 2.0.5 authenticating against LDAP via eap and this has been working perfectly since last year. Now I have a new requirement to authenticate another set of users in the same LDAP tree onto a different service. These users will be visitors to our site and will have the user names Visitor1 ... Visitor(nn)

I do not want visitors to be able to get onto the original service, and I do not want normal users to get onto the visitor service.

My thoughts are to set up a new virtual server and add an 'if' statement to look for the visitor user names, and reject or allow as necessary. Something like this in the new virtual server:

    if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) {
        reject
    }

and the inverse for the old service:

    if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) {
        reject
    }

Is this syntax correct? And where do I put it?

Thanks for your time ...regards,

Bruce Richardson
Re: unlang question
On 20/3/09 12:25, t...@kalik.net wrote:
> > I do not want visitors to be able to get onto the original service, and I do not want normal users to get onto the visitor service.
> >
> > My thoughts are to set up a new virtual server and add an 'if' statement to look for the visitor user names, and reject or allow as necessary. something like this in the new virtual server
> >
> >     if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) {
> >         reject
> >     }
> >
> > and the inverse for the old service.
> >
> >     if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) {
> >         reject
> >     }
> >
> > Is this syntax correct ? and where do I put it?
>
> What about the service? You probably want:

    if ((%{request:Service-Type} == 'whatever') && (%{request:Stripped-User-Name} !~ /visitor[0-9]?[0-9]/i)) {
        reject
    }

I don't think naked attribute names were supported in 2.0.5..

> That goes in authorize section.
>
> Ivan Kalik
> Kalik Informatika ISP

-- 
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
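Added example (Python, mine, not from the thread): the regex as posted, /visitor[0-9]?[0-9]/i, is unanchored, so it matches anywhere inside a name. The block below runs the posted pattern and an anchored ^visitor[0-9][0-9]?$ over constructed Stripped-User-Name values, mirroring the reject-if-not-visitor rule for the visitor server and its inverse for the original service, and lists the names on which the two patterns disagree. Python's re module is used only to show the matching behaviour; the anchors carry over to the POSIX regex unlang uses.

```python
import re

# Constructed Stripped-User-Name samples: visitor1..visitor99 are the guest
# accounts described in the thread; the rest are ordinary names.
SAMPLE_USERS = ["visitor1", "Visitor42", "visitor99", "bruce",
                "visitor123", "myvisitor7", "visitor"]

# The pattern as posted: case-insensitive and unanchored.
POSTED = re.compile(r"visitor[0-9]?[0-9]", re.IGNORECASE)
# Anchored alternative: the whole name must be "visitor" plus one or two digits.
ANCHORED = re.compile(r"^visitor[0-9][0-9]?$", re.IGNORECASE)


def visitor_server_decision(name, pattern):
    """Mirror the visitor virtual server's rule:
    if (Stripped-User-Name !~ /visitor[0-9]?[0-9]/i) { reject }"""
    return "reject" if pattern.search(name) is None else "allow"


def staff_server_decision(name, pattern):
    """Mirror the inverse rule on the original service:
    if (Stripped-User-Name =~ /visitor[0-9]?[0-9]/i) { reject }"""
    return "reject" if pattern.search(name) is not None else "allow"


def overmatched(users):
    """Names the posted regex classes as visitors although the anchored one does not."""
    return [u for u in users if POSTED.search(u) and not ANCHORED.search(u)]


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{u:12} visitor server: posted={visitor_server_decision(u, POSTED):6} "
              f"anchored={visitor_server_decision(u, ANCHORED):6}  "
              f"original service: posted={staff_server_decision(u, POSTED):6} "
              f"anchored={staff_server_decision(u, ANCHORED)}")
    print("over-matched by the posted pattern:", overmatched(SAMPLE_USERS))
```

With the unanchored form a name like myvisitor7 is let onto the visitor service and, by the inverse rule, locked out of the original one, so a staff account can be misrouted by its spelling alone; the anchored form keeps both rules to exactly the Visitor1 ... Visitor(nn) accounts the question describes.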
Re: Login to Cisco devices through freeradius
try commenting out the eap module in both radiusd.conf and sites-available/default, inner-tunnel, then try starting radiusd -X

tnt-4 wrote:
> > Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing permission denied remains.. It's strange, unless I have forgotten to change permission of a directory. I was expecting something like unsecure permissions which didn't happen.
>
> Do you have something like selinux preventing access?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Freeradius+Java application api call and authenticate
> finally i had some luck i guess, now the radius do authentication, but jradius simulator say's timedout, could be ACS is not passing the information to simulator i feel. though i am using ACS proxy distributin table, still simulator is not getting the response back, any clues will be greatly appreciated sir/mam.

Debug ACS.

> once after this is up, how do i proceed to forward/receive these info (username, password, token pass) to be confirmed for the java based application

jradius module will pass request attributes (all, not just username and password) to jradius server. You need to read jradius documentation to see how to process them and configure reply.

Ivan Kalik
Kalik Informatika ISP
Re: Login to Cisco devices through freeradius
There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory?

2009/3/20 sollunga <sollu...@yahoo.com>
> try commenting out the eap module in both radiusd.conf and sites-available/default, inner-tunnel, then try starting radiusd -X
>
> tnt-4 wrote:
> > > Sorry but what you said doesn't make any sense to me. The default config didn't work. How can you explain the same alarms even after changing the permissions to everyone? The message containing permission denied remains.. It's strange, unless I have forgotten to change permission of a directory. I was expecting something like unsecure permissions which didn't happen.
> >
> > Do you have something like selinux preventing access?
> >
> > Ivan Kalik
> > Kalik Informatika ISP
Re: Login to Cisco devices through freeradius
Hi,

> There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory?

hang on - do you actually HAVE any EAP cert/CA files that you are referencing in eap.conf? read eap.conf - see what files it is trying to read (cert, CA, pkcs12, random, etc) and check you actually HAVE those files.

if you have those files, then ensure that the permissions for the directory and files are suitable for reading - you DONT EVER want 777. with 777 i could own your server and take over your infrastructure - you only want read permissions on the files... for the relevant user that the freeradius daemon is running as (usually radiusd)

what does

    id radiusd

give as output?

alan
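Added example (Python, mine, not from Alan's post or from FreeRADIUS): an offline version of the check he describes. It pulls the file settings out of an eap.conf text (a constructed fragment using the stock private_key_file, certificate_file, CA_file, dh_file and random_file settings; ${confdir} is passed in because radiusd.conf defines it), decides from owner, group membership and mode bits whether a given account such as radiusd can read each file, and flags files that are world-writable rather than merely readable, which is what chmod 777 leaves behind. The raddb tree it builds in a temporary directory is constructed for the demonstration; the account name comes from id(1) on a real system.

```python
import grp
import os
import pwd
import re
import stat
import tempfile

# Constructed eap.conf fragment. The setting names are the file settings a stock
# 2.x eap.conf carries in its tls {} section; the paths are placeholders.
SAMPLE_EAP_CONF = """\
eap {
    default_eap_type = peap
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }
}
"""

FILE_KEYS = ("private_key_file", "certificate_file", "CA_file", "dh_file", "random_file")
_ASSIGN = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S+)")
_VAR = re.compile(r"\$\{([A-Za-z_]+)\}")


def referenced_files(conf_text, confdir):
    """Return {setting: expanded path}, expanding ${confdir}/${certdir}/${cadir}
    the way the config parser does. ${confdir} is defined in radiusd.conf,
    so it is passed in here."""
    variables = {"confdir": confdir}
    found = {}
    for line in conf_text.splitlines():
        m = _ASSIGN.match(line.split("#", 1)[0])
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip('"')
        value = _VAR.sub(lambda v: variables.get(v.group(1), v.group(0)), raw)
        variables[key] = value
        if key in FILE_KEYS:
            found[key] = value
    return found


def user_can_read(path, username):
    """Decide from owner, group membership and mode bits whether `username`
    (the account `id radiusd` reports) can read `path`."""
    if username is None:          # no passwd entry: fall back to the current process
        return os.access(path, os.R_OK)
    pw = pwd.getpwnam(username)
    if pw.pw_uid == 0:
        return True
    st = os.stat(path)
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit(conf_text, confdir, username):
    """Classify each referenced file as missing, unreadable, world-writable or ok."""
    report = {}
    for key, path in referenced_files(conf_text, confdir).items():
        if not os.path.exists(path):
            report[key] = "missing"
        elif not user_can_read(path, username):
            report[key] = "unreadable"
        else:
            st = os.stat(path)
            # A 777 private key is readable, but anyone on the box can replace it.
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                report[key] = "world-writable"
            else:
                report[key] = "ok"
    return report


def current_user():
    try:
        return pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        return None


def make_sample_tree():
    """Throwaway raddb: a 0600 server.pem, a 0666 ca.pem and no dh file."""
    confdir = tempfile.mkdtemp(prefix="raddb-")
    certs = os.path.join(confdir, "certs")
    os.mkdir(certs)
    for name, mode in (("server.pem", 0o600), ("ca.pem", 0o666)):
        path = os.path.join(certs, name)
        with open(path, "w") as fh:
            fh.write("placeholder, not a real key\n")
        os.chmod(path, mode)
    return confdir


if __name__ == "__main__":
    for key, status in audit(SAMPLE_EAP_CONF, make_sample_tree(), current_user()).items():
        print(f"{key:18} {status}")
```

On a real server call audit() with the text of /etc/raddb/certs' eap.conf, the confdir radiusd.conf sets, and the account from id radiusd: "missing" reproduces Leighton's point that the server cannot read files that are not there, "unreadable" is the permission-denied case, and "world-writable" is what to fix after a chmod 777.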
RE: Perl/Peap-MSChapV2 Issues
I removed the DEFAULT Auth-Type = Perl since you said it wasn't used. I removed the update control from the authorize in inner-tunnel. Here's the new log. Thanks for the help.

    Ready to process requests.
    rad_recv: Accounting-Request packet from host 192.168.240.78 port 3083, id=11, length=101
        Acct-Status-Type = Stop
        Acct-Session-Id = 0005
        User-Name = testUser
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        Calling-Station-Id = 00-16-D3-30-E5-74
        Acct-Delay-Time = 0
        Acct-Session-Time = 72
        Acct-Authentic = RADIUS
        Acct-Terminate-Cause = Lost-Carrier
    +- entering group preacct
    ++[preprocess] returns ok
    rlm_acct_unique: Hashing 'NAS-Port = 4,Client-IP-Address = 192.168.240.78,NAS-IP-Address = 192.168.240.78,Acct-Session-Id = 0005,User-Name = testUser'
    rlm_acct_unique: Acct-Unique-Session-ID = 4675a10eb3ec92c2.
    ++[acct_unique] returns ok
    ++[files] returns noop
    +- entering group accounting
        expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/192.168.240.78/detail-20090320
    rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.240.78/detail-20090320
        expand: %t -> Fri Mar 20 07:52:25 2009
    ++[detail] returns ok
    ++[unix] returns ok
        expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
        expand: %{User-Name} -> testUser
    ++[radutmp] returns ok
        expand: %{User-Name} -> testUser
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 11 to 192.168.240.78 port 3083
    Finished request 0.
    Cleaning up request 0 ID 11 with timestamp +3
    Going to the next request
    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=235, length=152
        Message-Authenticator = 0x7d2d05eba9f44b4f560221d152a604d6
        User-Name = testUser
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = 00-16-D3-30-E5-74
        EAP-Message = 0x0201000d016c6a61636b736f6e
        Framed-MTU = 1000
        Called-Station-Id = 0001F4-B6-1B-80\0004
        NAS-Identifier = HOKDORM_01953_M48
        NAS-Port-Id = fe.0.4
    +- entering group authorize
    ++[preprocess] returns ok
    ++[mschap] returns noop
      rlm_eap: EAP packet type response id 1 length 13
      rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    +- entering group authenticate
      rlm_eap: EAP Identity
      rlm_eap: processing type tls
      rlm_eap_tls: Initiate
      rlm_eap_tls: Start returned 1
    ++[eap] returns handled
    Sending Access-Challenge of id 235 to 192.168.240.78 port 3085
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x01bfa13001bdb807fc4539ef1278734e
    Finished request 1.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=236, length=249
        Message-Authenticator = 0xae6d806c5e45d7aa21bbaee13239c841
        User-Name = testUser
        State = 0x01bfa13001bdb807fc4539ef1278734e
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = 00-16-D3-30-E5-74
        Called-Station-Id = 00-01-F4-B6-1B-80
        Framed-MTU = 1000
        EAP-Message = 0x0202005c19001603010051014d030149c3987c0e37eb6c0bac727f1287e3f6cd86
                      2647f846d214e820432669caf4482600390038003500160013000a00330032002f00
                      050004001500120009001400110008000600030100
        NAS-Identifier = HOKDORM_01953_M48
        NAS-Port-Id = fe.0.4
    +- entering group authorize
    ++[preprocess] returns ok
    ++[mschap] returns noop
      rlm_eap: EAP packet type response id 2 length 92
      rlm_eap: Continuing tunnel setup.
    ++[eap] returns ok
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    +- entering group authenticate
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/peap
      rlm_eap: processing type peap
      rlm_eap_peap: Authenticate
      rlm_eap_tls: processing TLS
    eaptls_verify returned 7
      rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
      rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello
    TLS_accept: SSLv3 read client hello A
      rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
      rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
    TLS_accept: SSLv3 write certificate A
      rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
      rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client
Re: unlang question
>     if ((%{request:Service-Type} == 'whatever') && (%{request:Stripped-User-Name} !~ /visitor[0-9]?[0-9]/i)) {
>         reject
>     }
>
> I don't think naked attribute names were supported in 2.0.5..

Thanks Ivan and Arran, in fact there is only one Service-Type (Login-User). So I changed my authorize section to ...

    authorize {
        #   preprocess
        prefix
        eap {
            ok = return
        }
        ldap
        # Just the Visitors please !!
        if(%{request:Stripped-User-Name} !~ /visitor[0-9]?[0-9]/i) {reject}
        expiration
        logintime
    }

and now radiusd will not start ..

    /usr/local/etc/raddb/sites-enabled/all[182]: EOF reached without closing brace for section server starting at line 115
    Errors reading /usr/local/etc/raddb/radiusd.conf

I've also tried Ivan's version with the same results. Commenting out the 'if' statement fixes the issue, and I can't see any missing braces. Am I putting it in the wrong place, or is the syntax wrong?

Bruce
Re: Login to Cisco devices through freeradius
Bruno Noronha wrote:
> Sorry but what you said doesn't make any sense to me. The default config didn't work.

<shrug> Then something on *your* system is preventing it from working.

> How can you explain the same alarms even after changing the permissions to everyone?

I don't. It's *your* system. FreeRADIUS isn't generating those errors. The OS on your system is telling FreeRADIUS that it can't read those files.

If you don't understand how your OS works, then you need to solve that problem before you spend any more time with FreeRADIUS.

Alan DeKok.
Re: Freeradius+Java application api call and authenticate
http://coova.org/wiki/index.php/JRadius/WithFreeRADIUS
http://coova.org/wordpress/index.php/2007/04/07/integrating-radius-with-your-java-enterprise/

i can find only these two urls for documentation? anywhere else as a reference?

tnt-4 wrote:
> > finally i had some luck i guess, now the radius do authentication, but jradius simulator say's timedout, could be ACS is not passing the information to simulator i feel. though i am using ACS proxy distributin table, still simulator is not getting the response back, any clues will be greatly appreciated sir/mam.
>
> Debug ACS.
>
> > once after this is up, how do i proceed to forward/receive these info (username, password, token pass) to be confirmed for the java based application
>
> jradius module will pass request attributes (all, not just username and password) to jradius server. You need to read jradius documentation to see how to process them and configure reply.
>
> Ivan Kalik
> Kalik Informatika ISP
RE: Login to Cisco devices through freeradius
> There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory?

Hi,

I've just struggled through all this so it's nice to try and help. Always take note of the FIRST error message in the debug. The later ones can be confusing if you don't understand what's going on.

Your problem seems to be that the server can't read the certificate files. If they aren't there, it won't be able to. When I compiled freeradius it generated test certificates itself (after tweaking the Makefile). Are you using the latest version?

You must have certificates to do SSL. They live in the raddb/certs directory.

Regards,
Leighton
Re: Login to Cisco devices through freeradius
Dawg, I have all default installation files. I read eap.conf and it seems to be okay, I haven't changed any file, not even to add new users! Everything remains the same... I know that chmod 777 is not recommended. I did it just to make sure that what I have isn't a permission issue.

Here is the output of the id radiusd command:

    uid=108(radiusd) gid=109(radiusd) groups=109(radiusd)

Reading this tutorial, http://wiki.freeradius.org/Cisco, it seems to be so simple! Is there any possibility of OS incompatibility with freeRADIUS?

tks!

2009/3/20 <a.l.m.bu...@lboro.ac.uk>
> Hi,
>
> > There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory?
>
> hang on - do you actually HAVE any EAP cert/CA files that you are referencing in eap.conf? read eap.conf - see what files it is trying to read (cert, CA, pkcs12, random, etc) and check you actually HAVE those files.
>
> if you have those files, then ensure that the permissions for the directory and files are suitable for reading - you DONT EVER want 777. with 777 i could own your server and take over your infrastructure - you only want read permissions on the files... for the relevant user that the freeradius daemon is running as (usually radiusd)
>
> what does id radiusd give as output?
>
> alan
Re: Freeradius+Java application api call and authenticate
> http://coova.org/wiki/index.php/JRadius/WithFreeRADIUS
> http://coova.org/wordpress/index.php/2007/04/07/integrating-radius-with-your-java-enterprise/
>
> i can find only these two urls for documentation? anywhere else as a reference?

Ask them, not us.

Ivan Kalik
Kalik Informatika ISP
Re: Login to Cisco devices through freeradius
Bruno Noronha wrote:
> Reading this tutorial, http://wiki.freeradius.org/Cisco, it seems to be so simple! Is there any possibility of OS incompatibility with freeRADIUS?

No.

Alan DeKok.
RE: Perl/Peap-MSChapV2 Issues
I removed the DEFAULT Auth-Type = Perl since you said it wasn't used. I removed the update control from the authorize in inner-tunnel. Here's the new log. Thanks for the help. What now?

It works:

Login OK: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel)
PEAP: Tunneled authentication was successful.
rlm_eap_peap: SUCCESS
..
Login OK: [testUser] (from client DORMTEST2_M80 port 4 cli 00-16-D3-30-E5-74)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 244 to 192.168.240.78 port 3085
        MS-MPPE-Recv-Key = 0xc19c41b6b90a8a2fd163fd01b2063947b0d92633fd05fdce97f314dd267e05c6
        MS-MPPE-Send-Key = 0x4a11b9ee8d9de1506569176d11bf97823ba21771a97e79fea82e427acad442a2
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
        User-Name = testUser
Finished request 10.

Ivan Kalik
Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Login to Cisco devices through freeradius
Leighton, tks for helping me. I agree with you, the messages are a little bit confusing for me too. That's what I thought, problems with permission. That's why I did chmod 777, even knowing that it's not recommended. After doing this, the issue persists... I'm using the newest available version from freeradius.org. Here follows the output of Makefile.

/etc/raddb/certs/Makefile
/etc/raddb/certs/Makefile: line 12: DH_KEY_SIZE: command not found
grep: server.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 17: PASSWORD_SERVER: command not found
grep: ca.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 18: PASSWORD_CA: command not found
grep: client.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 19: PASSWORD_CLIENT: command not found
grep: client.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 21: USER_NAME: command not found
/etc/raddb/certs/Makefile: line 28: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 29: all:: command not found
/etc/raddb/certs/Makefile: line 31: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 32: client:: command not found
/etc/raddb/certs/Makefile: line 34: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 35: ca:: command not found
/etc/raddb/certs/Makefile: line 37: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 38: server:: command not found
/etc/raddb/certs/Makefile: line 45: dh:: command not found
/etc/raddb/certs/Makefile: line 46: DH_KEY_SIZE: command not found

And the output of ls -l on the certs directory:

RADIUS:/etc/raddb/certs # ls -l
total 104
-rwxrwxrwx 1 root root    4210 Mar 17 10:49 01.pem
-rwxrwxrwx 1 root root    4441 Nov 19 14:20 Makefile
-rwxrwxrwx 1 root root    5343 Nov 19 14:20 README
-rwxrwxrwx 1 root radiusd  462 Nov 19 14:20 bootstrap
-rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf
-rwxrwxrwx 1 root root    1195 Mar 17 10:49 ca.der
-rwxrwxrwx 1 root root    1743 Mar 17 10:49 ca.key
-rwxrwxrwx 1 root root    1675 Mar 17 10:49 ca.pem
-rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf
-rwxrwxrwx 1 root root     466 Mar 19 15:10 dh
-rwxrwxrwx 1 root root     120 Mar 17 10:49 index.txt
-rwxrwxrwx 1 root root      21 Mar 17 10:49 index.txt.attr
-rwxrwxrwx 1 root root       0 Mar 17 10:49 index.txt.old
-rwxrwxrwx 1 root root    1024 Mar 19 15:11 random
-rwxrwxrwx 1 root root       3 Mar 17 10:49 serial
-rwxrwxrwx 1 root root       3 Mar 17 10:49 serial.old
-rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf
-rwxrwxrwx 1 root root    4210 Mar 17 10:49 server.crt
-rwxrwxrwx 1 root root    1062 Mar 17 10:49 server.csr
-rwxrwxrwx 1 root root    1743 Mar 17 10:49 server.key
-rwxrwxrwx 1 root root    2533 Mar 17 10:49 server.p12
-rwxrwxrwx 1 root root    3495 Mar 17 10:49 server.pem
-rwxrwxrwx 1 root root     578 Nov 19 14:20 xpextensions

2009/3/20 Leighton Man l.j@hud.ac.uk

There is nothing related to eap to comment out in these files... Should I create a certificate? Is it compulsory?

Hi, I've just struggled through all this so it's nice to try and help. Always take note of the FIRST error message in the debug. The later ones can be confusing if you don't understand what's going on. Your problem seems to be that the server can't read the certificate files. If they aren't there, it won't be able to. When I compiled freeradius it generated test certificates itself (after tweaking the Makefile). Are you using the latest version? You must have certificates to do SSL. They live in the raddb/certs directory.

Regards,
Leighton
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Perl/Peap-MSChapV2 Issues
I believe the only thing left is that it needs to return a Filter-Id along with the access-accept?

-Original Message-
From: t...@kalik.net [mailto:t...@kalik.net]
Sent: Friday, March 20, 2009 10:43 AM
To: FreeRadius users mailing list
Subject: RE: Perl/Peap-MSChapV2 Issues

I removed the DEFAULT Auth-Type = Perl since you said it wasn't used. I removed the update control from the authorize in inner-tunnel. Here's the new log. Thanks for the help. What now?

It works:

Login OK: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel)
PEAP: Tunneled authentication was successful.
rlm_eap_peap: SUCCESS
..
Login OK: [testUser] (from client DORMTEST2_M80 port 4 cli 00-16-D3-30-E5-74)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 244 to 192.168.240.78 port 3085
        MS-MPPE-Recv-Key = 0xc19c41b6b90a8a2fd163fd01b2063947b0d92633fd05fdce97f314dd267e05c6
        MS-MPPE-Send-Key = 0x4a11b9ee8d9de1506569176d11bf97823ba21771a97e79fea82e427acad442a2
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
        User-Name = testUser
Finished request 10.

Ivan Kalik
Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Login to Cisco devices through freeradius
Hi,

RADIUS:/etc/raddb/certs # ls -l
total 104
-rwxrwxrwx 1 root root    4210 Mar 17 10:49 01.pem
-rwxrwxrwx 1 root root    4441 Nov 19 14:20 Makefile
-rwxrwxrwx 1 root root    5343 Nov 19 14:20 README
-rwxrwxrwx 1 root radiusd  462 Nov 19 14:20 bootstrap
-rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf
-rwxrwxrwx 1 root root    1195 Mar 17 10:49 ca.der
-rwxrwxrwx 1 root root    1743 Mar 17 10:49 ca.key
-rwxrwxrwx 1 root root    1675 Mar 17 10:49 ca.pem
-rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf
-rwxrwxrwx 1 root root     466 Mar 19 15:10 dh
-rwxrwxrwx 1 root root     120 Mar 17 10:49 index.txt
-rwxrwxrwx 1 root root      21 Mar 17 10:49 index.txt.attr
-rwxrwxrwx 1 root root       0 Mar 17 10:49 index.txt.old
-rwxrwxrwx 1 root root    1024 Mar 19 15:11 random
-rwxrwxrwx 1 root root       3 Mar 17 10:49 serial
-rwxrwxrwx 1 root root       3 Mar 17 10:49 serial.old
-rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf
-rwxrwxrwx 1 root root    4210 Mar 17 10:49 server.crt
-rwxrwxrwx 1 root root    1062 Mar 17 10:49 server.csr
-rwxrwxrwx 1 root root    1743 Mar 17 10:49 server.key
-rwxrwxrwx 1 root root    2533 Mar 17 10:49 server.p12
-rwxrwxrwx 1 root root    3495 Mar 17 10:49 server.pem
-rwxrwxrwx 1 root root     578 Nov 19 14:20 xpextensions

chown -R radiusd:radiusd /etc/raddb
chmod -R 755 /etc/raddb/certs

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Perl/Peap-MSChapV2 Issues
I believe the only thing left is that it needs to return a Filter-Id along with the access-accept?

Is your perl script adding it to $RAD_REPLY? I can't see it in the reply.

Ivan Kalik
Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: unlang question
if((%{request:Service-Type} == 'whatever') (%{request:Stripped-User-Name} !~ /visitor[0-9]?[0-9]/i)) { reject }

# Just the Visitors please !!
if(%{request:Stripped-User-Name} !~ /visitor[0-9]?[0-9]/i) {reject}

Don't open and close brackets on the same line. Have a look at Arran's statement.

Ivan Kalik
Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Perl/Peap-MSChapV2 Issues
Yes, I have $RAD_REPLY{'Filter-Id'} = $filterId; in the perl script. In the log, it says:

rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=Student

But shouldn't that show up in the Access-Accept also?

-Original Message-
From: t...@kalik.net [mailto:t...@kalik.net]
Sent: Friday, March 20, 2009 11:01 AM
To: FreeRadius users mailing list
Subject: RE: Perl/Peap-MSChapV2 Issues

I believe the only thing left is that it needs to return a Filter-Id along with the access-accept?

Is your perl script adding it to $RAD_REPLY? I can't see it in the reply.

Ivan Kalik
Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: unlang question
Don't open and close brackets on the same line. Have a look at Arran's statement.

Ok I tried this ...

if(%{request:Stripped-User-Name} !~ /visitor[0-9]?[0-9]/i) { reject }

and got this ...

/usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition at: %{request:Stripped-User-Name} !~

any ideas ?

Bruce

Please consider the environment - do you really need to print this email? This e-mail and any attachments are confidential and solely for the use of the intended recipient. They may contain material protected by legal professional or other privilege. If you receive it in error, please delete it from your system, make no copies of it, do not disclose its contents to any third party or use it for your own or any other person's benefit. Please advise the sender of its receipt as soon as possible. Although this email and its attachments are believed to be free of any virus or other defect, it is the responsibility of the recipient to ensure that they are virus free and no responsibility is accepted by the company for any loss or damage arising from receipt or use thereof. Any opinions expressed that do not relate to the official business of the company are those of the author, not the United Biscuits group of companies. United Biscuits (UK) Limited Registered in England number 2506007 Registered Office: Hayes Park, Hayes End Road, Hayes, Middlesex, UB4 8EE
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: unlang question
bruce_m_richard...@biscuits.com wrote: if(%{request:Stripped-User-Name} !~ /visitor[0-9]?[0-9]/i) { reject } and got this ... /usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition at: %{request:Stripped-User-Name} !~ any ideas ? $ man unlang Everything following the if statement MUST be all on one line of text. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Login to Cisco devices through freeradius
Bruno Noronha wrote:

Leighton, tks for helping me. I agree with you, the messages are a little bit confusing for me too. That's what I thought, problems with permission. That's why I did chmod 777, even knowing that it's not recommended. After doing this, the issue persists... I'm using the newest available version from http://freeradius.org.

For the LAST time: This is not a FreeRADIUS problem. Fix your OS so that it lets FreeRADIUS read the configuration files.

Here follows the output of Makefile.

/etc/raddb/certs/Makefile
/etc/raddb/certs/Makefile: line 12: DH_KEY_SIZE: command not found
grep: server.cnf: No such file or directory

Uh... you do know that you can't execute Makefiles like shell scripts?

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: unlang question
$ man unlang

Everything following the if statement MUST be all on one line of text.

Alan DeKok.

Ok thanks, I don't think that is clear on http://freeradius.org/radiusd/man/unlang.html . I now have ...

if(%{request:Stripped-User-Name} !~ /visitor[0-9]?[0-9]/i) { reject }

and radiusd will start now.

Thanks to all

Bruce
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
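A check worth running before trusting a rule like the one above: the regex in the posted condition is unanchored, so `!~ /visitor[0-9]?[0-9]/i` fails to reject any name that merely contains "visitor" followed by a digit somewhere, which is the opposite of "just the visitors please". The Python below is an added example, not code from the thread or from FreeRADIUS. It mirrors the posted rule with Python's re module (FreeRADIUS compiles unlang regexes as POSIX extended expressions, which agree with Python for this pattern) and compares it with an anchored variant, `^visitor[0-9]{1,2}$`; that anchored form is my suggestion, not something the thread proposes, and the sample usernames are constructed.

```python
import re

# Pattern exactly as written in the posted unlang rule.
POSTED_PATTERN = r"visitor[0-9]?[0-9]"
# Suggested anchored variant (assumption, not from the thread): the whole
# Stripped-User-Name must be "visitor" plus one or two digits.
ANCHORED_PATTERN = r"^visitor[0-9]{1,2}$"


def unlang_rejects(username: str, pattern: str = POSTED_PATTERN) -> bool:
    """Mirror 'if (Stripped-User-Name !~ /pattern/i) { reject }'.

    Returns True when the rule rejects the user, i.e. when the
    case-insensitive regex does NOT match anywhere in the name.
    """
    return re.search(pattern, username, re.IGNORECASE) is None


def compare(usernames):
    """Return {name: (rejected_by_posted_rule, rejected_by_anchored_rule)}."""
    return {
        u: (unlang_rejects(u, POSTED_PATTERN), unlang_rejects(u, ANCHORED_PATTERN))
        for u in usernames
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    samples = ["visitor7", "VISITOR42", "bob", "admin_visitor12", "visitor123"]
    for name, (posted, anchored) in compare(samples).items():
        print(f"{name:16s} posted rule rejects={str(posted):5s} "
              f"anchored rule rejects={anchored}")
```

With the posted rule, "admin_visitor12" and "visitor123" are both let through; only the anchored pattern confines the match to the intended visitor accounts. The same anchors work inside the unlang condition.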
Re: Bandwidth limit
hi, if you want to limit the upload/download speed then you must have an entry in radreply/radgroupreply:

INSERT INTO radreply (username, attribute, op, value)
VALUES ('USERNAME', 'Mikrotik-Rate-Limit', ':=', '256K/512K');

in this case the upload is 256Kbps and download is 512Kbps. keep in mind that the same USERNAME must be in radcheck:

INSERT INTO radcheck (username, attribute, op, value)
VALUES ('USERNAME', 'Cleartext-Password', ':=', 'password1234');

2009/3/19 t...@kalik.net

Thanks Ivan, Actually I've installed Mikrotik Router OS in a single pc and Freeradius + Mysql server in another. I want to shape the client bandwidth with the mysql database. If you have any idea then please send me.

Vendor attributes are just like any other - you put them in radreply or radgroupreply.

Ivan Kalik
Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Modify User-Name to upper Case (rewrite/unlang)
Hi,

I am searching through the forum and did not get a right suggestion. I am doing LDAP authentication and getting the mac address as User-Name in the following format:

User-Name = 001e.5283.34aa

I want to convert that to 001E528334AA = convert to uppercase and remove the dots. Is there any function I can use such as,

ldap {
    User-Name := User-Name.toUpperCase().replace('.','');
}

Please guide me to the documentation.

Thanks and Regards.
Eric.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius and mikrotik auth problem pppoe error 691
I had the same problem when I wanted to authenticate the hotspot's users with freeradius. The solution was to make a static mapping on IP - HOTSPOT - IP BINDINGS:

MAC address : THE MAC OF THE SERVER
ADDRESS : THE IP ADDRESS OF THE SERVER
TO ADDRESS : THE SAME AS ABOVE
SERVER : ALL
TYPE : REGULAR or BYPASSED

and then it worked. It was related since the hotspot connections are passed to the mikrotik's webproxy (captive portal/page).

2009/3/19 Fajar A. Nugraha fa...@fajar.net

2009/3/19 Lazar Cherveniakov laz...@mail.bg:

Everything looks fine in IP addresses, but the problem is still the same.

Looks like you got exactly the problem I described. See here:

Mikrotik debug log
01:33:40 radius,debug sending 53:02 to 192.168.200.2:1812

Mikrotik thinks radius IP is 192.168.200.2

radius server ip`s
# ifconfig
eth0    Link encap:Ethernet HWaddr 00:19:66:4E:F4:E8
        inet addr:192.168.200.3 Bcast:192.168.200.255 Mask:255.255.255.0
eth0:1  Link encap:Ethernet HWaddr 00:19:66:4E:F4:E8
        inet addr:192.168.200.2 Bcast:192.168.200.255 Mask:255.255.255.0

... while that IP is a secondary IP on the radius server. Do a tcpdump on radius and you should see that radius replies come from 192.168.200.3 (which mikrotik discards, because it's not the IP it sent the request to). There are several ways to fix this (one of them involves recompiling freeradius with --with-udpfromto, see http://wiki.freeradius.org/index.php/FAQ#Why_does_the_NAS_ignore_the_RADIUS_server.27s_reply.3F ), but the easiest way is simply to change mikrotik's config to use 192.168.200.3 as the radius IP address.

Regards,
Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
CHAP authentication issue
I am trying to migrate from a working Freeradius 1.1.3 installation to a 2.1.x (currently trying .4) and I'm hitting a problem getting CHAP authentication to work. I use the users file to authenticate DSL users via a Cisco LNS device - chap doesn't think it's getting the password from the users file in plaintext. My users file entry looks like this:

# saf1...@lumisondsl2.co.uk ADSL:
saf1975 Cleartext-Password = mypassword, NAS-IP-Address = 193.29.223.253
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 84.19.252.194,
        Framed-IP-Netmask = 255.255.255.255,
        Cisco-AVPair = "ip:dns-servers=212.20.226.130 212.20.226.194",
        Cisco-AVPair += "ip:route#1=84.19.253.96 255.255.255.224 84.19.252.194",
        Cisco-AVPair += "ip:route#2=84.19.255.64 255.255.255.224 84.19.252.194",
        Cisco-AVPair += "ip:route#3=217.30.117.96 255.255.255.248 84.19.252.194"

As I'm dealing with multiple domains, I strip out the domain names coming in from the LNS in proxy.conf. Can anyone explain why CHAP isn't getting a plaintext password and what I need to do to resolve it? It appears to come through plaintext to the other 1.1.3 server...

Debug output:

Ready to process requests.
rad_recv: Access-Request packet from host 193.29.223.253 port 1645, id=8, length=123
        Framed-Protocol = PPP
        User-Name = saf1...@lumisondsl2.co.uk
        CHAP-Password = 0x015912a2d9f792df9c9b61107520a7967d
        NAS-Port-Type = Virtual
        NAS-Port = 2208
        NAS-Port-Id = Uniq-Sess-ID2208
        Connect-Info = 1696000
        Service-Type = Framed-User
        NAS-IP-Address = 193.29.223.253
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] Looking up realm lumisondsl2.co.uk for User-Name = saf1...@lumisondsl2.co.uk
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = saf1975
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
[files] users: Matched entry DEFAULT at line 22474
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by saf1975 with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Login incorrect (rlm_chap: Clear text password not available): [saf1...@lumisondsl2.co.uk/CHAP-Password] (from client dsl-gw port 2208)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - saf1...@lumisondsl2.co.uk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 8 to 193.29.223.253 port 1645
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: dear everyone..
On Thu, Mar 19, 2009 at 6:20 AM, a.l.m.bu...@lboro.ac.uk wrote:

Hi,

I am a newbie freeradius user. I have a duty from my lecturer to build a hotspot captive portal using chillispot and freeradius. Now I have made it; chillispot and freeradius are working well on an ubuntu machine, but the problem is my lecturer wants me to do a stress test on the radius server to make sure that the system is still working well in any condition. I am still confused how to perform the stress test... anyone help me please... thank you for your attention. sorry for bad english :D

there are a couple of scripts supplied with the server to allow benchmarking which hit the server fast and hard. run a couple of those whilst eg flood pinging the system. but 'any condition' is hardly any kind of scientific or useful phrase. for example, is the system working well if half the packets get lost? does

if you want to test what happens under network problem scenarios you can try netem or nistnet

http://www.linuxfoundation.org/en/Net:Netem
http://snad.ncsl.nist.gov/nistnet/

Regards
Luciano
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP authentication issue
Alan Cooper wrote:

I am trying to migrate from a working Freeradius 1.1.3 installation to a 2.1.x (currently trying .4) and I'm hitting a problem getting CHAP authentication to work. I use the users file to authenticate DSL users via a Cisco LNS device - chap doesn't think it's getting the password from the users file in plaintext. My users file entry looks like this:

# saf1...@lumisondsl2.co.uk ADSL:
saf1975 Cleartext-Password = mypassword, NAS-IP-Address = 193.29.223.253

Use Cleartext-Password :=

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Perl/Peap-MSChapV2 Issues
Yes, I have $RAD_REPLY{'Filter-Id'} = $filterId; in the perl script. In the log, it says: rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=Student But shouldn't that show up in the Access-Accept also? You probably need to set use_tunneled_reply to yes in peap section of eap.conf. This is slightly older server version which doesn't show tunneled reply so can't be sure. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Perl/Peap-MSChapV2 Issues
Yep, that was it. Thanks so much for your help! -Original Message- From: t...@kalik.net [mailto:t...@kalik.net] Sent: Friday, March 20, 2009 3:08 PM To: FreeRadius users mailing list Subject: RE: Perl/Peap-MSChapV2 Issues Yes, I have $RAD_REPLY{'Filter-Id'} = $filterId; in the perl script. In the log, it says: rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=Student But shouldn't that show up in the Access-Accept also? You probably need to set use_tunneled_reply to yes in peap section of eap.conf. This is slightly older server version which doesn't show tunneled reply so can't be sure. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Login to Cisco devices through freeradius
Thanks man, these commands solved my problem!!

Bruno

2009/3/20 a.l.m.bu...@lboro.ac.uk

Hi,

RADIUS:/etc/raddb/certs # ls -l
total 104
-rwxrwxrwx 1 root root    4210 Mar 17 10:49 01.pem
-rwxrwxrwx 1 root root    4441 Nov 19 14:20 Makefile
-rwxrwxrwx 1 root root    5343 Nov 19 14:20 README
-rwxrwxrwx 1 root radiusd  462 Nov 19 14:20 bootstrap
-rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf
-rwxrwxrwx 1 root root    1195 Mar 17 10:49 ca.der
-rwxrwxrwx 1 root root    1743 Mar 17 10:49 ca.key
-rwxrwxrwx 1 root root    1675 Mar 17 10:49 ca.pem
-rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf
-rwxrwxrwx 1 root root     466 Mar 19 15:10 dh
-rwxrwxrwx 1 root root     120 Mar 17 10:49 index.txt
-rwxrwxrwx 1 root root      21 Mar 17 10:49 index.txt.attr
-rwxrwxrwx 1 root root       0 Mar 17 10:49 index.txt.old
-rwxrwxrwx 1 root root    1024 Mar 19 15:11 random
-rwxrwxrwx 1 root root       3 Mar 17 10:49 serial
-rwxrwxrwx 1 root root       3 Mar 17 10:49 serial.old
-rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf
-rwxrwxrwx 1 root root    4210 Mar 17 10:49 server.crt
-rwxrwxrwx 1 root root    1062 Mar 17 10:49 server.csr
-rwxrwxrwx 1 root root    1743 Mar 17 10:49 server.key
-rwxrwxrwx 1 root root    2533 Mar 17 10:49 server.p12
-rwxrwxrwx 1 root root    3495 Mar 17 10:49 server.pem
-rwxrwxrwx 1 root root     578 Nov 19 14:20 xpextensions

chown -R radiusd:radiusd /etc/raddb
chmod -R 755 /etc/raddb/certs

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Allow PEAP and TTLS, but reject TLS
I'm using Freeradius 2.1.1. My setup has been successfully authenticating TLS, TTLS, and PEAP for a while. Now I would like to deny TLS in the EAP negotiation, although the users will still have client certificates. I don't know how to reject TLS without breaking PEAP/TTLS. Those methods require the TLS block, which must then have the CA cert to validate the server certificate, and the server continues to use that to validate user certs.

Problem: PEAP is my default EAP-type, but the client can nak it and choose EAP-TLS instead.

I saw this comment in eap.conf: "If you do not use client certificates, and you do not want to permit EAP-TLS authentication, then delete this configuration item" (referring to CA_file). Unfortunately, this is not literally true. It sounded like a simple way to use the TLS block only to enable PEAP and TTLS, but if the CA cert is in certificate_file and the CA_file configuration item is deleted, EAP-TLS is still permitted as an authentication method.

Note: I have read all the comments in this file, not just the one I quoted. If someone knows a way to do this, I would appreciate the knowledge. I suppose I would be willing to restrict the EAP-type to only PEAP (or only TTLS) if that is the only way to reject EAP-TLS.

Thank you.
--
usaweb...@fastmail.fm
--
http://www.fastmail.fm - Faster than the air-speed velocity of an unladen european swallow
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP authentication issue
On Fri, Mar 20, 2009 at 6:57 PM, Alan DeKok al...@deployingradius.com wrote:

My users file entry looks like this:

# saf1...@lumisondsl2.co.uk ADSL:
saf1975 Cleartext-Password = mypassword, NAS-IP-Address = 193.29.223.253

Use Cleartext-Password :=

Many thanks Alan - I will try this over the weekend. Can you indulge my curiosity and point out (or point me at the docs that explain) what changed? As someone who has to dip in now and again to keep a RADIUS platform operational, I'm finding the docs a bit bewildering and the differences in configs between versions difficult to locate and understand.

Kind Regards,
Alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
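On the "what changed" question, the posted debug output already names the mechanism in one line: `[chap] Cleartext-Password is required for authentication`. CHAP (RFC 1994, carried in RADIUS per RFC 2865 section 5.3) never sends the password. The NAS sends a `CHAP-Password` attribute made of a one-byte Ident followed by MD5(Ident || password || challenge), where the challenge is the `CHAP-Challenge` attribute or, when the NAS omits it, the 16-byte Request Authenticator of the Access-Request. The server can only check that by recomputing the MD5 from the cleartext password, which is why rlm_chap needs a `Cleartext-Password` control item to be present after authorize, and why a stored one-way hash (Crypt-Password, NT-Password, SSHA) is useless for CHAP. The Python below is an added illustration of that exchange and is not FreeRADIUS code; the Ident, password and authenticator are constructed, so the digest will not equal the `0x0159...` value in the posted log.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(ident: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    """Build the CHAP-Password value a NAS puts in the Access-Request
    (RFC 2865 s5.3): one byte CHAP Ident followed by the RFC 1994 digest
    MD5(Ident || password || challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Ident is a single byte")
    ident_byte = bytes([ident])
    digest = hashlib.md5(ident_byte + cleartext_password + challenge).digest()
    return ident_byte + digest


def radius_chap_challenge(request_authenticator: bytes,
                          chap_challenge_attr: Optional[bytes] = None) -> bytes:
    """Select the challenge the way a RADIUS server must: the CHAP-Challenge
    attribute if the NAS sent one, otherwise the 16-byte Request Authenticator
    of the Access-Request."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    return chap_challenge_attr if chap_challenge_attr else request_authenticator


def chap_verify(chap_password_attr: bytes, cleartext_password: bytes,
                challenge: bytes) -> bool:
    """What rlm_chap has to do: recompute the digest from the stored cleartext
    password and compare. Nothing can be recomputed from a one-way hash of the
    password, hence 'Cleartext-Password is required for authentication'."""
    if len(chap_password_attr) != 17:
        return False  # 1 byte Ident + 16 byte MD5; anything else is malformed
    expected = chap_response(chap_password_attr[0], cleartext_password, challenge)
    # constant-time compare so a mismatch does not leak where the bytes diverge
    return hmac.compare_digest(expected, chap_password_attr)


if __name__ == "__main__":
    # Constructed values, not the ones from the posted log.
    authenticator = bytes.fromhex("00112233445566778899aabbccddeeff")
    password = b"mypassword"
    # NAS side: PPP CHAP finished with Ident 1; the response is relayed in RADIUS.
    attr = chap_response(1, password, authenticator)
    print("CHAP-Password = 0x" + attr.hex())
    # Server side: same Access-Request, stored Cleartext-Password available.
    chal = radius_chap_challenge(authenticator)
    print("correct password accepted:", chap_verify(attr, password, chal))
    print("wrong password accepted:  ", chap_verify(attr, b"guess", chal))
```

The flip side of this is a deployment caveat: supporting CHAP means storing reversible (cleartext or reversibly encrypted) passwords on the RADIUS server, so the users file or SQL table holding them deserves the same file-permission care discussed elsewhere in this digest.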
Re: Login to Cisco devices through freeradius
a.l.m.bu...@lboro.ac.uk wrote:

chown -R radiusd:radiusd /etc/raddb
chmod -R 755 /etc/raddb/certs

Yuck - marking data files executable. I'd start with:

find /etc/raddb/certs -type d -exec chmod 755 {} \;
find /etc/raddb/certs \! -type d -exec chmod 644 {} \;

and fix any program file that should be 755

--
REALITY.SYS not found: Universe halted.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
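One way to turn the two find commands into a repeatable check, as an added example in Python that is not part of the thread or of FreeRADIUS: it audits a directory tree against a mode policy, applies the policy with chmod only, and answers the question asked first in the thread, whether the radiusd uid/gid can actually read a given file. The policy goes beyond the thread on one point, and that choice is mine, not the poster's: private key material (`*.key`, `*.p12`) is set to 0640 rather than 0644, so once the tree is chowned to radiusd the daemon can still read its key while other local users cannot. `bootstrap` is the only script in the posted listing, so it is the only file kept executable. The chown to radiusd:radiusd is root-only and is left to the command already posted.

```python
import os
import stat
from pathlib import Path

# Policy for /etc/raddb/certs, derived from the listing in the thread.
# "bootstrap" is the only script there; everything else is data.
EXECUTABLE_NAMES = {"bootstrap"}
# Private key material: my tightening, not the thread's; group-readable is
# enough for a daemon running as radiusd once the tree is chowned to it.
PRIVATE_NAMES = {"ca.key", "server.key", "server.p12"}

DIR_MODE = 0o755
SCRIPT_MODE = 0o755
DATA_MODE = 0o644
PRIVATE_MODE = 0o640


def desired_mode(path: Path) -> int:
    """Mode the policy wants for one entry."""
    if path.is_dir():
        return DIR_MODE
    if path.name in EXECUTABLE_NAMES:
        return SCRIPT_MODE
    if path.name in PRIVATE_NAMES or path.suffix in (".key", ".p12"):
        return PRIVATE_MODE
    return DATA_MODE


def audit(root: str) -> list:
    """Return [(path, current_mode, wanted_mode)] for every entry, the root
    directory included, whose permission bits differ from the policy.
    Symlinks are skipped: chmod on them would act on the target instead."""
    findings = []
    root_path = Path(root)
    for p in [root_path, *sorted(root_path.rglob("*"))]:
        if p.is_symlink():
            continue
        current = stat.S_IMODE(p.stat().st_mode)
        wanted = desired_mode(p)
        if current != wanted:
            findings.append((str(p), current, wanted))
    return findings


def fix(root: str) -> int:
    """Apply the policy with chmod only; returns how many entries changed.
    Ownership is untouched: chown -R radiusd:radiusd is a separate root step."""
    changed = 0
    for path, _current, wanted in audit(root):
        os.chmod(path, wanted)
        changed += 1
    return changed


def readable_by(path: str, uid: int, gid: int) -> bool:
    """Could a process with this uid/gid open the file for reading, judged by
    ownership and mode bits alone? Ignores root's override, ACLs, SELinux and
    AppArmor, and assumes the parent directories are searchable."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    import pwd
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/etc/raddb/certs"
    for path, cur, want in audit(root):
        print(f"{path}: {cur:04o} -> {want:04o}")
    try:
        rad = pwd.getpwnam("radiusd")  # daemon user from 'id radiusd' in the thread
    except KeyError:
        print("no radiusd user on this host")
    else:
        for name in ("server.key", "server.pem", "ca.pem", "dh", "random"):
            f = os.path.join(root, name)
            if os.path.exists(f):
                print(f"{f}: readable by radiusd = {readable_by(f, rad.pw_uid, rad.pw_gid)}")
```

Run it once with the audit output only, then call fix() after confirming the findings; re-running audit() afterwards should return an empty list. If readable_by() still reports False for server.key while the mode is 0640, ownership is the remaining problem, which is exactly the chown step.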