Re: Login to Cisco devices through freeradius

2009-03-20 Thread Alan DeKok
Bruno Noronha wrote:
 I issued chmod 777 * in every directory related to freeradius. 

  Don't do that.  Ever.

  The server comes with a default configuration that WORKS.  The only
reason that it doesn't have permission to read those files is because
YOU changed the configuration so that the server doesn't have permission.

  Why are so many people insistent on breaking the working
configuration?  Where else do we need to document DON'T BREAK IT ?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP ntPassword and lmPassword help

2009-03-20 Thread Alan DeKok
Padam J Singh wrote:
 I have a LDAP server which contains ntPassword and lmPassword attributes
 like following:
...
 lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE
 ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67

  Ugh.

 FR 2.1.1 is configured for doing 802.1x authentication. While doing the
 authentication, I obviously get Invalid NT-Password and Invalid
 LM-Password error. The error stems from the fact that the length is
 incorrect because of the additional {ENC} prefix.
 
 Is there some configuration where I can set something so it ignores the
 initial {ENC} while doing the password comparison?

  Edit raddb/dictionary.  Add a new string attribute:

ATTRIBUTE ENC-NT-Password 3000 string

  Edit raddb/ldap.attrmap.  Delete the entries containing LM-Password.

  Edit raddb/ldap.attrmap.  Find the entries containing NT-Password, and
change them to ENC-NT-Password.

  Edit raddb/sites-available/default (I presume you're running a recent
version of the server...)  Look for the authorize section.  In it,
look for the ldap module.  Change it to:

authorize {
    ...

    ldap  # leave this here

    #  all of this goes on one line
    if (control:ENC-NT-Password && (control:ENC-NT-Password =~ /{ENC}(.*)/)) {
        update control {
            NT-Password := "%{1}"
        }
    }

    ...
}

  That should work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
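The effect of the changes Alan describes, emulated in Python as an added example (not code from the thread or from FreeRADIUS): the `{ENC}` capture, the 32-hex-character length check that produced "Invalid NT-Password", and the resulting control list for one LDAP entry. The LDAP values are constructed placeholders, not real hashes.

```python
import re

# Alan's unlang applies the regex /{ENC}(.*)/ and copies capture %{1} into
# control:NT-Password.  In Python's re a bare '{' would start a repeat, so the
# braces are escaped here; the behaviour is the same (a search, not a full match).
ENC_PREFIX_RE = re.compile(r"\{ENC\}(.*)")

# rlm_mschap wants NT-Password as 16 raw bytes, i.e. 32 hex characters.  The
# 37-character "{ENC}..." string is what triggered "Invalid NT-Password".
HASH_HEX_LEN = 32


def strip_enc_prefix(value: str) -> str:
    """Return capture %{1} of /{ENC}(.*)/, or the value unchanged when the
    regex does not match (the unlang 'if' body is simply not entered)."""
    match = ENC_PREFIX_RE.search(value)
    return match.group(1) if match else value


def hash_length_ok(value: str) -> bool:
    """The length/format check that fails on the prefixed value: exactly 32
    hex characters, which decode to the 16-byte hash rlm_mschap compares."""
    if len(value) != HASH_HEX_LEN:
        return False
    try:
        bytes.fromhex(value)
    except ValueError:
        return False
    return True


def authorize(ldap_attrs: dict) -> dict:
    """Emulate the effect of the suggested changes on one LDAP entry:
      * lmPassword is no longer mapped (its ldap.attrmap lines were deleted);
      * ntPassword is mapped to the new string attribute ENC-NT-Password;
      * the authorize 'if' sets control:NT-Password := "%{1}" when the
        prefix regex matches.
    The returned dict stands in for the request's control list."""
    control = {}
    if "ntPassword" in ldap_attrs:
        control["ENC-NT-Password"] = ldap_attrs["ntPassword"]
    enc = control.get("ENC-NT-Password")
    if enc is not None and ENC_PREFIX_RE.search(enc):
        control["NT-Password"] = strip_enc_prefix(enc)
    # Edge case worth knowing: an entry whose ntPassword lacks the {ENC}
    # prefix ends up with no NT-Password at all, because NT-Password itself
    # is no longer mapped from LDAP.  Such users would fail MS-CHAP.
    return control


# Constructed sample entries; the hex strings are placeholders, not real hashes.
ENTRY_WITH_PREFIX = {
    "ntPassword": "{ENC}0123456789ABCDEF0123456789ABCDEF",
    "lmPassword": "{ENC}FEDCBA9876543210FEDCBA9876543210",
}
ENTRY_WITHOUT_PREFIX = {"ntPassword": "0123456789ABCDEF0123456789ABCDEF"}


if __name__ == "__main__":
    ctl = authorize(ENTRY_WITH_PREFIX)
    print("control list:", ctl)
    print("prefixed value passes length check:",
          hash_length_ok(ENTRY_WITH_PREFIX["ntPassword"]))
    print("stripped value passes length check:",
          hash_length_ok(ctl["NT-Password"]))
    print("entry without prefix:", authorize(ENTRY_WITHOUT_PREFIX))
```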


can the modules cause 'Exiting normally'?

2009-03-20 Thread switchport
I wrote a module similar to rlm_sql.
I tested radius with the shell script below; the auth_test file contains 8000 users.
---
#!/bin/bash
# Loop forever, replaying the 8000 requests in auth_test against the local
# server with 16 requests in flight, and print the iteration count each time.
i=0
while true
do
    date
    time ../radclient -p 16 -q -s -f auth_test 127.0.0.1:1812 auth xx
    i=$((i + 1))
    echo $i
done


After xk or 1xk cycles, radius exits with 'Exiting normally' and no detailed
log.
What is wrong?

The test shell echoes:

3872
Fri Mar 20 09:01:09 CST 2009

   Total approved auths:  8000
 Total denied auths:  0
   Total lost auths:  0

real    0m3.344s
user    0m0.793s
sys     0m1.245s
3873
Fri Mar 20 09:01:12 CST 2009

   Total approved auths:  8000
 Total denied auths:  0
   Total lost auths:  0

real    0m3.352s
user    0m0.778s
sys     0m1.266s
3874
Fri Mar 20 09:01:16 CST 2009

   Total approved auths:  8000
 Total denied auths:  0
   Total lost auths:  0

real    0m3.359s
user    0m0.764s
sys     0m1.277s
3875
Fri Mar 20 09:01:19 CST 2009
radclient: no response from server for ID 195 socket 3

   Total approved auths:  7999
 Total denied auths:  0
   Total lost auths:  1

real    0m20.599s
user    0m0.836s
sys     0m1.477s
3876
Fri Mar 20 09:01:40 CST 2009
radclient: no response from server for ID 46 socket 3
radclient: no response from server for ID 162 socket 3
radclient: no response from server for ID 132 socket 3
radclient: no response from server for ID 81 socket 3
...
---

The radius log shows:
-
Fri Mar 20 08:58:03 2009 : Error: Discarding conflicting packet from client 
localhost port 55746 - ID: 32 due to recent request 30648083.
Fri Mar 20 08:58:57 2009 : Error: Discarding conflicting packet from client 
localhost port 54935 - ID: 39 due to recent request 30759434.
Fri Mar 20 08:59:09 2009 : Error: Discarding conflicting packet from client 
localhost port 60967 - ID: 103 due to recent request 30770305.
Fri Mar 20 08:59:43 2009 : Error: Discarding conflicting packet from client 
localhost port 58098 - ID: 131 due to recent request 30839295.
Fri Mar 20 09:00:00 2009 : Error: Discarding conflicting packet from client 
localhost port 55258 - ID: 182 due to recent request 30862096.
Fri Mar 20 09:00:14 2009 : Error: Discarding conflicting packet from client 
localhost port 42660 - ID: 47 due to recent request 30880046.
Fri Mar 20 09:00:44 2009 : Error: Discarding conflicting packet from client 
localhost port 53858 - ID: 222 due to recent request 30932873.
Fri Mar 20 09:01:22 2009 : Error: Discarding conflicting packet from client 
localhost port 44717 - ID: 195 due to recent request 31006705.
Fri Mar 20 09:01:24 2009 : Info: Exiting normally.
-

radiusd.conf
 
thread pool {
start_servers = 8
max_servers = 64
min_spare_servers = 4
max_spare_servers = 12
max_requests_per_server = 0
}
--
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radclient: problem with exit code 0 and 1

2009-03-20 Thread oz

Hello,

Alan DeKok wrote:

  I've committed a fix that will be in the next release of the server.
If you need this functionality, upgrade.


I tried your git repository as described on freeradius.org. I do not understand 
the versioning scheme, but I downloaded the fixed stable tree (upcoming 2.1.5?) 
and built it without 'make install' on my AMD64 machine. The problem in 
radclient is fixed, thank you Alan!


I just had to append the new dictionary path in my scripts, because the 
dictionaries of my old inst do not work with the new radclient:


./radclient -d /usr/local/src/radiusd/share -f /home/me/radpacket -x 
192.168.X.X:1812 auth secret123


Thanks for your fast help!

oz

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
Sorry but what you said doesn't make any sense to me. The default config
didn't work. How can you explain the same alarms even after changing the
permissions to everyone? The message containing permission denied
remains... It's strange, unless I have forgotten to change permission of a
directory. I was expecting something like insecure permissions which
didn't happen.

2009/3/20 Alan DeKok al...@deployingradius.com

 Bruno Noronha wrote:
  I issued chmod 777 * in every directory related to freeradius.

   Don't do that.  Ever.

  The server comes with a default configuration that WORKS.  The only
 reason that it doesn't have permission to read those files is because
 YOU changed the configuration so that the server doesn't have permission.

  Why are so many people insistent on breaking the working
 configuration?  Where else do we need to document DON'T BREAK IT ?

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Login to Cisco devices through freeradius

2009-03-20 Thread tnt
Sorry but what you said doesn't make any sense to me. The default config
didn't work. How can you explain the same alarms even after changing the
permissions to everyone? The message containing permission denied
remains... It's strange, unless I have forgotten to change permission of a
directory. I was expecting something like insecure permissions which
didn't happen.


Do you have something like selinux preventing access?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang question

2009-03-20 Thread tnt
I do not want visitors to be able to get onto the original service, and I
do not want normal users to get onto the visitor service.

My thoughts are to set up a new virtual server and add an 'if' statement
to look for the visitor user names, and reject or allow as necessary.

something like this in the new virtual server

if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }

and the inverse for the old service.

if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }

Is this syntax correct ? and where do I put it?

What about the service? You probably want:

if (Service-Type == whatever && Stripped-User-Name !~
/visitor[0-9]?[0-9]/i) {
 reject
}

That goes in authorize section.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius+Java application api call and authenticate

2009-03-20 Thread sollunga

finally i had some luck i guess, now the radius do authentication, but
jradius simulator says timed out, could be ACS is not passing the
information to simulator i feel. though i am using ACS proxy distribution
table, still simulator is not getting the response back, any clues will be
greatly appreciated sir/mam.

once after this is up, how do i proceed to forward/receive  these info
(username,password, token pass)to be confirmed for the java based
application

i know i am in total confusion mode, but some kind of help will be helpful
for me to look towards right direction..



rlm_jradius: reading attribute: type=1259012097; len=1
rlm_jradius: Released JRadius socket id: 6
++[jradius] returns updated
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
[files] users: Matched entry d...@mydomain.com at line 90
[files] expand: Hello, %{User-Name} - Hello, d...@mydomain.com
++[files] returns ok
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by d...@mydomain.com with CHAP password
[chap] Using clear text password hello for user d...@mydomain.com
authentication.
[chap] chap user d...@mydomain.com authenticated succesfully
++[chap] returns ok
Login OK: [...@mydomain.com/CHAP-Password] (from client mydomain port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 2 to 192.168.0.50 port 2773
Reply-Message = Hello, d...@mydomain.com
Proxy-State = 0x434953434f3a30
Finished request 1.
Going to the next request
Waking up in 1.9 seconds.
Cleaning up request 1 ID 2 with timestamp +13
Ready to process requests.




sollunga wrote:
 
 thanks ivan for the quick reply, will get back to you shortly
 
 
 
 sollunga wrote:
 
 i am using Cisco ACS for authenticating my vpn users, now i thought of
 using two factor auth in place against the direct authentication by ACS,
 on this process one of the googling guided me to try proxying the ACS to
 Freeradius and call some scripts to talk to the java application. now by
 making the ACS to do proxying at network configuration, i can see the
 request is flowing to freeradius from ACS, and the freeradius does 
 
 
 [chap] rlm_chap: Attribute User-Name is required for authentication.
 ++[chap] returns invalid
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} -
 ++[attr_filter.access_reject] returns noop
 Delaying reject of request 27 for 1 seconds
 
 
 
 after a while it says
 
 
 [pap] Found existing Auth-Type, not changing it.
 ++[pap] returns noop
 Found Auth-Type = CHAP
 +- entering group CHAP {...}
 [chap] login attempt by Doe with CHAP password
 [chap] Using clear text password hello for user Doe authentication.
 [chap] chap user Doe authenticated succesfully
 ++[chap] returns ok
 +- entering group post-auth {...}
 ++[exec] returns noop
 Sending Access-Accept of id 63 to
 
 
 i am trying to figure out where could be the issue
 
 once after this process, i need to send the same to a java application
 and get a success status from there and authenticate this user.
 
 could it be possible?
 
 team i am a newbie here, i am just a sys admin, and now trying extend my
 knowledge, please help me.
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Freeradius%2BJava-application-api-call-and-authenticate-tp22449820p22619518.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
I don't think so. I'm using SUSE 11.0, is there any problem with that?

2009/3/20 t...@kalik.net

 Sorry but what you said doesn't make any sense to me. The default config
 didn't work. How can you explain the same alarms even after changing the
 permissions to everyone? The message containing permission denied
 remains... It's strange, unless I have forgotten to change permission of a
 directory. I was expecting something like insecure permissions which
 didn't happen.
 

 Do you have something like selinux preventing access?

 Ivan Kalik
 Kalik Informatika ISP

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

modules instance name restrictions

2009-03-20 Thread Thibault Le Meur

Hi,

I recently came up with a small issue concerning module instance names 
(especially when they set Auth-Type).


* I defined my own pap module with the name 'pap-myorg' and expected it 
to set Auth-Type to PAP-MYORG, but in fact it wasn't setting the 
Auth-Type at all (moreover I saw no notice in the log about not being 
able to set the Auth-Type).
* I changed the instance name to 'papmyorg' and now the module sets the 
Auth-Type to PAPMYORG.


I tried to find in the doc where the restrictions on module instance 
names were defined, but didn't find any reference to this. And given 
the fact that some standard modules have specific chars such as '_' or 
'-', I thought there were few constraints.


Is there any module instance naming convention written somewhere in the 
provided documentation (or online)?
Maybe it could be interesting to have a warning in the radius debug 
log in order to notify the administrator that Auth-Type wasn't set due 
to module naming restrictions?


Best regards,
Thibault



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


unlang question

2009-03-20 Thread Bruce_M_Richardson
Hi,

I have freeRADIUS 2.0.5 authenticating against LDAP via eap and this has 
been working perfectly since last year. 
Now I have a new requirement to authenticate another set of users in the 
same LDAP tree onto a different service. 
These users will be visitors to our site and will have the user names 
Visitor1 ... Visitor(nn)

I do not want visitors to be able to get onto the original service, and I 
do not want normal users to get onto the visitor service.

My thoughts are to set up a new virtual server and add an 'if' statement 
to look for the visitor user names, and reject or allow as necessary. 

something like this in the new virtual server

if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }

and the inverse for the old service. 

if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }

Is this syntax correct ? and where do I put it?

Thanks for your time ...regards,

Bruce Richardson



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unlang question

2009-03-20 Thread Arran Cudbard-Bell

On 20/3/09 12:25, t...@kalik.net wrote:

I do not want visitors to be able to get onto the original service, and I
do not want normal users to get onto the visitor service.

My thoughts are to set up a new virtual server and add an 'if' statement
to look for the visitor user names, and reject or allow as necessary.

something like this in the new virtual server

if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }

and the inverse for the old service.

if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }

Is this syntax correct ? and where do I put it?


What about the service? You probably want:



if ((%{request:Service-Type} == 'whatever') &&
    (%{request:Stripped-User-Name} !~ /visitor[0-9]?[0-9]/i)) {
    reject
}

I don't think naked attribute names were supported in 2.0.5..




That goes in authorize section.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
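The two authorize rules discussed in this thread, emulated in Python as an added example (not code from the thread or from FreeRADIUS). It also shows a check a practitioner would want before putting the posted pattern into an access decision: as written, `/visitor[0-9]?[0-9]/i` is unanchored, so it also matches names that merely contain "visitor" plus digits; the anchored pattern, the Service-Type value `Login-User` (the only one Bruce reports) and the sample user names are my assumptions.

```python
import re

# The pattern as posted in the thread: case-insensitive and unanchored.
VISITOR_RE_AS_POSTED = re.compile(r"visitor[0-9]?[0-9]", re.IGNORECASE)

# Anchored variant (my suggestion, not from the thread): the whole stripped
# user name must be "visitor" followed by one or two digits, nothing else.
VISITOR_RE_ANCHORED = re.compile(r"^visitor[0-9]{1,2}$", re.IGNORECASE)


def is_visitor(stripped_user_name: str, pattern=VISITOR_RE_ANCHORED) -> bool:
    """Equivalent of 'Stripped-User-Name =~ pattern' in unlang."""
    return pattern.search(stripped_user_name) is not None


def authorize_visitor_server(request: dict,
                             service_type: str = "Login-User") -> str:
    """The rule Ivan and Arran sketched for the new virtual server: reject
    when the request carries the expected Service-Type but the user name is
    not a visitor account ('!~ ... { reject }').  "Login-User" is assumed."""
    if (request.get("Service-Type") == service_type
            and not is_visitor(request.get("Stripped-User-Name", ""))):
        return "reject"
    return "ok"


def authorize_original_server(request: dict) -> str:
    """The inverse rule for the existing service: visitor accounts are
    rejected there ('=~ ... { reject }')."""
    if is_visitor(request.get("Stripped-User-Name", "")):
        return "reject"
    return "ok"


def compare_patterns(names) -> dict:
    """For each name, (matches as posted, matches anchored).  Names where the
    two differ are the ones the unanchored regex would treat as visitors
    even though they are not of the form Visitor1 .. Visitor99."""
    return {n: (is_visitor(n, VISITOR_RE_AS_POSTED),
                is_visitor(n, VISITOR_RE_ANCHORED)) for n in names}


# Constructed sample user names (assumed, not from the thread).
SAMPLE_NAMES = ["Visitor7", "visitor42", "visitor123", "myvisitor12", "alice"]

if __name__ == "__main__":
    for name, (posted, anchored) in compare_patterns(SAMPLE_NAMES).items():
        print(f"{name:12} as posted={posted!s:5} anchored={anchored}")
    req = {"Service-Type": "Login-User", "Stripped-User-Name": "alice"}
    print("alice on visitor server:", authorize_visitor_server(req))
    print("alice on original server:", authorize_original_server(req))
```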


Re: Login to Cisco devices through freeradius

2009-03-20 Thread sollunga

try commenting out the eap module in both radiusd.conf and
sites-available/default, inner-tunnel, then try starting radiusd -X



tnt-4 wrote:
 
Sorry but what you said doesn't make any sense to me. The default config
didn't work. How can you explain the same alarms even after changing the
permissions to everyone? The message containing permission denied
remains... It's strange, unless I have forgotten to change permission of a
directory. I was expecting something like insecure permissions which
didn't happen.

 
 Do you have something like selinux preventing access?
 
 Ivan Kalik
 Kalik Informatika ISP
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 

-- 
View this message in context: 
http://www.nabble.com/Login-to-Cisco-devices-through-freeradius-tp22610096p22619667.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius+Java application api call and authenticate

2009-03-20 Thread tnt
finally i had some luck i guess, now the radius do authentication, but
jradius simulator says timed out, could be ACS is not passing the
information to simulator i feel. though i am using ACS proxy distribution
table, still simulator is not getting the response back, any clues will be
greatly appreciated sir/mam.

Debug ACS.


once after this is up, how do i proceed to forward/receive  these info
(username,password, token pass)to be confirmed for the java based
application

jradius module will pass request attributes (all, not just username and
password) to jradius server. You need to read jradius documentation to
see how to process them and configure reply.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
There is nothing related to eap to comment out in these files...
Should I create a certificate? Is it compulsory?

2009/3/20 sollunga sollu...@yahoo.com


 try commenting out the eap module in both radiusd.conf and
 sites-available/default, inner-tunnel, then try starting radiusd -X



 tnt-4 wrote:
 
  Sorry but what you said doesn't make any sense to me. The default config
  didn't work. How can you explain the same alarms even after changing the
  permissions to everyone? The message containing permission denied
  remains... It's strange, unless I have forgotten to change permission of a
  directory. I was expecting something like insecure permissions which
  didn't happen.
 
 
  Do you have something like selinux preventing access?
 
  Ivan Kalik
  Kalik Informatika ISP
 
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 
 

 --
 View this message in context:
 http://www.nabble.com/Login-to-Cisco-devices-through-freeradius-tp22610096p22619667.html
 Sent from the FreeRadius - User mailing list archive at Nabble.com.

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Login to Cisco devices through freeradius

2009-03-20 Thread A . L . M . Buxey
Hi,
 There is nothing related to eap to comment out in these files...
 Should I create a certificate? Is it compulsory?

hang on - do you actually HAVE any EAP cert/CA files that you are referencing 
in eap.conf?

read eap.conf - see what files it is trying to read (cert, CA, pkcs12, random, 
etc) and check you actually HAVE those files.  If you have those files, then 
ensure that the permissions for the directory and files are suitable for 
reading - you DON'T EVER want 777.

with 777 I could own your server and take over your infrastructure - you only 
want read permissions on the files... for the relevant user that the freeradius 
daemon is running as (usually radiusd)

what does 

id radiusd


give as output?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread Adam W. Sewell
I removed the DEFAULT Auth-Type = Perl since you said it wasn't used.

I removed the update control from the authorize in inner-tunnel.

Here's the new log. Thanks for the help.

Ready to process requests.
rad_recv: Accounting-Request packet from host 192.168.240.78 port 3083, 
id=11, length=101
Acct-Status-Type = Stop
Acct-Session-Id = 0005
User-Name = testUser
NAS-IP-Address = 192.168.240.78
NAS-Port = 4
Calling-Station-Id = 00-16-D3-30-E5-74
Acct-Delay-Time = 0
Acct-Session-Time = 72
Acct-Authentic = RADIUS
Acct-Terminate-Cause = Lost-Carrier
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 4,Client-IP-Address = 
192.168.240.78,NAS-IP-Address = 192.168.240.78,Acct-Session-Id = 
0005,User-Name = testUser'
rlm_acct_unique: Acct-Unique-Session-ID = 4675a10eb3ec92c2.
++[acct_unique] returns ok
++[files] returns noop
+- entering group accounting
expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radius/radacct/192.168.240.78/detail-20090320
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /var/log/radius/radacct/192.168.240.78/detail-20090320
expand: %t - Fri Mar 20 07:52:25 2009
++[detail] returns ok
++[unix] returns ok
expand: /var/log/radius/radutmp - /var/log/radius/radutmp
expand: %{User-Name} - testUser
++[radutmp] returns ok
expand: %{User-Name} - testUser
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 11 to 192.168.240.78 port 3083
Finished request 0.
Cleaning up request 0 ID 11 with timestamp +3
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=235, length=152
Message-Authenticator = 0x7d2d05eba9f44b4f560221d152a604d6
User-Name = testUser
NAS-IP-Address = 192.168.240.78
NAS-Port = 4
NAS-Port-Type = Ethernet
Calling-Station-Id = 00-16-D3-30-E5-74
EAP-Message = 0x0201000d016c6a61636b736f6e
Framed-MTU = 1000
Called-Station-Id = 0001F4-B6-1B-80\0004
NAS-Identifier = HOKDORM_01953_M48
NAS-Port-Id = fe.0.4
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 235 to 192.168.240.78 port 3085
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x01bfa13001bdb807fc4539ef1278734e
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=236, length=249
Message-Authenticator = 0xae6d806c5e45d7aa21bbaee13239c841
User-Name = testUser
State = 0x01bfa13001bdb807fc4539ef1278734e
NAS-IP-Address = 192.168.240.78
NAS-Port = 4
NAS-Port-Type = Ethernet
Calling-Station-Id = 00-16-D3-30-E5-74
Called-Station-Id = 00-01-F4-B6-1B-80
Framed-MTU = 1000
EAP-Message = 
0x0202005c19001603010051014d030149c3987c0e37eb6c0bac727f1287e3f6cd86
2647f846d214e820432669caf4482600390038003500160013000a00330032002f00
050004001500120009001400110008000600030100
NAS-Identifier = HOKDORM_01953_M48
NAS-Port-Id = fe.0.4
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 2 length 92
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls:  TLS 1.0 Handshake [length 0051], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 085e], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 020d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client

Re: unlang question

2009-03-20 Thread Bruce_M_Richardson
 if ((%{request:Service-Type} == 'whatever') &&
     (%{request:Stripped-User-Name} !~ /visitor[0-9]?[0-9]/i)) {
     reject
 }

 I don't think naked attribute names were supported in 2.0.5..

Thanks Ivan and Arran , in fact there is only one Service-Type (Login-User
).

so I changed my authorize section to ...

authorize {
#
preprocess
prefix
eap {
ok = return
}
ldap
# Just the Visitors please !!
if(%{request:Stripped-User-Name} !~ 
/visitor[0-9]?[0-9]/i) {reject}
expiration
logintime
}

and now radiusd will not start .. 

/usr/local/etc/raddb/sites-enabled/all[182]: EOF reached without closing 
brace for section server starting at line 115
Errors reading /usr/local/etc/raddb/radiusd.conf

I've also tried Ivan's version with the same results. 

Commenting out the 'if' statement fixes the issue, and I can't see any 
missing braces. 
Am I putting it in the wrong place, or is the syntax wrong ?

Bruce


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Login to Cisco devices through freeradius

2009-03-20 Thread Alan DeKok
Bruno Noronha wrote:
 Sorry but what you said doesn't make any sense to me. The default config
 didn't work.

  <shrug>  Then something on *your* system is preventing it from working.

 How can you explain the same alarms even after changing the
 permissions to everyone? 

  I don't.  It's *your* system.  FreeRADIUS isn't generating those
errors.  The OS on your system is telling FreeRADIUS that it can't read
those files.

  If you don't understand how your OS works, then you need to solve that
problem before you spend any more time with FreeRADIUS.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius+Java application api call and authenticate

2009-03-20 Thread sollunga

http://coova.org/wiki/index.php/JRadius/WithFreeRADIUS
http://coova.org/wordpress/index.php/2007/04/07/integrating-radius-with-your-java-enterprise/

i can find only these two urls for documentation? anywhere else as a
reference?




tnt-4 wrote:
 
finally i had some luck i guess, now the radius do authentication, but
jradius simulator says timed out, could be ACS is not passing the
information to simulator i feel. though i am using ACS proxy distribution
table, still simulator is not getting the response back, any clues will be
greatly appreciated sir/mam.
 
 Debug ACS.
 

once after this is up, how do i proceed to forward/receive  these info
(username,password, token pass)to be confirmed for the java based
application
 
 jradius module will pass request attributes (all, not just username and
 password) to jradius server. You need to read jradius documentation to
 see how to process them and configure reply.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 

-- 
View this message in context: 
http://www.nabble.com/Freeradius%2BJava-application-api-call-and-authenticate-tp22449820p22620632.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Login to Cisco devices through freeradius

2009-03-20 Thread Leighton Man

 

There is nothing related to eap to comment out in these files...
Should I create a certificate? Is it compulsory?


  
Hi,
I've just struggled through all this so it's nice to try and help. Always take 
note of the FIRST error message in the debug. The later ones can be confusing 
if you don't understand what's going on. 
Your problem seems to be that the server can't read the certificate files. If 
they aren't there, it won't be able to. When I compiled freeradius it generated 
test certificates itself (after tweaking the Makefile). Are you using the 
latest version?

You must have certificates to do SSL. They live in the raddb/certs directory.

Regards,

Leighton
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
Dawg, I have all default installation files. I read eap.conf and it seems to
be okay, I either changed any file, including adding new users! Everything
remains the same...

I know that chmod 777 is not recommended. I did it just to make sure that
what I have isn't a permission issue.

Here is the output for id radiusd command:
uid=108(radiusd) gid=109(radiusd) groups=109(radiusd)

Reading this tutorial, http://wiki.freeradius.org/Cisco, it seems to be so
simple! Is there any possibility of OS incompatibility with freeRADIUS?

tks!



2009/3/20 a.l.m.bu...@lboro.ac.uk

 Hi,
  There is nothing related to eap to comment out in these files...
  Should I create a certificate? Is it compulsory?

 hang on - do you actually HAVE any EAP cert/CA files that you are
 referencing in eap.conf?

 read eap.conf - see what files it is trying to read (cert, CA , pkcs12,
 random, etc)
 and check you actually HAVE those files.  if you have those files, then
 ensure that the
 permissions for the directory and files are suitable for reading - you DONT
 EVER want 777

 with 777 i could own your server and take over your infrastructure - you
 only want read
 permissions on the files...for the relevant user that the freeradius daemon
 is running as
 (usually radiusd)

 what does

 id radiusd


 give as output?

 alan
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius+Java application api call and authenticate

2009-03-20 Thread tnt
http://coova.org/wiki/index.php/JRadius/WithFreeRADIUS
http://coova.org/wordpress/index.php/2007/04/07/integrating-radius-with-your-java-enterprise/

I can find only these two urls for documentation? anywhere else as a
reference?


Ask them, not us.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Alan DeKok
Bruno Noronha wrote:
 Reading this tutorial, http://wiki.freeradius.org/Cisco, it seems to be
 so simple! Is there any possibility of OS incompatibity with freeRADIUS?

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread tnt
I removed the DEFAULT Auth-Type = Perl since you said it wasn't used.

I removed the update control from the authorize in inner-tunnel.

Here's the new log. Thanks for the help.


What now? It works:

Login OK: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel)
  PEAP: Tunneled authentication was successful.
  rlm_eap_peap: SUCCESS
..
Login OK: [testUser] (from client DORMTEST2_M80 port 4 cli
00-16-D3-30-E5-74)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 244 to 192.168.240.78 port 3085
MS-MPPE-Recv-Key =
0xc19c41b6b90a8a2fd163fd01b2063947b0d92633fd05fdce97f314dd267e05c6
MS-MPPE-Send-Key =
0x4a11b9ee8d9de1506569176d11bf97823ba21771a97e79fea82e427acad442a2
EAP-Message = 0x030a0004
Message-Authenticator = 0x
User-Name = testUser
Finished request 10.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
Leighton, thanks for helping me. I agree with you, the messages are a little bit
confusing for me too.
That's what I thought, problems with permissions. That's why I did chmod 777,
even knowing that it's not recommended. After doing this, the issue
persists... I'm using the newest version available from freeradius.org.

Here follows the output of Makefile.

/etc/raddb/certs/Makefile
/etc/raddb/certs/Makefile: line 12: DH_KEY_SIZE: command not found
grep: server.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 17: PASSWORD_SERVER: command not found
grep: ca.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 18: PASSWORD_CA: command not found
grep: client.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 19: PASSWORD_CLIENT: command not found
grep: client.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 21: USER_NAME: command not found
/etc/raddb/certs/Makefile: line 28: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 29: all:: command not found
/etc/raddb/certs/Makefile: line 31: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 32: client:: command not found
/etc/raddb/certs/Makefile: line 34: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 35: ca:: command not found
/etc/raddb/certs/Makefile: line 37: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 38: server:: command not found
/etc/raddb/certs/Makefile: line 45: dh:: command not found
/etc/raddb/certs/Makefile: line 46: DH_KEY_SIZE: command not found

And the output of ls -l on the certs directory:

RADIUS:/etc/raddb/certs # ls -l
total 104
-rwxrwxrwx 1 root root4210 Mar 17 10:49 01.pem
-rwxrwxrwx 1 root root4441 Nov 19 14:20 Makefile
-rwxrwxrwx 1 root root5343 Nov 19 14:20 README
-rwxrwxrwx 1 root radiusd  462 Nov 19 14:20 bootstrap
-rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf
-rwxrwxrwx 1 root root1195 Mar 17 10:49 ca.der
-rwxrwxrwx 1 root root1743 Mar 17 10:49 ca.key
-rwxrwxrwx 1 root root1675 Mar 17 10:49 ca.pem
-rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf
-rwxrwxrwx 1 root root 466 Mar 19 15:10 dh
-rwxrwxrwx 1 root root 120 Mar 17 10:49 index.txt
-rwxrwxrwx 1 root root  21 Mar 17 10:49 index.txt.attr
-rwxrwxrwx 1 root root   0 Mar 17 10:49 index.txt.old
-rwxrwxrwx 1 root root1024 Mar 19 15:11 random
-rwxrwxrwx 1 root root   3 Mar 17 10:49 serial
-rwxrwxrwx 1 root root   3 Mar 17 10:49 serial.old
-rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf
-rwxrwxrwx 1 root root4210 Mar 17 10:49 server.crt
-rwxrwxrwx 1 root root1062 Mar 17 10:49 server.csr
-rwxrwxrwx 1 root root1743 Mar 17 10:49 server.key
-rwxrwxrwx 1 root root2533 Mar 17 10:49 server.p12
-rwxrwxrwx 1 root root3495 Mar 17 10:49 server.pem
-rwxrwxrwx 1 root root 578 Nov 19 14:20 xpextensions

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread Adam W. Sewell
I believe the only thing left is that it needs to return a Filter-Id 
along with the access-accept?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login to Cisco devices through freeradius

2009-03-20 Thread A . L . M . Buxey
Hi,

 RADIUS:/etc/raddb/certs # ls -l
 total 104
 -rwxrwxrwx 1 root root4210 Mar 17 10:49 01.pem
 -rwxrwxrwx 1 root root4441 Nov 19 14:20 Makefile
 -rwxrwxrwx 1 root root5343 Nov 19 14:20 README
 -rwxrwxrwx 1 root radiusd  462 Nov 19 14:20 bootstrap
 -rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf
 -rwxrwxrwx 1 root root1195 Mar 17 10:49 ca.der
 -rwxrwxrwx 1 root root1743 Mar 17 10:49 ca.key
 -rwxrwxrwx 1 root root1675 Mar 17 10:49 ca.pem
 -rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf
 -rwxrwxrwx 1 root root 466 Mar 19 15:10 dh
 -rwxrwxrwx 1 root root 120 Mar 17 10:49 index.txt
 -rwxrwxrwx 1 root root  21 Mar 17 10:49 index.txt.attr
 -rwxrwxrwx 1 root root   0 Mar 17 10:49 index.txt.old
 -rwxrwxrwx 1 root root1024 Mar 19 15:11 random
 -rwxrwxrwx 1 root root   3 Mar 17 10:49 serial
 -rwxrwxrwx 1 root root   3 Mar 17 10:49 serial.old
 -rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf
 -rwxrwxrwx 1 root root4210 Mar 17 10:49 server.crt
 -rwxrwxrwx 1 root root1062 Mar 17 10:49 server.csr
 -rwxrwxrwx 1 root root1743 Mar 17 10:49 server.key
 -rwxrwxrwx 1 root root2533 Mar 17 10:49 server.p12
 -rwxrwxrwx 1 root root3495 Mar 17 10:49 server.pem
 -rwxrwxrwx 1 root root 578 Nov 19 14:20 xpextensions

chown -R radiusd:radiusd /etc/raddb

chmod -R 755 /etc/raddb/certs

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread tnt
I believe the only thing left is that it needs to return a Filter-Id
along with the access-accept?


Is your perl script adding it to $RAD_REPLY? I can't see it in the reply.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang question

2009-03-20 Thread tnt
 if((%{request:Service-Type} == 'whatever') &&
 (%{request:Stripped-User-Name} !~
 /visitor[0-9]?[0-9]/i)) {
reject
 }

# Just the Visitors please !!
if(%{request:Stripped-User-Name} !~
/visitor[0-9]?[0-9]/i) {reject}

Don't open and close brackets on the same line. Have a look at Arran's
statement.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread Adam W. Sewell
Yes, I have $RAD_REPLY{'Filter-Id'} = $filterId; in the perl script.

In the log, it says:

rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=Student

But shouldn't that show up in the Access-Accept also?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang question

2009-03-20 Thread Bruce_M_Richardson
 Don't open and close brackets on the same line. Have a look at Arran's
 statement.

Ok I tried this ...


if(%{request:Stripped-User-Name} !~
/visitor[0-9]?[0-9]/i) {
 reject
}

and got this ...

/usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition at: 
%{request:Stripped-User-Name} !~

any ideas ?

Bruce


 Please consider the environment - do you really need to print this email?





This e-mail and any attachments are confidential and solely for the use of the 
intended recipient.  They may contain material protected by legal professional 
or other privilege. If you receive it in error, please delete it from your 
system, make no copies of it, do not disclose its contents to any third party 
or use it for your own or any other person's benefit. Please advise the sender 
of its receipt as soon as possible. Although this email and its attachments are 
believed to be free of any virus or other defect, it is the responsibility of 
the recipient to ensure that they are virus free and no responsibility is 
accepted by the company for any loss or damage arising from receipt or use 
thereof. Any opinions expressed that do not relate to the official business of 
the company are those of the author, not the United Biscuits group of companies.

United Biscuits (UK) Limited Registered in England number 2506007 Registered 
Office: Hayes Park, Hayes End Road, Hayes, Middlesex, UB4 8EE
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unlang question

2009-03-20 Thread Alan DeKok
bruce_m_richard...@biscuits.com wrote:
 if(%{request:Stripped-User-Name} !~
 /visitor[0-9]?[0-9]/i) {
  reject
 }
 
 and got this ...
 
 /usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition
 at: %{request:Stripped-User-Name} !~
 
 any ideas ?

$ man unlang

  Everything following the if statement MUST be all on one line of text.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Alan DeKok
Bruno Noronha wrote:
 Leighton, thanks for helping me. I agree with you, the messages are a little
 bit confusing for me too.
 That's what I thought, problems with permissions. That's why I did chmod
 777, even knowing that it's not recommended. After doing this, the issue
 persists... I'm using the newest version available from freeradius.org.

  For the LAST time: This is not a FreeRADIUS problem.

  Fix your OS so that it lets FreeRADIUS read the configuration files.

 Here follows the output of Makefile.
 
 /etc/raddb/certs/Makefile
 /etc/raddb/certs/Makefile: line 12: DH_KEY_SIZE: command not found
 grep: server.cnf: No such file or directory

  Uh... you do know that you can't execute Makefiles like shell scripts?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang question

2009-03-20 Thread Bruce_M_Richardson
 $ man unlang
 
   Everything following the if statement MUST be all on one line of 
text.
 
   Alan DeKok.
 -

Ok thanks, I don't think that is clear on 
http://freeradius.org/radiusd/man/unlang.html . 

I now have ...

if(%{request:Stripped-User-Name} !~ /visitor[0-9]?[0-9]/i) {
reject
}

and radiusd will start now. 

Thanks to all

Bruce



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Bandwidth limit

2009-03-20 Thread orion
hi,
if you want to limit the upload/download speed then you must have an entry
in radreply/radgroupreply:

INSERT INTO radreply (username, attribute, op, value)
VALUES ('USERNAME', 'Mikrotik-Rate-Limit', ':=', '256K/512K');

in this case the upload is 256Kbps and download is 512Kbps

keep in mind that the same USERNAME must be in radcheck:
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('USERNAME', 'Cleartext-Password', ':=', 'password1234');



2009/3/19 t...@kalik.net

 Thanks Ivan,
 
 Actually I've installed Mikrotik Router OS in single pc and Freeradius +
 Mysql server in other. I want to shape the client bandwidth with mysql
 database. If you have any idea then please send me.
 

 Vendor attributes are just like any other - you put them in radreply or
 radgroupreply.

 Ivan Kalik
 Kalik Informatika ISP

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Modify User-Name to upper Case (rewrite/unlang)

2009-03-20 Thread Eric Martell
Hi,
  I am searching through the forum and did not get the right suggestion.

I am doing LDAP authentication and getting macaddress as User-Name in the 
following format.

User-Name = 001e.5283.34aa

I want to convert that to 001E528334AA, i.e. convert to uppercase and remove
the dots.

Is there any function I can use such as, 
 ldap {

   User-Name := User-Name.toUpperCase().replace('.','');

}

Please guide me to the documentation.

Thanks and Regards.
Eric.







  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-20 Thread orion
I had the same problem when I wanted to authenticate the hotspot's users with
freeradius.
The solution was to make a static mapping in IP - HOTSPOT - IP BINDINGS:

MAC address :  THE MAC OF THE SERVER
ADDRESS :   THE IP ADDRESS OF THE SERVER
TO ADDRESS : THE SAME AS ABOVE
SERVER : ALL
TYPE :  REGULAR or BYPASSED

and then it worked. It was related to the hotspot connections being passed
to the mikrotik's web proxy (captive portal/page).

2009/3/19 Fajar A. Nugraha fa...@fajar.net

 2009/3/19 Lazar Cherveniakov laz...@mail.bg:
  Everything looks fine in IP addresses, but the problem is still the same.

 Looks like you got exactly the problem I described. See here :

  Mikrotik debug log
  01:33:40 radius,debug sending 53:02 to 192.168.200.2:1812

 Mikrotik thinks radius IP is 192.168.200.2

  radius server ip`s
  # ifconfig
  eth0  Link encap:Ethernet  HWaddr 00:19:66:4E:F4:E8
inet addr:192.168.200.3  Bcast:192.168.200.255
  Mask:255.255.255.0
  eth0:1Link encap:Ethernet  HWaddr 00:19:66:4E:F4:E8
inet addr:192.168.200.2  Bcast:192.168.200.255
  Mask:255.255.255.0

 ... while that IP is secondary IP on the radius server. Do a tcpdump
 on radius and you should see that radius replies comes from
 192.168.200.3 (which mikrotik discards, because it's not the IP it
 sends the request to).

 There are several ways to fix this (one of them involves recompiling
 freeradius with --with-udpfromto, see

 http://wiki.freeradius.org/index.php/FAQ#Why_does_the_NAS_ignore_the_RADIUS_server.27s_reply.3F
 ), but the easiest way is simply change mikrotik's config to use
 192.168.200.3 as radius IP address.

 Regards,

 Fajar

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

CHAP authentication issue

2009-03-20 Thread Alan Cooper
I am trying to migrate from a working Freeradius 1.1.3 installation to
a 2.1.x (currently trying .4) and I'm hitting a problem getting CHAP
authentication to work. I use the users file to authenticate DSL users
via a Cisco LNS device - chap doesn't think it's getting the password
from the users file in plaintext.

My users file entry looks like this:

# saf1...@lumisondsl2.co.uk ADSL:
saf1975 Cleartext-Password = "mypassword", NAS-IP-Address = 193.29.223.253
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 84.19.252.194,
        Framed-IP-Netmask = 255.255.255.255,
        Cisco-AVPair = "ip:dns-servers=212.20.226.130 212.20.226.194",
        Cisco-AVPair += "ip:route#1=84.19.253.96 255.255.255.224 84.19.252.194",
        Cisco-AVPair += "ip:route#2=84.19.255.64 255.255.255.224 84.19.252.194",
        Cisco-AVPair += "ip:route#3=217.30.117.96 255.255.255.248 84.19.252.194"

As I'm dealing with multiple domains, I strip out the domain names
coming in from the LNS in proxy.conf.


Can anyone explain why CHAP isn't getting a plaintext password and
what I need to do to resolve? It appears to come through plaintext to
the other 1.1.3 server...

Debug output:-

Ready to process requests.
rad_recv: Access-Request packet from host 193.29.223.253 port 1645,
id=8, length=123
Framed-Protocol = PPP
User-Name = saf1...@lumisondsl2.co.uk
CHAP-Password = 0x015912a2d9f792df9c9b61107520a7967d
NAS-Port-Type = Virtual
NAS-Port = 2208
NAS-Port-Id = Uniq-Sess-ID2208
Connect-Info = 1696000
Service-Type = Framed-User
NAS-IP-Address = 193.29.223.253
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] Looking up realm lumisondsl2.co.uk for User-Name =
saf1...@lumisondsl2.co.uk
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = saf1975
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
[files] users: Matched entry DEFAULT at line 22474
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by saf1975 with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Login incorrect (rlm_chap: Clear text password not available):
[saf1...@lumisondsl2.co.uk/CHAP-Password] (from client dsl-gw port
2208)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
saf1...@lumisondsl2.co.uk
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 8 to 193.29.223.253 port 1645
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: dear everyone..

2009-03-20 Thread Luciano Afranllie
On Thu, Mar 19, 2009 at 6:20 AM,  a.l.m.bu...@lboro.ac.uk wrote:
 Hi,
 I am a newbie freeradius user. I have a duty from my lecturer to build a
 hotspot captive portal using chillispot and freeradius. Now I have made it;
 chillispot and freeradius are working well on an ubuntu machine, but the problem is
 my lecturer wants me to do a stress test on the radius server to make sure that
 the system is still working well in any condition..

 I am still confused how to perform the stress test... anyone help me
 please.. thank you for your attention. sorry for bad english :D

 there are a couple of scripts supplied with the server to allow
 benchmarking which hit the server fast and hard. run a couple
 of those whilst eg flood pinging the system.  but 'any condition'
 is hardly any kind of scientific or useful phrase. for example,
 is the system working well if half the packets get lost? does

if you want to test what happen under network problem scenarios you
can try netem or nistnet

http://www.linuxfoundation.org/en/Net:Netem
http://snad.ncsl.nist.gov/nistnet/

Regards
Luciano

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: CHAP authentication issue

2009-03-20 Thread Alan DeKok
Alan Cooper wrote:
 I am trying to migrate from a working Freeradius 1.1.3 installation to
 a 2.1.x (currently trying .4) and I'm hitting problem getting CHAP
 authentication to work. I use the users file to authenticate DSL users
 via a Cisco LNS device - chap doesn't think it's getting the password
 from the users file in plaintext.
 
 My users file entry looks like this:
 
 # saf1...@lumisondsl2.co.uk ADSL:
 saf1975 Cleartext-Password = "mypassword", NAS-IP-Address = 193.29.223.253

  Use Cleartext-Password :=

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
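
The rejection in the debug above ("[chap] Cleartext-Password is required for
authentication") is a property of CHAP itself, not of the users file. What
follows is an added illustration written for this archive, not code from
FreeRADIUS or from either poster: the RFC 1994 computation in Python. The NAS
sends CHAP-Password as one identifier byte followed by
MD5(identifier || password || challenge); the challenge travels in a
CHAP-Challenge attribute or, when that attribute is absent as in the request
above, it is the 16-byte Request Authenticator (RFC 2865 section 5.3). The
server can only check the response by recomputing that digest from the
cleartext password, so a one-way hash stored in its place can never verify.
The function names, the challenge bytes and the password (the placeholder
from the users entry) are all constructed for the example; the users-file
operator point (= versus :=) is not modelled here.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# RADIUS attribute types (RFC 2865)
CHAP_PASSWORD = 3
CHAP_CHALLENGE = 60


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge).

    'Secret' is the user's password in the clear, which is why rlm_chap needs
    Cleartext-Password: nothing else lets it recompute this digest.
    """
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def split_chap_password(value: bytes) -> Optional[Tuple[int, bytes]]:
    """CHAP-Password (RFC 2865 section 5.3): 1 identifier byte + 16 byte response."""
    if len(value) != 17:
        return None
    return value[0], value[1:]


def nas_access_request(ident: int, password: bytes, challenge: bytes,
                       send_chap_challenge: bool) -> Tuple[bytes, Dict[int, bytes]]:
    """NAS side: returns (Request Authenticator, attributes) of the Access-Request.

    The NAS either carries the challenge in CHAP-Challenge, or, when it is
    exactly 16 bytes, uses it as the Request Authenticator and omits the
    attribute.  The request in the thread has no CHAP-Challenge: second form.
    """
    attrs = {CHAP_PASSWORD: bytes([ident]) + chap_response(ident, password, challenge)}
    if send_chap_challenge:
        attrs[CHAP_CHALLENGE] = challenge
        authenticator = os.urandom(16)              # fresh per request, as RFC 2865 requires
    else:
        if len(challenge) != 16:
            raise ValueError("only a 16-byte challenge can travel as the authenticator")
        authenticator = challenge
    return authenticator, attrs


def server_verify_chap(authenticator: bytes, attrs: Dict[int, bytes],
                       stored_password: bytes) -> bool:
    """Server side, what rlm_chap does once it has a cleartext password.

    False on a malformed attribute or a digest mismatch.  If stored_password
    is a one-way hash instead of the cleartext, the recomputed digest is over
    the wrong bytes and can never match.
    """
    parsed = split_chap_password(attrs.get(CHAP_PASSWORD, b""))
    if parsed is None:
        return False
    ident, response = parsed
    challenge = attrs.get(CHAP_CHALLENGE, authenticator)   # RFC 2865 s5.3 fallback
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)         # constant-time compare


def demo() -> Dict[str, bool]:
    """Run both challenge encodings with constructed values (not from the thread)."""
    password = b"mypassword"
    challenge = bytes(range(16))                 # constructed 16-byte challenge
    results: Dict[str, bool] = {}
    for form in ("attribute", "authenticator"):
        auth, attrs = nas_access_request(1, password, challenge,
                                         send_chap_challenge=(form == "attribute"))
        results[form + ":cleartext"] = server_verify_chap(auth, attrs, password)
        results[form + ":wrong"] = server_verify_chap(auth, attrs, b"notmypassword")
        # A hash-only store (SHA-256 standing in for any one-way hash) is useless
        # here: this is rlm_chap's "Cleartext-Password is required" in code.
        results[form + ":hashed"] = server_verify_chap(
            auth, attrs, hashlib.sha256(password).digest())
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:25s} {'accept' if ok else 'reject'}")
```

Running it prints the outcome of both challenge encodings against the right
password, a wrong password and a hashed-only store; only the cleartext cases
are accepted. Feeding the thread's own value,
bytes.fromhex('015912a2d9f792df9c9b61107520a7967d'), to split_chap_password()
gives identifier 1 and a 16-byte response, which is exactly what rlm_chap had
to match against a digest it could not compute.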


RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread tnt
Yes, I have $RAD_REPLY{'Filter-Id'} = $filterId; in the perl script.

In the log, it says:

rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=Student

But shouldn't that show up in the Access-Accept also?

You probably need to set use_tunneled_reply to yes in peap section of
eap.conf. This is a slightly older server version which doesn't show
tunneled reply so can't be sure.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread Adam W. Sewell
Yep, that was it. Thanks so much for your help!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
Thanks man, this commands solved my problem!!

Bruno

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Allow PEAP and TTLS, but reject TLS

2009-03-20 Thread usawebbox
I'm using Freeradius 2.1.1. My setup has been successfully
authenticating TLS, TTLS, and PEAP for a while. Now I would like to deny
TLS in the EAP negotiation, although the users will still have client
certificates. I don't know how to reject TLS without breaking PEAP/TTLS.
Those methods require the TLS block, which must then have the CA cert to
validate the server certificate, and the server continues to use that to
validate user certs.

Problem: PEAP is my default EAP-type, but the client can nak it and
choose EAP-TLS instead.

I saw this comment in eap.conf:

If you do not use client certificates, and you do not want to permit
EAP-TLS
authentication, then delete this configuration item (referring to
CA_file)

Unfortunately, this is not literally true. It sounded like a simple way
to use the TLS block only to enable PEAP and TTLS, but if the CA cert is
in certificate_file and the CA_file configuration item is deleted,
EAP-TLS is still permitted as an authentication method.

Note: I have read all the comments in this file, not just the one I
quoted.

If someone knows a way to do this, I would appreciate the knowledge.  I
suppose I would be willing to restrict the EAP-type only PEAP (or only
TTLS) if that is the only way to reject EAP-TLS. Thank you.
-- 
  
  usaweb...@fastmail.fm

-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
  unladen european swallow

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: CHAP authentication issue

2009-03-20 Thread Alan Cooper
On Fri, Mar 20, 2009 at 6:57 PM, Alan DeKok al...@deployingradius.com wrote:

 My users file entry looks like this:

 # saf1...@lumisondsl2.co.uk ADSL:
 saf1975 Cleartext-Password = "mypassword", NAS-IP-Address = 193.29.223.253

  Use Cleartext-Password :=



Many thanks Alan - I will try this over the weekend.

Can you indulge my curiosity and point out (or point me at the docs
that explain) what changed? As someone who has to dip in now and again
to keep a RADIUS platform operational, I'm finding the docs a bit
bewildering and the differences in configs between versions difficult
to locate and understand.


Kind Regards,
Alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Andrew Hood
a.l.m.bu...@lboro.ac.uk wrote:

 chown -R radiusd:radiusd /etc/raddb
 
 chmod -R 755 /etc/raddb/certs

Yuck - marking data files executable. I'd start with:

 find /etc/raddb/certs -type d -exec chmod 755 {} \;
 find /etc/raddb/certs \! -type d -exec chmod 644 {} \;

and fix any program file that should be 755

-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
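
An added Python version of the cleanup Alan Buxey and Andrew Hood describe
above, written for this archive and not FreeRADIUS code or either poster's
script. It audits first and fixes second: directories become 755 and data
files 644, as in the find commands. It assumes that bootstrap is the only
script in certs/ (kept 755), and that files ending in .key and .p12, plus
server.pem (which the stock raddb/certs Makefile builds as server.crt and
server.key concatenated), are private material and get 640, so the daemon's
group can read them but "other" cannot, which is one step tighter than 644.
Ownership is changed only when an explicit (uid, gid) is passed and the
caller is root, as chown -R radiusd:radiusd requires. The directory that
demo() builds is a constructed stand-in for Bruno's listing, with everything
at 0777 as after chmod 777 *.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

DIR_MODE = 0o755       # directories: the daemon can traverse, only the owner writes
FILE_MODE = 0o644      # config and certificates: readable, never executable
PRIVATE_MODE = 0o640   # private keys: owner plus the daemon's group, nothing for "other"
EXEC_MODE = 0o755      # real scripts only
PRIVATE_SUFFIXES = (".key", ".p12")   # assumption: what counts as private material
PRIVATE_NAMES = {"server.pem"}        # stock Makefile: server.crt + server.key in one file
EXECUTABLES = {"bootstrap"}           # assumption: the only script living in certs/


def is_private(path: Path) -> bool:
    return path.suffix in PRIVATE_SUFFIXES or path.name in PRIVATE_NAMES


def wanted_mode(path: Path) -> int:
    """The mode the policy wants for one path (decided by name, not current mode)."""
    if path.is_dir():
        return DIR_MODE
    if path.name in EXECUTABLES:
        return EXEC_MODE
    if is_private(path):
        return PRIVATE_MODE
    return FILE_MODE


def audit_perms(root: Path) -> List[Tuple[str, str]]:
    """Return (path, problem) for every entry that deviates from the policy.

    World-writable entries and world-readable private keys are named as such,
    since those are the findings that matter; any other mismatch is reported
    with the current and wanted mode.
    """
    findings: List[Tuple[str, str]] = []
    for path in [root, *sorted(root.rglob("*"))]:
        mode = stat.S_IMODE(path.lstat().st_mode)
        if mode & stat.S_IWOTH:
            findings.append((str(path), "world-writable"))
        elif is_private(path) and mode & stat.S_IROTH:
            findings.append((str(path), "private key world-readable"))
        elif mode != wanted_mode(path):
            findings.append((str(path), f"mode {mode:o}, want {wanted_mode(path):o}"))
    return findings


def fix_raddb_perms(root: Path, owner: Optional[Tuple[int, int]] = None) -> Dict[str, int]:
    """Apply the policy below root; chown only when an (uid, gid) is given.

    Symlinks are skipped so a stray link cannot redirect the chmod elsewhere.
    Returns the mode applied per path relative to root.
    """
    applied: Dict[str, int] = {}
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue
        if owner is not None:
            os.chown(path, *owner)          # requires root, like chown -R radiusd:radiusd
        target = wanted_mode(path)
        os.chmod(path, target)
        applied[str(path.relative_to(root))] = target
    return applied


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]], Dict[str, int]]:
    """Build a constructed copy of the certs/ listing from the thread, all 0777,
    then audit, fix, audit again and read the resulting modes back."""
    root = Path(tempfile.mkdtemp(prefix="raddb-certs-"))
    try:
        for name in ("Makefile", "bootstrap", "ca.pem", "client.cnf",
                     "server.key", "server.p12", "server.pem"):
            (root / name).write_bytes(b"constructed placeholder\n")
        for path in [root, *root.rglob("*")]:
            os.chmod(path, 0o777)           # reproduce "chmod 777 *"
        before = audit_perms(root)
        fix_raddb_perms(root)
        after = audit_perms(root)
        modes = {p.name: stat.S_IMODE(p.lstat().st_mode) for p in root.rglob("*")}
    finally:
        shutil.rmtree(root)
    return before, after, modes


if __name__ == "__main__":
    before, after, modes = demo()
    print(f"{len(before)} findings before, {len(after)} after; "
          f"server.key is now {modes['server.key']:o}")
```

On the box in the thread, fix_raddb_perms(Path('/etc/raddb/certs'),
owner=(108, 109)) run as root, with the uid and gid from Bruno's id radiusd
output, gives the same ownership as the chown and Andrew Hood's modes plus
the tighter mode on the keys; audit_perms() returning an empty list
afterwards is the check.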