Wimax + Freeradius

2009-05-18 Thread Maxim Vinnichenko
Hello Freeradius-users,

  We are trying to implement an AAA service for a WiMAX project and have
  some problems.

  FreeRADIUS ver. 2.1.3 is installed on Gentoo. The schema is this:

  CPE  WASN9770 GW  RADIUS

  At the moment the problem is the following:

[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for 1...@wimax.tj with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect

The test user is listed in users. But as far as I understood, RADIUS
is not using users to authenticate anyone.

Please help.

Full debug is here

http://217.11.185.178:8080/eap.log


Maxim Vinnichenko.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Wimax + Freeradius

2009-05-18 Thread Ivan Kalik
 The test user is listed in users.

Is he?

server inner-tunnel {
+- entering group authorize {...}
...
++[files] returns noop
...

Ivan Kalik
Kalik Informatika ISP

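As an added worked example (written for this page, not FreeRADIUS source code), the following Python mirrors the authorize-phase decisions behind the [mschap] lines quoted above: a users-file entry has to supply NT-Password, or a Cleartext-Password from which rlm_mschap can derive it (MD4 over the UTF-16LE password), and a name that matches no entry leaves files returning noop. The users file, the user names and the success-path log wording are constructed for the example; only the failure messages are the server's own.

```python
# Added example for this thread, not FreeRADIUS code: what rlm_mschap needs
# from the users file, and why "++[files] returns noop" ends in the failure above.
import struct

_MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is often unavailable under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    ff = lambda x, y, z: (x & y) | (~x & z)
    gg = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (ff, 0x00000000, range(16), (3, 7, 11, 19)),
        (gg, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, k, order, shifts in rounds:
            for n, idx in enumerate(order):
                t = (a + func(b, c, d) + x[idx] + k) & _MASK
                s = shifts[n % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & _MASK, b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_password(cleartext: str) -> str:
    """NT-Password as rlm_mschap derives it: MD4 over the UTF-16LE password, as hex."""
    return _md4(cleartext.encode("utf-16-le")).hex()


def parse_users(text: str) -> dict:
    """Minimal reader for the users file: 'name  Attr op "value", Attr op "value"'.
    Only the first-line check items are kept; indented reply items and comments are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue
        parts = line.split(None, 1)
        checks = {}
        for item in (parts[1].split(",") if len(parts) > 1 else []):
            if item.strip():
                attr, op, value = item.strip().split(None, 2)
                checks[attr] = (op, value.strip('"'))
        entries[parts[0]] = checks
    return entries


def mschap_authorize(users: dict, user_name: str):
    """Mirror the authorize-phase decisions behind the quoted debug lines.
    Returns (NT-Password hex or None, log lines). The failure lines are the
    server's own wording from the thread; the success line is this example's."""
    log = []
    entry = users.get(user_name)
    if entry is None:
        log.append("++[files] returns noop")   # no entry matched: files contributes nothing
        entry = {}
    else:
        log.append("++[files] returns ok")
    if "NT-Password" in entry:
        return entry["NT-Password"][1], log
    if "Cleartext-Password" in entry:
        log.append("[example] derived NT-Password from Cleartext-Password")
        return nt_password(entry["Cleartext-Password"][1]), log
    log.append("[mschap] No Cleartext-Password configured.  Cannot create LM-Password.")
    log.append("[mschap] No Cleartext-Password configured.  Cannot create NT-Password.")
    log.append("[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.")
    return None, log


# Constructed users file. "123" is the User-Name seen in the Access-Accept later in
# this thread; "guest" has reply items only, so there is nothing for mschap to use.
SAMPLE_USERS = '''# name      check items
123         Cleartext-Password := "s3cret-example"
            Service-Type = Framed-User,
            Framed-Protocol = PPP
guest
            Reply-Message = "hello"
'''

if __name__ == "__main__":
    users = parse_users(SAMPLE_USERS)
    for name in ("123", "guest", "nobody"):
        nt, log = mschap_authorize(users, name)
        print(name, "->", nt or "reject", "\n  " + "\n  ".join(log))
```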


Re: Module-Success-Message / Module-Failure-Message

2009-05-18 Thread Laar van de, Johan, TNF
Hi all,

Excuse me, but I don't know how to reply to an older archived message on this 
list.
On the 3rd of April 2008 Alan DeKok replied to the message with the same 
subject as this mail with the following:

 Are they legacy attributes ? They don't seem to be being populated. Be
 really nice if they were populate with the nice new shiny Login OK /
 Login Fail messages...
 
 Login OK: [ac221/* (from client
 hp-e-engg1-1-dev-8021x-sw1.net.susx.ac.uk port 1 cli 0080c8396796)

  That's relatively easy to do.

  Alan DeKok.

My question is, if this is relatively easy, how can I achieve this? 

I'm really interested in storing the 'Module-Failure-Message' (or an equivalent 
which explains why a request has been rejected) in my database for further use.

Johan van de Laar
The Network Factory
 



Re[2]: Wimax + Freeradius

2009-05-18 Thread Maxim Vinnichenko
Hello Ivan,

Thank you for your answer. I've changed the test user and now the server
sends Access-Accept but the CPE still doesn't connect.

[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 47 to 10.155.11.20 port 10001
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Framed-MTU = 1500
MS-MPPE-Recv-Key = 0xc7aba316325d0182e2d6fe42f5592cbef7f5039843cc2166245465ba9d3fb62f
MS-MPPE-Send-Key = 0x526fc822f641a56a7fcc024b2cbd5891072192621baf10d2d1efbc52e448127e
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = 123
Finished request 7.
Going to the next request


Full log is here
http://217.11.185.178:8080/eap2.log







-- 
Maxim Vinnichenko
IP Telephony Department

Babilon - T LLC, Tajikistan,
Dushanbe, Somoni Ave. 8.
Office:   (992 44) 600 00 83
Mobile:   (992 918) 62 37 22
E-mail:   ma...@babilon-t.tj



Re: question about windows users

2009-05-18 Thread Alan DeKok
Bartosz Chodzinski wrote:
 /etc/freeradius/certs/README

  I've never understood why people think it's useful to post
documentation from the server on this list.  Do you think we haven't
seen it?

 and something happened:
 ( I think the key information is
 TLS_accept:error in SSLv3 read client certificate A
 rlm_eap: SSL error error::lib(0):func(0):reason(0)
 but uncle google finds as many different answers as people having this problem)

  It means that you're running a server that is YEARS out of date.  Why
not use a more recent version?

 log freeradius -X:

 Sending Access-Challenge of id 115 to 192.168.5.206 port 1812
 EAP-Message =
 0x010b00350d80002b1403010001011603010020735b6dedb59fdb27811198c86a86bb2fdf2e96ce8f59031cc76f36b80bf1d04c
 Message-Authenticator = 0x
 State = 0x9f4e794b784914b1f67ff19696408712
 Finished request 9
 Going to the next request
 Waking up in 5 seconds...
 --- Walking the entire request list ---
 Cleaning up request 5 ID 111 with timestamp 416c8b35

  This is in the FAQ.  Go read it.

  Alan DeKok.


Re: Wimax + Freeradius

2009-05-18 Thread Alan DeKok
Maxim Vinnichenko wrote:
 Thank you for your answer. I've changed the test user and now the server
 sends Access-Accept but the CPE still doesn't connect.

  Some NAS equipment will ignore Access-Accept if it doesn't contain the
right magic.  The exact definition of this magic is usually found buried
in a footnote on page 400 out of 800 of the vendor documentation.

  Go look at the NAS logs, and see if there are any useful messages.  If
not, call the NAS vendor, and tell them that their product is defective.

  FreeRADIUS works with WiMAX equipment from Nokia, Cisco and Motorola.
 (That I've seen.)  Other vendors known to have problems include
Alvarion.  They don't seem to care that their equipment doesn't work,
and they haven't answered any of my messages about it.

  The only solution is to point out publicly that Alvarion is *not*
following the WiMAX specs, and therefore people should buy *real* WiMAX
equipment.

  Alan DeKok.


Re: Module-Success-Message / Module-Failure-Message

2009-05-18 Thread Alan DeKok
Laar van de, Johan, TNF wrote:
 My Question is, if this is relatively easy, how can I achieve this? 

  The log messages can be changed via source code edits.

  This *could* be made configurable, but that also requires source code
edits.

  Alan DeKok.


Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)

2009-05-18 Thread Alan DeKok
John Dennis wrote:
 It is critical to note for RHEL customers the updated RPMS are
 considered tech preview and do not come with any official RHEL
 support.

  If they want support for *any* version of the server, it's available.
 See http://networkradius.com

  But that's specific to FreeRADIUS, and not to the entire RHEL package.

  Alan DeKok.


Re[2]: Wimax + Freeradius

2009-05-18 Thread Maxim Vinnichenko
Hello Alan,



Thank you very much. The vendor forces us to buy their unique TRIAS
server, aka RADIUS. :) That costs several hundred thousand.

Anyway thanks to all of you for help.



-- 
Maxim Vinnichenko
IP Telephony Department

Babilon - T LLC, Tajikistan,
Dushanbe, Somoni Ave. 8.
Office:   (992 44) 600 00 83
Mobile:   (992 918) 62 37 22
E-mail:   ma...@babilon-t.tj



Re: Wimax + Freeradius

2009-05-18 Thread Alan DeKok
Maxim Vinnichenko wrote:
 Thank you very much. The vendor forces us to buy their unique TRIAS
 server, aka RADIUS. :) That costs several hundred thousand.

  Dollars?

  Odds are that their product is less functional than FreeRADIUS.  It
would likely be cheaper to figure out what the problem is, and to make
FreeRADIUS inter-operate with the vendor.

  And what the vendor *really* meant is that they do *not* implement the
standards, and they don't care.  Why not buy equipment from a vendor
that is interested in making *useful* products?

  Alan DeKok.


FreeRADIUS Server Version 2.1.6 has been released

2009-05-18 Thread Alan DeKok
  The following is the change log.  Thanks to everyone for testing the
pre-releases.


FreeRADIUS 2.1.6 Mon May 18 10:00:00 CEST 2009; urgency=medium
Feature improvements
* radclient exits with 0 on successful (accept / ack), and 1
  otherwise (no response / reject)
* Added support for %{sql:UPDATE ..}, and insert/delete
  Patch from Arran Cudbard-Bell
* Added sample do not respond policy.  See raddb/policy.conf
  and raddb/sites-available/do_not_respond
* Cleanups to Suse spec file from Norbert Wegener
* New VSAs for Juniper from Bjorn Mork
* Include more RFC dictionaries in the default install
* More documentation for the WiMAX module
* Added chase_referrals and rebind configuration to rlm_ldap.
  This helps with Active Directory.  See raddb/modules/ldap
* Don't load pre/post-proxy if proxying is disabled.
* Added %{md5:...}, which returns MD5 hash in hex.
* Added configurable retry_interval and poll_interval
  for detail listeners.
* Added delete_mppe_keys configuration option to rlm_wimax.
  Apparently some WiMAX clients misbehave when they see those
  keys.
* Added experimental rlm_ruby from
  http://github.com/Antti/freeradius-server/tree/master
* Add Tunnel attributes to ldap.attrmap
* Enable virtual servers to be reloaded on HUP.  For now, only
  the authorize, authenticate, etc. processing sections are
  reloaded.  Clients and listen sections are NOT reloaded.
* Updated radwatch script to be more robust.  See
  scripts/radwatch
* Added certificate compatibility notes in raddb/certs/README,
  for compatibility with different operating systems. (i.e.
  Windows)

Bug fixes
* Minor changes to allow building without VQP.
* Minor fixes from John Center
* Fixed raddebug example
* Don't crash when deleting attributes via unlang
* Be friendlier to very fast clients
* Updated the detail listener so that it only polls once,
  and not many times in a row, leaking memory each time...
* Update comparison for Packet-Src-IP-Address (etc.) so that
  the operators other than '==' work.
* Did autoconf magic to work around weird libtool bug
* Make rlm_perl keep tags for tagged attributes in more
  situations
* Update UID checking for radmin
* Added include_length field for TTLS.  It's needed for RFC
  compliance, but not (apparently) for interoperability.


RE: Module-Success-Message / Module-Failure-Message

2009-05-18 Thread Laar van de, Johan, TNF
OK, but is there no other variable available which can be used within an SQL 
query in the Post-Auth section?

Thanks.

Johan van de Laar




duplicate Identity received, freeradius behaviour?

2009-05-18 Thread Jean F. Mousinho
Hi,

I've noticed on our radius server logs lots of "EAP state variable
not found"; after some packet dump analysis (also -Xf) I've noticed that
one of the cases where this happened was when some EAP Identity packets
are duplicated during parallel authentications (I mean, when at least
one session already began from the same client, and we're receiving
duplicate ).

I've noticed that these duplicate packets come with just a little
difference, which is the Proxy-State; the duplicate packets then, in my
opinion, could be caused by some bad proxying implementation (client EAP
Identity passing through 2 or more proxies?), or even bad load
balancing.

Also, we did an upgrade of one of the two proxies connected to our home
radius server and somehow noticed that the amount of EAP state errors
was lower in the old version (1.1.7) than in the newer (2.1.3) (although
it's hard to confirm that).

I've tried to compare the code from 1.1.7 and 2.1.3 and didn't come to a
clear conclusion whether there is any special treatment of duplicate proxied
packets between 1.1.7 and 2.1.3 (while proxying).

Thanks for your time.

Jean F. Mousinho



Free radius configure as pre-paid billing system

2009-05-18 Thread Sachidananda Sahoo
Hi,
Re: Freeradius-Users Digest, Vol 49, Issue 75(Free radius configure as pre-paid billing system)

2009-05-18 Thread Sachidananda Sahoo
I want to configure a pre-paid billing system in FreeRADIUS; please let me 
know which modules are necessary to configure.
Regards,
Sachidananda Sahoo


RE: FreeRADIUS Server Version 2.1.6 has been released

2009-05-18 Thread Meyers, Dan
Can I just check, as I can't see anything about it in the changelog and
the wiki page for it appears to be the same as before: what is the
rlm_perl behaviour with the new version of FreeRADIUS?

As I recall rlm_perl no longer handles its own threading. One of the
issues for several people introduced with the previous version of
FreeRADIUS was there only ever being a single perl thread, which was a
bottleneck, where the desired functionality was 1 perl thread (or
process, if compiled with multiplicity instead of threading) per radius
thread.

I'm also assuming multiplicity takes preference, as our system installed
with 2.1.4 had perl installed with both, and our radius process starts
up at 200M but doesn't grow in the way you'd expect if we had a memory
leak in our perl. I can't think what's taking up all that memory if it's
not multiple perl processes. The same code on a system with perl
compiled without threading or multiplicity only takes 16M.

Thanks for the update, the radwatch script in particular will be very
useful for us :)

--
Dan Meyers
Network Specialist, Lancaster University
E-Mail: d.mey...@lancaster.ac.uk






Re: question about windows users

2009-05-18 Thread Bartosz Chodzinski
OK (you guys probably hate me :) but please could you still give me the
answers as you did before)
but back to the subject:
I did like you said,
I installed 2.0.4 version (compiled using suggestions from:
http://www.fatofthelan.com/articles/articles.php?pid=27
http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html)

Next, I made one change in eap.conf:
default_eap_type = peap #was md5

and I add my switch-client to clients.conf

#cd /etc/freeradius/certs
#rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

I edited:
ca.cnf, client.cnf and server.cnf, and I changed this line in each of them:
default_bits= 1024 #was 2048

next:
#make ca ca.der dh random server client

Then I copied ca.der and client.p12 to Windows; both of them are
installed in the CA and Personal directories

And two things:

first one:
when I open the properties of the client certificate on XP using the mmc certificates
console I have the information that "Windows doesn't have enough information
to verify this certificate" and "You have a proper private key for this
certificate" (it is a non-English system so it's a translation but I think the
translation is ok)

second one:
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 18 2009
at 12:50:33
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/freeradius/freeradius.pid
user = freerad
group = freerad
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
 }
 client 192.168.5.0/24 {
require_message_authenticator = no
secret = windows
shortname = private-network-2
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no

Re: question about windows users

2009-05-18 Thread Ivan Kalik
 I installed 2.0.4 version (compiled using suggestions from:
 http://www.fatofthelan.com/articles/articles.php?pid=27
 http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html)


If you downloaded the current version, you wouldn't need to ask. You have to
change the makefile so that client certificates are signed by the CA and not the
server certificate. MS introduced that glitch post XP SP2.


 second one:
 rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=138,
 length=147
...
 User-Name = u...@example.com
...
 rlm_realm: Found realm example.com
 rlm_realm: Adding Stripped-User-Name = user
 rlm_realm: Adding Realm = example.com
 rlm_realm: Proxying request from user user to realm example.com
...
 Sending Access-Request of id 188 to 127.0.0.1 port 1812
...
 User-Name = user
...
 rlm_eap: Identity does not match User-Name, setting from EAP Identity.
   rlm_eap: Failed in handler
 ++[eap] returns invalid
 auth: Failed to validate the user.

You can't strip the username in EAP.

Ivan Kalik
Kalik Informatika ISP



Common error on sql_counter on Ver 2.1.5

2009-05-18 Thread Mauro Iorio - Smart Soft s.r.l.
Hi all,

I recently installed FreeRADIUS ver. 2.1.5 and I'm trying to configure it to
work as a previous installation of ver. 1.1.x.

I'm stuck at the sql counter module. On 1.1.x I use the common sessioncounter
counter with the sql module, but with 2.1.5 I get the message "rlm_sqlcounter:
Could not find Check item value pair".

I believe the configurations are identical for both versions of freeradius,
but I'm obviously missing something.

Can someone help me find where the error can be? I think it's a trivial
one, but I've been stuck for 3 days.

Thank you for your interest.

Mauro Iorio


Re: Free radius configure as pre-paid billing system

2009-05-18 Thread Ivan Kalik

 I want to configure a pre-paid billing system in FreeRADIUS; please
 let me know which modules are necessary to configure.

Counter or sqlcounter depending on how you do accounting.

Ivan Kalik
Kalik Informatika ISP



Re: Common error on sql_counter on Ver 2.1.5

2009-05-18 Thread Ivan Kalik
 I recently installed FreeRADIUS ver. 2.1.5 and I'm trying to configure it to
 work as a previous installation of ver. 1.1.x.

 I'm stuck at the sql counter module. On 1.1.x I use the common sessioncounter
 counter with the sql module, but with 2.1.5 I get the message "rlm_sqlcounter:
 Could not find Check item value pair".


User entry didn't match. Post the debug (radiusd -X) and the user entry.
You wouldn't be using User-Password as the password attribute?

Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-18 Thread A . L . M . Buxey
Hi,

 OK (you guys probably hate me :) but please could you still give me the
 answers as you did before)
 but back to the subject:
 I did like you said,
 I installed 2.0.4 version (compiled using suggestions from:
 http://www.fatofthelan.com/articles/articles.php?pid=27
 http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html)

you are using an old version, you are using random 3rd party instructions
of dubious dates and knowledge.

 first one:
 when I open the properties of the client certificate on XP using the mmc certificates
 console I have the information that "Windows doesn't have enough information
 to verify this certificate" and "You have a proper private key for this
 certificate" (it is a non-English system so it's a translation but I think the
 translation is ok)

this means you didn't install the CA - ensure you've added it to the trusted CA
list in the system - use the certificate MMC snap-in.

 second one:

original packet has this:

 User-Name = u...@example.com

this is then proxied to the system handling example.com:

 rlm_realm: Looking up realm example.com for User-Name = 
 u...@example.com
 rlm_realm: Found realm example.com
 rlm_realm: Adding Stripped-User-Name = user
 rlm_realm: Adding Realm = example.com
 rlm_realm: Proxying request from user user to realm example.com
 rlm_realm: Preparing to proxy authentication request to realm 
 example.com
 ++[suffix] returns updated

..which then says this:

 rlm_eap: Identity does not match User-Name, setting from EAP Identity.
   rlm_eap: Failed in handler

so..somewhere along the line you are playing with the User-Name
attribute...something which you cannot do with EAP - if you take a standard
2.1.6 install and make the basic changes to your eap.conf and clients.conf it
will work.

alan
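As an added example for the two replies above (written for this page; it is not FreeRADIUS code, and the challenge packet is constructed to match the structure of the Access-Challenge in the quoted log rather than copied from it), this Python decodes an EAP-Message the way those replies read it and reproduces the User-Name versus EAP-Identity comparison that fails once rlm_realm has stripped the realm:

```python
# Added example for this thread, not FreeRADIUS code: decode an EAP-Message
# the way the replies above read it, and show why stripping the realm from
# User-Name makes rlm_eap fail ("Identity does not match User-Name").
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet (RFC 3748 header: Code, Identifier, Length, then Type).
    The declared Length is checked against the bytes actually present."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length says {length} bytes, {len(pkt)} present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response needs a Type byte")
        eap_type = pkt[4]
        out["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            # Identity: the type-data is the NAI the supplicant sent, as-is
            out["identity"] = pkt[5:].decode("utf-8", "replace")
        elif eap_type in (13, 21, 25):
            out.update(parse_tls_tunnel(pkt[5:]))
    return out


def parse_tls_tunnel(data: bytes) -> dict:
    """EAP-TLS/TTLS/PEAP type-data: flags byte (L, M, S), optional 4-byte TLS
    message length when L is set, then TLS records (type, version, length, body)."""
    if not data:
        raise ValueError("missing flags byte")
    flags = data[0]
    info = {"length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20)}
    pos = 1
    if info["length_included"]:
        if len(data) < 5:
            raise ValueError("L flag set but no TLS length")
        info["tls_length"] = struct.unpack("!I", data[1:5])[0]
        pos = 5
    records = []
    while pos + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        if pos + 5 + rlen > len(data):
            raise ValueError("TLS record runs past end of EAP data")
        records.append({"content_type": TLS_CONTENT.get(ctype, ctype),
                        "version": f"{major}.{minor}", "length": rlen})
        pos += 5 + rlen
    info["tls_records"] = records
    return info


def build_identity_response(ident: int, identity: str) -> bytes:
    """EAP-Response/Identity as a supplicant would send it inside EAP-Message."""
    body = identity.encode("utf-8")
    return struct.pack("!BBHB", 2, ident, 5 + len(body), 1) + body


def strip_realm(user_name: str) -> str:
    """What rlm_realm did in the log: user@example.com -> Stripped-User-Name 'user'."""
    return user_name.rsplit("@", 1)[0]


def eap_identity_consistent(identity_pkt: bytes, user_name: str) -> bool:
    """The comparison behind "rlm_eap: Identity does not match User-Name": the
    User-Name attribute must equal the identity carried inside EAP-Message."""
    return parse_eap(identity_pkt).get("identity") == user_name


# Constructed Access-Challenge EAP-Message with the same structure as the one in the
# log: Request, id 11, length 53, type TLS, L flag, TLS length 43, a ChangeCipherSpec
# record and a 32-byte Handshake record (body bytes are filler, not a real session).
SAMPLE_CHALLENGE = bytes.fromhex("010b0035" "0d" "80" "0000002b"
                                 "140301000101" "1603010020") + bytes(range(32))

if __name__ == "__main__":
    print(parse_eap(SAMPLE_CHALLENGE))
    ident = build_identity_response(1, "user@example.com")
    for name in ("user@example.com", strip_realm("user@example.com")):
        print(f"User-Name={name!r}: consistent={eap_identity_consistent(ident, name)}")
```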


Re: duplicate Identity received, freeradius behaviour?

2009-05-18 Thread Alan DeKok
Jean F. Mousinho wrote:
 I've noticed that on our radius server logs lots of EAP state variable
 not found, after some packet dump analysis (also -Xf) I've noticed that
 one of the cases that this happened was when some EAP Identity packets
 are duplicated during parallel authentications (I mean, when at least
 one session already began from the same client, and we're receiving
 duplicate ).

  Your NAS (wireless AP) is broken.  It should NOT be sending new RADIUS
packets for EAP re-transmissions.

 I've noticed that these duplicate packets come with just a little
 difference which is the Proxy-State, the duplicate packets then, in my
 opinion could be caused by some bad proxying implementation (client EAP
 Identity passing through 2 or more proxies?), or even bad load
 balancing.

  The Proxy-State attribute is different, *and* the RADIUS Id is
different. Because they are two independent authentication sessions.

 Also, we did an upgrade of one of the two proxies connected to our home
 radius server and somehow noticed that the amount of EAP state errors
 was lower in the old version (1.1.7) than in the newer (2.1.3) (although
 its hard to confirm that).
 
 I've tried to compare the code from 1.1.7 and 2.1.3 and didn't come to a
 clear conclusion if its there any special treatment to duplicate proxied
 packets between 1.1.7 and 2.1.3 (while proxying).

  Both versions treat *duplicate* packets identically.  However, if the
packets are *not* duplicate, both treat the packets as independent
authentication sessions.

  Odds are that your NAS is sending *two* RADIUS authentications.  i.e.
*two* sessions for *one* user.  It's broken.  Throw it out, and buy one
that works.

  Alan DeKok.
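Alan's distinction above (a duplicate is the same packet retransmitted; a different Id with a different Proxy-State is a separate session) can be checked against the RADIUS header itself. The following is an added example, not code from the post or from FreeRADIUS: it builds constructed Access-Requests and applies the duplicate-detection key a RADIUS server uses (source address, source port, Identifier, then the Request Authenticator), so a retransmission is dropped while a second Id starts a new session.

```python
import os
import struct

PROXY_STATE = 33  # RADIUS attribute type Proxy-State (RFC 2865)

def build_access_request(ident, authenticator, proxy_state=None):
    """Minimal Access-Request: 20-byte header plus an optional Proxy-State.
    These are constructed sample packets for the example, not captured traffic."""
    attrs = b""
    if proxy_state is not None:
        attrs += struct.pack("!BB", PROXY_STATE, 2 + len(proxy_state)) + proxy_state
    return struct.pack("!BBH16s", 1, ident, 20 + len(attrs), authenticator) + attrs

class RequestTracker:
    """Tracks in-flight requests the way a RADIUS server de-duplicates them:
    key = (src ip, src port, Identifier); the Request Authenticator then decides
    whether a second packet with that key is a retransmission."""
    def __init__(self):
        self.inflight = {}

    def classify(self, src_ip, src_port, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != 1 or length != len(packet):
            return "malformed"
        authenticator = packet[4:20]
        key = (src_ip, src_port, ident)
        previous = self.inflight.get(key)
        if previous is None:
            self.inflight[key] = authenticator
            return "new-session"
        if previous == authenticator:
            return "duplicate"      # same packet again: drop it, do not restart EAP
        self.inflight[key] = authenticator
        return "conflicting"        # same Id but a new authenticator: the NAS reused the Id

def demo():
    """First request, its retransmission, then a request with a new Id and a
    different Proxy-State (the case in the thread): only the middle one is a duplicate."""
    tracker = RequestTracker()
    first = build_access_request(224, os.urandom(16), b"\x00\x01")
    retransmit = first
    second = build_access_request(225, os.urandom(16), b"\x00\x02")
    return [tracker.classify("192.168.4.203", 47750, p) for p in (first, retransmit, second)]
```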


Re: FreeRADIUS Server Version 2.1.6 has been released

2009-05-18 Thread Alan DeKok
Meyers, Dan wrote:
 Can I just check, as I can't see anything about it in the changelog and
 the wiki page for it appears to be the same as before - What is the
 rlm_perl behaviour with the new version of FreeRADIUS?

  It's the same as 2.1.4.

 I'm also assuming multiplicity takes preference, as our system installed
 with 2.1.4 had perl installed with both, and our radius process starts
 up at 200M but doesn't grow in the way you'd expect if we had a memory
 leak in our perl. I can't think what's taking up all that memory if it's
 not multiple perl processes. The same code on a system with perl
 compiled without threading or multiplicity only takes 16M.

  Yes.  We'll take a look at that for 2.1.7.

  Barring that, grab a copy of 2.1.6, and replace src/modules/rlm_perl
with a copy from a previous version.  Re-build, and install.  You'll get
the Perl that you like, along with the rest of the fixes in 2.1.6.

  The fixes & features in 2.1.6 are worth taking the time to do that.

 Thanks for the update, the radwatch script in particular will be very
 useful for us :)

  And lots more.  Wait for 2.1.7, there are some interesting features
going in.

  Alan DeKok.


Re: FreeRADIUS Server Version 2.1.6 has been released

2009-05-18 Thread Johan Meiring

Alan DeKok wrote:


  And lots more.  Wait for 2.1.7, there are some interesting features
going in.



Hi,

I hope having the NAS-Identifier available to the dynamic clients virtual
server is considered interesting!!


:-)

Thanks for a fantastic product Alan!

Cheers,

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



R: Common error on sql_counter on Ver 2.1.5

2009-05-18 Thread Mauro Iorio - Smart Soft s.r.l.
 
 User entry didn't match. Post the debug (radiusd -X) and the user entry.
 You wouldn't be using User-Password as the password attribute?


From radcheck table
Id      Username    Attribute   Value    op
7216    mauro       Password    flower   ==


From usergroup table
Id      Username    GroupName
14194   mauro       60


From radgroupcheck table
ID      GroupName   Attribute          Value   op
2       60          Max-All-Session    3600    :=


radreply table is empty as it was with 1.1.x


Command line used for testing
radclient 192.168.4.203:1812 auth abcdefgh -f radius.packet -t 5000


radius.packet file
User-Name = mauro
User-Password = mauropwd
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
Called-Station-ID = 00-03-9D-4A-0A-0A

Below is the debug (radiusd -X) output:

Thanks,
Mauro.

-
debug (radiusd -X) output:



Ready to process requests.
rad_recv: Access-Request packet from host 192.168.4.203 port 47750, id=224,
length=76
User-Name = mauro
User-Password = mauropwd
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
Called-Station-Id = 00-03-9D-4A-0A-0A
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[sql]   expand: %{User-Name} - mauro
[sql] sql_set_user escaped user -- 'mauro'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, UserName, Attribute, Value, op FROM
UtentiAutorizzati
 WHERE UserName = '%{SQL-User-Name}' AND MACADDWAN = '%{Called-Station-Id}'
AND
(CheckOnLine - UtentiConnessi)  0 AND DataScadenza  GetDate() - SELECT
id, Us
erName, Attribute, Value, op FROM UtentiAutorizzati WHERE UserName = 'mauro'
AND
 MACADDWAN = '00-03-9D-4A-0A-0A' AND (CheckOnLine - UtentiConnessi)  0 AND
Data
Scadenza  GetDate()
query:  SELECT id, UserName, Attribute, Value, op FROM UtentiAutorizzati
WHERE U
serName = 'mauro' AND MACADDWAN = '00-03-9D-4A-0A-0A' AND (CheckOnLine -
UtentiC
onnessi)  0 AND DataScadenza  GetDate()
WARNING: Found User-Password == 
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
[sql] User found in radcheck table
[sql]   expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Userna
me = '%{SQL-User-Name}' ORDER BY id - SELECT id,UserName,Attribute,Value,op
FRO
M radreply WHERE Username = 'mauro' ORDER BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'ma
uro' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[sessioncounter] returns noop

!!!
!!!Replacing User-Password in config items with Cleartext-Password.
!!!

!!!
!!! Please update your configuration so that the known good
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!

!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 224 to 192.168.4.203 port 47750
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 224 with timestamp +194
Ready to process requests.



Re: R: Common error on sql_counter on Ver 2.1.5

2009-05-18 Thread Ivan Kalik
 User entry didn't match. Post the debug (radiusd -X) and the user entry.
 You wouldn't be using User-Password as the password attribute?


 From radcheck table
 Id      Username    Attribute   Value    op
 7216    mauro       Password    flower   ==


Even worse. Password has been obsolete for at least 5 years.


 -
 debug (radiusd -X) output:

...
 
 !!!
 !!!Replacing User-Password in config items with Cleartext-Password.
 !!!
 
 !!!
 !!! Please update your configuration so that the known good
 !!!
 !!! clear text password is in Cleartext-Password, and not in
 User-Password.
 !!!
 
 !!!
 WARNING: Please update your configuration, and remove 'Auth-Type = Local'
...

You didn't notice any of that? How much bigger should the warnings be? Did
you bother looking into the users file/FAQ/SQL howto to see how user entries
should look?

Ivan Kalik
Kalik Informatika ISP



Re: R: Common error on sql_counter on Ver 2.1.5

2009-05-18 Thread Nicolas Goutte


On 18.05.2009 at 18:15, Mauro Iorio - Smart Soft s.r.l. wrote:



User entry didn't match. Post the debug (radiusd -X) and the user entry.

You wouldn't be using User-Password as the password attribute?




From radcheck table

Id      Username    Attribute   Value    op
7216    mauro       Password    flower   ==



Try to assign ( := ) the password, not to compare ( == ) it.

Also probably Password is not the right attribute name. Try to use  
Cleartext-Password ...





From usergroup table




[...]

!!!
!!!Replacing User-Password in config items with Cleartext-Password.
!!!

!!!
!!! Please update your configuration so that the known good
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!

!!!


... as the log is asking.





[...]

Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
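Ivan's and Nicolas's point (the known-good password belongs in Cleartext-Password with the := operator, not in Password or User-Password compared with ==) can be turned into a sanity check over the radcheck table. The following is an added example, not code from the thread or from FreeRADIUS: it loads a constructed radcheck table (the first row mirrors the one posted above) into in-memory SQLite, reports the rows that would produce the warnings seen in the debug output, and rewrites them.

```python
import sqlite3

# Attribute names rlm_sql/rlm_pap warn about when they hold the stored password
OBSOLETE_PASSWORD_ATTRS = ("Password", "User-Password")

def load_sample_radcheck():
    """Constructed radcheck rows for this example, in the FreeRADIUS radcheck
    column order (id, username, attribute, op, value)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT)")
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", [
        (7216, "mauro", "Password", "==", "flower"),            # the row from the post
        (7217, "alice", "User-Password", "==", "s3cret"),       # obsolete attribute name
        (7218, "bob", "Cleartext-Password", "==", "hunter2"),   # right name, wrong operator
        (7219, "carol", "Cleartext-Password", ":=", "correct"), # as it should be
    ])
    return db

BAD_ROW_FILTER = """attribute IN (?, ?)
                    OR (attribute = 'Cleartext-Password' AND op <> ':=')"""

def find_bad_password_rows(db):
    """Rows that will not authenticate as intended: an obsolete attribute
    name, or a known-good password with a comparison operator instead of
    an assignment (a == check item is compared against the request, where
    no Cleartext-Password ever arrives)."""
    sql = "SELECT id, username, attribute, op FROM radcheck WHERE " \
          + BAD_ROW_FILTER + " ORDER BY id"
    return db.execute(sql, OBSOLETE_PASSWORD_ATTRS).fetchall()

def fix_password_rows(db):
    """Rewrite offending rows to Cleartext-Password := value; returns the
    number of rows changed."""
    sql = "UPDATE radcheck SET attribute = 'Cleartext-Password', op = ':=' WHERE " \
          + BAD_ROW_FILTER
    cur = db.execute(sql, OBSOLETE_PASSWORD_ATTRS)
    db.commit()
    return cur.rowcount
```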






Re: R: Common error on sql_counter on Ver 2.1.5

2009-05-18 Thread Ivan Kalik
 [sql]   expand: %{User-Name} - mauro
 [sql] sql_set_user escaped user -- 'mauro'
 rlm_sql (sql): Reserving sql socket id: 0
 [sql]   expand: SELECT id, UserName, Attribute, Value, op FROM
 UtentiAutorizzati
  WHERE UserName = '%{SQL-User-Name}' AND MACADDWAN =
 '%{Called-Station-Id}'
 AND
 (CheckOnLine - UtentiConnessi)  0 AND DataScadenza  GetDate() - SELECT
 id, Us
 erName, Attribute, Value, op FROM UtentiAutorizzati WHERE UserName =
 'mauro'
 AND
  MACADDWAN = '00-03-9D-4A-0A-0A' AND (CheckOnLine - UtentiConnessi)  0
 AND
 Data
 Scadenza  GetDate()
 query:  SELECT id, UserName, Attribute, Value, op FROM UtentiAutorizzati
 WHERE U
 serName = 'mauro' AND MACADDWAN = '00-03-9D-4A-0A-0A' AND (CheckOnLine -
 UtentiC
 onnessi)  0 AND DataScadenza  GetDate()
 WARNING: Found User-Password == 
 WARNING: Are you sure you don't mean Cleartext-Password?
 WARNING: See man rlm_pap for more information.
 [sql] User found in radcheck table
 [sql]   expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
 Userna
 me = '%{SQL-User-Name}' ORDER BY id - SELECT
 id,UserName,Attribute,Value,op
 FRO
 M radreply WHERE Username = 'mauro' ORDER BY id
 query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username
 =
 'ma
 uro' ORDER BY id
 rlm_sql (sql): Released sql socket id: 0
 ++[sql] returns ok

PS. You have either disabled group checking or removed group membership
query.

Ivan Kalik
Kalik Informatika ISP



Rewriting User-Name in pre-proxy

2009-05-18 Thread William Taylor

I'm currently using freeradius 2.1.4
I need to look up a username in a dbm and rewrite it before sending off
the proxy request.
I have achieved this by using the below method. But I was wondering if
there was a better way.

It would seem that invoking perl with every auth request might be bad.

Thanks in advance!

-William


In: /etc/raddb/dictionary

ATTRIBUTE My-Local-String 3000 string

In: sites-available/default

pre-proxy {
	rewrite
	update proxy-request {
		User-Name := "%{proxy-request:My-Local-String}"
	}
}

In: /etc/raddb/modules/rewrite

exec rewrite {
	wait = yes
	program = "/etc/raddb/rewriteusername.pl %{User-Name} %{Stripped-User-Name} %{Realm}"
	input_pairs = proxy-request
	output_pairs = proxy-request
	shell_escape = yes
}

In: /etc/raddb/rewriteusername.pl

#!/usr/bin/perl
use strict;
use warnings;
use Fcntl;      # O_RDONLY
use DB_File;

# Read-only lookup table: stripped user name -> rewritten user name
my %h;
tie %h, 'DB_File', '/etc/raddb/rewritemap.db', O_RDONLY, 0444, $DB_HASH
    or die "Cannot open file rewritemap.db: $!\n";

# Arguments as passed by rlm_exec: User-Name, Stripped-User-Name, Realm
my $fuser = $ARGV[0];
my $suser = $ARGV[1];
my $realm = $ARGV[2];

# rlm_exec parses "Attribute=value" lines from stdout into output_pairs
if ($realm eq 'foobee.net') {
    if ($h{$suser}) {
        print "My-Local-String=" . $h{$suser};
    } else {
        print "My-Local-String=$suser";
    }
} else {
    print "My-Local-String=$suser";
}

exit 0;



RFE configure script report

2009-05-18 Thread Damjan
Can the ./configure script be made to report at the end what modules it
found it can build. The ./configure output does have this information
but it's not easy to follow.


-- 
damjan | дамјан
This is my jabber ID -- dam...@bagra.net.mk 
 -- not my mail address, it's a Jabber ID --^ :)

Re: RFE configure script report

2009-05-18 Thread Glen Millard
What about redirecting the output to a file that you can hunt through? For
those of us that forget to set our terminals to infinite lines!

$ ./configure 2>&1 | tee ~/configure.log

Glen

On Mon, May 18, 2009 at 16:30, Damjan gdam...@mail.net.mk wrote:

 Can the ./configure script be made to report at the end what modules it
 found it can build. The ./configure output does have this information
 but it's not easy to follow.


 --
 damjan | дамјан
 This is my jabber ID -- dam...@bagra.net.mk
  -- not my mail address, it's a Jabber ID --^ :)

Re: RFE configure script report

2009-05-18 Thread A . L . M . Buxey
Hi,

 Can the ./configure script be made to report at the end what modules it
 found it can build. The ./configure output does have this information
 but it's not easy to follow.

I guess you are asking this after seeing a similar feature in other
software?

alan


Re: RFE configure script report

2009-05-18 Thread Alan DeKok
Damjan wrote:
 Can the ./configure script be made to report at the end what modules it
 found it can build. The ./configure output does have this information
 but it's not easy to follow.

  Sure.  Send a patch to configure.in.

  Or, look at Make.inc after configure is done.  It will have a list of
20-30 modules.

  There are really few good solutions here.  If the list of modules is
printed all on one line, it will wrap across 4-5 lines, and be
unreadable.  If it's listed one module per line, it will likely fill the
terminal window, and cause the earlier modules to scroll off of the top.

  I would suggest simply redirecting the output of configure to a
file, and then grep'ing that for what you need.

  Alan DeKok.