Re: Password conflict between Radius Server and Machine account

2009-06-17 Thread kpani

I am really sorry Ivan. I am very new to radius and have not gone in depth. 

Thanks a lot. I can see the expected behavior after commenting unix in
authorize :)

Regards,
Dhandapani


Ivan Kalik wrote:
 
 And I couldn't find the 'authorize' config file anywhere in my server.
 
 Oh, dear. How are you going to use the server when you don't know even the
 most basic things about it? Authorize is a section in the default
 virtual server (raddb/sites-enabled/default).
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread A . L . M . Buxey
Hi,

 I still suggest:

 abc    User-Password == test

that is wrong. wrong and wrong


Elias, please put your entry at the top of the users file - or remove
the 

DEFAULT Auth-Type == System

from your config (this forces the server to always use 'system' auth
- which you really don't want)

alan


Re: simultaneous use logging

2009-06-17 Thread Ivan Kalik
 I have setup a custom module to do auth and acct.  In debug mode
 everything appears correct, and responses appear correct.  When I
 don't have radius running in debug mode, responses still appear
 correct, but if auth fails due to simultaneous use, radius is logging
 'Auth: Login OK'.  Authentication was successful, but the auth request
 failed due to simultaneous use, so it should be logging a failure I
 would think.  Any idea what I might be doing wrong?

If simultaneous checking rejected the user you will have an entry like:

Multiple logins (max 1) : [username]

in radius.log.


Ivan Kalik
Kalik Informatika ISP



use_tunneled_reply has no effect

2009-06-17 Thread Xiwen Cheng
I have searched through the mailing list archive regarding this matter.
There was one thread similar to the problem I'm facing: have the
outer-tunnel reply with the user-name specified in the inner-tunnel,
thus instead of anonym...@some.realm

From this thread:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-June/msg00576.html

In eap.conf:
ttls {

use_tunneled_reply = yes
virtual_server = inner-tunnel
}

In users:

DEFAULT
User-Name = %{User-Name},
Fall-Through = no

Running radiusd in debug mode, the User-Name attribute remained
unchanged throughout the request session.

Best regards,
Xiwen



Re: use_tunneled_reply has no effect

2009-06-17 Thread Ivan Kalik

This is already present in post-auth in the latest version (after a lengthy
explanation):

  #update outer.reply {
  #  User-Name = %{request:User-Name}
  #}

Just remove comments.

Ivan Kalik
Kalik Informatika ISP



Re: mysql errors when running freeradius

2009-06-17 Thread Ivan Kalik
 Ok, I have done what you guys have said, which is to not use sql for NASes. I
 deleted the table and changed the readclients line in sql.conf to 'no'. I
 have checked radiusd.conf and it has the line $INCLUDE sites-enabled at the
 end of the file. I have also checked in sites-enabled in the default file that
 any sql sections commented out are open. I am still getting the same "No
 authenticate method (Auth-Type) configuration found for the request:
 Rejecting the user" message. When looking at the debug it doesn't look
 like it's loading up any virtual servers? Are there any other sections that I
 need to change?


 Radiusd -X:
 linux-6pfg:/home/james # radiusd -X
 FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Dec  3
 2008
 at 10:47:13
 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License v2.
 Starting - reading configuration files ...
 including configuration file /etc/raddb/radiusd.conf
 including configuration file /etc/raddb/proxy.conf
 including configuration file /etc/raddb/clients.conf
 including files in directory /etc/raddb/modules/
 including configuration file /etc/raddb/modules/attr_rewrite
 including configuration file /etc/raddb/modules/pam
 including configuration file /etc/raddb/modules/pap
 including configuration file /etc/raddb/modules/smbpasswd
 including configuration file /etc/raddb/modules/ldap
 including configuration file /etc/raddb/modules/mac2ip
 including configuration file /etc/raddb/modules/linelog
 including configuration file /etc/raddb/modules/detail.log
 including configuration file /etc/raddb/modules/always
 including configuration file /etc/raddb/modules/logintime
 including configuration file /etc/raddb/modules/policy
 including configuration file /etc/raddb/modules/acct_unique
 including configuration file /etc/raddb/modules/preprocess
 including configuration file /etc/raddb/modules/sradutmp
 including configuration file /etc/raddb/modules/ippool
 including configuration file /etc/raddb/modules/mschap
 including configuration file /etc/raddb/modules/inner-eap
 including configuration file /etc/raddb/modules/expiration
 including configuration file /etc/raddb/modules/radutmp
 including configuration file /etc/raddb/modules/sql_log
 including configuration file /etc/raddb/modules/krb5
 including configuration file /etc/raddb/modules/attr_filter
 including configuration file /etc/raddb/modules/detail
 including configuration file /etc/raddb/modules/counter
 including configuration file /etc/raddb/modules/wimax
 including configuration file /etc/raddb/modules/files
 including configuration file /etc/raddb/modules/mac2vlan
 including configuration file /etc/raddb/modules/checkval
 including configuration file /etc/raddb/modules/echo
 including configuration file /etc/raddb/modules/unix
 including configuration file /etc/raddb/modules/expr
 including configuration file /etc/raddb/modules/digest
 including configuration file /etc/raddb/modules/chap
 including configuration file /etc/raddb/modules/passwd
 including configuration file /etc/raddb/modules/realm
 including configuration file /etc/raddb/modules/detail.example.com
 including configuration file /etc/raddb/modules/etc_group
 including configuration file /etc/raddb/modules/exec
 including configuration file /etc/raddb/eap.conf
 including configuration file /etc/raddb/sql.conf
 including configuration file /etc/raddb/sql/mysql/counter.conf
 including configuration file /etc/raddb/policy.conf
 including configuration file /etc/raddb/sites-enabled
 group = radiusd
 user = radiusd

Check permissions.

Ivan Kalik
Kalik Informatika ISP



Re: mysql errors when running freeradius

2009-06-17 Thread A . L . M . Buxey
Hi,

 have checked radiusd.conf and it has the line $INCLUDE sites-enabled at the

wrong.

$INCLUDE ${confdir}/sites-enabled/

and then make sure you have some files in there (usually
symlinks to the files in sites-available directory)

alan


Re: use_tunneled_reply has no effect

2009-06-17 Thread Xiwen Cheng
On Wed, Jun 17, 2009 at 10:48:07AM +0100, Ivan Kalik wrote:
 This is already present in post-auth in latest version (after a lengthy
 explanation):
 
   #update outer.reply {
   #  User-Name = %{request:User-Name}
   #}

After uncommenting that in inner-tunnel, I see local users authenticated
by the LOCAL auth called outer.reply. But this is not the case for
external users (realm handled by an external proxy).

The latter is what I really want: being able to see which external user
is authenticating. As we are not doing Accounting, isn't it possible to
move the outer.reply higher up in the stack? Or it shouldn't matter?


Kind regards,
xiwen




Re: mysql errors when running freeradius

2009-06-17 Thread JamesWhetherly

OK, added that new line to radiusd.conf. It seems to go through the first stages
of the authorize section, but when it comes to the sql part it errors again.

Radiusd -X Debug:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49731, id=252,
length=59
User-Name = sqltest
User-Password = testpwd
NAS-IP-Address = 127.0.0.2
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = sqltest, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand:  - 
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> sqltest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 252 to 127.0.0.1 port 49731
Waking up in 4.9 seconds.
Cleaning up request 0 ID 252 with timestamp +10
Ready to process requests.




Re: mysql errors when running freeradius

2009-06-17 Thread Ivan Kalik
 OK, added that new line to radiusd.conf. It seems to go through the first
 stages of the authorize section, but when it comes to the sql part it errors again.


Post the debug of the server startup as well.


Ivan Kalik
Kalik Informatika ISP



Re: mysql errors when running freeradius

2009-06-17 Thread JamesWhetherly

linux-6pfg:/home/james # radiusd -X
FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Dec  3 2008
at 10:47:13
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {

Re: mysql errors when running freeradius

2009-06-17 Thread Alan DeKok
JamesWhetherly wrote:
 linux-6pfg:/home/james # radiusd -X
...
  Module: Linked to module rlm_sql
  Module: Instantiating sql

  Ok, it's there...

   sql {
...
   authorize_check_query = 
   authorize_group_check_query = 
   authorize_group_reply_query = 
   accounting_onoff_query = 
   accounting_update_query = 
   accounting_update_query_alt = 
   accounting_start_query = 
   accounting_start_query_alt = 
   accounting_stop_query = 
   accounting_stop_query_alt = 
   connect_failure_retry_delay = 60
   simul_count_query = 
   simul_verify_query = 
   postauth_query = 

  Uh... the queries are all blank.  Why have you done that?

  Again, the default configuration requires *minimal* editing to get it
to work.  The only time the queries are empty is when you edit sql.conf,
and *delete* the line saying:

$INCLUDE sql/${database}/dialup.conf

  Why did you do that?

  Alan DeKok.


Robust proxy accounting

2009-06-17 Thread Chris Howley
Alan & Ivan,

I can confirm that the change made to the event.c file fixed the problem
with the robust proxy accounting. 

Many thanks for your help.

Chris



Re: use_tunneled_reply has no effect

2009-06-17 Thread Stefan Winter
Hi,

 After uncommenting that in inner-tunnel, I see local users authenticated
 by the LOCAL auth called outer.reply. But this is not the case for
 external users(Realm handled by external proxy).

 The latter is what I really want: being able to see which external user
 is authenticating. 

The whole concept of inner tunneling and protecting it via TLS is
*because* you are *not* supposed to see the actual authentication
credentials. For your local users, you terminate the tunnel yourself and
can decide to expose the information by uncommenting the above, but for
non-local users it is supposed to not work.

 As we are not doing Accounting, isn't it possible to
 move the outer.reply higher up in the stack? Or it shouldn't matter?
   

Outer anonymous identities preserve privacy of the (remote) user
authenticating. If you want to change that, you need a business
agreement with the remote party to disclose their user information to you.

Taking a peek at your mail domain name: if you are about to set up
eduroam - there is no automated disclosure of the inner identity in
eduroam. There is a process to ask the identity provider (IdP)
retroactively *if and when* the user has done something wrong and needs
to be traced. But there is no proactive information disclosure - or
better put, it's at the discretion of the IdP to tell the rest of the
world who his user is; unsurprisingly most IdPs opt not to do so, if for
no other reason than to evade privacy and data protection laws.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: Robust proxy accounting

2009-06-17 Thread Alan DeKok
Chris Howley wrote:
 I can confirm that the change made to the event.c file fixed the problem
 with the robust proxy accounting. 

  That's great news!

 Many thanks for your help.

  And thanks for spending the time to not only debug it, but provide
useful feedback.

  Alan DeKok.


Re: mysql errors when running freeradius

2009-06-17 Thread Ivan Kalik
...
 including configuration file /etc/raddb/sql.conf
 including configuration file /etc/raddb/sql/mysql/counter.conf
...

You have done something to sql.conf. It didn't include dialup.conf.

Ivan Kalik
Kalik Informatika ISP



radclient: no response from server ... please help newbie.

2009-06-17 Thread Gregory Machin
Hi,
Please could someone help a newbie ...

I'm using the following stack: FreeRADIUS Version 2.1.3 with coova-chilli-1.0.13
with Daloradius.


I'm having issues with sending POD from Daloradius and radclient via the
command line

[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1700' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 114 to 192.168.11.1 port 1700
User-Name = TC-Demo
^X^C
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1814' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
radclient: no response from server for ID 77 socket 3
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1813' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
radclient: no response from server for ID 215 socket 3
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1812' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
radclient: no response from server for ID 168 socket 3


The server is listening on all the ports I have tried ..

r...@localhost ~]# netstat -antup | grep rad
udp        0      0 0.0.0.0:1812            0.0.0.0:*                               2461/radiusd
udp        0      0 0.0.0.0:1813            0.0.0.0:*                               2461/radiusd
udp        0      0 0.0.0.0:1814            0.0.0.0:*                               2461/radiusd


What have I missed ...



Regards
Gregory Machin
Email: gmac...@techconcepts.co.za
Cell:   +27 (0) 72 524 5098
gtalk:  gmachin.techconce...@gmail.com
Support
helpd...@techconcepts.co.za
Tel: +27 (0) 11 803 2169
Fax: +27 (0) 11 803 2189
After Hours
Cell:+27 (0) 82 790 0796 




Re: use_tunneled_reply has no effect

2009-06-17 Thread Xiwen Cheng
On Wed, Jun 17, 2009 at 01:23:57PM +0200, Stefan Winter wrote:

Yes, I am aware privacy is a concern. As I am doing some tests, I
thought it would be easier to debug if there were a way to relate a request
to a proxied username. Is this technically not possible, or is it more a
political matter?

I thought the outer tunnel is set up to secure the connection between the
user and the authentication server. So the authentication server has access to
the unencrypted data, and it in turn queries proxies to verify the
received credentials; this data is encrypted using the home-server shared
key. Please enlighten me if this is not correct.

Best regards,
Xiwen



Re: radclient: no response from server ... please help newbie.

2009-06-17 Thread Nicolas Goutte


On 17.06.2009 at 13:43, Gregory Machin wrote:


What have I missed ...


Do you know (via tcpdump, wireshark or so) that the packets do arrive  
on the computer where Freeradius runs? If not, check firewall settings  
of both computers and of anything that might be between.


Have a nice day!








Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: radclient: no response from server ... please help newbie.

2009-06-17 Thread Ivan Kalik
 I'm using the following stack FreeRADIUS Version 2.1.3 with
 coova-chilli-1.0.13  with Daloradius .


 I'm having issues with sending POD from Daloradius and radclient via the
 command line

Send it to NAS (coova-chilli), not radius server.

Ivan Kalik
Kalik Informatika ISP

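What radclient puts on the wire for 'disconnect', and why a receiver that does not share the secret (or holds no such session) answers the way it does: an added example, not code from the thread or from FreeRADIUS. The shared secret test123, the user TC-Demo and packet id 114 come from Gregory's command; the NAS session table is constructed.

```python
"""RADIUS Disconnect-Request / Packet-of-Disconnect (RFC 5176, code 40).

Added example, not FreeRADIUS code.  The Request Authenticator is an MD5 over
the packet with a zeroed authenticator field plus the shared secret, so the NAS
(the box that owns the session, coova-chilli in the thread) only honours a POD
from a sender that knows its secret.  Constructed values are marked below.
"""
import hashlib
import hmac
import struct
from typing import Optional

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ERROR_CAUSE = 1, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503    # RFC 5176 Error-Cause value
HEADER_LEN = 20                        # code(1) id(1) length(2) authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(attrs: bytes) -> dict:
    """Walk the TLV list; returns {type: value}. Raises on a malformed length."""
    out, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, ln = attrs[pos], attrs[pos + 1]
        if ln < 2 or pos + ln > len(attrs):
            raise ValueError("bad attribute length")
        out[t] = attrs[pos + 2:pos + ln]
        pos += ln
    return out


def build_disconnect_request(pkt_id: int, secret: bytes, user_name: str) -> bytes:
    """What `radclient ... disconnect` sends: header + authenticator + User-Name."""
    attrs = encode_attr(ATTR_USER_NAME, user_name.encode())
    head = struct.pack("!BBH", DISCONNECT_REQUEST, pkt_id, HEADER_LEN + len(attrs))
    # RFC 5176 2.3 / RFC 2866: MD5(Code|ID|Length|16 zero octets|Attributes|Secret)
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAS-side check of the Request Authenticator against its own secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, _id, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code|ID|Length|RequestAuthenticator|Attributes|Secret)
    auth = hashlib.md5(head + request[4:HEADER_LEN] + attrs + secret).digest()
    return head + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """radclient-side check: the ACK/NAK must be bound to our request and our secret."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    code, _id, length = struct.unpack("!BBH", response[:4])
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN]
                           + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def nas_handle(request: bytes, secret: bytes, sessions: set) -> Optional[bytes]:
    """NAS behaviour: a request whose authenticator fails is silently discarded
    (RFC 5176 2.3), which on the sending side looks exactly like radclient's
    "no response from server".  Otherwise ACK if the session exists, else NAK."""
    if not verify_request(request, secret):
        return None
    user = decode_attrs(request[HEADER_LEN:]).get(ATTR_USER_NAME, b"").decode(errors="replace")
    if user in sessions:
        sessions.discard(user)
        return build_response(DISCONNECT_ACK, request, secret)
    err = encode_attr(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
    return build_response(DISCONNECT_NAK, request, secret, err)


if __name__ == "__main__":
    secret = b"test123"                  # shared secret from the thread's radclient call
    sessions = {"TC-Demo"}               # constructed: the NAS currently holds this session
    req = build_disconnect_request(114, secret, "TC-Demo")
    ack = nas_handle(req, secret, sessions)
    print("ACK" if ack and ack[0] == DISCONNECT_ACK else "no/negative response", sessions)
    print("wrong secret ->", nas_handle(req, b"wrong", {"TC-Demo"}))   # None: dropped
```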


Re: use_tunneled_reply has no effect

2009-06-17 Thread A . L . M . Buxey
Hi,

 I thought the outer-tunnel is set up to secure the connection between the
 user and the authentication server. So the Authentication has access to
 the unencrypted data which it in turn queries proxies to verify the
 received credentials; this data is encrypted using the home-server shared 
 key. Please enlighten me if this is not correct.

the outer identity is used to identify (and can be anonymous - the RFC states
it should be blank, i.e. @realm.com rather than anonym...@realm.com)
the user that is requesting the service - so that the packets can
be sent to the correct end server via proxy methods before the inner
tunnel can be created (which uses the RADIUS certificate etc. to create
a secure tunnel through the proxied path)

authentication can never occur on outer id/outer tunnel. well, it could
if you just didn't care about security, didn't use passwords and
didn't have any kind of EAP ;-)

dont forget, the user never does anything. the packets get sent
via 802.1X to the NAS (RADIUS client) which in turn passes the
RADIUS packets to the RADIUS server (which then proxies etc if
needed). the NAS will never talk directly to the final AAA RADIUS  -
the communication is always passed through the proxy chain.

alan
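Alan's point about the outer identity, as an added example that is not part of the thread or of FreeRADIUS: the outer User-Name only has to select the realm, so a proxy can route without ever seeing the inner identity, and a defender can check whether supplicants leak a real name in it. The realm table follows the proxy.conf lines in James's debug output (realm example.com served by pool my_auth_failover, realm LOCAL handled locally); the sample identities are constructed.

```python
"""Outer-identity handling on the proxy path (added example, not FreeRADIUS code).

The outer User-Name of an EAP-TTLS/PEAP request only has to carry the realm:
that is all a proxy needs to pick a home server.  The inner identity travels
inside the TLS tunnel and is seen only where the tunnel terminates.
REALMS mirrors the proxy.conf shown in the thread's debug output; everything
else here is constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

# realm name -> home_server_pool; None means "this realm is handled locally"
REALMS: Dict[str, Optional[str]] = {
    "example.com": "my_auth_failover",
    "LOCAL": None,
}


def split_nai(user_name: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' the way rlm_realm's 'suffix' instance does.

    The realm is everything after the last '@'; a name without '@' has no
    realm (FreeRADIUS then looks up the special realm NULL).
    """
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm


def route(user_name: str, realms: Dict[str, Optional[str]] = REALMS) -> Tuple[str, Optional[str]]:
    """Decide what [suffix] would do: (User-Name to continue with, pool or None).

    pool is None  -> authenticate locally.
    Unknown realm -> noop, User-Name left untouched; this is the
                     "[suffix] No such realm NULL" case in the thread.
    """
    user, realm = split_nai(user_name)
    table = {k.lower(): v for k, v in realms.items()}   # realm names compare case-insensitively
    key = "null" if realm is None else realm.lower()
    if key not in table:
        return user_name, None
    pool = table[key]
    if pool is None:
        return user, None          # local realm: realm stripped, request stays here
    return user_name, pool         # proxied: forwarded unchanged to the pool


def outer_identity_assessment(user_name: str) -> str:
    """What a proxy operator learns from the outer identity alone.

    'blank'     - '@realm', the form Alan cites from the RFC: nothing to learn
    'anonymous' - 'anonymous@realm': common, still reveals nothing
    'exposed'   - a real-looking user part; the supplicant leaks the inner identity
    'no-realm'  - no '@', so the request cannot be routed by realm at all
    """
    user, realm = split_nai(user_name)
    if realm is None:
        return "no-realm"
    if user == "":
        return "blank"
    if user.lower() == "anonymous":
        return "anonymous"
    return "exposed"


def leaking_outer_identities(outer_names: List[str]) -> List[str]:
    """Defender's check over outer User-Names seen at a proxy: which ones expose a user?"""
    return [n for n in outer_names if outer_identity_assessment(n) == "exposed"]


if __name__ == "__main__":
    # constructed sample of outer identities as a proxy would see them
    seen = ["anonymous@example.com", "@example.com", "jsmith@example.com", "sqltest"]
    for name in seen:
        print(f"{name:24s} -> route={route(name)} outer={outer_identity_assessment(name)}")
    print("leaking:", leaking_outer_identities(seen))
```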


RE: radclient: no response from server ... please help newbie.

2009-06-17 Thread Gregory Machin
From: freeradius-users-bounces+gregorym=techconcepts.co...@lists.freeradius.org 
[freeradius-users-bounces+gregorym=techconcepts.co...@lists.freeradius.org] On 
Behalf Of Ivan Kalik [...@kalik.net]
Sent: Wednesday, June 17, 2009 1:57 PM
To: FreeRadius users mailing list
Subject: Re: radclient: no response from server ... please help newbie.

 I'm using the following stack FreeRADIUS Version 2.1.3 with
 coova-chilli-1.0.13  with Daloradius .


 I'm having issues with sending POD from Daloradius and radclient via the
 command line

Send it to NAS (coova-chilli), not radius server.

Ivan Kalik
Kalik Informatika ISP



The whole stack is running on the same server. I have tried to send it to the
chilli ports with the same results.

Thanks




Re: mysql errors when running freeradius

2009-06-17 Thread JamesWhetherly

I thought that the dialup.conf was linked to the 'nas' table . . . .

I've re-added it and it just brings up errors to do with the nas table
again, which I deleted and told it not to look at with readclients.

radiusd -X debug:

linux-6pfg:/home/james # radiusd -X
FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Dec  3 2008
at 10:47:13
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
WARNING: No such configuration item nas_table
/etc/raddb/sql/mysql/dialup.conf[65]: Reference SELECT id, nasname,
shortname, type, secret FROM ${nas_table} not found
Errors reading /etc/raddb/radiusd.conf

-- 
View this message in context: 
http://www.nabble.com/mysql-errors-when-running-freeradius-tp23977490p24073492.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Elias Abou Zeid
Alan,

It worked after I put my user entry before DEFAULT Auth-Type == System.

Thanks for your help,
Elias
-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: June-17-09 4:09 AM
To: FreeRadius users mailing list
Subject: Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

Hi,

 I still suggest:

 abc     User-Password == "test"

that is wrong. wrong and wrong


Elias, please put your entry at the top of the users file - or remove
the 

DEFAULT Auth-Type == System

from your config (this forces the server to always use 'system' auth
- which you really dont want)

alan



Re: mysql errors when running freeradius

2009-06-17 Thread Alan DeKok
JamesWhetherly wrote:
 I thought that the dialup.conf was linked to the 'nas' table . . . .

  No.

 I've re-added it and it just brings up errors to do with the nas table
 again, which i deleted and told not to look at with readclients. 

  Could you *please* stop breaking the configuration?  Don't delete
the reference to the nas table.  Don't re-add the reference.  Use the
*default* configuration.  It *works*.

 radiusd -X debug:
...
 including configuration file /etc/raddb/sql/mysql/dialup.conf
 WARNING: No such configuration item nas_table
 /etc/raddb/sql/mysql/dialup.conf[65]: Reference SELECT id, nasname,
 shortname, type, secret FROM ${nas_table} not found

  You've edited the sql.conf file, and broken the server.  Don't do
that.  Really.  We've told you *many* times what to do.  You're still
not following instructions.  You're still doing *extra* work that is
breaking the system.

  Really.  If you had simply done the *minimum* amount of work, *as
instructed*, it would work by now.  Every random change you make takes
you further away from a working configuration.

  It also wastes your time, and ours.

  Alan DeKok.


Re: mysql errors when running freeradius

2009-06-17 Thread Marinko Tarlac
create nas table and leave it empty. add client in clients.conf

you have all you will need inside clients.conf... just delete comments and
enter your own IP address(es) and secret.



On Wed, Jun 17, 2009 at 3:19 PM, JamesWhetherly
jameswhethe...@hotmail.com wrote:


 I thought that the dialup.conf was linked to the 'nas' table . . . .

 I've re-added it and it just brings up errors to do with the nas table
 again, which i deleted and told not to look at with readclients.

 radiusd -X debug:

 linux-6pfg:/home/james # radiusd -X
 FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Dec  3
 2008
 at 10:47:13
 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License v2.
 Starting - reading configuration files ...
 including configuration file /etc/raddb/radiusd.conf
 including configuration file /etc/raddb/proxy.conf
 including configuration file /etc/raddb/clients.conf
 including files in directory /etc/raddb/modules/
 including configuration file /etc/raddb/modules/attr_rewrite
 including configuration file /etc/raddb/modules/pam
 including configuration file /etc/raddb/modules/pap
 including configuration file /etc/raddb/modules/smbpasswd
 including configuration file /etc/raddb/modules/ldap
 including configuration file /etc/raddb/modules/mac2ip
 including configuration file /etc/raddb/modules/linelog
 including configuration file /etc/raddb/modules/detail.log
 including configuration file /etc/raddb/modules/always
 including configuration file /etc/raddb/modules/logintime
 including configuration file /etc/raddb/modules/policy
 including configuration file /etc/raddb/modules/acct_unique
 including configuration file /etc/raddb/modules/preprocess
 including configuration file /etc/raddb/modules/sradutmp
 including configuration file /etc/raddb/modules/ippool
 including configuration file /etc/raddb/modules/mschap
 including configuration file /etc/raddb/modules/inner-eap
 including configuration file /etc/raddb/modules/expiration
 including configuration file /etc/raddb/modules/radutmp
 including configuration file /etc/raddb/modules/sql_log
 including configuration file /etc/raddb/modules/krb5
 including configuration file /etc/raddb/modules/attr_filter
 including configuration file /etc/raddb/modules/detail
 including configuration file /etc/raddb/modules/counter
 including configuration file /etc/raddb/modules/wimax
 including configuration file /etc/raddb/modules/files
 including configuration file /etc/raddb/modules/mac2vlan
 including configuration file /etc/raddb/modules/checkval
 including configuration file /etc/raddb/modules/echo
 including configuration file /etc/raddb/modules/unix
 including configuration file /etc/raddb/modules/expr
 including configuration file /etc/raddb/modules/digest
 including configuration file /etc/raddb/modules/chap
 including configuration file /etc/raddb/modules/passwd
 including configuration file /etc/raddb/modules/realm
 including configuration file /etc/raddb/modules/detail.example.com
 including configuration file /etc/raddb/modules/etc_group
 including configuration file /etc/raddb/modules/exec
 including configuration file /etc/raddb/eap.conf
 including configuration file /etc/raddb/sql.conf
 including configuration file /etc/raddb/sql/mysql/dialup.conf
 WARNING: No such configuration item nas_table
 /etc/raddb/sql/mysql/dialup.conf[65]: Reference SELECT id, nasname,
 shortname, type, secret FROM ${nas_table} not found
 Errors reading /etc/raddb/radiusd.conf

 --
 View this message in context:
 http://www.nabble.com/mysql-errors-when-running-freeradius-tp23977490p24073492.html
 Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: mysql errors when running freeradius

2009-06-17 Thread Ivan Kalik
 I thought that the dialup.conf was linked to the 'nas' table . . . .

 I've re-added it and it just brings up errors to do with the nas table
 again, which i deleted and told not to look at with readclients.

Don't delete things from sql.conf. Put back:


  # Table to keep radius client info
  nas_table = nas

Just don't read any clients from it. If you want to read clients from it
create the table with nas.sql.

Ivan Kalik
Kalik Informatika ISP



SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread kpani

Hi,
I am trying to authenticate ssh login using radius server running in another
linux machine.

I added a new user in /usr/local/etc/raddb/users of radius server.

Now when I do ssh to the radius client, the radius server denies request and
says 'Password doesn't match. But I gave right password. If I add the new
user in radius client machine, then if I do ssh, the server accepts and
authenticates the request.

So it looks like the radius client is not sending the password to radius
server if the user does not exist in local machine.

Do I need to configure anywhere in client or server to skip the local
machine user check. Please help me to solve this issue.

Thanks in advance.

Regards,
Dhandapani
-- 
View this message in context: 
http://www.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-tp24074268p24074268.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread Ivan Kalik
 So it looks like the radius client is not sending the password to radius
 server if the user does not exist in local machine.

Yes, that's how PAM works. It can't authenticate users that don't exist
locally (think about it - if user/group is not defined locally what will
user be able to access on the machine). Nothing to do with radius.

Ivan Kalik
Kalik Informatika ISP



RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Elias Abou Zeid
Hi,

Just out for sake of completeness. On FreeRADIUS Version 1.1.7

I tried both User-Password == test and Cleartext-Password := test.

They both work fine when the user entry is before default setting in
users file.

Just to let you know.

Elias


-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: June-17-09 4:09 AM
To: FreeRadius users mailing list
Subject: Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

Hi,

 I still suggest:

 abc     User-Password == "test"

that is wrong. wrong and wrong


Elias, please put your entry at the top of the users file - or remove
the 

DEFAULT Auth-Type == System

from your config (this forces the server to always use 'system' auth
- which you really dont want)

alan



Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Charles Gregory

On Wed, 17 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

abc     User-Password == "test"

that is wrong. wrong and wrong


Okay, this isn't just my favorite quibbler jumping on me. So I have to 
ask, even if there is a 'better' syntax, or a 'preferred' way of doing 
things, why is this 'standard' old radius check item so 'wrong'?


I checked the docs, and it *appears* that checking an input attribute 
value against a hard-coded constant is still valid syntax. Though I notice 
that the example that both Elias and I quote is *gone* from the 1.1.7 docs 
(Elias, please check, I think you have man pages and/or documentation from 
a version of FR earlier than your 1.1.7! This really confuses things!).


So why is Input-Attribute == value now wrong?
Is it just wrong for the Passwords? Groups?
Or is '==' deprecated for all check items past a certain release?
If so, why is it still in the 'users' man page for 2.x?
I finally noticed that Cleartext-Password is not an input attribute, 
which suggests that there is something 'different' about the way we're 
now specifying input attribute checking in the users file. I don't doubt 
that it 'makes sense' according to some new way of doing things, but it 
looks like an amazing departure from 'classic' Livingston syntax.


If so, I'm *really* glad I didn't upgrade my live version. :-O

- Charles


Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Alan DeKok
Elias Abou Zeid wrote:
 Just out for sake of completeness. On FreeRADIUS Version 1.1.7
 
 I tried both User-Password == test and Cleartext-Password := test.
 
 They both work fine when the user entry is before default setting in
 users file.

  Yes.  Because *old* versions of the server accepted 'User-Password
==', and not 'Cleartext-Password :='.  We try to keep compatibility
between versions of the server.

  Even with that, 'User-Password ==' is wrong.  It's been wrong for
nearly three years now.  Any blog, web page, howto, etc. that suggests
it is wrong, and is out of date.

  At some point, that backwards compatibility will be removed.  Any
systems still using User-Password == will then *break*.

  Alan DeKok.


Re: simultaneous use logging

2009-06-17 Thread James Devine
Well, in debugging mode, it doesn't log anything to the file, but the
debug output shows it being rejected.  When I am not running in debug,
I only get 'Login OK: [zdls02/p2182111] (from client allowed_clients
port 536936642)' logged by the radius server, I am logging my own
simultaneous use message, although this shows up prior to the login ok
message in the logs.


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.231 port 50895,
id=25, length=97
User-Name = zdls02
Service-Type = Framed-User
NAS-IP-Address = 10.10.10.231
NAS-Port = 536936642
NAS-Port-Type = Virtual
User-Password = fred
Framed-Protocol = PPP
NAS-Port-Id = 2/0/0/1.194
Service-Type = Framed-User
+- entering group authorize {...}
[preprocess]   hints: Matched DEFAULT at 21
[preprocess]   hints: Matched DEFAULT at 58
[preprocess]   hints: Matched DEFAULT at 751
[preprocess]   hints: Matched DEFAULT at 1180
++[preprocess] returns ok
++[gwis] returns ok
[files] users: Matched entry DEFAULT at line 316
++[files] returns ok
Found Auth-Type = gwis
+- entering group authenticate {...}
++[gwis] returns ok
+- entering group session {...}
[rlm_gwis 4a38f8a476ce4ac0b0 Error] Authentication failed due to
simultaneous use: zdls02
++[gwis] returns reject
Login OK: [zdls02/p2182111] (from client allowed_clients port 536936642)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - zdls02
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 25 to 10.10.10.231 port 50895
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 25 with timestamp +26
Ready to process requests.




On Wed, Jun 17, 2009 at 3:08 AM, Ivan Kalikt...@kalik.net wrote:
 I have setup a custom module to do auth and acct.  In debug mode
 everything appears correct, and responses appear correct.  When I
 don't have radius running in debug mode, responses still appear
 correct, but if auth fails due to simultaneous use, radius is logging
 'Auth: Login OK'.  Authentication was successful, but the auth request
 failed due to simultaneous use, so it should be logging a failure I
 would think.  Any idea what I might be doing wrong?

 If simultaneous checking rejected the user you will have an entry like:

 Multiple logins (max 1) : [username]

 in radius.log.


 Ivan Kalik
 Kalik Informatika ISP





Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Alan DeKok
Charles Gregory wrote:
 Okay, this isn't just my favorite quibbler jumping on me. So I have to
 ask, even if there is a 'better' syntax, or a 'preferred' way of doing
 things, why is this 'standard' old radius check item so 'wrong'?

  The '==' operator should be *comparing* attributes.  There should be
no magic needed to compare attributes.

  Until 1.1.4, the code had magic specifically for User-Password.  This
kind of magic is wrong on many levels.  It makes the code more complex,
it is inconsistent, and it breaks the principle of least surprise.

  In addition to that, many authentication methods do *not* contain a
User-Password.  So if we got rid of that magic without doing anything
else, checking User-Password == foo for EAP requests will *always*
fail.  This will make administrators unhappy.

  There is a simple solution.  Tell the server what the known good
password is.  Let the modules do the authentication.  So the MS-CHAP
module will take the known good password, do its MS-CHAP
calculations, and compare that to what's in the packet.

  The same goes for CHAP, EAP, and other authentication protocols.

  That's why we have Cleartext-Password, NT-Password, Crypt-Password,
and others.  Those are all different forms of the known good password.
 And because they are server side attributes, they will *never* go
into a packet.  This is a Good Thing.

  This argument is the same argument against using Auth-Type = LDAP.
LDAP is a *database*.  Using it as an authentication server is *wrong*,
because LDAP servers don't implement CHAP, MS-CHAP, EAP, etc.  Until the
documentation and examples were updated to SHOUT at people "don't use
Auth-Type = LDAP", there were weekly complaints that people had followed
some horrible third-party guide, and couldn't get EAP working.

 I checked the docs, and it *appears* that checking an input attribute
 value against a hard-coded constant is still valid syntax.

  Yes.  And there is magic to deal with User-Password, so that it does
what users expect, and *not* what is the right thing to do.

 So why is Input-Attribute == value now wrong?

  It's not.  Doing those comparisons on User-Password is wrong.
*Unless* you want to break every authentication method other than PAP.

 Or is '==' deprecated for all check items past a certain release?

  No.

 If so, why is it still in the 'users' man page for 2.x?

  Because it works.

 I finally noticed that Cleartext-Password is not an input attribute,

  Yes.  It's a check attribute.  See the users file documentation
for how check attributes are treated.

 which suggests that there is something 'different' about the way we're
 now specifying input attribute checking in the users file. I don't doubt
 that it 'makes sense' according to some new way of doing things, but it
 looks like an amazing departure from 'classic' Livingston syntax

  Yes.  The Livingston server was wrong.  It had magic to deal with
'User-Password = foo', that made it work for CHAP authentication.  This
was (and still is) ugly.

  The Livingston server also read the entire users file into memory
for *every* request.  That behavior was wrong, too.

  The Livingston server didn't cache requests and responses, so it would
re-process duplicates, causing unnecessary delays and load.  See RFC
5080 for the *FreeRADIUS* way of doing things, which all RADIUS servers
have now implemented.

 If so, I'm *really* glad I didn't upgrade my live version. :-O

  Upgrading versions always requires care and attention.  This is no
different.

  Alan DeKok.
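The following is an added illustration, not FreeRADIUS code and not part of the thread, of the point Alan makes above (and Ivan's "try sending a CHAP or MS-CHAP request" below): a users-file check item of `User-Password == "test"` can only ever compare against an attribute that is actually in the packet, while `Cleartext-Password := "test"` hands the protocol module a known-good value it can hash however the method requires. It models PAP (RFC 2865 s5.2) and CHAP (RFC 2865 s5.3 / RFC 1994) from scratch, without the backward-compatibility magic Alan describes; the shared secret, Request Authenticator and passwords are constructed test values.

```python
"""Why a check item of User-Password == "x" only works for PAP.

Added example (not FreeRADIUS code): a minimal model of the two password
protocols in the thread and of the two kinds of users-file check item.
SHARED_SECRET and REQUEST_AUTHENTICATOR are constructed test values.
"""
import hashlib

SHARED_SECRET = b"testing123"             # constructed NAS/server secret
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; random in a real packet


def encrypt_user_password(password, secret, authenticator):
    """What a NAS does to User-Password (RFC 2865 s5.2): MD5 keystream XOR."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def decrypt_user_password(encrypted, secret, authenticator):
    """Server side of s5.2; NUL padding is stripped (passwords are NUL-free)."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        b = hashlib.md5(secret + prev).digest()
        c = encrypted[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


def chap_password(ident, password, challenge):
    """CHAP-Password attribute: Ident || MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def authenticate(packet, check_items, secret=SHARED_SECRET):
    """True if the request proves knowledge of the password.

    A Cleartext-Password check item is a server-side known-good value that the
    protocol module hashes as the method needs.  A User-Password check item is
    only "compare this packet attribute to a constant", so it can succeed only
    when the packet carries a User-Password at all, i.e. only for PAP.
    """
    if "Cleartext-Password" in check_items:
        good = check_items["Cleartext-Password"]
        if "CHAP-Password" in packet:                       # rlm_chap's job
            cp = packet["CHAP-Password"]
            challenge = packet.get("CHAP-Challenge", packet["Authenticator"])
            return chap_password(cp[0], good, challenge) == cp
        if "User-Password" in packet:                       # rlm_pap's job
            return decrypt_user_password(packet["User-Password"], secret,
                                         packet["Authenticator"]) == good
        return False                                        # e.g. EAP: nothing here to check
    if "User-Password" in check_items:
        if "User-Password" not in packet:                   # CHAP, MS-CHAP, EAP ...
            return False
        return decrypt_user_password(packet["User-Password"], secret,
                                     packet["Authenticator"]) == check_items["User-Password"]
    return False


def pap_request(password, secret=SHARED_SECRET, authenticator=REQUEST_AUTHENTICATOR):
    return {"User-Name": "abc", "Authenticator": authenticator,
            "User-Password": encrypt_user_password(password, secret, authenticator)}


def chap_request(password, ident=1, authenticator=REQUEST_AUTHENTICATOR):
    # No CHAP-Challenge attribute, so the Request Authenticator is the challenge.
    return {"User-Name": "abc", "Authenticator": authenticator,
            "CHAP-Password": chap_password(ident, password, authenticator)}


OLD_STYLE = {"User-Password": b"test"}        # abc  User-Password == "test"
NEW_STYLE = {"Cleartext-Password": b"test"}   # abc  Cleartext-Password := "test"

if __name__ == "__main__":
    for label, pkt in (("PAP", pap_request(b"test")), ("CHAP", chap_request(b"test"))):
        print(f"{label}: User-Password == -> {authenticate(pkt, OLD_STYLE)}, "
              f"Cleartext-Password := -> {authenticate(pkt, NEW_STYLE)}")
```

Run stand-alone it prints that both check styles accept the PAP request, but only the Cleartext-Password entry accepts the CHAP one. The 1.1.7 debug output Elias posts later in the thread accepts CHAP with `User-Password ==` only because of the compatibility code Alan describes; the model above is what happens once that code is gone.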


RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Ivan Kalik
 Just out for sake of completeness. On FreeRADIUS Version 1.1.7

 I tried both User-Password == test and Cleartext-Password := test.

 They both work fine when the user entry is before default setting in
 users file.

For a pap request. Try sending chap or mschap request and see what
happens. Cleartext-Password will work with all cases, User-Password won't.

Ivan Kalik
Kalik Informatika ISP



Re: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Charles Gregory

On Wed, 17 Jun 2009, Elias Abou Zeid wrote:

Just out for sake of completeness. On FreeRADIUS Version 1.1.7
I tried both User-Password == test and Cleartext-Password := test.
They both work fine when the user entry is before default setting in
users file.
Just to let you know.
Elias


Thank you, Elias.

- Charles


Re: simultaneous use logging

2009-06-17 Thread Ivan Kalik
 Well, in debugging mode, it doesn't log anything to the file, but the
 debug output shows it being rejected.  When I am not running in debug,
 I only get 'Login OK: [zdls02/p2182111] (from client allowed_clients
 port 536936642)' logged by the radius server, I am logging my own
 simultaneous use message, although this shows up prior to the login ok
 message in the logs.

Your authentication module is broken.

...
 Found Auth-Type = gwis
 +- entering group authenticate {...}
 ++[gwis] returns ok
 +- entering group session {...}
 [rlm_gwis 4a38f8a476ce4ac0b0 Error] Authentication failed due to
 simultaneous use: zdls02
 ++[gwis] returns reject
...

It first returns ok, then rejects. So you get both login OK and reject.
Fix the module.

Ivan Kalik
Kalik Informatika ISP



Re: SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread kpani

Thanks a lot Ivan for the clarification. I am feeling like working with you.

Do you mean the radius server can be only used for password authentication
in case of ssh/telnet? Can't we login using the centralized
username/password?

Regards,
Dhandapani


Ivan Kalik wrote:
 
 So it looks like the radius client is not sending the password to radius
 server if the user does not exist in local machine.
 
 Yes, that's how PAM works. It can't authenticate users that don't exist
 locally (think about it - if user/group is not defined locally what will
 user be able to access on the machine). Nothing to do with radius.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 

-- 
View this message in context: 
http://www.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-tp24074268p24075986.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread Ivan Kalik
 Do you mean the radius server can be only used for password authentication
 in case of ssh/telnet?

Yes.

 Can't we login using the centralized
 username/password?

No, that can't work. Let's say that you were authenticated and reached the
shell as a nonexistent local user. How is he supposed to access anything or
execute any commands? No permissions would apply to him.

Ivan Kalik
Kalik Informatika ISP



RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

2009-06-17 Thread Elias Abou Zeid
Hi Ivan,

I used the following user record:

a...@radius     User-Password == "test"
                Service-Type = Framed-User,
                Framed-Protocol = PPP

And I sent a CHAP request, authentication still work.


rad_recv: Access-Request packet from host 10.205.1.1:1812, id=212,
length=188
User-Name = a...@radius
CHAP-Password = 0x01fb483b2d567fd0e128500a3ce0980d0b
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = Quiet
NAS-Port = 167903232
NAS-Real-Port = 2717909092
NAS-Port-Type = Virtual
NAS-Port-Id = 10/2 vlan-id 100 pppoe 372
Medium-Type = DSL
Mac-Addr = 00-0c-29-10-12-c3
Platform-Type = SmartEdge-800
OS-Version = 6.1.2.6p9
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:
'/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090617'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%
d expands to
/usr/local/var/log/radius/radacct/10.205.1.1/auth-detail-20090617
  modcall[authorize]: module auth_log returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm RADIUS for User-Name = a...@radius
rlm_realm: No such realm RADIUS
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry a...@radius at line 148
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
  rlm_chap: login attempt by a...@radius with CHAP password
  rlm_chap: Using clear text password test for user a...@radius
authentication.
  rlm_chap: chap user a...@radius authenticated succesfully
  modcall[authenticate]: module chap returns ok for request 0
modcall: leaving group CHAP (returns ok) for request 0
Login OK: [...@radius/CHAP-Password] (from client SE-Quiet port
167903232)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module main_pool returns noop for request 0
radius_xlat:
'/usr/local/var/log/radius/radacct/10.205.1.1/reply-detail-20090617'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m
%d expands to
/usr/local/var/log/radius/radacct/10.205.1.1/reply-detail-20090617
  modcall[post-auth]: module reply_log returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 212 to 10.205.1.1 port 1812
Service-Type = Framed-User
Framed-Protocol = PPP
Finished request 0

 

-Original Message-
From: freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+elias.abou.zeid=ericsson@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: June-17-09 11:02 AM
To: FreeRadius users mailing list
Subject: RE: [rad] RE: Free Radius users record samples for SmartEdge router subscriber authentication.

 Just out for sake of completeness. On FreeRADIUS Version 1.1.7

 I tried both User-Password == test and Cleartext-Password := test.

 They both work fine when the user entry is before default setting in 
 users file.

For a pap request. Try sending chap or mschap request and see what
happens. Cleartext-Password will work with all cases, User-Password
won't.

Ivan Kalik
Kalik Informatika ISP




Re: simultaneous use logging

2009-06-17 Thread James Devine
The authentication portion of the module returns ok, the session
portion returns reject, as it should.

On Wed, Jun 17, 2009 at 9:18 AM, Ivan Kalikt...@kalik.net wrote:
 Well, in debugging mode, it doesn't log anything to the file, but the
 debug output shows it being rejected.  When I am not running in debug,
 I only get 'Login OK: [zdls02/p2182111] (from client allowed_clients
 port 536936642)' logged by the radius server, I am logging my own
 simultaneous use message, although this shows up prior to the login ok
 message in the logs.

 You authentication module is broken.

 ...
 Found Auth-Type = gwis
 +- entering group authenticate {...}
 ++[gwis] returns ok
 +- entering group session {...}
 [rlm_gwis 4a38f8a476ce4ac0b0 Error] Authentication failed due to
 simultaneous use: zdls02
 ++[gwis] returns reject
 ...

 It first returns ok, then rejects. So you get both login OK and reject.
 Fix the module.

 Ivan Kalik
 Kalik Informatika ISP





Re: simultaneous use logging

2009-06-17 Thread Alan DeKok
James Devine wrote:
 The authentication portion of the module returns ok, the session
 portion returns reject, as it should.

  No.

  The session portion should return ok, and increment
request-simul_count.  See rlm_radutmp for examples.

  This is because users may be tracked in multiple places (radutmp, sql,
etc.), *and* they may have Simultaneous-Use limits that are more than one.

  This allows the SQL module to say "I track one login", and the radutmp
module to say "I track a different login", with the admin allowing 2
simultaneous logins.

  Alan DeKok.
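A model of the session-section contract Alan describes, added here as Python example code rather than anything from FreeRADIUS or the thread: each tracker adds the logins it knows about to request.simul_count and returns ok, the core then compares the total with Simultaneous-Use, and a module that rejects on its own short-circuits that comparison. The Request and Tracker classes, the sample sessions and the core's comparison rule are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """Subset of the server request: user, Simultaneous-Use check item, and
    the counter the session section fills (request->simul_count)."""
    user: str
    simul_max: int
    simul_count: int = 0


class Tracker:
    """A session-tracking module (rlm_radutmp, rlm_sql...) over constructed
    sample sessions given as (user, session_id) pairs."""
    def __init__(self, name, sessions):
        self.name = name
        self.sessions = list(sessions)

    def active_sessions(self, user):
        return sum(1 for u, _ in self.sessions if u == user)

    def session(self, request):
        # Correct behaviour per the thread: add what this tracker knows to
        # the shared counter and return ok; the decision belongs to the core.
        request.simul_count += self.active_sessions(request.user)
        return "ok"


class RejectingTracker(Tracker):
    """The mistake from the thread: reject as soon as this one tracker sees
    an existing login, ignoring both the limit and the other trackers."""
    def session(self, request):
        return "reject" if self.active_sessions(request.user) else "ok"


def session_section(user, simul_max, trackers):
    """Run each tracker's session method, then the core's check. Returns
    (rcode, total). The rule that existing logins must be below
    Simultaneous-Use for a new one to pass is this model's assumption."""
    request = Request(user=user, simul_max=simul_max)
    for tracker in trackers:
        if tracker.session(request) == "reject":
            return "reject", request.simul_count  # a module short-circuited
    if request.simul_count >= request.simul_max:
        return "reject", request.simul_count      # limit genuinely reached
    return "ok", request.simul_count


if __name__ == "__main__":  # constructed state: one login in sql, limit 2
    sql = [("alice", "sql-1")]
    print(session_section("alice", 2, [Tracker("sql", sql), Tracker("radutmp", [])]))
    print(session_section("alice", 2, [RejectingTracker("sql", sql), Tracker("radutmp", [])]))
```

With one existing login and a limit of two, the correct trackers accept the new login while the rejecting module refuses it, which is the mismatch the thread is about.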


Re: SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread kpani

Yes. Got it. Thanks Ivan.

Regards,
Dhandapani


Ivan Kalik wrote:
 
 Do you mean the radius server can be only used for password
 authentication
 in case of ssh/telnet?
 
 Yes.
 
 Can't we login using the centralized
 username/password?
 
 No, that can't work. Let's say that you were authenticated and reached the
 shell as a nonexistent local user. How is he supposed to access anything or
 execute any commands? No permissions would apply to him.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 



Re: [rad] Re: Problem with external authentication script

2009-06-17 Thread Stefan Kuegler

Hello Ivan.


Forcing Auth-Type in users file should work.

Thanks for this advice. I changed my users file to use MOTP as the
DEFAULT-Auth-Type (first entry of the users file).

/etc/freeradius/users
-
DEFAULT   Auth-Type = MOTP
  Exec-Program-Wait = /usr/local/bin/otpverify.sh '%{User-Name}'
'%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}',
  Fall-Through = yes

user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0


This part of my problem seems to be solved. Freeradius now uses MOTP as
the Auth-Type.

But the old problem is still present: freeradius doesn't call the
external authentication script (otpverify.sh) with the needed arguments
(Secret, PIN and Offset):

[...]
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.82.40 port 1026,
id=35, length=77
User-Name = user1
User-Password = secret
Service-Type = Authenticate-Only
NAS-Identifier = linux.local
NAS-IP-Address = 192.168.82.40
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = user1, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry DEFAULT at line 2
expand: /usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}'
'%{Secret}' '%{PIN}' '%{Offset}' -> /usr/local/bin/otpverify.sh 'user1'
'secret' '' '' ''
users: Matched entry user1 at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type MOTP
auth: type MOTP
+- entering group MOTP
expand: %{User-Name} -> user1
expand: %{User-Password} -> secret
expand: %{Secret} ->
expand: %{PIN} ->
expand: %{Offset} ->
expr: syntax error
Usage: printf [ options ] format [string ...]
Exec-Program output: FAIL
Exec-Program-Wait: plaintext: FAIL
Exec-Program: returned: 1
++[motp] returns reject
auth: Failed to validate the user.
Login incorrect: [user1/secret] (from client 192.168.82.40 port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> user1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request


Any ideas?

Thank you all,

Stefan



Re: [rad] Re: Problem with external authentication script

2009-06-17 Thread Charles Gregory

On Wed, 17 Jun 2009, Stefan Kuegler wrote:

/etc/freeradius/users
-
DEFAULT   Auth-Type = MOTP
  Exec-Program-Wait = /usr/local/bin/otpverify.sh '%{User-Name}'
'%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}',
  Fall-Through = yes

user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0


If this correctly represents the order of your entries, then your 
program execution command is getting 'constructed' on the DEFAULT entry 
*before* you assign those values on the 'user1' entry.


Try moving the user1 line before the DEFAULT (and reverse the 'fall 
through' specifications).


- Charles


Cannot Authenticate - Help!

2009-06-17 Thread Filipe Scalioni
Hi,

I'm new to FreeRadius, and I'm having a hard time putting it to
work. Simply put: I can authenticate from my linux (Suse 11.1)
using radtest, directly linked to the server (LAN). Here is the
answer:

protagoras:~ # radtest teste teste 192.168.10.113:1812 1812 testing123
Sending Access-Request of id 240 to 192.168.10.113 port 1812
    User-Name = teste
    User-Password = teste
    NAS-IP-Address = 127.0.0.2
    NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.10.113 port 1812,
id=240, length=20

So, it works... But then I put the AP to work (Linksys wrt54g),
configured like this:

Security mode: WPA Enterprise
WPA Algorithms: TKIP
RADIUS Server Address: 192.168.10.113 - this is my RADIUS server IP
RADIUS Port: 1812
Shared Key: testing123
Key Renewal Timeout: 3600 seconds

All good, but when I try to connect from Windows XP, Vista or 7,
configured like this

Network Authentication: WPA
Data Encryption: TKIP
EAP Type: PEAP
Authentication Method: MsCHAPv2
Not sending my windows login parameters

It never authenticates... No matter what I do. I tried everything I
could find on the list or FAQ before registering. Here goes the log:

[r...@testecent raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd.pid
 main: bind_address = 192.168.10.113 IP address [192.168.10.113]
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = clear
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = /path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain}
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = ldap.your.domain
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = 
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = 
 ldap: basedn = o=My Org,c=UA
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = (null)
 ldap: password_attribute = (null)
 ldap: access_attr = dialupAccess
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter =
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = 

Re: [rad] Cannot Authenticate - Help!

2009-06-17 Thread Charles Gregory


I notice it matching multiple 'DEFAULT' entries in your 'users' file.
Make sure that one of them doesn't enforce an 'auth-type' other than 
the one you want to use here.


- Charles

On Wed, 17 Jun 2009, Filipe Scalioni wrote:


Re: Cannot Authenticate - Help!

2009-06-17 Thread Ivan Kalik
 So, it works... But then I put the AP to work (Linksys wrt54g),
 configured like this:
 It never authenticates... No matter what I do. I tried everything I
 could find on the list or FAQ before registering. Here goes the log

This is a very old version. You shouldn't be using 1.x with EAP for a huge
number of reasons. Upgrade.

As for the debug - you have removed eap (and lots more) from the
configuration and then sent an eap request. No wonder it's not working.
Use default configuration and it will work.

Ivan Kalik
Kalik Informatika ISP



Re: simultaneous use logging

2009-06-17 Thread James Devine
Ah yes, I was doing that wrong, that seems to work much better now.  Thank you.



On Wed, Jun 17, 2009 at 10:28 AM, Alan DeKok <al...@deployingradius.com> wrote:

