FreeRADIUS and PostgreSQL
Hi everyone,

I'm using Oracle Enterprise Linux (Red Hat EL clone) and the packaged version of FreeRADIUS (1.1.3) to ultimately authenticate some Linux machines centrally. I've been following the HOWTO at http://wiki.freeradius.org/SQL_HOWTO but some of it does appear to be out of date. I've managed to successfully authenticate using the users file, but when I try to authenticate against the test data I've put in the database I'm getting the following in the logs:

  rad_recv: Access-Request packet from host 127.0.0.1:38929, id=223, length=64
          User-Name = john.gardner
          User-Password = xx
          NAS-IP-Address = 255.255.255.255
          NAS-Port = 1812
    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 2
    modcall[authorize]: module preprocess returns ok for request 2
    modcall[authorize]: module chap returns noop for request 2
    modcall[authorize]: module mschap returns noop for request 2
      rlm_realm: No '@' in User-Name = john.gardner, looking up realm NULL
      rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 2
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 2
      users: Matched entry DEFAULT at line 155
    modcall[authorize]: module files returns ok for request 2
  radius_xlat: 'john.gardner'
  rlm_sql (sql): sql_set_user escaped user --> 'john.gardner'
  radius_xlat: 'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'john.gardner' ORDER BY id'
  rlm_sql (sql): Reserving sql socket id: 2
  rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'john.gardner' ORDER BY id
  rlm_sql_postgresql: Status: PGRES_TUPLES_OK
  rlm_sql_postgresql: affected rows =
  rlm_sql: Failed to create the pair: Unknown attribute Cleartext-Password
  rlm_sql (sql): Error getting data from database
  rlm_sql (sql): SQL query error; rejecting user
  rlm_sql (sql): Released sql socket id: 2
    modcall[authorize]: module sql returns fail for request 2
  modcall: leaving group authorize (returns fail) for request 2
  Finished request 2
  Going to the next request

Now, it appears that the problem is to do with the 'Cleartext-Password' I've stored in the database, but this seems to be correct according to the HOWTO. Can anyone see the problem just from the log? Is there a list of all the correct data that could be entered into the database?

Thanks in advance

John

This email and any files transmitted with it are intended solely for the named recipient and may contain sensitive, confidential or protectively marked material up to the central government classification of 'RESTRICTED' which must be handled accordingly. If you have received this e-mail in error, please immediately notify the sender by e-mail and delete from your system; unless you are the named recipient (or authorised to receive it for the recipient) you are not permitted to copy, use, store, publish, disseminate or disclose it to anyone else. E-mail transmission cannot be guaranteed to be secure or error-free as it could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses and therefore the Council accept no liability for any such errors or omissions. Unless explicitly stated otherwise views or opinions expressed in this email are solely those of the author and do not necessarily represent those of the Council and are not intended to be legally binding. All Council network traffic and GCSX traffic may be subject to recording and/or monitoring in accordance with relevant legislation. South Tyneside Council, Town Hall Civic Offices, Westoe Road, South Shields, Tyne Wear, NE33 2RL, Tel: 0191 427 1717, Website: www.southtyneside.info

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS and PostgreSQL
Hi,

> I've been following the HOWTO at http://wiki.freeradius.org/SQL_HOWTO but some of it does appear to be out of date.

It's not the HOWTO that's out of date, it's your server version being ancient. I can only strongly urge you to use the 2.x releases; they are so much more convenient and feature-rich. Especially if you are setting up a brand new instance, it's a very bad idea to start with this outdated version 1.1.3.

> rlm_sql_postgresql: affected rows =
> rlm_sql: Failed to create the pair: Unknown attribute Cleartext-Password
> rlm_sql (sql): Error getting data from database
> rlm_sql (sql): SQL query error; rejecting user

And that's where the misery of ancientness kicks in: 1.1.3 did not know about Cleartext-Password yet. If you really want to stick with this old version, you could use User-Password instead. But again: please don't. Use 2.x.

> Now, it appears that the problem is to do with the 'Cleartext-Password' I've stored in the database, but this seems to be correct according to the HOWTO. Can anyone see the problem just from the log? Is there a list of all the correct data that could be entered into the database?

All attributes are defined in the dictionary (and all the files which are included by raddb/dictionary). These are hundreds. But it's not usually necessary to read them - the HOWTOs get you through the config, so long as the versions they refer to are halfway in sync.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Problem with rlm_realm
Hi,

I'm using freeradius-server 2.1.7. The authentication rate I'm getting is just 4 or 5. When I put a timestamp in each of the modules, I found out that the module rlm_realm is called about 12 times in each authentication. That is, in each handshake between the mobile unit and the radius server the rlm_realm is called many times. How can I minimize this so that it is called only once, because I'm not using any realms?

Thanks

Regards,
Kachin
RE: FreeRADIUS and PostgreSQL
Thanks Stefan

> It's not the HOWTO that's out of date, it's your server version being ancient. I can only strongly urge you to use the 2.x releases; they are so much more convenient and feature-rich. Especially if you are setting up a brand new instance, it's a very bad idea to start with this outdated version 1.1.3.

I'm sorry, I assumed it was the HOWTO that was wrong, but the HOWTO did say "...I tested these instructions on CentOS 5.0 and CentOS 5.1. CentOS 5.x came with FreeRadius 1.1.3..." As we are using OEL 5.4 I thought this would be OK.

> And that's where the misery of ancientness kicks in: 1.1.3 did not know about Cleartext-Password yet. If you really want to stick with this old version, you could use User-Password instead. But again: please don't. Use 2.x.

Ah! That is good news. The problem is that I'm working under the constraints of a support agreement that will only allow us to install the packages that come with OEL 5.x, so at the moment 1.1.3 is the only thing I can work with :-(

> All attributes are defined in the dictionary (and all the files which are included by raddb/dictionary). These are hundreds. But it's not usually necessary to read them - the HOWTOs get you through the config, so long as the versions they refer to are halfway in sync.

I will have a look at the dictionary.

Thanks again.

John
inner - outer identity
Dear,

While trying to connect to an access point via PEAP / EAP-TLS, the connection works successfully using user credentials entered manually. When asking to auth via Windows login, FR always uses the roaming id. How can I change this behaviour to use the Windows login instead of the roaming id?

Thanks,

Lieven Stubbe
Belgian Railways
Re: inner - outer identity
lieven.stu...@b-holding.be wrote:
> While trying to connect to an access point via PEAP / EAP-TLS, the connection works successfully using user credentials entered manually. When asking to auth via Windows login, FR always uses the roaming id.

Umm... no. The *Windows* machine is sending the roaming Id.

> How can I change this behaviour to use the Windows login instead of the roaming id?

Fix the Windows machine.

Alan DeKok.
Could not link driver rlm_sql_mysql:
Hi All,

While trying to run FreeRADIUS I got this error. Please let me know what should be done to overcome this. While checking the FreeRADIUS emails, I found the same problem has been encountered by others too, but didn't get to see the solution, thus posting it.

  ERROR: Could not link driver rlm_sql_mysql: ld.so.1: radiusd: fatal: rlm_sql_mysql.so: open failed: No such file or directory
  Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
  /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module sql
  /usr/local/etc/raddb/sites-enabled/default[161]: Failed to find module sql.
  /usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
  Errors initializing modules
  r...@cn#

Thanks and Regards,
Yagnesh Dave.
Re: Could not link driver rlm_sql_mysql:
Yagnesh Dave yagnesh.d...@rediffmail.com writes:
> rlm_sql_mysql.so: open failed: No such file or directory

Is this unclear? You should install all the modules you want to use from wherever you got FreeRADIUS. If you've built it yourself, you have to install the necessary headers and libraries before configuring it.

Bjørn
Idle Time-out - Session time-out / Acct start-stop packet
Dear all,

I would like my user to get a session time-out of 20 minutes. While looking at the debug, I noticed that my users matched the default entry [12] attrs.accounting.response and get authenticated every 10 minutes (in fact, this even takes over the session time-out attribute that I could attribute to a specific user). So, basically, I don't know how to control it.

  DEFAULT
          Vendor-Specific =* ANY,
          Message-Authenticator =* ANY,
          Proxy-State =* ANY

I thought that was the file that I could configure to get all my users re-authenticated after 20 minutes. Then I had a look at the attrs file and noticed that the Idle-Timeout was 10 minutes. So, I decided to put an Idle-Timeout of 1200 instead of the regular 600 which was written in this file.

  DEFAULT
          Service-Type == Framed-User,
          Service-Type == Login-User,
          Login-Service == Telnet,
          Login-Service == Rlogin,
          Login-Service == TCP-Clear,
          Login-TCP-Port = 65536,
          Framed-IP-Address == 255.255.255.254,
          Framed-IP-Netmask == 255.255.255.255,
          Framed-Protocol == PPP,
          Framed-Protocol == SLIP,
          Framed-Compression == Van-Jacobson-TCP-IP,
          Framed-MTU = 576,
          Framed-Filter-ID =* ANY,
          Reply-Message =* ANY,
          Proxy-State =* ANY,
          EAP-Message =* ANY,
          Message-Authenticator =* ANY,
          MS-MPPE-Recv-Key =* ANY,
          MS-MPPE-Send-Key =* ANY,
          MS-CHAP-MPPE-Keys =* ANY,
          State =* ANY,
          Session-Timeout = 28800,
          Idle-Timeout = 1200,
          Port-Limit = 2

Unfortunately, that did not work and now I am still stuck trying to figure out how I could do that.

To sum up this issue: I have an Alvarion NAS; from my users I can see accounting start and accounting stop packets; every 10 minutes I get an accounting stop packet from my users, every time with the same termination cause = lost-carrier.

Thanks in advance for your help. Let me know if you need more details.

Regards
Sylvain
Confused by id
I'm trying to successfully use FreeRADIUS to help centrally authenticate some Linux servers. I'm storing the credentials in a Postgres DB but I'm confused by the 'id' in the radcheck database. In the SQL HOWTO, they show the id as (MySQL):

  +----+------------+-----------+--------+----+
  | id | UserName   | Attribute | Value  | Op |
  +----+------------+-----------+--------+----+
  |  1 | fredf      | Password  | wilma  | == |
  |  2 | barney     | Password  | betty  | == |
  |  2 | dialrouter | Password  | dialup | == |
  +----+------------+-----------+--------+----+

Whereas mine (Postgres) looks like:

   id |   username   |   attribute   | op | value
  ----+--------------+---------------+----+-------
    1 | john.gardner | User-Password | := | xx
    2 | joe.bloggs   | User-Password | := | xx
    3 | john.doe     | User-Password | := | xx

Is this really meant to be 1,2,2 or should this be 1,2,3 sequentially? i.e. as in an incrementing key?

Thanks in advance

John
Re: Confused by id
John Gardner wrote:
> I'm trying to successfully use FreeRADIUS to help centrally authenticate some Linux servers. I'm storing the credentials in a Postgres DB but I'm confused by the 'id' in the radcheck database. In the SQL HOWTO, they show the id as (MySQL):
> ...
> Whereas mine (Postgres) looks like:
> ...
> Is this really meant to be 1,2,2 or should this be 1,2,3 sequentially? i.e. as in an incrementing key?

It's an incrementing key. See the schema.

Alan DeKok.
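As an added example (not code from this thread or from the FreeRADIUS project), here is a small Python model of the rlm_sql authorize step discussed in the PostgreSQL thread above and of the database-assigned id asked about in this one. SQLite stands in for PostgreSQL and the dictionary contents are a constructed subset of the real files, so it runs offline.

```python
"""Model of rlm_sql reading radcheck, as discussed on the list.

Two points from the threads are reproduced here:
  1. rlm_sql fetches the user's radcheck rows ORDER BY id and builds an
     attribute/value pair from each. If the Attribute column names something
     the server's dictionary does not define, pair creation fails and the
     module returns "fail" (the 1.1.3 "Unknown attribute Cleartext-Password"
     case).
  2. The id column is an auto-incrementing primary key assigned by the
     database; it only fixes the order in which rows are evaluated.
"""
import sqlite3

# Constructed subsets of raddb/dictionary for the two server generations
# discussed in the thread (the real files hold hundreds of entries).
DICTIONARY_1_1_3 = """
# ATTRIBUTE      name                 number  type
ATTRIBUTE        User-Name            1       string
ATTRIBUTE        User-Password        2       string
ATTRIBUTE        Session-Timeout      27      integer
"""
# Cleartext-Password is one of the internal attributes added for 2.x.
DICTIONARY_2_X = DICTIONARY_1_1_3 + """
ATTRIBUTE        Cleartext-Password   1100    string
"""


def load_dictionary(text):
    """Return the set of attribute names defined by ATTRIBUTE lines."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "ATTRIBUTE":
            names.add(parts[1])
    return names


def build_radcheck(rows):
    """In-memory radcheck table (SQLite stand-in for the Postgres schema).
    As with a serial column, the database assigns id; callers never do."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck ("
               " id INTEGER PRIMARY KEY AUTOINCREMENT,"
               " UserName TEXT NOT NULL, Attribute TEXT NOT NULL,"
               " Op TEXT NOT NULL, Value TEXT NOT NULL)")
    db.executemany("INSERT INTO radcheck (UserName, Attribute, Op, Value)"
                   " VALUES (?, ?, ?, ?)", rows)
    db.commit()
    return db


def radcheck_ids(db):
    """The ids the database handed out, in id order."""
    return [r[0] for r in db.execute("SELECT id FROM radcheck ORDER BY id")]


# The authorize check query from sql.conf, with the user name passed as a
# bound parameter rather than an escaped string spliced into the SQL text.
RADCHECK_QUERY = ("SELECT id, UserName, Attribute, Value, Op FROM radcheck"
                  " WHERE UserName = ? ORDER BY id")


def sql_authorize(db, dictionary, user_name):
    """Model of rlm_sql's authorize step: fetch the user's check rows in id
    order and turn each ':=' row into a control item. Returns (rcode, control)."""
    control = {}
    rows = db.execute(RADCHECK_QUERY, (user_name,)).fetchall()
    if not rows:
        return "notfound", control
    for _id, _user, attribute, value, op in rows:
        if attribute not in dictionary:
            # 1.1.3 logs "Failed to create the pair: Unknown attribute ..."
            # here, then "SQL query error; rejecting user".
            return "fail", control
        if op != ":=":
            return "fail", control  # other operators are outside this model
        control[attribute] = value
    return "ok", control


def pap_authenticate(control, user_password):
    """Model of the clear-text comparison: 2.x reads Cleartext-Password,
    while 1.1.3 only knows the User-Password check item."""
    known_good = control.get("Cleartext-Password", control.get("User-Password"))
    if known_good is None:
        return False  # no "known good" password, like the log warning
    return known_good == user_password


if __name__ == "__main__":
    # Constructed radcheck contents mirroring the HOWTO's rows.
    db = build_radcheck([
        ("john.gardner", "Cleartext-Password", ":=", "xx"),
        ("joe.bloggs", "Cleartext-Password", ":=", "yy"),
        ("john.doe", "User-Password", ":=", "zz"),
    ])
    print("ids assigned by the database:", radcheck_ids(db))
    for label, text in (("1.1.3", DICTIONARY_1_1_3), ("2.x", DICTIONARY_2_X)):
        rcode, control = sql_authorize(db, load_dictionary(text), "john.gardner")
        print(label, "rlm_sql returns", rcode,
              "; password check:", pap_authenticate(control, "xx"))
```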
Re: Problem with rlm_realm
kachin Agarwal wrote:
> I'm using freeradius-server 2.1.7. The authentication rate I'm getting is just 4 or 5. When I put a timestamp in each of the modules,

Is it that hard to run the server in debugging mode?

> I found out that the module rlm_realm is called about 12 times in each authentication. That is, in each handshake between the mobile unit and the radius server the rlm_realm is called many times. How can I minimize this so that it is called only once, because I'm not using any realms?

Then why did you configure the server to use the realms module?

Alan DeKok.
Freeradius EAP authentication
Hello everyone,

I am installing a RADIUS server on an Ubuntu server with FreeRADIUS. All tests are working properly except when I try to connect through an access point. This is the debug that I get:

  rad_recv: Access-Request packet from host 192.168.1.1 port 1084, id=1, length=206
          Message-Authenticator = 0x789bf39c8f59de88701888fc6ed3a2f2
          Service-Type = Framed-User
          User-Name = diego\000
          Framed-MTU = 1488
          State = 0x734ffec0734ee45437bb08e87fc6420c
          Called-Station-Id = 00-15-E9-A3-01-CE:radius
          Calling-Station-Id = 00-15-AF-9F-8D-E0
          NAS-Identifier = D-Link Access Point
          NAS-Port-Type = Wireless-802.11
          Connect-Info = CONNECT 54Mbps 802.11g
          EAP-Message = 0x020100060319
          NAS-IP-Address = 192.168.1.1
          NAS-Port = 1
          NAS-Port-Id = STA port # 1
  +- entering group authorize {...}
  ++[preprocess] returns ok
  ++[mschap] returns noop
  [suffix] No '@' in User-Name = diego, looking up realm NULL
  [suffix] No such realm NULL
  ++[suffix] returns noop
  [eap] EAP packet type response id 1 length 6
  [eap] No EAP Start, assuming it's an on-going EAP conversation
  ++[eap] returns updated
  ++[unix] returns notfound
  ++[files] returns noop
          expand: %{User-Name} -> diego
  [sql]   sql_set_user escaped user --> 'diego'
  rlm_sql (sql): Reserving sql socket id: 3
  [sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'diego' ORDER BY id
  [sql] User found in radcheck table
  [sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'diego' ORDER BY id
  [sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'diego' ORDER BY priority
  rlm_sql (sql): Released sql socket id: 3
  ++[sql] returns ok
  ++[expiration] returns noop
  ++[logintime] returns noop
  [pap] Found existing Auth-Type, not changing it.
  ++[pap] returns noop
  Found Auth-Type = EAP
  +- entering group authenticate {...}
  [eap] Request found, released from the list
  [eap] EAP NAK
  [eap] NAK asked for unsupported type 25
  [eap] No common EAP types found.
  [eap] Failed in EAP select
  ++[eap] returns invalid
  Failed to authenticate the user.
  Using Post-Auth-Type Reject
  +- entering group REJECT {...}
          expand: %{User-Name} -> diego
  [sql]   sql_set_user escaped user --> 'diego'
          expand: %{User-Password} ->
          expand: %{Chap-Password} ->
          expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'diego', '', 'Access-Reject', '2009-11-27 17:33:06')
  rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'diego', '', 'Access-Reject', '2009-11-27 17:33:06')
  rlm_sql (sql): Reserving sql socket id: 2
  rlm_sql (sql): Released sql socket id: 2
  ++[sql] returns ok
          expand: %{User-Name} -> diego
   attr_filter: Matched entry DEFAULT at line 11
  ++[attr_filter.access_reject] returns updated
  Delaying reject of request 1 for 1 seconds
  Going to the next request
  Waking up in 0.9 seconds.
  Sending delayed reject for request 1
  Sending Access-Reject of id 1 to 192.168.1.1 port 1084
          EAP-Message = 0x04010004
          Message-Authenticator = 0x
  Waking up in 3.9 seconds.
  Cleaning up request 0 ID 0 with timestamp +53
  Waking up in 0.9 seconds.
  Cleaning up request 1 ID 1 with timestamp +53
  Ready to process requests.

I think the error occurs here:

  [eap] EAP NAK
  [eap] NAK asked for unsupported type 25
  [eap] No common EAP types found.
  [eap] Failed in EAP select

But I do not know how to fix it... if anyone can help I would be extremely grateful, as I have tried many things, but nothing has fixed it.

Thanks in advance and greetings
Re: separating Users?
At 02:39 AM 12/1/2009, Alan DeKok wrote:
> Because you've forced the ntlm_auth module to be run. That module ONLY checks clear-text passwords, and there is NO clear-text password in the request.
>
> Change the line having
>
> ... Auth-Type := ntlm_auth, ...
>
> to
>
> ... Auth-Type = ntlm_auth, ...

  DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == Infrastructure
          Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15

  DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type=ntlm_auth, Ldap-Group == VPN_Users

It runs the LDAP group check, but still lets the user log in even when he's not in the VPN_Users group:

  rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
  rlm_ldap: ldap_release_conn: Release Id: 0
  ++[files] returns noop
  [ldap] performing user authorization for ciscorsteeves
  [ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
  [ldap]  expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=ciscorsteeves)(objectClass=person))
  [ldap]  expand: OU=Enterprise,DC=example,DC=com -> OU=Enterprise,DC=example,DC=com
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with filter (&(sAMAccountname=ciscorsteeves)(objectClass=person))
  [ldap] looking for check items in directory...
  [ldap] looking for reply items in directory...
  WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
  [ldap] user ciscorsteeves authorized to use remote access

> And read man users to see what the difference is.

Ahh, man 5 users. cool.

Rick

> Alan DeKok.
Logins against AD failing in *most* cases. Can see why, but don't *understand* why.
Still trying to get our FreeRADIUS system working nicely after the AD upgrade to Server 2008. Compiling Samba to version 3.4.3 from source fixed our ntlm_auth issue, but most users were still unable to connect. I have 2 examples here, one of a user who failed to connect, one of a user who succeeded (you may wish to skip to the end of the mail for some things I've noted, and only then look back at all the debug output ;) ).

Firstly, the last packet of my auth attempt after the EAP negotiation has been done, where my MSCHAPv2 password gets authenticated against the domain (sorry for the wall of text):

  rad_recv: Access-Request packet from host 148.88.249.136 port 32770, id=107, length=325
          User-Name = us...@lancaster.ac.uk
          Calling-Station-Id = 00-19-D2-7A-32-37
          Called-Station-Id = 00-22-55-EF-12-70:eduroam
          NAS-Port = 29
          NAS-IP-Address = 148.88.249.136
          NAS-Identifier = open-lwapp03
          Airespace-Wlan-Id = 2
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-802.11
          Tunnel-Type:0 = VLAN
          Tunnel-Medium-Type:0 = IEEE-802
          Tunnel-Private-Group-Id:0 = 431
          EAP-Message = 0x0209007b19001703010070617a586349258a547c06634d0fddf4595a1335caed798858
                        583e7abb666d98687d584b69e92570c58f855442a0e4cfbee722a8e408ec1c952f97b3ef
                        286ed3b611ff5799f587048f82e762c79a90e9b20c01e5a1ed175726e2db392b9e7b5a4a
                        bf57e82a3fd0caf93f164fc3d14b547f
          State = 0x358f4053338659fabf419b83279b13d2
          Message-Authenticator = 0x57a488c36caaca604135f6e50b03a561
  +- entering group authorize {...}
  ++[preprocess] returns ok
  [suffix] Looking up realm lancaster.ac.uk for User-Name = us...@lancaster.ac.uk
  [suffix] Found realm lancaster.ac.uk
  [suffix] Adding Stripped-User-Name = user1
  [suffix] Adding Realm = lancaster.ac.uk
  [suffix] Authentication realm is LOCAL.
  ++[suffix] returns ok
  ++? if (%{User-Name} =~ /^(.*)(.*)$/)
          expand: %{User-Name} -> us...@lancaster.ac.uk
  ? Evaluating (%{User-Name} =~ /^(.*)(.*)$/) -> FALSE
  ++? if (%{User-Name} =~ /^(.*)(.*)$/) -> FALSE
  [eap] EAP packet type response id 9 length 123
  [eap] Continuing tunnel setup.
  ++[eap] returns ok
  Found Auth-Type = EAP
  +- entering group authenticate {...}
  [eap] Request found, released from the list
  [eap] EAP/peap
  [eap] processing type peap
  [peap] processing EAP-TLS
  [peap] eaptls_verify returned 7
  [peap] Done initial handshake
  [peap] eaptls_process returned 7
  [peap] EAPTLS_OK
  [peap] Session established.  Decoding tunneled attributes.
  [peap] EAP type mschapv2
  [peap] Got tunneled request
          EAP-Message = 0x020900521a0209004d31edbf49d61deaee3bc54da173c7fa87f388
                        ad0f8484b8ba14e9d5a5f87ebbd0dc0995dcfacd4c8947006d657965727364406c616e63
                        61737465722e61632e756b
  server {
    PEAP: Setting User-Name to us...@lancaster.ac.uk
  Sending tunneled request
          EAP-Message = 0x020900521a0209004d31edbf49d61deaee3bc54da173c7fa87f388
                        ad0f8484b8ba14e9d5a5f87ebbd0dc0995dcfacd4c8947006d657965727364406c616e63
                        61737465722e61632e756b
          FreeRADIUS-Proxied-To = 127.0.0.1
          User-Name = us...@lancaster.ac.uk
          State = 0x87479817874e82241c779ef3ac5e3935
          Calling-Station-Id = 00-19-D2-7A-32-37
          Called-Station-Id = 00-22-55-EF-12-70:eduroam
          NAS-Port = 29
          NAS-IP-Address = 148.88.249.136
          NAS-Identifier = open-lwapp03
          Airespace-Wlan-Id = 2
          Service-Type = Framed-User
          Framed-MTU = 1300
          NAS-Port-Type = Wireless-802.11
          Tunnel-Type:0 = VLAN
          Tunnel-Medium-Type:0 = IEEE-802
          Tunnel-Private-Group-Id:0 = 431
  server inner-tunnel {
  +- entering group authorize {...}
  ++[mschap] returns noop
  ++? if (%{User-Name} =~ /^(.*)(.*)$/)
          expand: %{User-Name} -> us...@lancaster.ac.uk
  ? Evaluating (%{User-Name} =~ /^(.*)(.*)$/) -> FALSE
  ++? if (%{User-Name} =~ /^(.*)(.*)$/) -> FALSE
  ++? if (%{User-Name} =~ /^(.*)\@(.*)$/)
          expand: %{User-Name} -> us...@lancaster.ac.uk
  ? Evaluating (%{User-Name} =~ /^(.*)\@(.*)$/) -> TRUE
  ++? if (%{User-Name} =~ /^(.*)\@(.*)$/) -> TRUE
  ++- entering if (%{User-Name} =~ /^(.*)\@(.*)$/) {...}
          expand: %{1} -> user1
          expand: %{2} -> lancaster.ac.uk
  +++[request] returns noop
  ++- if (%{User-Name} =~ /^(.*)\@(.*)$/) returns noop
  [eap] EAP packet type response id 9 length 82
  [eap] No EAP Start, assuming it's an on-going EAP conversation
  ++[eap] returns updated
  ++[files] returns noop
  [sql]   expand: %{Stripped-User-Name} -> user1
  [sql]   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> user1
  [sql]   sql_set_user escaped user --> 'user1'
  rlm_sql (sql): Reserving sql socket id: 4
  [sql]   expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'user1' ORDER BY id
  rlm_sql_postgresql: Status: PGRES_TUPLES_OK
  rlm_sql_postgresql: query affected rows = 1 , fields = 5
  [sql]   expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE UserName='user1'
  rlm_sql_postgresql: Status: PGRES_TUPLES_OK
  rlm_sql_postgresql: query affected rows = 1
Re: Logins against AD failing in *most* cases. Can see why, but don't *understand* why.
> Secondly, my colleague's machine actually responds to the Access-Challenge sent at the end of the packet where the ntlm_auth is done, whereas my machine does not. This is the crucial point I think. Without this final response the Access-Accept is never sent back. My colleague is using Windows XP with the Intel Pro/Set Wireless drivers and supplicant. If he changes to using the XP inbuilt supplicant, everything stops working. I am on Windows 7 using the inbuilt supplicant. As best we can tell, this is the problematic difference. The Intel supplicant is presumably getting and responding to the Access-Challenge where the Windows inbuilt supplicant is not, but I don't know why or what could be causing it. My machine also doesn't respond to the Access-Challenge under Ubuntu 9.10, using the Gnome inbuilt supplicant.

This is most likely a CA cert problem. The comments in the default eap.conf give a very specific warning about this (access-challenge which is never replied to) and explain the issue.
RE: Logins against AD failing in *most* cases. Can see why, but don't *understand* why.
> > Secondly, my colleague's machine actually responds to the Access-Challenge sent at the end of the packet where the ntlm_auth is done, whereas my machine does not. This is the crucial point I think. Without this final response the Access-Accept is never sent back. My colleague is using Windows XP with the Intel Pro/Set Wireless drivers and supplicant. If he changes to using the XP inbuilt supplicant, everything stops working. I am on Windows 7 using the inbuilt supplicant. As best we can tell, this is the problematic difference. The Intel supplicant is presumably getting and responding to the Access-Challenge where the Windows inbuilt supplicant is not, but I don't know why or what could be causing it. My machine also doesn't respond to the Access-Challenge under Ubuntu 9.10, using the Gnome inbuilt supplicant.
>
> This is most likely a CA cert problem. The comments in the default eap.conf give a very specific warning about this (access-challenge which is never replied to) and explain the issue.

This being the case, why does my machine successfully respond to all the other Access-Challenges before the MSCHAPv2 password is dealt with? The trace I gave was for an Access-Challenge id 107. Ids 100 (my initial request) to 106 (the other parts of the EAP setup) all finish with an Access-Challenge with an EAP-Message being sent to my client, and all of those Challenges are successfully responded to.

It was also my (possibly erroneous) understanding that FreeRADIUS would never get to the point of being able to get the MSCHAPv2 password from the client if the CA cert was incorrect, as it would never complete the setup of the EAP session inside which the MSCHAPv2 data is contained.

Additionally I am using exactly the same certificates, file ownership and permissions and eap.conf settings that worked fine before the AD upgrade, and the certificates are not used in talking to the domain to auth credentials so I can't think that the issue lies there.

I am perfectly willing to accept that you may be right and this may be my issue, I just don't understand how it has suddenly become a problem.

Dan
Re: separating Users?
> DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type=ntlm_auth, Ldap-Group == VPN_Users
>
> It runs the LDAP group check, but still lets the user log in even when he's not in the VPN_Users group:

Use unlang for better control of what happens:

    if (Huntgroup-Name == VPN_Huntgroup) {
        if (Ldap-Group == VPN_Users) {
            if (!control:Auth-Type) {
                update control {
                    Auth-Type = ntlm_auth
                }
            }
        }
        else {
            reject
        }
    }

Ivan Kalik
Re: Logins against AD failing in *most* cases. Can see why, but don't *understand* why.
> Still trying to get our FreeRADIUS system working nicely after the AD upgrade to server 2008. Compiling Samba to version 3.4.3 from source fixed our ntlm_auth issue, but most users were still unable to connect. I have 2 examples here, one of a user who failed to connect, one of a user who succeeded (you may wish to skip to the end of the mail for some things I've noted, and only then look back at all the debug output ;) ).

There was such an issue with samba 3.2.x. Solution was to downgrade to samba 3.0.x.

Ivan Kalik
Re: Freeradius EAP authentication
> Hello everyone, I am installing a RADIUS server on a ubuntu server with freeradius. All tests are working properly except when I try to connect through an access point. This is the debug that I get:
>
>     [eap] EAP NAK
>     [eap] NAK asked for unsupported type 25
>     [eap] No common EAP types found.
>     [eap] Failed in EAP select

Go back to the configure output and see what happened with openSSL support. It looks like openSSL or the development libraries aren't installed. Fix that and then build freeradius again.

Ivan Kalik
Re: separating Users?
At 01:03 PM 12/1/2009, t...@kalik.net wrote:
> Use unlang for better control of what happens:
>
>     if (Huntgroup-Name == VPN_Huntgroup) {
>         if (Ldap-Group == VPN_Users) {
>             if (!control:Auth-Type) {
>                 update control {
>                     Auth-Type = ntlm_auth
>                 }
>             }
>         }
>         else {
>             reject
>         }
>     }

If I understand correctly, I don't need to worry about ntlm_auth at all in this case (because with MSCHAP I don't have a cleartext password, and thus ntlm_auth won't do me any good), so I probably don't need to update the Auth-Type? So I think what I need is:

    if (Huntgroup-Name == VPN_Huntgroup) {
        if (Ldap-Group == VPN_Users) {
        }
        else {
            reject
        }
    }

Would that unlang go into the ./users file? Or into the authorization {..} section?

> Ivan Kalik
Re: Logins against AD failing in *most* cases. Can see why, but don't*understand* why.
Meyers, Dan wrote:
> > This is most likely a CA cert problem. The comments in the default eap.conf give a very specific warning about this (access-challenge which is never replied to) and explain the issue.
>
> This being the case, why does my machine successfully respond to all the other Access-Challenges before the MSCHAPv2 password is dealt with?

It is setting up a TLS tunnel, and doing certificate exchanges. In this regard, RADIUS is *just* like ethernet. When you connect to a web server via HTTPS, there is a *lot* of network traffic before you get the real content: the web page. With PEAP, the real content is the username/password in the tunnel. If the client doesn't like the server certificate, it spends a lot of time (and packets) figuring that out.

> The trace I gave was for an Access-Challenge id 107. Ids 100 (my initial request) to 106 (the other parts of the EAP setup) all finish with an Access-Challenge with an EAP-Message being sent to my client, and all of those Challenges are successfully responded to.

Use wireshark to look at the packets. All it's doing is TLS setup, and certificate exchanges. *No* user authentication is happening.

> It was also my (possibly erroneous) understanding that FreeRADIUS would never get to the point of being able to get the MSCHAPv2 password from the client if the CA cert was incorrect, as it would never complete the setup of the EAP session inside which the MSCHAPv2 data is contained.

Yes. That's what you're seeing. The *client* is deciding it doesn't like the certificate, and is stopping.

Remember... the RADIUS server has nearly *zero* power in the network. The NAS controls almost everything. The supplicant (client machine) controls almost everything else. The server has the *least* amount of power.

> Additionally I am using exactly the same certificates, file ownership and permissions and eap.conf settings that worked fine before the AD upgrade, and the certificates are not used in talking to the domain to auth credentials so I can't think that the issue lies there.

(shrug) It's Windows. It's difficult to tell what it's doing. AD upgrades intentionally break inter-operability with Samba, and XP / Vista upgrades intentionally break inter-operability with all third-party RADIUS servers. And FreeRADIUS always gets the blame. It explains why I come across as cranky much of the time.

> I am perfectly willing to accept that you may be right and this may be my issue, I just don't understand how it has suddenly become a problem.

Ask Microsoft for explanations / fixes. If you get *any* response, it will be "thanks, we'll look into that". The people on this list are stuck just as much as you are. But we try to help, which makes a certain class of people think everything is *our* fault.

Alan DeKok.
Re: MPD : mpd-drop-user
> I read some of the information saying it is possible to insert attribute in Accounting Response Packet but RFC said almost no attribute will inject into response packet.

No, it says that there is no need for any attribute in it. You can add vendor specific attributes.

Ivan Kalik
Re: separating Users?
> If I understand correctly, I don't need to worry about ntlm_auth at all in this case (because with MSCHAP I don't have a cleartext password, and thus ntlm_auth won't do me any good), so I probably don't need to update the Auth-Type?

If you are sure that all requests will be mschap. That if will work just if it's a pap request.

> So I think what I need is:
>
>     if (Huntgroup-Name == VPN_Huntgroup) {
>         if (Ldap-Group == VPN_Users) {

Put just ok in there. It might not like empty brackets.

>         }
>         else {
>             reject
>         }
>     }
>
> Would that unlang go into the ./users file? Or into the authorization {..} section?

authorize.

Ivan Kalik
RE: FreeRADIUS and PostgresSQL
Thanks Stefan

> It's not the HOWTO that's out of date, it's your server version being ancient. I can only strongly urge you to use the 2.x releases, they are so much more convenient and feature-rich. Especially if you are setting up a brand new instance, it's a very bad idea to start with this outdated version 1.1.3.

I'm sorry I assumed it was the HOWTO that was wrong, but the HOWTO did say, "...I tested this instructions on CentOS 5.0 and CentOS 5.1. CentOS 5.x came with FreeRadius 1.1.3..." As we are using OEL 5.4 I thought this would be OK.

http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_and_CentOS_5

Ivan Kalik
Re: Could not link driver rlm_sql_mysql:
> While trying to run the FreeRadius I got this error. Please let me know what should be done to overcome this. While checking it on FreeRadius emails, I found the same problem has been encountered by others too, but didn't get to see the solution, thus posting it.
>
>     ERROR: Could not link driver rlm_sql_mysql: ld.so.1: radiusd: fatal: rlm_sql_mysql.so: open failed: No such file or directory
>     Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
>     /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module sql
>     /usr/local/etc/raddb/sites-enabled/default[161]: Failed to find module sql.
>     /usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
>     Errors initializing modules

Most common fix is given in the message. Others are in the FAQ.

Ivan Kalik
Re: Idle Time-out- Session time-out/ Aacct start-stop packet
> Unfortunately, that did not work and now, I am still stuck to figure out how could I do that. To sum up this issue, I got Alvarion NAS,

You have our sincere condolences.

> from my users, I can see accounting start and accounting stop packet, every 10 minutes, I got an accounting packet stop from my users with every time the same termination cause = lost-carrier.

So timeouts are not responsible and changing them will achieve nothing. You need to see why the NAS is dropping connections. Perhaps some re-authentication setting?

Ivan Kalik
Re: separating Users?
At 01:29 PM 12/1/2009, t...@kalik.net wrote:
> > So I think what I need is:
> >
> >     if (Huntgroup-Name == VPN_Huntgroup) {
> >         if (Ldap-Group == VPN_Users) {
>
> Put just ok in there. It might not like empty brackets.
>
> >         }
> >         else {
> >             reject
> >         }
> >     }

That did it! Thanks! I think that gets me up 100%. (Now to go write up all the docs for my own paper trail, and get them in shape to go somewhere in the freeradius doc realm)

Rick
Freeradius with JRadius Performance issues.
Hi,

I am evaluating freeradius with jradius. Currently I am performing performance testing for the Freeradius-Jradius combination using the radperf tool. JRadius is simply authenticating the user from the jradius-config.xml file using one of the default handlers, so nothing fancy there. Here are a few numbers that I get.

Standalone Freeradius:
    500 requests/sec gives me 461
    1000 requests/sec gives me 858

Freeradius with JRadius (standard 8 connections in the configuration):
    500 requests/sec gives me 60
    1000 requests/sec gives me 152

So, as you can see, the performance numbers are way lower when JRadius is used. I tried increasing the connections and the threads in jradius but it did not help. I understand that since the freeradius to jradius connection pool uses tcp sockets, the performance will be lower than when freeradius is run by itself, but this low is something I did not expect. Has anybody run into this issue? Is there a way around to getting the performance numbers higher?

Thanks for your help!
Hema.
Re: MPD : mpd-drop-user
Dear Ivan Kalik,

Can you share with me how to add vendor attributes in Acct Response Packet?

Regards

t...@kalik.net wrote:
> > I read some of the information saying it is possible to insert attribute in Accounting Response Packet but RFC said almost no attribute will inject into response packet.
>
> No, it says that there is no need for any attribute in it. You can add vendor specific attributes.
>
> Ivan Kalik
Re: MPD : mpd-drop-user
> Can you share with me how to add vendor attributes in Acct Response Packet?

Like any other: with unlang or with the acct_users file.

Ivan Kalik
PAP Authentication Not Working ??
Greetings,

I've got a 1.1-3 FreeRadius server and trying to figure out what to do to enable PAP authentication. CHAP is working when I use Radius Ping, but if I change the Password to User-Password which, if I understand it, is supposed to enable PAP. When I do this, I get an Access-Reject. Is there something else I need to do to enable PAP or force it?

Thanks!
Jim
Re: PAP Authentication Not Working ??
> I've got a 1.1-3 FreeRadius server and trying to figure out what to do to enable PAP authentication. CHAP is working when I use Radius Ping, but if I change the Password to User-Password which, if I understand it, is supposed to enable PAP. When I do this, I get an Access-Reject. Is there something else I need to do to enable PAP or force it?

Why are you using such an ancient server version? Upgrade. Or read the instructions in the users file. They should be relevant for your server version.

Ivan Kalik
Re: FreeRADIUS and PostgresSQL
Hi,

> Ah! That is good news. The problem is that I'm working under constraints of a support agreement that will only allow us to install the packages that come with OEL 5.x, so at the moment, 1.1.3 is the only thing I can work with :-(

You can get prebuilt RPMs for your distro - the link has been posted. I might point out here that whilst you're paying good money for support for old software you are getting FREE support from an internet mailing list populated by dedicated users/developers of the product :-|

alan
Re: separating Users?
Well, thanks to an inordinate amount of help, I've got my RADIUS server up and running exactly how I want it to. As part of my business process, I've got a detailed doc on how the server is/was constructed. I'd like to contribute that to the wiki, but I don't see that I can create an account. Also, since it drives me nuts when I'm searching on line for a fix, and an email thread ends JUST before I have the data that I need, or a piece is missing, here's that documentation as well.

Rick Steeves 091201 freeradi...@corwyn.net

Setup and configuration instructions, on CentOS 5.x

Goals:
  o Authentication telnet sessions for Cisco switches against AD for a specific security group (Infrastructure)
  o Authentication for VPN users using MSCHAP on a sonicwall firewall using a Windows VPN client with L2TP against AD for a specific security group (VPN_Users)

Install

The linux site for the rpm download of freeradius2 is: http://people.redhat.com/jdennis/freeradius-rhel-centos

Create /etc/yum.repos.d/freeradius2.repo:

    [freeradius2]
    name=Freeradius2
    baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos
    enabled=1
    gpgenabled=0

Install freeradius2:

    yum install freeradius2 freeradius2-utils freeradius2-ldap

Enable FreeRadius to start on boot:

    chkconfig radiusd on

To start the freeRadius service:

    service radiusd start

To run the service in debug mode (which you should be doing until everything works):

    service radiusd stop
    radiusd -X

Configuration

http://deployingradius.com/documents/configuration/active_directory.html

Note that the configuring of SAMBA, kerberos, and adding to the domain should already be done as part of the default Linux install, see h:\is\operating system\Linux\Guide_linux.doc

Verify that a user in the domain can be authenticated:

    wbinfo -a user%password

Try the same login with the ntlm_auth program, which is what FreeRADIUS will be using:

    ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password

./raddb/radiusd.conf (see Appendix C)

Update max_requests to # users * 256

Add to the end of the auth listen {..}:

    clients = disambiguate

Add to the end of the acct listen {..}:

    clients = disambiguate

Add to the end of the modules {..} section:

    exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}"
    }

In log {..}:

    auth = yes

huntgroups

huntgroups let you restrict which clients are associated with which user. You will need to add each IP of each device that will be using the RADIUS server, and associate it with the correct huntgroup. This will let the ./users file associate the user with the appropriate device:

/etc/raddb/huntgroups:

    Cisco_Huntgroup NAS-IP-Address == 10.100.0.1
    Cisco_Huntgroup NAS-IP-Address == 10.100.0.2
    Cisco_Huntgroup NAS-IP-Address == 10.100.0.3
    VPN_Huntgroup   NAS-IP-Address == 10.4.1.2

./raddb/modules/ldap (See appendix D)

If this file is missing, you need to install the RPM for freeradius2-ldap. This section is one of the biggest pains to configure, as all of your LDAP strings need to be 100% correct, and they will be very specific to the environment. Of course, update server, identity, password, basedn for your own environment. You will need a user account in AD to permit the bind to LDAP.

In this example, that account is in: CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com

In this example, the Security groups are located in (or below): OU=Enterprise,DC=example,DC=com

    ldap {
        server = "example.com"
        identity = "CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com"
        password = secretpassword
        basedn = "OU=Enterprise,DC=example,DC=com"
        filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
        groupmembership_attribute = memberOf
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
    }

Configuration of different virtual sites

For this you'll have 3 general sites, default (used mostly for testing on 127.0.0.1), server_cisco (used to AAA the Cisco users), and server_vpn (used to AAA the VPN users).

inner-tunnel

Add:

    ntlm_auth

to the end of the authenticate {..} section

default

Add:

    ntlm_auth

to the end of the authenticate {..} section

server_cisco (see Appendix B)

We're going to duplicate the default config, and modify it for that particular virtual server:

    cp
Problem to start radiusd -x
Hi all:

I had installed Debian lenny, later mysql, later apache and later downloaded freeradius freeradius-server-2.1.7.tar.gz, untar and ./configure, make and make install. The errors like "checking for gcc... no" were solved. Now, I tried to run the famous radiusd -x but I have the following error message:

    debian:~/freeradius-server-2.1.7# radiusd -X
    radiusd: error while loading shared libraries: libfreeradius-radius-2.1.7.so: cannot open shared object file: No such file or directory
    debian:~/freeradius-server-2.1.7# radiusd -x
    radiusd: error while loading shared libraries: libfreeradius-radius-2.1.7.so: cannot open shared object file: No such file or directory
    debian:~/freeradius-server-2.1.7# radtest test test localhost 0 testing123
    /usr/local/bin/radclient: error while loading shared libraries: libfreeradius-radius-2.1.7.so: cannot open shared object file: No such file or directory
    debian:~/freeradius-server-2.1.7#

I do everything logged in as root from a ssh session by Putty. Why the error? Any idea? I will search in the doc or wiki, but help will be appreciated.

Carlos
Re:6. Problem to start radiusd -x (C. Diego Raffaelli A.)
Hi all ... I found:

> Author: Salim Engin
> Date: 2009-09-17 02:46 -400
> To: FreeRadius users mailing list
> Subject: Re: Upgrading from 2.1.6 to 2.1.7
>
> Just try to execute ldconfig and retry...

I did it, and I get something that I think is debug info... then I did radtest and I have a response. Unaccepted, but it's a response. Please look at my radiusd -X (incomplete):

    Module: Instantiating acct_unique
     acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
     }
    Module: Checking accounting {...} for more modules to load
    Module: Linked to module rlm_detail
    Module: Instantiating detail
     detail {
        detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
        header = %t
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
     }
    Module: Instantiating attr_filter.accounting_response
     attr_filter attr_filter.accounting_response {
        attrsfile = /usr/local/etc/raddb/attrs.accounting_response
        key = %{User-Name}
     }
    Module: Checking session {...} for more modules to load
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
     } # modules
    } # server
    radiusd: Opening IP addresses and Ports
    listen {
        type = auth
        ipaddr = *
        port = 0
    Failed binding to authentication address * port 1812: Address already in use
    /usr/local/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

    debian:~/freeradius-server-2.1.7# radtest test test localhost 0 testing123
    Sending Access-Request of id 93 to 127.0.0.1 port 1812
        User-Name = test
        User-Password = test
        NAS-IP-Address = 1.2.3.4
        NAS-Port = 0
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=93, length=20

I would like to know if this is normal:

    Failed binding to authentication address * port 1812: Address already in use

and this:

    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=93, length=20

Thanks a lot

Carlos
Re: Problem to start radiusd -x
> I had installed Debian lenny, later mysql, later apache and later downloaded freeradius freeradius-server-2.1.7.tar.gz, untar and ./configure, make and make install. The errors like "checking for gcc... no" were solved. Now, I tried to run the famous radiusd -x but I have the following error message:
>
>     debian:~/freeradius-server-2.1.7# radiusd -X
>     radiusd: error while loading shared libraries: libfreeradius-radius-2.1.7.so: cannot open shared object file: No such file or directory
>     debian:~/freeradius-server-2.1.7# radiusd -x
>     radiusd: error while loading shared libraries: libfreeradius-radius-2.1.7.so: cannot open shared object file: No such file or directory
>     debian:~/freeradius-server-2.1.7# radtest test test localhost 0 testing123
>     /usr/local/bin/radclient: error while loading shared libraries: libfreeradius-radius-2.1.7.so: cannot open shared object file: No such file or directory
>     debian:~/freeradius-server-2.1.7#

Linker is looking for libraries in the wrong place. Add the correct ld path. You had a message about that when building the server.

Ivan Kalik
Re:6. Problem to start radiusd -x (C. Diego Raffaelli A.)
> Failed binding to authentication address * port 1812: Address already in use
> /usr/local/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

One instance is already running. killall radiusd should stop it.

Ivan Kalik
Re: PAP Authentication Not Working ??
Regarding the version, by design if running Centos, which purposely has a long cycle between releases based on upstream for stability. I'm not against upgrading this though. :)

So I did in fact read the users file or I wouldn't have made it this far, but I'm not seeing anything that points me to this. Upon further analysis, I can make this work, it seems, from the Users file. But if I have the user in mysql it will only respond with an Access-Accept if the password type on NTRadPing is set to Chap.

On Dec 1, 2009, at 6:01 PM, t...@kalik.net wrote:
> > I've got a 1.1-3 FreeRadius server and trying to figure out what to do to enable PAP authentication. CHAP is working when I use Radius Ping, but if I change the Password to User-Password which, if I understand it, is supposed to enable PAP. When I do this, I get an Access-Reject. Is there something else I need to do to enable PAP or force it?
>
> Why are you using such an ancient server version? Upgrade. Or read the instructions in the users file. They should be relevant for your server version.
>
> Ivan Kalik
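Since the PAP versus CHAP question comes up in several threads on this page, here is an added example (not code from the list or from FreeRADIUS) that re-implements the two password attributes NTRadPing can send, User-Password (RFC 2865 section 5.2) and CHAP-Password (RFC 1994, carried per RFC 2865 section 5.3), to make visible what the server must hold to verify each. The shared secret, Request Authenticator, CHAP challenge and passwords are constructed sample values.

```python
"""User-Password (PAP) and CHAP-Password handling as a RADIUS server sees it.

Added example, not from the mailing-list threads and not FreeRADIUS code.
SHARED_SECRET, REQUEST_AUTHENTICATOR and CHAP_CHALLENGE are constructed
sample values; a NAS generates the authenticator and challenge per request.
"""
import hashlib
import hmac

SHARED_SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))
CHAP_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def password_hash(password: bytes) -> bytes:
    """Stand-in for a one-way stored password form (SHA-256 here)."""
    return hashlib.sha256(password).digest()


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password attribute value (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 octets; each block is
    XORed with MD5(secret + previous ciphertext block), the first block
    using the Request Authenticator. This is obfuscation under the shared
    secret, not authenticated encryption: anyone holding the secret and a
    packet capture recovers the cleartext.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def pap_decode(attr: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the cleartext from User-Password, as the server does before
    comparing it with whatever password form it has stored. Trailing NUL
    padding is removed, so a password ending in NUL octets cannot round-trip.
    """
    if not attr or len(attr) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(attr), 16):
        block = attr[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def chap_encode(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Build the CHAP-Password attribute value: the CHAP Identifier octet
    followed by MD5(Identifier + password + CHAP-Challenge) (RFC 1994)."""
    ident_octet = bytes([ident & 0xFF])
    return ident_octet + hashlib.md5(ident_octet + password + challenge).digest()


def verify_chap(attr: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """CHAP is checked by recomputing the digest, which needs the cleartext
    password on the server; a hashed password cannot be used."""
    if len(attr) != 17:
        return False
    ident_octet = attr[:1]
    expected = hashlib.md5(ident_octet + stored_cleartext + challenge).digest()
    return hmac.compare_digest(attr[1:], expected)


def verify_pap(attr: bytes, secret: bytes, authenticator: bytes,
               stored_hash: bytes) -> bool:
    """PAP hands the server the cleartext, so it can be compared against a
    one-way hash (password_hash) as well as against a cleartext copy."""
    cleartext = pap_decode(attr, secret, authenticator)
    return hmac.compare_digest(password_hash(cleartext), stored_hash)
```

The asymmetry is the point: a CHAP-Password can only be verified from the cleartext, so a server that accepts CHAP against a row has found a usable cleartext for that user, while a User-Password can be checked against either a cleartext or a hashed form once it has been decoded with the shared secret.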
Help on TLS+Active Directory
Hi. Need some help to understand this combination.

I'm trying to setup EAP-TLS + Active Directory Authentication on a wireless mobility controller. This mob con has this Portal Captive feature. To start testing, I configured freeradius as a ldap client for Active Directory, using the Administrator account to bind to it, and using commonname as a filter. Then I configured the portal captive from the mob-con to authenticate through the radius server, and it worked fine, even using the simultaneous-use attribute.

Then, I tried to go ahead configuring EAP-TLS. At first I recompiled the source code to include support for ssl. Then I created the certs on freeradius using the Makefile which comes on the package. I signed up the client certificates using the CA ones, not the server ones. Next, I configured the corresponding sections on eap.conf and default (enabling eap) and started freeradius -X. After copying the certificates to the Windows Vista machines, I started the association. Everything was well, and the client authenticated without problems. Even trying to use the same certificate on another machine reached the simultaneous-use count and didn't allow the client to connect.

BUT, we noted an interesting behaviour. If the client specifies Windows to use another username to login, although freeradius complains that the user doesn't exist on ldap, it seems it still accepts this user, as long as the certificate is fine. So, in this case, if the user isn't allowed to login because of simultaneous use, he still can change the username which he uses, specifying another one (whichever, even if it doesn't exist) and voilà! He can now log in.

I'm sure I'm missing something, but I'm not sure what. Any clue? Will supply log or conf files upon request (right now, I'm not sure what parts could be relevant to you).
User REALMS and PAP rejected when using MySQL based accounts
Greetings All:

I am standing up a new radius server for pass through auth. I'm struggling with accounts that are mysql based (which I have to use for my automated billing system). Using NTRadPING Test Utility.

I can authenticate using PAP and REALMS if the user is just located in USERS file.
I can authenticate without a REALM and with CHAP when using MySQL.
But I CAN'T authenticate using realms or using PAP when using accounts in MySQL.

in users:

    test2    Auth-Type := Local, User-Password == password

(works every time with all combinations)

radcheck:

    UserName    Attribute       op    Value
    test3       User-Password   ==    password

usergroup:

    UserName    GroupName    Priority
    test3       Dialin       1

radgroupcheck:

    id    GroupName    Attribute    op    Value
    1     Dialin       Auth-Type    :=    Local
Re: User REALMS and PAP rejected when using MySQL based accounts
Missed the need to strip the realm. That fixed both problems.

On Dec 1, 2009, at 9:04 PM, James Hankins wrote:
> Greetings All:
>
> I am standing up a new radius server for pass through auth. I'm struggling with accounts that are mysql based (which I have to use for my automated billing system). Using NTRadPING Test Utility.
>
> I can authenticate using PAP and REALMS if the user is just located in USERS file.
> I can authenticate without a REALM and with CHAP when using MySQL.
> But I CAN'T authenticate using realms or using PAP when using accounts in MySQL.
>
> in users:
>
>     test2    Auth-Type := Local, User-Password == password
>
> (works every time with all combinations)
>
> radcheck:
>
>     UserName    Attribute       op    Value
>     test3       User-Password   ==    password
>
> usergroup:
>
>     UserName    GroupName    Priority
>     test3       Dialin       1
>
> radgroupcheck:
>
>     id    GroupName    Attribute    op    Value
>     1     Dialin       Auth-Type    :=    Local
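The realm fix above and the "Unknown attribute Cleartext-Password" failure in the PostgreSQL thread are both about what rlm_sql is handed before it runs the radcheck query. The following is an added example, not code from the list and not FreeRADIUS's rlm_realm or rlm_sql, that models the two steps in miniature against a constructed SQLite copy of the radcheck table: the 'suffix' realm split, the `%{Stripped-User-Name:-%{User-Name}}` fallback used as the SQL user name, and the dictionary check that makes rlm_sql fail on an attribute the server does not know. The realm, user names, rows and the two attribute sets are sample data; the attribute sets are an assumption standing in for the server's dictionary, with only the fact that 1.1.3 lacks Cleartext-Password taken from the log on this page.

```python
"""Realm stripping and the radcheck lookup, re-implemented in miniature.

Added example; not the FreeRADIUS implementation. DICTIONARY_1_1 and
DICTIONARY_2_X are assumed, deliberately minimal stand-ins for the server
dictionary, not the real attribute lists.
"""
import sqlite3
from typing import Dict, FrozenSet, List, Optional, Tuple

DICTIONARY_1_1 = frozenset({"User-Password", "Crypt-Password", "Auth-Type",
                            "Simultaneous-Use"})
DICTIONARY_2_X = DICTIONARY_1_1 | {"Cleartext-Password", "NT-Password",
                                   "MD5-Password"}

# Constructed radcheck rows in the layout the SQL HOWTO uses.
SAMPLE_RADCHECK = [
    ("test3", "User-Password", "==", "password"),       # 1.x style row
    ("test4", "Cleartext-Password", ":=", "password"),  # 2.x style row
]


def open_sample_db() -> sqlite3.Connection:
    """In-memory radcheck table filled with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, "
                 "Attribute TEXT, op TEXT, Value TEXT)")
    conn.executemany("INSERT INTO radcheck (UserName, Attribute, op, Value) "
                     "VALUES (?, ?, ?, ?)", SAMPLE_RADCHECK)
    conn.commit()
    return conn


def strip_realm(user_name: str, realms: FrozenSet[str],
                delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """Mimic a 'suffix' realm instance: split at the last delimiter.

    If the realm part is not a configured realm the name is left untouched
    (the module returns noop), which is what leaves a user@realm login
    unmatched by a radcheck row keyed on the bare user name.
    """
    head, sep, tail = user_name.rpartition(delimiter)
    if sep and tail in realms:
        return head, tail
    return user_name, None


def fetch_check_items(conn: sqlite3.Connection,
                      sql_user: str) -> List[Tuple[str, str, str]]:
    """authorize_check_query with a bound parameter in place of the
    escaped-and-interpolated xlat that the debug log shows."""
    rows = conn.execute(
        "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id",
        (sql_user,),
    ).fetchall()
    return [tuple(r) for r in rows]


def authorize(conn: sqlite3.Connection, user_name: str, realms: FrozenSet[str],
              dictionary: FrozenSet[str]) -> Dict[str, object]:
    """Realm split, then the SQL lookup, then the dictionary check rlm_sql
    performs when it turns each row into a check item."""
    stripped, realm = strip_realm(user_name, realms)
    # Same fallback as the xlat %{Stripped-User-Name:-%{User-Name}}.
    sql_user = stripped if realm is not None else user_name
    items = fetch_check_items(conn, sql_user)
    if not items:
        return {"result": "notfound", "sql_user": sql_user, "realm": realm}
    for attr, _op, _value in items:
        if attr not in dictionary:
            # rlm_sql: "Failed to create the pair: Unknown attribute <attr>"
            return {"result": "fail", "sql_user": sql_user, "realm": realm,
                    "error": "Unknown attribute " + attr}
    return {"result": "ok", "sql_user": sql_user, "realm": realm, "check": items}
```

Two checks fall out of this. A realm-qualified login only reaches the bare radcheck row if the realm is configured and the SQL user name is built from Stripped-User-Name with the User-Name fallback, so it is worth confirming that sql_user_name in sql.conf uses that xlat rather than plain `%{User-Name}`. And a row whose Attribute is not in the running server's dictionary makes the whole lookup fail rather than being skipped, which is the 1.1.3 behaviour in the PostgreSQL log.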
Re: Problem with rlm_realm
Hi,

Yeah, I tried to build it using --without-rlm_realm, but then too it is building. What might be the problem?? And yeah, it takes a very long time when I run the radius server in debugging mode.. What might be the problem for the low authentication rate? How much auth rate approx should I get with freeradius-server 2.1.7?

Thanks
Regards,
Kachin
Re: Problem with rlm_realm
kachin Agarwal wrote:
> Hi, Yeah, I tried to build it using --without-rlm_realm, but then too it is building. What might be the problem??

Perhaps you could try using a text editor to edit the configuration files, and remove the calls to the realm module?

> And yeah, it takes a very long time when I run the radius server in debugging mode.. What might be the problem for the low authentication rate?

You've edited the configuration files and broken them.

> How much auth rate approx should I get with freeradius-server 2.1.7?

For passwords in the users file, a default install should get 5K packets/s.

Alan DeKok.
Re: Help on TLS+Active Directory
gera wrote:
> BUT, we noted an interesting behaviour. If the client specifies Windows to use another username to login, although freeradius complains that the user doesn't exist on ldap, it seems it still accepts this user, as long as the certificate is fine.

That's how EAP-TLS works.

> So, in this case, if the user isn't allowed to login because of simultaneous use, he still can change the username which he uses, specifying another one (whichever, even if it doesn't exist) and voilà! He can now log in. I'm sure I'm missing something, but I'm not sure what.

You need to update the CRL to revoke the certificate. The user then can't use it for authentication.

Alan DeKok.