ippool and cache-size

2010-09-13 Thread Konstantin Chekushin

 Hi all. I have a question about rlm_ippool and the cache-size option.
  Info from the description: cache-size: The gdbm cache size for the db
 files. Should be equal to the number of ip's available in the ip
 pool.
  Also, note the cache size matches the number of IP's in your pool.
 More is OK but wasteful, less is very bad.
  My pool size is 32k. And I'm using this pool only for fallback.
 So, I'll need it rarely in the future.
  If cache-size = 32768, then the radiusd process takes all memory.
  Mon Sep 13 12:33:46 2010 : Error: Couldn't fork: Cannot allocate
 memory
  If cache-size = 16384 :
  top:
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3061 freerad   20   0  304m 261m 1080 S    0 52.1   0:00.00 radiusd
  radiusd takes 261m! :-[ ]
  So, here is my question. If I use the default cache-size = 800, and at
 some point radius starts using this pool, what will happen when all
 800 ip-addresses are taken? Will the system slow down, or will there
 be a segmentation fault or something else? Why is less very bad?
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: ippool and cache-size

2010-09-13 Thread Alan DeKok
Konstantin Chekushin wrote:
 My pool size is 32k. And I'm using this pool only for fallback.
 So, I'll need it rarely in the future.

  For 32K IP's, I'd suggest using a database.

 If cache-size = 32768, then the radiusd process takes all memory.
 Mon Sep 13 12:33:46 2010 : Error: Couldn't fork: Cannot allocate memory
 If cache-size = 16384 :
...
 radiusd takes 261m! :-[ ]

  shrug  That's how in-memory databases work.  They use memory.

 So, here is my question. If I use the default cache-size = 800, and at
 some point radius starts using this pool, what will happen when all
 800 ip-addresses are taken? Will the system slow down, or will there
 be a segmentation fault or something else? Why is less very bad?

  If you have 32K IP's, use a database.  See the sqlippool module.

  Alan DeKok.


interpret check-Item and change reply-item to set VLAN

2010-09-13 Thread Michael Bathe
Hello list,

Is there any how-to or solution to interpret the ldap checkItem and
change the replyItem (I think in inner-tunnel)?
e.g.: If the checkItem matches one of 'sec11', 'Sec11', 'SEC11'... the
replyItem should be set to '111'.

ldap.attrmap:
checkItem   Tunnel-Private-Group-Id sectionNetwork
replyItem   Tunnel-Private-Group-Id sectionNetwork

The following in the users file won't work:

DEFAULT Tunnel-Private-Group-Id == sec11
Tunnel-Private-Group-Id=111,
Reply-Message += changed 

DEFAULT Auth-Type == EAP
Tunnel-Medium-Type = IEEE-802,
Tunnel-Type = VLAN,
Reply-Message += Access success for %{User-Name}.,
Fall-Through = no

I use FreeRADIUS Version 2.1.6, for host i386-pc-solaris2.8, openLDAP,
802.1x with mschapv2. This works fine for me.

radiusd -X output:
...
rlm_ldap: performing search in dc=domain,dc=de, with filter (uid=user)
checking if remote access for user is allowed by uid
looking for check items in directory...
rlm_ldap: sectionNetwork - Tunnel-Private-Group-Id:0 == sec11
rlm_ldap: sambaNTPassword - NT-Password == removed
rlm_ldap: sambaLMPassword - LM-Password == removed
looking for reply items in directory...
rlm_ldap: sectionNetwork - Tunnel-Private-Group-Id:0 = sec11
WARNING: No known good password was found in LDAP.  Are you sure that
the user is configured correctly?
user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
...
++[eap] returns ok
} # server inner-tunnel
Got tunneled reply code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Reply-Message = Access success for user.
Tunnel-Private-Group-Id:0 = sec11
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = user
Got tunneled reply RADIUS code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Reply-Message = Access success for user.
Tunnel-Private-Group-Id:0 = sec11
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = user
Tunneled authentication was successful.
SUCCESS
Saving tunneled attributes for later
++[eap] returns handled
 ...
Sending Access-Accept of id 131 to 10.0.0.12 port 1645
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Reply-Message = Access success for user.
Tunnel-Private-Group-Id:0 = sec11
User-Name = user
MS-MPPE-Recv-Key =
0x611ed2d5955bded1d3302045c5930fd4aad610a0b6f5aa1045ba0477f12b7eee
MS-MPPE-Send-Key =
0xc38e1cad9590596e3902a46a40706ad8bde70f05bde110698b631b503c00f51b
EAP-Message = 0x030a0004
Message-Authenticator = 0x
Finished request 10.
...

thanks and

best regards

Michael




Re: Ignoring EAP-Type/tls because we do not have OpenSSL, support.

2010-09-13 Thread Douglas Caro

Hi David and Alexander... thank you, so much...

I've tried your tips, but it didn't work...


# dpkg -l |grep freeradius
ii  freeradius              2.1.9+git          a high-performance and highly configurable R
ii  freeradius-common       2.1.9+git          FreeRADIUS common files
ii  freeradius-dialupadmin  2.1.9+git          set of PHP scripts for administering a FreeR
ii  freeradius-ldap         2.1.9+git          LDAP module for FreeRADIUS server
ii  freeradius-utils        2.1.9+git          FreeRADIUS client utilities
ii  libfreeradius-dev       2.1.9+git          FreeRADIUS shared library development files
ii  libfreeradius2          2.1.9+git          FreeRADIUS shared library


# dpkg -l |grep libssl
ii  libssl-dev              0.9.8g-15+lenny8   SSL development libraries, header files and
ii  libssl0.9.8             0.9.8g-15+lenny8   SSL shared libraries


# freeradius -v
freeradius: FreeRADIUS Version 2.1.9, for host i486-pc-linux-gnu, built 
on Sep 13 2010 at 09:40:57

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.

The messages keep appearing
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.

Thanks
Douglas


Re: interpret check-Item and change reply-item to set VLAN

2010-09-13 Thread Phil Mayers

On 09/13/2010 01:44 PM, Michael Bathe wrote:

Hello list,

Is there any how-to or solution to interpret the ldap checkItem and
change the replyItem (I think in inner-tunnel)?
e.g.: If the checkItem matches one of 'sec11', 'Sec11', 'SEC11'... the
replyItem should be set to '111'.

ldap.attrmap:
checkItem   Tunnel-Private-Group-Id sectionNetwork
replyItem   Tunnel-Private-Group-Id sectionNetwork


This looks wrong.



The following in the users file won't work:

DEFAULT Tunnel-Private-Group-Id == sec11
 Tunnel-Private-Group-Id=111,
 Reply-Message += changed 

DEFAULT Auth-Type == EAP
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Type = VLAN,
 Reply-Message += Access success for %{User-Name}.,
 Fall-Through = no


This also looks wrong.

What are you trying to do, in more detail? Something is setting 
Tunnel-Private-Group-Id to sec11, and then you want to re-write it to 
111 - why not just change the thing that sets it in the first place?



Re: interpret check-Item and change reply-item to set VLAN

2010-09-13 Thread Alan DeKok
Michael Bathe wrote:
 Is there any how-to or solution to interpret the ldap checkItem and
 change the replyItem (I think in inner-tunnel)?
 e.g.: If the checkItem matches one of 'sec11', 'Sec11', 'SEC11'... the
 replyItem should be set to '111'.

$ man unlang

  The ldap module doesn't do generic comparison or setting of
attributes.  Neither does the users file.

  But the unlang policy language does.

  Alan DeKok.
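A policy of the kind Alan is pointing at, written as an added example for this thread (it is not from the original posts or from the FreeRADIUS project). It assumes the ldap.attrmap line maps sectionNetwork to a reply item only, so the directory value ("sec11") lands in the inner-tunnel reply list and the duplicated checkItem line Phil flagged is gone; it also assumes the server's unlang accepts the `/i` regex flag and the `!* ANY` delete operator as described in `man unlang` for 2.x. The section name, VLAN ID and Reply-Message text are the ones from Michael's mail.

```unlang
# Added example, not from the thread or the FreeRADIUS project.
# Assumed raddb/ldap.attrmap (reply mapping only, no checkItem line):
#     replyItem   Tunnel-Private-Group-Id   sectionNetwork
# Place this in raddb/sites-available/inner-tunnel, in the "authorize"
# section, directly after the ldap call, so the rewrite happens before
# the tunneled reply is saved for the outer Access-Accept.
authorize {
        ...
        ldap

        # Map the directory's section name to the VLAN ID the switch or AP
        # expects. The /i flag (assumed available) makes the match
        # case-insensitive, so sec11, Sec11 and SEC11 all match.
        if (reply:Tunnel-Private-Group-Id =~ /^sec11$/i) {
                update reply {
                        Tunnel-Medium-Type       := IEEE-802
                        Tunnel-Type              := VLAN
                        Tunnel-Private-Group-Id  := "111"
                        Reply-Message            += "changed"
                }
        }
        # Fail closed: a section name with no mapping must not reach the NAS
        # as a VLAN assignment (the switch would otherwise fall back to
        # whatever its default VLAN is), so strip the tunnel attributes and
        # reject with a reason that shows up in radiusd -X.
        elsif (reply:Tunnel-Private-Group-Id) {
                update reply {
                        Tunnel-Private-Group-Id  !* ANY
                        Tunnel-Type              !* ANY
                        Tunnel-Medium-Type       !* ANY
                        Reply-Message            += "Unknown network section in directory"
                }
                reject
        }
        ...
}
```

With this in place the users file entries from the original mail are no longer needed for the VLAN logic; the `DEFAULT Auth-Type == EAP` entry that adds Tunnel-Medium-Type and Tunnel-Type can stay, since `:=` in the policy overwrites whatever it set. The rewritten attributes only reach the NAS if `use_tunneled_reply = yes` is set in the peap section of eap.conf, which Michael's debug output (tunnel attributes present in the Access-Accept) shows is already the case.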


Re: Freeradius + AD + WiFi + EAP

2010-09-13 Thread Alan DeKok
Kleber Larroyd wrote:

  If you can't be bothered to explain *why* you're doing this, and
*what* is going wrong, then we can't be bothered to read the reams of
data you posted.

  It also helps to *read* the debug output.  Really.

  Alan DeKok.


Re: Ignoring EAP-Type/tls because we do not have OpenSSL, support.

2010-09-13 Thread Alan DeKok
Douglas Caro wrote:
 Hi David and Alexander... thank you, so much...
 
 I've tried your tips, but it didn't work...

  shrug  The Wiki contains instructions for building your own debian
package with OpenSSL support.

  Alan DeKok.


Re: Freeradius + AD + WiFi + EAP

2010-09-13 Thread John Dennis

On 09/13/2010 10:35 AM, Kleber Larroyd wrote:

Have any idea ? Where can i find the solution ?
When i trying connect (windows vista) freeradius server *with wireless over
access point* i get this error:


In the future please follow the instructions to send the *complete* 
output of radiusd -X *only*.


Also please read the debug output before asking for help; your answer is 
in the output.




Mon Sep 13 10:34:23 2010 : Info: [pap] WARNING! No known good password
found for the user. Authentication may fail because of this.
Mon Sep 13 10:34:23 2010 : Debug: rlm_eap_leap: No Cleartext-Password or
NT-Password configured for this user


No password means you didn't configure authorization in the 
inner-tunnel. Your test only worked because it wasn't doing TLS and hence 
never entered the inner-tunnel virtual server.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: ippool and cache-size

2010-09-13 Thread Konstantin Chekushin

 Thanks for the advice, but I am using a database for the main solution (I've
 written my own module for this, which uses rlm_sql functions for the sql
 logic). And I want to use the file-based pool for redundancy only. So, the
 main question - what will happen if the query cache is smaller than the
 ip-range? I have made a simple test, where the ip-range is 90 ip-s, and the
 cache is 10. It looks like it works fine.
  Quoting *Alan DeKok al...@deployingradius.com*:
 Konstantin Chekushin wrote:
   My pool size is 32k. And I'm using this pool only for fallback.
   So, I'll need it rarely in the future.
 
 For 32K IP's, I'd suggest using a database.
 
   If cache-size = 32768, then the radiusd process takes all memory.
   Mon Sep 13 12:33:46 2010 : Error: Couldn't fork: Cannot allocate memory
   If cache-size = 16384 :
  ...
   radiusd takes 261m! :-[ ]
 
  That's how in-memory databases work.  They use memory.
 
   So, here is my question. If I use the default cache-size = 800, and at
   some point radius starts using this pool, what will happen when all
   800 ip-addresses are taken? Will the system slow down, or will there
   be a segmentation fault or something else? Why is less very bad?
 
 If you have 32K IP's, use a database.  See the sqlippool module.
 
 Alan DeKok.

Re: Ignoring EAP-Type/tls because we do not have OpenSSL, support.

2010-09-13 Thread David Mitchell
Douglas Caro wrote:

 
 # freeradius -v
 freeradius: FreeRADIUS Version 2.1.9, for host i486-pc-linux-gnu, built
 on Sep 13 2010 at 09:40:57
 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.

It seems suspicious to me that your freeradius is reporting a build date
of today. Unless the .deb installation causes this date to be updated,
it implies that you built this binary locally. I have to be honest, even
though I run Debian a lot I usually compile FreeRadius myself so I'm not
that familiar with the packaged version.

-David Mitchell

 
 The messages keep appearing
 Ignoring EAP-Type/tls because we do not have OpenSSL support.
 Ignoring EAP-Type/ttls because we do not have OpenSSL support.
 Ignoring EAP-Type/peap because we do not have OpenSSL support.
 
 Thanks
 Douglas


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: Ignoring EAP-Type/tls because we do not have OpenSSL, support.

2010-09-13 Thread David Mitchell
David Mitchell wrote:
 Douglas Caro wrote:
 
 # freeradius -v
 freeradius: FreeRADIUS Version 2.1.9, for host i486-pc-linux-gnu, built
 on Sep 13 2010 at 09:40:57
 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
 
 It seems suspicious to me that your freeradius is reporting a build date
 of today. Unless the .deb installation causes this date to be updated,
 it implies that you built this binary locally. I have to be honest, even
 though I run Debian a lot I usually compile FreeRadius myself so I'm not
 that familiar with the packaged version.

You tried Alexander's tips, not mine. You built your own binary, and if
you didn't get TLS support you will have to debug the configure/make
process yourself. The 2.1.8 version in the Lenny backports has TLS
support built in. I'm 100% certain of this because I just installed it
and checked.

-David Mitchell


 
 -David Mitchell
 
 The messages keep appearing
 Ignoring EAP-Type/tls because we do not have OpenSSL support.
 Ignoring EAP-Type/ttls because we do not have OpenSSL support.
 Ignoring EAP-Type/peap because we do not have OpenSSL support.

 Thanks
 Douglas
 
 




Re: Freeradius + AD + WiFi + EAP

2010-09-13 Thread Alan Buxey
Hi,

 peap {
 
 default_eap_type = mschapv2
 copy_request_to_tunnel = no
 use_tunneled_reply = no

personally, I'd advise that you set those to yes rather than no.

 File /etc/raddb/users
 
 DEFAULT Auth-Type = ntlm_auth

you don't need to do this. ever. we do PEAP and don't have such a line - in fact,
the only time you need to set this is if you need to break the system in a weird
way

 Files /etc/raddb/sites-enable/inner-tunnel and /etc/raddb/sites-enable/default
 
 authenticate {
 
 ntlm_auth
 ...
 }

no no no. leave the inner-tunnel and default exactly as you found them - it 
will work out of the box.  what guide were you following to get this working?
I ask because if there is some document out there then it needs to be taken down.

 [r...@radiusserver etc]# ntlm_auth --request-nt-key --domain=MYDOMAINTEST 
 --username=testuser01  --password=test
 NT_STATUS_OK: Success (0x0)

good, that bit's fine

 [r...@radiusserver /]# radtest testuser01 test localhost 0 teste123
 Sending Access-Request of id 51 to 127.0.0.1 port 1812
 User-Name = testuser01
 User-Password = test
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 0
 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=51, length=20

and all that's done is a basic PAP test. you'd need to use more advanced tools 
such as eapol_test from the wpa_supplicant package for actually simulating a
standard Windows client that is doing an EAP method - with an EAP test your
packets would be proxied into the inner-tunnel virtual server...

alan
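The eapol_test run Alan is suggesting, as an added example (this configuration is not part of the original mail or of the FreeRADIUS project). It is in wpa_supplicant's configuration syntax, which eapol_test reads, and assumes the test account testuser01/test and the client secret teste123 that appear in Kleber's quoted ntlm_auth and radtest output; the file name peap-test.conf is an assumption.

```conf
# peap-test.conf: added example for eapol_test (from the wpa_supplicant
# package), not from the thread. Credentials and secret are the test
# values quoted above; replace them for your own server.
network={
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="testuser01"
        anonymous_identity="anonymous"
        password="test"
        phase1="peaplabel=0"
        phase2="auth=MSCHAPV2"
        eapol_flags=0
        # No ca_cert is given, so this client does not validate the
        # server certificate. That is acceptable for a loopback test only;
        # real supplicants must be configured with ca_cert so that they
        # only send MSCHAPv2 credentials to the genuine RADIUS server.
}
```

Run it against a server started with `radiusd -X` as `eapol_test -c peap-test.conf -a 127.0.0.1 -p 1812 -s teste123`. Unlike radtest's plain PAP exchange, this performs the full PEAP/MSCHAPv2 conversation: the debug output shows the request entering `server inner-tunnel`, the mschap module calling ntlm_auth, and the final Access-Accept carrying MS-MPPE keys; eapol_test ends with SUCCESS or FAILURE on its last line. If the loopback test passes but wireless clients still fail, the remaining difference is the client's certificate validation and the AP's shared secret, not the server's authentication logic.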


which samba version / patch for Active Directory 2008

2010-09-13 Thread Neil Prockter
Hello

If someone who has a working freeradius samba ntlm_auth AD 2008 setup
could let me know which version of samba they are using and which
patches it might help me a great deal.

I have a working configuration freeradius + samba 3.0.37 + Active
Directory 2003.

Our Active Directory servers are in the process of moving to 2008 and
the 3.0.37 does not return the correct/same keys when looking at an
upgraded AD server.  I have it pointed to our last AD 2003 server and it
works there.

I've setup samba 3.4.8 with the patch
https://bugzilla.samba.org/attachment.cgi?id=5894 (which needed a little
changing to match line number changes).

The session keys (if that's what they are) returned by running ntlm_auth
on the 2 setups are different (I've put a wrapper script around it so
that I can catch them being returned).  If I run ntlm_auth repeatedly
with the same challenge and nt-response, the ones returned by the broken
setup seem to change every few minutes whereas the working one stays the
same.

Thanks in advance,

Neil



Re: Ignoring EAP-Type/tls because we do not have OpenSSL, support.

2010-09-13 Thread Alan Buxey
Hi,

  The messages keep appearing
  Ignoring EAP-Type/tls because we do not have OpenSSL support.
  Ignoring EAP-Type/ttls because we do not have OpenSSL support.
  Ignoring EAP-Type/peap because we do not have OpenSSL support.

I'm not sure which bit of this isn't clear enough?  the FreeRADIUS
daemon was not built with OpenSSL support - which means that when
the ./configure stage was done, either the required libraries weren't present
or it was configured with eg --disable-openssl or such. (can't recall the
flag off-hand 'cos I've never built it in that way).

if you've installed eg the ssl-dev package AFTER the configure and/or install
then things won't be magically working! 

you must go through the whole configure stage WITH the right libraries 
installed.
that's the runtime OpenSSL stuff AND the development (headers/includes) for 
OpenSSL

alan


help in troubleshooting PEAP authenticathion with XP client

2010-09-13 Thread Stephane Brodeur

Hi,

Can somebody tell me if there is any log that can help me identify the 
problem with my Windows XP client trying to authenticate to the radius server.

I do not know how to interpret the RADIUS/DECODE:
parse response no app start; FAIL since no communication was established between 
the AP and the radius server.

Thanks for your help

Stephane

The following is the debug output from the Cisco AP

dot11_auth_dot1x_send_id_req_to_client:
Sending identity request to 0012.f078.
*dot11_auth_dot1x_send_id_req_to_client:
Client 0012.f078. timer started for 30 seconds
*
dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for
0012.f078.
*dot11_auth_dot1x_send_client_fail:
Authentication failed for 0012.f078.
*%DOT11-7-AUTH_FAILED:
Station 0012.f078. Authentication failed
*dot11_auth_dot1x_send_id_req_to_client:
Sending identity request to 0012.f078.
*dot11_auth_dot1x_send_id_req_to_client:
Client 0012.f078. timer started for 30 seconds
*
dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START)
for 0012.f078.
*
dot11_auth_dot1x_send_id_req_to_client: Sending identity request to
0012.f078.
*
dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078. timer
started for 30 seconds
*
dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY)
for 0012.f078.
*dot11_auth_dot1x_send_response_to_server:
Sending client 0012.f078. data to server
*
dot11_auth_dot1x_send_response_to_server: Started timer
server_timeout 60 seconds

 RADIUS/ENCODE(001A):Orig.
component type = DOT11
*RADIUS:
 AAA Unsupported Attr: ssid  [263] 14
*RADIUS:
  4D 6F 6E 6F 6E 63 6C 65 5F 53 74 65 [test]
*RADIUS:
 AAA Unsupported Attr: interface [156] 3
RADIUS:
  32  [2]
RADIUS(001A):
Storing nasport 281 in rad_db
RADIUS(001A):
Config NAS IP: 10.5.104.22
RADIUS/ENCODE(001A):
acct_session_id: 26
RADIUS(001A):
sending
RADIUS/DECODE:
parse response no app start; FAIL
RADIUS/DECODE:
parse response; FAIL
dot11_auth_dot1x_run_rfsm:
Executing Action(SERVER_WAIT,SERVER_FAIL) for 0012.f078.
dot11_auth_dot1x_send_response_to_client:
Forwarding serve r message to client 0012.f078.
dot11_auth_dot1x_send_response_to_client:
Started timer client_timeout 30 seconds
*dot11_auth_dot1x_send_client_fail:
Authentication failed for 0012.f078.
*dot11_auth_dot1x_send_id_req_to_client:
Sending identity request to 0012.f078.
dot11_auth_dot1x_send_id_req_to_client:
Client 0012.f078. timer started for 30 seconds



Re: which samba version / patch for Active Directory 2008

2010-09-13 Thread Alan Buxey
Hi,

 If someone who has a working freeradius samba ntlm_auth AD 2008 setup
 could let me know which version of samba they are using and which
 patches it might help me a great deal.
 
 I have a working configuration freeradius + samba 3.0.37 + Active
 Directory 2003.

we moved to 2008 last year and kept exactly the same FR/samba setup - ie 3.0.x
with no issue. using default CentOS supplied RPM (for SAMBA - we homebuild the
FreeRADIUS from source).

alan


[no subject]

2010-09-13 Thread workoutexcite
http://de3wpk.2010healthworld2.com/cap


  


Login Incorrect !

2010-09-13 Thread Paulo Maia
Hi guys ,

I'm trying to authenticate freeradius against passwd, but I keep getting a
Login Incorrect error. I'm doing EAP/PEAP mschapv2.
I don't know what I'm missing.
I can perform a radtest with success.
Here is the output

rad_recv: Access-Request packet from host 192.168.0.1 port 2048, id=187,
length=232
User-Name = momo
NAS-Port = 0
Called-Station-Id = 00-22-B0-45-DF-69:SapoNet
Calling-Station-Id = 00-22-FB-73-31-DA
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message =
0x02080050190017030100201c877f9482d13faf8e1619e14f1e0d909fa7983b184bb9f05c95a6cb6a845796170301002049a23598867fa02bfcf83108e8cb2130d7ebda59dd41304c300ea048c8bfa68d
State = 0xad18a6f8aa10bf33ac12d56bfa8b4024
Message-Authenticator = 0xc8a9f7c084d0b839d9340a38c5e328aa
+- entering group authorize {...}
++[preprocess] returns ok
 ++[unix] returns updated
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug
output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for reject or fail.  Those earlier messages will tell
you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [momo/via Auth-Type = EAP] (from client SapoNet port 0
cli 00-22-FB-73-31-DA)
Delaying reject of request 26 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 26
Sending Access-Reject of id 187 to 192.168.0.1 port 2048
EAP-Message = 0x04080004
Message-Authenticator = 0x
Waking up in 1.0 seconds.


Here is the conf
main {
user = root
group = root
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
} client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
 }
 client 192.168.0.1 {
require_message_authenticator = no
secret = teste123
shortname = SapoNet
nastype = other
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = no
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = yes
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = /var/log/radius/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
pem_file_type = yes
private_key_file = /etc/raddb/certs/server.pem
certificate_file = /etc/raddb/certs/server.pem
CA_file = /etc/raddb/certs/ca.pem
private_key_password = whatever
dh_file = /etc/raddb/certs/dh
random_file = 

Re: Login Incorrect !

2010-09-13 Thread Alan DeKok
Paulo Maia wrote:
 I'm trying to authenticate freeradius against passwd, but I keep getting a
 Login Incorrect error. I'm doing EAP/PEAP mschapv2.
 I don't know what I'm missing.
 I can perform a radtest with success.
 Here is the output

  Which you need to read.  The debug output you posted to the list
contains instructions which tell you how to solve the problem.

  Alan DeKok.


Freeradius + MySql + Wireless Clients without certificates

2010-09-13 Thread Esteban TALAVERA
Hi

I'd like to know if there is a way to configure a RADIUS server + MySQL
to authenticate wireless clients via a Cisco AP without certificates (EAP
TLS), only a username and password



Thanks

-- 

*Esteban Talavera*

Cisco AP + MySql + EAPTLS

2010-09-13 Thread Esteban TALAVERA
Hi

I have installed freeradius recently with MySQL and tested it with success to
authenticate VTY sessions on Cisco routers and switches.

However, my configuration with EAP-TLS is not working properly.

I use a Cisco AP

I created and copied the certificates to a Windows XP SP3 laptop to test if
everything is OK, but in freeradius -X mode I get a lot of messages and
none gives me the reason for the problem.

The AP says authentication failed and the RADIUS server sends the challenge
and waits, and later cleans all requests and becomes ready to process requests.

Here is a portion of the output of the radius activity

It appears that the certificates are accepted, but the XP stations keep trying
to authenticate

THANKS

=
rad_recv: Access-Request packet from host 10.10.10.5 port 1645, id=16,
length=176
User-Name = prue...@mydomain
Framed-MTU = 1400
Called-Station-Id = a8b1.d422.d432
Calling-Station-Id = 0019.d20c.4ed4
Service-Type = Login-User
Message-Authenticator = 0x7c4ac4a412db3b9cfba443de50792eed
EAP-Message = 0x0202001b01707275656261314062616e636f706c617a612e636f6d
NAS-Port-Type = Wireless-802.11
NAS-Port = 19153
NAS-Port-Id = 19153
NAS-IP-Address = 10.10.10.5
NAS-Identifier = AP_CISCO
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm mydomain.com for User-Name = prue...@mydomain
[suffix] No such realm mydomain
++[suffix] returns noop
[eap] EAP packet type response id 2 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} - prue...@mydomain
[sql] sql_set_user escaped user -- 'prue...@mydomain'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
- SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = 'prue...@mydomain'   ORDER BY id

[sql] expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT
groupname   FROM radusergroup   WHERE username =
'prue...@mydomain'   ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,   Value, op
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
ORDER BY id - SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname = 'TI'
ORDER BY id
[sql] User found in group TI
[sql] expand: SELECT id, groupname, attribute,   value, op
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'
ORDER BY id - SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname = 'TI'
ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 16 to 10.10.10.5 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0x765770697654693c62d8b4b34c9394a6
Finished request 0.
Going to the next request
.
.
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls]  TLS 1.0 Handshake [length 0041], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls]  TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls]  TLS 1.0 Handshake [length 05c7], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls]  TLS 1.0 Handshake [length 0082], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 18 to 10.10.10.5 port 1645
.
.
.
[tls] -- verify return:1
[tls] TLS_accept: SSLv3 read client certificate A
[tls]  TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls] TLS_accept: SSLv3 read client key exchange A
[tls]  TLS 1.0 Handshake [length 0086], CertificateVerify
[tls] TLS_accept: SSLv3 read certificate verify A
[tls]  

Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-13 Thread Marten Pape
Hi Esteban,
this can be done via EAP-PEAP or EAP-TTLS, but not directly via TLS.

Regards,
Marten Pape

Esteban TALAVERA wrote:
 Hi

 I'd like to know if there is a way to configure a RADIUS server +
 MySQL to authenticate wireless clients via a Cisco AP without
  certificates (EAP TLS), only a username and password



 Thanks 

 -- 

 *Esteban Talavera*



 



Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-13 Thread Esteban TALAVERA
Hi Marten

You mean that when configuring freeradius for EAP-PEAP it's not necessary to create
certificates?

Is it possible to use it with a Cisco AP as NAS?

Thanks


On Mon, Sep 13, 2010 at 6:23 PM, Marten Pape marten.p...@pape-hn.de wrote:

  Hi Esteban,
 this can be done via EAP-PEAP or EAP-TTLS, but not directly via TLS.

 Regards,
 Marten Pape

 Esteban TALAVERA wrote:

 Hi

  I'd like to know if there is a way to configure a RADIUS server +
 MySQL to authenticate wireless clients via a Cisco AP without certificates
 (EAP TLS), only a username and password



  Thanks

 --

 *Esteban Talavera*



  --








-- 

*Esteban Talavera*


*Proyectos ITW*

Tel.+(58)212 7623035

+(58)212 7620504

Cel. +(58)412 2892006

Fax   +(58)212 7615965

Re: Cisco AP + MySql + EAPTLS

2010-09-13 Thread Alan DeKok
Esteban TALAVERA wrote:
 I created and copied the certificates to a Windows XP SP3 laptop to test
 if everything is OK, but in freeradius -X mode I get a lot of messages
 and none gives me the reason for the problem.
 
 The AP says authentication failed and the RADIUS server sends the
 challenge and waits, and later cleans all requests and becomes ready to
 process requests.

  This problem is in the FAQ.  See also the comments in eap.conf.

  For a complete EAP howto, see http://deployingradius.com

  Alan DeKok.


Re: ippool and cache-size

2010-09-13 Thread Alan DeKok
Konstantin Chekushin wrote:
 Thanks for the advice, but I am using a database for the main solution (I've
 written my own module for this, which uses rlm_sql functions for the sql
 logic). And I want to use the file-based pool for redundancy only. So, the main
 question - what will happen if the query cache is smaller than the
 ip-range? I have made a simple test, where the ip-range is 90 ip-s, and the cache
 is 10. It looks like it works fine.

  If it works...

  Alan DeKok.