ippool and cache-size
Hi all.

I have a question about rlm_ippool and the cache-size option. Info from the description:

    cache-size: The gdbm cache size for the db files. Should be equal to the
    number of ip's available in the ip pool. Also, note the cache size matches
    the number of IP's in your pool. More is OK but wasteful, less is very bad.

My pool size is 32k, and I'm using this pool only for fallback, so I'll need it rarely in the future.

If cache-size = 32768, then the radiusd process takes all memory:

    Mon Sep 13 12:33:46 2010 : Error: Couldn't fork: Cannot allocate memory

If cache-size = 16384, top shows:

      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
     3061 freerad   20   0  304m 261m 1080 S    0 52.1   0:00.00 radiusd

radiusd takes 261m! :-[ ]

So, here is my question. If I use the default cache-size = 800, and at some point radius starts using this pool, what will happen if all 800 IP addresses are taken? Will the system slow down, will there be a segmentation fault, or something else? Why is less very bad?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ippool and cache-size
Konstantin Chekushin wrote:
> My pool size is 32k. And I'm using this pool only for fallback issue.
> So, I'll need it rarely in the future.

For 32K IP's, I'd suggest using a database.

> If cache-size = 32768, then radiusd process takes all memory.
> Mon Sep 13 12:33:46 2010 : Error: Couldn't fork: Cannot allocate memory
> If cache-size = 16384 :
> ...
> radiusd takes 261m! :-[ ]

<shrug> That's how in-memory databases work. They use memory.

> So, here is my question. If I'll use default cache-size =800, and at some
> point radius will start using this pool, what will happen if all 800
> ip-addresses will be taken? Will the system slowdown, or if there will be
> a segmentation fault or something else? Why is less is very bad?

If you have 32K IP's, use a database. See the sqlippool module.

Alan DeKok.
interpret check-Item and change reply-item to set VLAN
Hello list,

is there any how-to or solution to interpret the ldap checkItem and change the replyItem (I think in inner-tunnel)? E.g.: if the checkItem matches one of 'sec11', 'Sec11', 'SEC11'... the replyItem should be set to '111'.

ldap.attrmap:

    checkItem   Tunnel-Private-Group-Id   sectionNetwork
    replyItem   Tunnel-Private-Group-Id   sectionNetwork

The following in the users file won't work:

    DEFAULT Tunnel-Private-Group-Id == "sec11"
            Tunnel-Private-Group-Id = "111",
            Reply-Message += "changed"

    DEFAULT Auth-Type == EAP
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Type = VLAN,
            Reply-Message += "Access success for %{User-Name}.",
            Fall-Through = no

I use FreeRADIUS Version 2.1.6, for host i386-pc-solaris2.8, with OpenLDAP and 802.1X with MSCHAPv2. This works fine for me.

radiusd -X output:

    ...
    rlm_ldap: performing search in dc=domain,dc=de, with filter (uid=user)
    checking if remote access for user is allowed by uid
    looking for check items in directory...
    rlm_ldap: sectionNetwork -> Tunnel-Private-Group-Id:0 == sec11
    rlm_ldap: sambaNTPassword -> NT-Password == removed
    rlm_ldap: sambaLMPassword -> LM-Password == removed
    looking for reply items in directory...
    rlm_ldap: sectionNetwork -> Tunnel-Private-Group-Id:0 = sec11
    WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
    user user authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ...
    ++[eap] returns ok
    } # server inner-tunnel
    Got tunneled reply code 2
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Reply-Message = Access success for user.
        Tunnel-Private-Group-Id:0 = sec11
        EAP-Message = 0x03090004
        Message-Authenticator = 0x
        User-Name = user
    Got tunneled reply RADIUS code 2
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Reply-Message = Access success for user.
        Tunnel-Private-Group-Id:0 = sec11
        EAP-Message = 0x03090004
        Message-Authenticator = 0x
        User-Name = user
    Tunneled authentication was successful.
    SUCCESS
    Saving tunneled attributes for later
    ++[eap] returns handled
    ...
    Sending Access-Accept of id 131 to 10.0.0.12 port 1645
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Reply-Message = Access success for user.
        Tunnel-Private-Group-Id:0 = sec11
        User-Name = user
        MS-MPPE-Recv-Key = 0x611ed2d5955bded1d3302045c5930fd4aad610a0b6f5aa1045ba0477f12b7eee
        MS-MPPE-Send-Key = 0xc38e1cad9590596e3902a46a40706ad8bde70f05bde110698b631b503c00f51b
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
    Finished request 10.
    ...

Thanks and best regards,
Michael
Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.
Hi David and Alexander... thank you, so much... I've tried your tips, but it didn't work...

    # dpkg -l | grep freeradius
    ii  freeradius              2.1.9+git    a high-performance and highly configurable R
    ii  freeradius-common       2.1.9+git    FreeRADIUS common files
    ii  freeradius-dialupadmin  2.1.9+git    set of PHP scripts for administering a FreeR
    ii  freeradius-ldap         2.1.9+git    LDAP module for FreeRADIUS server
    ii  freeradius-utils        2.1.9+git    FreeRADIUS client utilities
    ii  libfreeradius-dev       2.1.9+git    FreeRADIUS shared library development files
    ii  libfreeradius2          2.1.9+git    FreeRADIUS shared library

    # dpkg -l | grep libssl
    ii  libssl-dev              0.9.8g-15+lenny8   SSL development libraries, header files and
    ii  libssl0.9.8             0.9.8g-15+lenny8   SSL shared libraries

    # freeradius -v
    freeradius: FreeRADIUS Version 2.1.9, for host i486-pc-linux-gnu, built on Sep 13 2010 at 09:40:57
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.

The messages keep appearing:

    Ignoring EAP-Type/tls because we do not have OpenSSL support.
    Ignoring EAP-Type/ttls because we do not have OpenSSL support.
    Ignoring EAP-Type/peap because we do not have OpenSSL support.

Thanks
Douglas
Re: interpret check-Item and change reply-item to set VLAN
On 09/13/2010 01:44 PM, Michael Bathe wrote:
> Hello list,
> is there any how_to or solution to interpret the ldap checkItem and change
> the replyItem (I think in inner-tunnel)?
> f.e.: If the checkItem match one of 'sec11', 'Sec11', 'SEC11'... the
> replyItem should be set to '111'.
>
> ldap.attrmap:
>     checkItem   Tunnel-Private-Group-Id   sectionNetwork
>     replyItem   Tunnel-Private-Group-Id   sectionNetwork

This looks wrong.

> the following in users file wont work:
>     DEFAULT Tunnel-Private-Group-Id == sec11
>             Tunnel-Private-Group-Id = 111,
>             Reply-Message += changed
>     DEFAULT Auth-Type == EAP
>             Tunnel-Medium-Type = IEEE-802,
>             Tunnel-Type = VLAN,
>             Reply-Message += Access success for %{User-Name}.,
>             Fall-Through = no

This also looks wrong.

What are you trying to do, in more detail? Something is setting Tunnel-Private-Group-Id to sec11, and then you want to re-write it to 111 - why not just change the thing that sets it in the first place?
Re: interpret check-Item and change reply-item to set VLAN
Michael Bathe wrote:
> is there any how_to or solution to interpret the ldap checkItem and change
> the replyItem (I think in inner-tunnel)?
> f.e.: If the checkItem match one of 'sec11', 'Sec11', 'SEC11'... the
> replyItem should be set to '111'.

$ man unlang

The ldap module doesn't do generic comparison or setting of attributes. Neither does the users file. But the unlang policy language does.

Alan DeKok.
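One way to do the rewrite Alan points at with unlang, as an added example that is not from this thread and not from the FreeRADIUS project's shipped configuration. It assumes Michael's ldap.attrmap (sectionNetwork mapped to the replyItem Tunnel-Private-Group-Id) and FreeRADIUS 2.x unlang syntax as in his 2.1.6; the second section name (sec12) and its VLAN number (112) are made-up placeholders, only sec11 -> 111 comes from the post. The users file compares check items against the request, not against what ldap just put in the reply, which is why his DEFAULT entry never matches; unlang can test the reply list directly.

```unlang
# Added example, not from the thread.  Fragment of sites-available/inner-tunnel
# for FreeRADIUS 2.x.  Assumes ldap.attrmap contains
#     replyItem  Tunnel-Private-Group-Id  sectionNetwork
# so that, after "ldap" runs, the reply list holds the raw LDAP string.
# "sec12" / "112" are hypothetical; only sec11 -> 111 comes from the post.
server inner-tunnel {
    authorize {
        # ... the modules shipped before ldap (suffix, eap, files, ...) stay as they are
        ldap

        # Map the LDAP section name to the numeric VLAN the switch expects.
        # The trailing "i" makes the regex match case-insensitively, so
        # sec11, Sec11 and SEC11 all take the same branch.
        if (reply:Tunnel-Private-Group-Id =~ /^sec11$/i) {
            update reply {
                Tunnel-Private-Group-Id := "111"
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
            }
        }
        elsif (reply:Tunnel-Private-Group-Id =~ /^sec12$/i) {
            update reply {
                Tunnel-Private-Group-Id := "112"
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
            }
        }
        else {
            # A section name not in the table is dropped rather than handed
            # to the NAS as an unvalidated VLAN name.
            update reply {
                Tunnel-Private-Group-Id !* ANY
            }
        }

        # ... remaining authorize modules (expiration, logintime, pap) stay as they are
    }
}
```

Because the rewrite happens inside inner-tunnel, the outer Access-Accept only carries it if the peap section has use_tunneled_reply = yes; Michael's debug shows "Saving tunneled attributes for later", so that is already the case for him.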
Re: Freeradius + AD + WiFi + EAP
Kleber Larroyd wrote:

If you can't be bothered to explain *why* you're doing this, and *what* is going wrong, then we can't be bothered to read the reams of data you posted.

It also helps to *read* the debug output. Really.

Alan DeKok.
Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.
Douglas Caro wrote:
> Hi David and Alexander... thank you, so much... I've tried your tips, but
> it didn't work...

<shrug> The Wiki contains instructions for building your own debian package with OpenSSL support.

Alan DeKok.
Re: Freeradius + AD + WiFi + EAP
On 09/13/2010 10:35 AM, Kleber Larroyd wrote:
> Have any idea ? Where can i find the solution ? When i trying connect
> (windows vista) freeradius server *with wireless over access point* i get
> this error:

In the future please follow the instructions to send the *complete* output of radiusd -X *only*. Also please read the debug output before asking for help; your answer is in the output.

> Mon Sep 13 10:34:23 2010 : Info: [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
> Mon Sep 13 10:34:23 2010 : Debug: rlm_eap_leap: No Cleartext-Password or NT-Password configured for this user

No password means you didn't configure authorization in the inner-tunnel. Your test only worked because it wasn't doing TLS and hence never entered the inner-tunnel virtual server.

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: ippool and cache-size
Thanks for the advice, but I am using a database for the main solution (I've written my own module for this, which uses rlm_sql functions for the SQL logic). And I want to use the file-based pool for redundancy only.

So, the main question: what will happen if the query cache is smaller than the IP range? I have made a simple test with an IP range of 90 IPs and a cache of 10. It looks like it works fine.

Quoting Alan DeKok <al...@deployingradius.com>:

> Konstantin Chekushin wrote:
>> My pool size is 32k. And I'm using this pool only for fallback issue.
>> So, I'll need it rarely in the future.
>
> For 32K IP's, I'd suggest using a database.
>
>> If cache-size = 32768, then radiusd process takes all memory.
>> Mon Sep 13 12:33:46 2010 : Error: Couldn't fork: Cannot allocate memory
>> If cache-size = 16384 :
>> ...
>> radiusd takes 261m! :-[ ]
>
> That's how in-memory databases work. They use memory.
>
>> So, here is my question. If I'll use default cache-size =800, and at some
>> point radius will start using this pool, what will happen if all 800
>> ip-addresses will be taken? Will the system slowdown, or if there will be
>> a segmentation fault or something else? Why is less is very bad?
>
> If you have 32K IP's, use a database. See the sqlippool module.
>
> Alan DeKok.
Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.
Douglas Caro wrote:
> # freeradius -v
> freeradius: FreeRADIUS Version 2.1.9, for host i486-pc-linux-gnu, built on Sep 13 2010 at 09:40:57
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.

It seems suspicious to me that your freeradius is reporting a build date of today. Unless the .deb installation causes this date to be updated, it implies that you built this binary locally. I have to be honest, even though I run Debian a lot I usually compile FreeRadius myself so I'm not that familiar with the packaged version.

-David Mitchell

> The messages keep appearing
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> Ignoring EAP-Type/peap because we do not have OpenSSL support.
>
> Thanks
> Douglas

--
-------------------------------------------------------------------
| David Mitchell (mitch...@ucar.edu)           Network Engineer IV |
| Tel: (303) 497-1845                         National Center for |
| FAX: (303) 497-1818                        Atmospheric Research |
-------------------------------------------------------------------
Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.
David Mitchell wrote:
> Douglas Caro wrote:
>> # freeradius -v
>> freeradius: FreeRADIUS Version 2.1.9, for host i486-pc-linux-gnu, built on Sep 13 2010 at 09:40:57
>> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
>
> It seems suspicious to me that your freeradius is reporting a build date
> of today. Unless the .deb installation causes this date to be updated, it
> implies that you built this binary locally. I have to be honest, even
> though I run Debian a lot I usually compile FreeRadius myself so I'm not
> that familiar with the packaged version.

You tried Alexander's tips, not mine. You built your own binary, and if you didn't get TLS support you will have to debug the configure/make process yourself. The 2.1.8 version in the Lenny backports has TLS support built in. I'm 100% certain of this because I just installed it and checked.

-David Mitchell

> -David Mitchell
>
>> The messages keep appearing
>> Ignoring EAP-Type/tls because we do not have OpenSSL support.
>> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
>> Ignoring EAP-Type/peap because we do not have OpenSSL support.
>>
>> Thanks
>> Douglas

--
-------------------------------------------------------------------
| David Mitchell (mitch...@ucar.edu)           Network Engineer IV |
| Tel: (303) 497-1845                         National Center for |
| FAX: (303) 497-1818                        Atmospheric Research |
-------------------------------------------------------------------
Re: Freeradius + AD + WiFi + EAP
Hi,

> peap {
>     default_eap_type = mschapv2
>     copy_request_to_tunnel = no
>     use_tunneled_reply = no

personally, I'd advise that you set those to yes rather than no.

> File /etc/raddb/users
> DEFAULT Auth-Type = ntlm_auth

you don't need to do this. ever. we do PEAP and don't have such a line - in fact, the only time you need to set this is if you need to break the system in a weird way.

> Files /etc/raddb/sites-enable/inner-tunnel and /etc/raddb/sites-enable/default
> authenticate {
>     ntlm_auth
>     ...
> }

no no no. leave the inner-tunnel and default exactly as you found them - it will work out of the box. what guide were you following to get this working? I ask because if there is some document out there then it needs to be taken down.

> [r...@radiusserver etc]# ntlm_auth --request-nt-key --domain=MYDOMAINTEST --username=testuser01 --password=test
> NT_STATUS_OK: Success (0x0)

good, that bit's fine.

> [r...@radiusserver /]# radtest testuser01 test localhost 0 teste123
> Sending Access-Request of id 51 to 127.0.0.1 port 1812
>         User-Name = testuser01
>         User-Password = test
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=51, length=20

and all that's done is a basic PAP test. you'd need to use more advanced tools such as eapol_test from the wpa_supplicant package for actually simulating a standard Windows client that is doing an EAP method - with an EAP test your packets would be proxied into the inner-tunnel virtual server...

alan
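The shape of the configuration Alan describes (both PEAP copy flags set to yes, ntlm_auth driven from the mschap module rather than from a users-file Auth-Type, and inner-tunnel left as shipped), as an added example that is not from the thread and not Kleber's files. It assumes the FreeRADIUS 2.x config layout; the ntlm_auth path is assumed, the domain MYDOMAINTEST is taken from Kleber's test command, and the %{mschap:Challenge} / %{mschap:NT-Response} expansions are the ones the stock modules/mschap file documents.

```unlang
# Added example, not from the thread.  Three fragments of a FreeRADIUS 2.x
# raddb tree for PEAP/MSCHAPv2 against Active Directory via ntlm_auth.
# /usr/bin/ntlm_auth is an assumed path; MYDOMAINTEST comes from Kleber's test.

# --- eap.conf --------------------------------------------------------
eap {
    default_eap_type = peap
    # ... tls { } section with the server certificate, as shipped ...

    peap {
        default_eap_type = mschapv2
        # Kleber had both set to "no".  With "yes", outer request attributes
        # (User-Name, Calling-Station-Id, ...) are visible inside the tunnel,
        # and the inner reply (e.g. VLAN attributes) is copied into the
        # outer Access-Accept.
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        # The inner EAP-MSCHAPv2 conversation is processed by this virtual server.
        virtual_server = "inner-tunnel"
    }
}

# --- modules/mschap ---------------------------------------------------
# The mschap module runs ntlm_auth itself, passing the MS-CHAPv2 challenge
# and response from the EAP exchange.  No "DEFAULT Auth-Type = ntlm_auth"
# in users, and no "ntlm_auth" entry in authenticate { }, is needed.
mschap {
    use_mppe = yes
    require_encryption = yes
    # Windows clients send DOMAIN\user but compute the response over the
    # bare user name; this option compensates for that.
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAINTEST --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# --- sites-enabled/inner-tunnel (left as shipped; shown for orientation)
server inner-tunnel {
    authorize {
        # ... chap, mschap, suffix, eap, files, ... as shipped
        mschap
        eap
    }
    authenticate {
        # The inner EAP-MSCHAPv2 handler calls the mschap module here.
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

With this layout the ntlm_auth test Kleber ran by hand is exactly what the mschap module performs per authentication, and a radtest PAP success tells you nothing about it; eapol_test, as Alan notes, exercises the inner-tunnel path.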
which samba version / patch for Active Directory 2008
Hello,

If someone who has a working freeradius + samba ntlm_auth + AD 2008 setup could let me know which version of samba they are using and which patches, it might help me a great deal.

I have a working configuration freeradius + samba 3.0.37 + Active Directory 2003. Our Active Directory servers are in the process of moving to 2008, and 3.0.37 does not return the correct/same keys when pointed at an upgraded AD server. I have it pointed to our last AD 2003 server and it works there.

I've set up samba 3.4.8 with the patch https://bugzilla.samba.org/attachment.cgi?id=5894 (which needed a little changing to match line number changes). The session keys (if that's what they are) returned by running ntlm_auth on the 2 setups are different (I've put a wrapper script around it so that I can catch them being returned). If I run ntlm_auth repeatedly with the same challenge and nt-response, the ones returned by the broken setup seem to change every few minutes whereas the working one stays the same.

Thanks in advance,
Neil
Re: Ignoring EAP-Type/tls because we do not have OpenSSL support.
Hi,

> The messages keep appearing
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> Ignoring EAP-Type/peap because we do not have OpenSSL support.

I'm not sure which bit of this isn't clear enough? the FreeRADIUS daemon was not built with OpenSSL support - which means that when the ./configure stage was done, either the required libraries weren't present or it was configured with eg --disable-openssl or such. (can't recall the flag off-hand 'cos I've never built it in that way).

if you've installed eg the ssl-dev package AFTER the configure and/or install then things won't be magically working! you must go through the whole configure stage WITH the right libraries installed. that's the runtime OpenSSL stuff AND the development (headers/includes) for OpenSSL.

alan
help in troubleshooting PEAP authentication with XP client
Hi,

Can somebody indicate to me if there is any log that can help me identify the problem with my Windows XP client trying to authenticate to the radius server? I do not know how to interpret the "RADIUS/DECODE: parse response no app start; FAIL", since no communication was established between the AP and the radius server.

Thanks for your help
Stephane

The following is the debug output from the Cisco AP:

    dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.
    *dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078. timer started for 30 seconds
    *dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0012.f078.
    *dot11_auth_dot1x_send_client_fail: Authentication failed for 0012.f078.
    *%DOT11-7-AUTH_FAILED: Station 0012.f078. Authentication failed
    *dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.
    *dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078. timer started for 30 seconds
    *dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 0012.f078.
    *dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.
    *dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078. timer started for 30 seconds
    *dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0012.f078.
    *dot11_auth_dot1x_send_response_to_server: Sending client 0012.f078. data to server
    *dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
    RADIUS/ENCODE(001A):Orig. component type = DOT11
    *RADIUS: AAA Unsupported Attr: ssid [263] 14
    *RADIUS: 4D 6F 6E 6F 6E 63 6C 65 5F 53 74 65 [test]
    *RADIUS: AAA Unsupported Attr: interface [156] 3
    RADIUS: 32 [2]
    RADIUS(001A): Storing nasport 281 in rad_db
    RADIUS(001A): Config NAS IP: 10.5.104.22
    RADIUS/ENCODE(001A): acct_session_id: 26
    RADIUS(001A): sending
    RADIUS/DECODE: parse response no app start; FAIL
    RADIUS/DECODE: parse response; FAIL
    dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0012.f078.
    dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0012.f078.
    dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
    *dot11_auth_dot1x_send_client_fail: Authentication failed for 0012.f078.
    *dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0012.f078.
    dot11_auth_dot1x_send_id_req_to_client: Client 0012.f078. timer started for 30 seconds
Re: which samba version / patch for Active Directory 2008
Hi,

> If someone who has a working freeradius samba ntlm_auth AD 2008 setup
> could let me know which version of samba they are using and which patches
> it might help me a great deal.
>
> I have a working configuration freeradius + samba 3.0.37 + Active
> Directory 2003.

we moved to 2008 last year and kept exactly the same FR/samba setup - ie 3.0.x with no issue. using default CentOS supplied RPM (for SAMBA - we homebuild the FreeRADIUS from source).

alan
Login Incorrect !
Hi guys,

I'm trying to authenticate freeradius against passwd, but I keep getting a "Login Incorrect" error. I'm doing EAP/PEAP mschapv2. I don't know what I'm missing; I can perform a radtest with success.

Here is the output:

    rad_recv: Access-Request packet from host 192.168.0.1 port 2048, id=187, length=232
        User-Name = momo
        NAS-Port = 0
        Called-Station-Id = 00-22-B0-45-DF-69:SapoNet
        Calling-Station-Id = 00-22-FB-73-31-DA
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x02080050190017030100201c877f9482d13faf8e1619e14f1e0d909fa7983b184bb9f05c95a6cb6a845796170301002049a23598867fa02bfcf83108e8cb2130d7ebda59dd41304c300ea048c8bfa68d
        State = 0xad18a6f8aa10bf33ac12d56bfa8b4024
        Message-Authenticator = 0xc8a9f7c084d0b839d9340a38c5e328aa
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[unix] returns updated
    [eap] EAP packet type response id 8 length 80
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] eaptls_verify returned 7
    [peap] Done initial handshake
    [peap] eaptls_process returned 7
    [peap] EAPTLS_OK
    [peap] Session established. Decoding tunneled attributes.
    [peap] Received EAP-TLV response.
    [peap] The users session was previously rejected: returning reject (again.)
    [peap] *** This means you need to read the PREVIOUS messages in the debug output
    [peap] *** to find out the reason why the user was rejected.
    [peap] *** Look for reject or fail. Those earlier messages will tell you.
    [peap] *** what went wrong, and how to fix the problem.
    [eap] Handler failed in EAP/peap
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    Login incorrect: [momo/<via Auth-Type = EAP>] (from client SapoNet port 0 cli 00-22-FB-73-31-DA)
    Delaying reject of request 26 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 26
    Sending Access-Reject of id 187 to 192.168.0.1 port 2048
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
    Waking up in 1.0 seconds.

Here is the conf:

    main {
        user = root
        group = root
        allow_core_dumps = no
    }
    including dictionary file /etc/raddb/dictionary
    main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/radius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/radius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = /var/run/radiusd/radiusd.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
        log {
            stripped_names = no
            auth = yes
            auth_badpass = yes
            auth_goodpass = yes
        }
        security {
            max_attributes = 200
            reject_delay = 1
            status_server = yes
        }
    }
    client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = testing123
        nastype = other
    }
    client 192.168.0.1 {
        require_message_authenticator = no
        secret = teste123
        shortname = SapoNet
        nastype = other
    }
    radiusd: Instantiating modules
    instantiate {
        Module: Linked to module rlm_exec
        Module: Instantiating exec
        exec {
            wait = no
            input_pairs = request
            shell_escape = yes
        }
        Module: Linked to module rlm_expr
        Module: Instantiating expr
        Module: Linked to module rlm_expiration
        Module: Instantiating expiration
        expiration {
            reply-message = Password Has Expired
        }
        Module: Linked to module rlm_logintime
        Module: Instantiating logintime
        logintime {
            reply-message = You are calling outside your allowed timespan
            minimum-timeout = 60
        }
    }
    radiusd: Loading Virtual Servers
    server {
        modules {
            Module: Checking authenticate {...} for more modules to load
            Module: Linked to module rlm_mschap
            Module: Instantiating mschap
            mschap {
                use_mppe = yes
                require_encryption = yes
                require_strong = no
                with_ntdomain_hack = no
            }
            Module: Linked to module rlm_unix
            Module: Instantiating unix
            unix {
                radwtmp = /var/log/radius/radwtmp
            }
            Module: Linked to module rlm_eap
            Module: Instantiating eap
            eap {
                default_eap_type = peap
                timer_expire = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = 4096
            }
            Module: Linked to sub-module rlm_eap_md5
            Module: Instantiating eap-md5
            Module: Linked to sub-module rlm_eap_leap
            Module: Instantiating eap-leap
            Module: Linked to sub-module rlm_eap_tls
            Module: Instantiating eap-tls
            tls {
                rsa_key_exchange = no
                dh_key_exchange = yes
                rsa_key_length = 512
                pem_file_type = yes
                private_key_file = /etc/raddb/certs/server.pem
                certificate_file = /etc/raddb/certs/server.pem
                CA_file = /etc/raddb/certs/ca.pem
                private_key_password = whatever
                dh_file = /etc/raddb/certs/dh
                random_file =
Re: Login Incorrect !
Paulo Maia wrote:
> I'm trying to authenticate freeradius against passwd, but I keep getting a
> Login Incorrect error. I'm doing EAP/PEAP mschapv2. I don't know what I'm
> missing. I can perform a radtest with success. Here is the output

Which you need to read. The debug output you posted to the list contains instructions which tell you how to solve the problem.

Alan DeKok.
Freeradius + MySql + Wireless Clients without certificates
Hi,

I'd like to know if there is a way to configure a Radius server + MySQL to authenticate wireless clients via a Cisco AP without certificates (EAP-TLS), only a username and password.

Thanks

--
Esteban Talavera
Cisco AP + MySql + EAPTLS
Hi,

I have installed freeradius recently with MySQL and tested it with success to authenticate VTY sessions on Cisco routers and switches. However, my configuration with EAP-TLS is not working properly. I use a Cisco AP.

I create and copy the certificates to a Windows XP SP3 laptop to test if everything is OK, but in freeradius -X mode I get a lot of messages and none gives me the reason for the problem. The AP says authentication failed, and the Radius server sends the challenge and waits, and later cleans all requests and becomes ready to process requests.

Here is a portion of the output of the radius activity. It appears that the certificates are accepted, but the XP station continues trying to authenticate.

THANKS

    ======================================================================
    rad_recv: Access-Request packet from host 10.10.10.5 port 1645, id=16, length=176
        User-Name = prue...@mydomain
        Framed-MTU = 1400
        Called-Station-Id = a8b1.d422.d432
        Calling-Station-Id = 0019.d20c.4ed4
        Service-Type = Login-User
        Message-Authenticator = 0x7c4ac4a412db3b9cfba443de50792eed
        EAP-Message = 0x0202001b01707275656261314062616e636f706c617a612e636f6d
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 19153
        NAS-Port-Id = 19153
        NAS-IP-Address = 10.10.10.5
        NAS-Identifier = AP_CISCO
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] Looking up realm mydomain.com for User-Name = prue...@mydomain
    [suffix] No such realm mydomain
    ++[suffix] returns noop
    [eap] EAP packet type response id 2 length 27
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[unix] returns notfound
    ++[files] returns noop
    [sql] expand: %{User-Name} -> prue...@mydomain
    [sql] sql_set_user escaped user --> 'prue...@mydomain'
    rlm_sql (sql): Reserving sql socket id: 4
    [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'prue...@mydomain' ORDER BY id
    [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'prue...@mydomain' ORDER BY priority
    [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'TI' ORDER BY id
    [sql] User found in group TI
    [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'TI' ORDER BY id
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] returns handled
    Sending Access-Challenge of id 16 to 10.10.10.5 port 1645
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0x765770697654693c62d8b4b34c9394a6
    Finished request 0.
    Going to the next request
    .
    .
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns noop
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/tls
    [eap] processing type tls
    [tls] Authenticate
    [tls] processing EAP-TLS
    TLS Length 70
    [tls] Length Included
    [tls] eaptls_verify returned 11
    [tls] (other): before/accept initialization
    [tls] TLS_accept: before/accept initialization
    [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
    [tls] TLS_accept: SSLv3 read client hello A
    [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
    [tls] TLS_accept: SSLv3 write server hello A
    [tls] >>> TLS 1.0 Handshake [length 05c7], Certificate
    [tls] TLS_accept: SSLv3 write certificate A
    [tls] >>> TLS 1.0 Handshake [length 0082], CertificateRequest
    [tls] TLS_accept: SSLv3 write certificate request A
    [tls] TLS_accept: SSLv3 flush data
    [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
    [tls] eaptls_process returned 13
    ++[eap] returns handled
    Sending Access-Challenge of id 18 to 10.10.10.5 port 1645
    .
    .
    .
    [tls] --> verify return:1
    [tls] TLS_accept: SSLv3 read client certificate A
    [tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    [tls] TLS_accept: SSLv3 read client key exchange A
    [tls] <<< TLS 1.0 Handshake [length 0086], CertificateVerify
    [tls] TLS_accept: SSLv3 read certificate verify A
    [tls]
Re: Freeradius + MySql + Wireless Clients without certificates
Hi Esteban,

this can be done via EAP-PEAP or EAP-TTLS, but not directly via TLS.

Regards,
Marten Pape

Esteban TALAVERA wrote:
> Hi
> I´ll like to know if there is a way to configurates a Radius server +
> Mysql to authenticate Wireless clients via a Cisco AP without
> certificates (EAP TLS), only a username and password
> Thanks
> --
> Esteban Talavera
Re: Freeradius + MySql + Wireless Clients without certificates
Hi Marten,

You mean that configuring freeradius for EAP-PEAP it's not necessary to create certificates? Is it possible to use it with a Cisco AP as NAS?

Thanks

On Mon, Sep 13, 2010 at 6:23 PM, Marten Pape <marten.p...@pape-hn.de> wrote:
> Hi Esteban,
> this can be done via EAP-PEAP or EAP-TTLS, but not directly via TLS.
>
> Regards,
> Marten Pape
>
> Esteban TALAVERA wrote:
>> Hi
>> I´ll like to know if there is a way to configurates a Radius server +
>> Mysql to authenticate Wireless clients via a Cisco AP without
>> certificates (EAP TLS), only a username and password
>> Thanks
>> --
>> Esteban Talavera

--
Esteban Talavera
Proyectos ITW
Tel. +(58)212 7623035  +(58)212 7620504
Cel. +(58)412 2892006
Fax +(58)212 7615965
Re: Cisco AP + MySql + EAPTLS
Esteban TALAVERA wrote:
> I create and copy the certificates to a Windows XP SP3 laptop to test if
> everything is OK, but in freeradius -X mode I got a lot of message and
> none give me the reason of the problem. The AP says authentication failed
> and the Radius server sends the challenge an wait, and later clean all
> request an becomes ready to process requests.

This problem is in the FAQ. See also the comments in eap.conf. For a complete EAP howto, see http://deployingradius.com

Alan DeKok.
Re: ippool and cache-size
Konstantin Chekushin wrote:
> Thanks for advice, but I am using database for main solution (I've written
> my module for this issue, which uses rlm_sql functions for sql logic). And
> I want to use file-based for redundancy only.
>
> So, the main question - what will happen if the query cache is smaller
> than the ip-range? I have made a simple test, when ip-range is 90 IPs, and
> cache is 10. It looks like it works fine.

If it works...

Alan DeKok.