Re: radutmp only show one user
= /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (pre_proxy_log)
 detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication 12.12.12.40:1812
Listening on accounting 12.12.12.40:1813
Listening on proxy 12.12.12.40:1814
Ready to process requests.
rad_recv: Access-Request packet from host 12.12.12.20:21647, id=3, length=172
	Cisco-AVPair = client-mac-address=0018.7170.f202
	Framed-Protocol = PPP
	User-Name = daxocam
	User-Password = hola
	NAS-Port-Type = Virtual
	Cisco-NAS-Port = 0/0/1/130
	NAS-Port = 0
	NAS-Port-Id = 0/0/1/130
	Service-Type = Framed-User
	NAS-IP-Address = 12.12.12.20
	Acct-Session-Id = 0C0C0C1405000389
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/var/log/radius/radacct/12.12.12.20/auth-detail-20101006'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/12.12.12.20/auth-detail-20101006
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module attr_filter returns noop for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = daxocam, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry daxocam at line 5
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
  Processing the session section of radiusd.conf
modcall: entering group session for request 0
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: 'daxocam'
  modcall[session]: module radutmp returns ok for request 0
modcall: leaving group session (returns ok) for request 0
Login OK: [daxocam] (from client cisco_pruebas port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
  modcall[post-auth]: module dani_pool returns noop for request 0
rlm_ippool: Searching for an entry for nas/port: 12.12.12.20/0
rlm_ippool: Searching for an entry for nas/port: 12.12.12.20/0
rlm_ippool: Allocating ip to nas/port: 12.12.12.20/0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.130.0.83 to client on nas 12.12.12.20,port 0
  modcall[post-auth]: module main_pool returns ok for request 0
radius_xlat: '/var/log/radius/radacct/12.12.12.20/reply-detail-20101006'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/12.12.12.20/reply-detail-20101006
  modcall[post-auth]: module reply_log returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 3 to 12.12.12.20 port 21647
	Framed-IP-Address = 10.130.0.83
	Framed-IP-Netmask = 255.255.255.0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 12.12.12.20:21647, id=4, length=210
	Acct-Session-Id = 0C0C0C1405000389
	Cisco-AVPair = client-mac-address=0018.7170.f202
	Framed-Protocol = PPP
	User-Name = daxocam
	Cisco-AVPair = connect-progress=Call Up
	Acct-Authentic = RADIUS
	Acct-Status-Type = Start
	NAS-Port-Type = Virtual
	Cisco-NAS-Port = 0/0/1/130
	NAS-Port = 0
	NAS-Port-Id = 0/0/1/130
	Service-Type = Framed-User
	NAS-IP-Address = 12.12.12.20
	Event-Timestamp = Oct  6 2010 08:42:08 CEST
	Acct-Delay-Time = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 1
  modcall[preacct]: module preprocess returns noop for request 1
rlm_acct_unique: Hashing 'Cisco-AVPair = client-mac-address=0018.7170.f202,NAS-Port = 0,Client-IP-Address = 12.12.12.20,NAS-IP-Address = 12.12.12.20,Acct-Session-Id = 0C0C0C1405000389,User-Name = daxocam'
rlm_acct_unique: Acct-Unique-Session-ID = a0be1505d293aa2d.
  modcall[preacct]: module acct_unique returns ok for request 1
    rlm_realm: No '@' in User-Name = daxocam, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop
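An added example, not part of the thread above, that shows the one detail in this debug output worth looking at for the "only one user in radutmp" symptom. The Cisco NAS sends NAS-Port = 0 for its virtual PPP port and keeps the real port in Cisco-NAS-Port / NAS-Port-Id; rlm_ippool visibly searches on "nas/port: 12.12.12.20/0", and rlm_radutmp finds a session slot by the same NAS-IP-Address + NAS-Port pair. If every session from that NAS arrives with NAS-Port = 0, each Accounting Start lands in the same slot and overwrites the previous one. The script parses radiusd -X style lines (the two Starts below are constructed for the demo, not the poster's log) and replays them into a radutmp-like table, first keyed the way radutmp keys, then keyed on NAS-Port-Id for comparison.

```python
import re

# Constructed sample: two Accounting Starts from the same NAS, both with NAS-Port = 0,
# differing only in user, session id and NAS-Port-Id. Mimics radiusd -X formatting.
SAMPLE_DEBUG = """
rad_recv: Accounting-Request packet from host 12.12.12.20:21647, id=4, length=210
    Acct-Session-Id = 0C0C0C1405000389
    User-Name = daxocam
    Acct-Status-Type = Start
    NAS-Port = 0
    NAS-Port-Id = 0/0/1/130
    NAS-IP-Address = 12.12.12.20
rad_recv: Accounting-Request packet from host 12.12.12.20:21647, id=5, length=210
    Acct-Session-Id = 0C0C0C140500038A
    User-Name = otheruser
    Acct-Status-Type = Start
    NAS-Port = 0
    NAS-Port-Id = 0/0/1/131
    NAS-IP-Address = 12.12.12.20
"""

PACKET_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+):\d+, id=(\d+)")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")


def parse_debug(text):
    """Split radiusd -X style output into one {attribute: value} dict per packet."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            packets.append({"_code": m.group(1), "_id": int(m.group(3))})
            continue
        m = ATTR_RE.match(line)
        if m and packets:
            packets[-1][m.group(1)] = m.group(2).strip()
    return packets


def radutmp_table(packets, key_attr="NAS-Port"):
    """Replay Accounting Starts into a radutmp-like table.

    rlm_radutmp locates a slot by (NAS-IP-Address, NAS-Port); key_attr lets the
    demo switch to NAS-Port-Id to show what distinct keys would give. A later
    Start with the same key overwrites the earlier one, exactly like the file."""
    table = {}
    for p in packets:
        if p.get("_code") != "Accounting-Request":
            continue
        if p.get("Acct-Status-Type") != "Start":
            continue
        key = (p["NAS-IP-Address"], p.get(key_attr))
        table[key] = (p["User-Name"], p["Acct-Session-Id"])
    return table


if __name__ == "__main__":
    pkts = parse_debug(SAMPLE_DEBUG)
    print("keyed on NAS-Port:   ", radutmp_table(pkts))
    print("keyed on NAS-Port-Id:", radutmp_table(pkts, key_attr="NAS-Port-Id"))
```

With the NAS-Port key the table holds a single entry (the second Start replaced the first); with NAS-Port-Id both sessions survive. If that matches what your NAS does, the usual cure is to give each session a distinct NAS-Port before radutmp runs (for instance by rewriting NAS-Port in preacct from NAS-Port-Id), which is an editor's suggestion and not something the truncated thread confirms.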
RE: Check multiple attributes for one user
Hello,

I figured out what was wrong: you need to enable some additional parameters in eap.conf to copy the request and reply into the tunnel. So set copy_request_to_tunnel and use_tunneled_reply to yes in the ttls and peap sections, then it all works fine.

Kind regards,
Krijn Tanis
WiMood

-----Original Message-----
From: freeradius-users-bounces+krijntanis=wimood...@lists.freeradius.org [mailto:freeradius-users-bounces+krijntanis=wimood...@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Tuesday, 5 October 2010 12:07
To: FreeRadius users mailing list
Subject: Re: Check multiple attributes for one user

Hi,

> I only enabled SQL in inner-tunnel section authorize. It is not possible to enable it in authenticate, I get error: oops.

yes. silly me. you cannot authenticate because its a query not challenge method.

okay, well, inner-tunnel EAP section doesn't have a Cleartext-Password for your user - are your authorize queries okay in dialup.conf?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WiMax VSA Support
Hi Alan,

Thank you for your quick response. We have already checked the dictionary and found that the wimax dictionary is available in the freeradius server. Actually we are using Freeradius server 2.1.9 with an Alvarion base-station and Alvarion ASN GW.

Initially we created a service profile in the Alvarion ASN GW for the user test using their management software 'AlvariStar'. And the 'users' file in freeradius has been updated to add the user test as follows,

test    Cleartext-Password := test, Auth-Type = Local
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.0.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Filter-Id = servprof2

where servprof2 is the name of the service profile created in the Alvarion ASN GW. In this case the authentication was successful and the MS has got the IP as well.

Then we tried to create the service profile for the user test from Freeradius by using WiMAX attributes found in the file 'dictionary.wimax'. The entries for the user in the 'users' file are as shown below.

test    Cleartext-Password := test, Auth-Type = Local
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.0.33,
        Framed-IP-Netmask = 255.255.255.0,
        WiMAX-Service-Profile-Id = 1,
        WiMAX-Media-Flow-Type = Streaming-Video,
        WiMAX-Schedule-Type = Best-Effort,
        WiMAX-QoS-Id = 01,
        WiMAX-Media-Flow-Type = Robust-Browser,
        WiMAX-Traffic-Priority = 0,
        WiMAX-Maximum-Sustained-Traffic-Rate = 512000

In this case Freeradius has sent the Access-Accept, but the authentication process is not successful and the MS is showing an error message "EAP supplicant transferring error".

I hope you understand the problem.

Regards,
Anup

> Anup wrote:
>> Hi, I would like to know whether latest Freeradius version has the support for WiMax VSAs?
>
> The server comes with documentation and dictionary files. Please read them.
>
>> Also please tell me how to send the WiMAX Qos Descriptors in Access-Accept
>
> VSAs are just attributes. They can be added / edited like anything else.
>
> Alan DeKok.
Re: dynamic clients and nas-type
On Wed, Oct 6, 2010 at 6:35 PM, Alan DeKok al...@deployingradius.com wrote:

> Peter Lambrechtsen wrote:
>> I'm trying to setup my dynamic clients and specify a nas-type. In my dynamic-clients I have:
>> ...
>> Then in my sites-enabled/default in the authorize section I have:
>
> A completely independent virtual server. The only way for the two virtual servers to communicate is by having one store attributes in a database, and then the other reads the database.

Ahh ok, thanks for that. I was wondering why I could use the %Client-Shortname, and not the NAS-Type. That explains it. I'll stick with just using Client-Shortname, as that gives me all I need so far.

Cheers again.

Peter
HOWTO: Centralised LDAP Authentication - Part 2 - Using dynamic-clients instead of huntgroups
Following on from my previous post on Centralised LDAP Auth:
http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html

I've found that using dynamic-clients gives me a few advantages over using huntgroups.

1) Dynamic Clients allows you to have per-NAS shared secrets stored in LDAP (or SQL) instead of having a whole network with the same shared secret. This way you have better pseudo security by being able to set a password for each individual NAS element.

2) Reduced LDAP queries due to dynamic-client's caching of the query results. This also helps to remove one extra query against the LDAP database, since the client is cached in radiusd's memory.

So to set it up it's the same configuration as specified in the above post, with the following differences:

Element Setup:

It's the same apart from now you need to add a second value to each element for the Shared Secret password. In the cases below I use the ou or Department attribute.

---
OU=Elements,OU=Radius,DC=ACME,DC=COM

Elements will hold a record of every NAS in your network. You will create Group objects based on the IP address of the NAS and set the Location or l attribute to the NAS huntgroup the NAS belongs to, to allow them to be centrally managed in LDAP.

IE CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM with an l value of CiscoRTR for a Cisco router that has a NAS-IP-Address or Source-IP-Address of 10.1.2.3. This will make more sense further on. And with an ou value of the shared secret password for the NAS element, ie password.
---

FILE: /etc/raddb/clients.conf

Don't need to make any changes to this file anymore.

With the default config you will need to copy or symlink the dynamic-clients file into the sites-enabled directory. The easiest way is to symlink:

cd /etc/raddb/sites-enabled
ln -s ../sites-available/dynamic-clients dynamic-clients

Now modify the dynamic-clients file:

FILE: /etc/raddb/sites-available/dynamic-clients

client dynamic {
	# Include all IPs in the dynamic clients range
	ipaddr = 0.0.0.0
	netmask = 0
	dynamic_clients = dynamic_client_server
	lifetime = 86400
}

server dynamic_client_server {
	authorize {
		# Do an LDAP lookup in the Elements OU: check whether the
		# Packet-Src-IP-Address object has an ou attribute, and if it does, continue.
		if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
			update control {
				FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
				# Set the Client-Shortname from the Location (l), just like
				# the huntgroup name before, but this time as the shortname.
				FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
				# NAS-Type can't be used, so no point including it.
				#FreeRADIUS-Client-NAS-Type = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?o?sub?cn=%{Packet-Src-IP-Address}}"
				# Look up and set the shared secret from the ou attribute.
				FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
			}
		}
		ok
	}
}

- END

FILE: /etc/raddb/sites-enabled/default

Instead of setting the Huntgroup, set the FreeRADIUS client name, so change:

update request {
	Huntgroup-Name := "%{ldap:ldap:///ou=Elements,ou=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
}

to

update request {
	Client-Shortname := "%{Client-Shortname}"
}

so that Client-Shortname is available in this virtual server, and make all the same changes in the default file as per the above post.

Now lastly the changes in the users file to perform the lookup. Change:

DEFAULT	Huntgroup-Name == Junipers, Ldap-Group == "cn=JuniperAdmin,ou=Roles,ou=Radius,DC=ACME,DC=COM"

to

DEFAULT	Client-Shortname == Junipers, Ldap-Group == "cn=JuniperAdmin,ou=Roles,ou=Radius,DC=ACME,DC=COM"

and all the same settings as per the previous post.

This way you still have the advantages of per-NAS authentication, and now you can also set passwords per NAS, with less unnecessary traffic to the LDAP server. A win win all around.

Alan, do you want me to turn this into a Wiki entry???
RE: WiMax VSA Support
Anup,

You have to configure the radius server to use the inner-tunnel.

Which version of the 4-Motion software are you using on your system?

David
RE: WiMax VSA Support
Hi David,

1) > You have to configure the radius server to use the inner-tunnel.

Following are the entries in the eap.conf file.

	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
		virtual_server = inner-tunnel
	}

I hope this is what you meant by "configure inner-tunnel in radius server". Actually, the FreeRadius server is sending the Access-Accept with all WiMAX attributes for the user as we have given in the users file. But I think the Alvarion ASN Gateway is not handling or recognizing what we are sending.

2) > Which version of the 4-Motion software are you using on your system?

We are using 4motion Release 2.5M1.

Regards
Anup
RE: WiMax VSA Support
I have not had any issues with 2.5 though 3.0 is giving me fits. Your eap configuration looks ok, check sites-available/inner-tunnel and make sure you have all of the wimax entries uncommented.

David
Re: WiMax VSA Support
Anup krishnan A wrote:
> Then we tried to create the service profile for the user test from the Freeradius by using WiMAX attributes found in the file dictionary.wimax'. The entries for the user in the 'users' file is as shown below.
> ...
> In this case Freeradius has sent the Access-Accept, but the authentication process is not successful and MS is showing an error message as EAP supplicant transferring error.

  Well.. blame the NAS. If the Access-Accept is returned and the user isn't accepted on the network, it is *not* the fault of the RADIUS server.

  Some versions of Alvarion had inventive ways of implementing the standards. i.e. they didn't work. Newer versions (last 4-6 months) should be better.

  Alan DeKok.
Re: Disabling users/hosts
Ramon Escriba wrote:
> Hi List,
> It's a bit naive question, just to keep concepts clear. I want to use the dialupAccess attribute to enable or disable one user/host to login. So if dialupAccess : disabled, the user/host is rejected.
> ...
> Matchs the idea?, or should be done in a different way?

  It's what's in the FAQ as the suggested way to implement a "disabled" group.

  Alan DeKok.
Re: Optional authorize methode
Ricardo Frías Alvarez wrote:
> Hello!
> I don't know how to configure Radius to do this: I want that radius accepts the access, if files or ldap returns ok. In descriptive code:
>
>   IF files return 'OK' THEN access-accept
>   ELSE IF ldap return 'OK' THEN access-accept
>   ELSE access-reject

  You can implement this pretty much like that via unlang.

> After I saw the documentation, I thought that I can do this with fail-over and I add this code to sites-enabled/default:
> ...
> With this configuration it's happening the following: If files return OK the username/password are accepted. If files return fail username/password are rejected directly.

  Except that the files module never returns "fail". See the source code.

> This is not what I want. I want that if files fail then check ldap. How I can configure radius to implement this functionality?

authorize {
	...
	files
	if (notfound) {
		ldap
		if (notfound) {
			reject
		}
	}
	...
}

  Alan DeKok.
RE: Disabling users/hosts
Sorry for the stupid question. I made a mistake in ldap: I put "disable" not "disabled" in one attribute. So the disabled user was logging in normally and I was completely puzzled. Looking more carefully at the logs I realized it.

Thanks.

-----Original Message-----
From: freeradius-users-bounces+escriba=cells...@lists.freeradius.org [mailto:freeradius-users-bounces+escriba=cells...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, 06 October 2010 16:40
To: FreeRadius users mailing list
Subject: Re: Disabling users/hosts
RE: WiMax VSA Support
That service profile does not look at all correct. It's a mixed bag of pre-provisioned services and AAA provisioned services. Here is a sample service definition that works with our ASN-GW:

	WiMAX-QoS-Id := 101
	WiMAX-Service-Class-Name := DATA
	WiMAX-Schedule-Type := Best-Effort
	WiMAX-Traffic-Priority := 1
	WiMAX-Maximum-Sustained-Traffic-Rate := 512000
	WiMAX-Reduced-Resources-Code := 1
	WiMAX-QoS-Id += 102
	WiMAX-Service-Class-Name += DATA
	WiMAX-Schedule-Type += Best-Effort
	WiMAX-Traffic-Priority += 1
	WiMAX-Maximum-Sustained-Traffic-Rate += 20971520
	WiMAX-Reduced-Resources-Code += 1

We're using Wichorus, but in working with other vendors and service providers in the past who were using the Alvarion ASN-GW I don't recall that there were significant differences in QOS assignment at least. Looking back through my notes it does appear that most of them were using the proprietary Filter-ID method of service assignment. Using the Filter-Id might help rule out any strange EAP issues.

Studying the table of attributes in the WiMAX forum stage three docs (Tables in section 5) also helps explain which TLVs are required and which are not when generating the appropriate responses.

Ben
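An added example, not from Ben's post, of the one thing his service definition relies on that Anup's entry does not: the operator on each reply item. In the users file `:=` replaces any reply attribute of that name, `+=` appends a second instance, and a bare `=` adds the attribute only when no attribute of that name is already in the reply. That is why the second descriptor above uses `+=` throughout; and it is why Anup's two `WiMAX-Media-Flow-Type = ...` lines cannot both reach the Access-Accept, since the second is silently dropped. The script is a small model of that reply-list behaviour (not rlm_files itself) run over both definitions as posted.

```python
import re

# Ben's working definition and Anup's entry, copied from the thread above.
BEN_DEFINITION = """
WiMAX-QoS-Id := 101
WiMAX-Service-Class-Name := DATA
WiMAX-Schedule-Type := Best-Effort
WiMAX-Traffic-Priority := 1
WiMAX-Maximum-Sustained-Traffic-Rate := 512000
WiMAX-Reduced-Resources-Code := 1
WiMAX-QoS-Id += 102
WiMAX-Service-Class-Name += DATA
WiMAX-Schedule-Type += Best-Effort
WiMAX-Traffic-Priority += 1
WiMAX-Maximum-Sustained-Traffic-Rate += 20971520
WiMAX-Reduced-Resources-Code += 1
"""

ANUP_WIMAX_ENTRY = """
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 192.168.0.33,
Framed-IP-Netmask = 255.255.255.0,
WiMAX-Service-Profile-Id=1,
WiMAX-Media-Flow-Type=Streaming-Video,
WiMAX-Schedule-Type = Best-Effort,
WiMAX-QoS-Id=01,
WiMAX-Media-Flow-Type=Robust-Browser,
WiMAX-Traffic-Priority=0,
WiMAX-Maximum-Sustained-Traffic-Rate=512000
"""

ITEM_RE = re.compile(r"^([\w-]+)\s*(:=|\+=|==|=)\s*(.*)$")


def parse_items(text):
    """Turn 'Attribute op value' lines (trailing commas allowed) into (attr, op, value)."""
    items = []
    for raw in text.strip().splitlines():
        line = raw.strip().rstrip(",").strip()
        if not line or line.startswith("#"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse reply item: {raw!r}")
        items.append((m.group(1), m.group(2), m.group(3).strip()))
    return items


def apply_reply_items(items, reply=None):
    """Model of how users-file reply items build the reply list:
       '='  add only if no attribute of that name is present yet
       ':=' remove every existing attribute of that name, then add this one
       '+=' append, keeping whatever is already there
    Returns an ordered list of (attribute, value)."""
    reply = list(reply or [])
    for attr, op, value in items:
        if op == "=":
            if not any(a == attr for a, _ in reply):
                reply.append((attr, value))
        elif op == ":=":
            reply = [(a, v) for a, v in reply if a != attr]
            reply.append((attr, value))
        elif op == "+=":
            reply.append((attr, value))
        else:
            raise ValueError(f"{op!r} is a check-item operator, not valid on a reply item")
    return reply


def values_of(reply, attr):
    return [v for a, v in reply if a == attr]


if __name__ == "__main__":
    ben = apply_reply_items(parse_items(BEN_DEFINITION))
    print("Ben: QoS-Ids in reply:", values_of(ben, "WiMAX-QoS-Id"))
    anup = apply_reply_items(parse_items(ANUP_WIMAX_ENTRY))
    print("Anup: Media-Flow-Types in reply:", values_of(anup, "WiMAX-Media-Flow-Type"))
```

Run over Ben's definition the reply carries both QoS-Ids, 101 and 102, with all twelve attributes present; run over Anup's entry only Streaming-Video survives and the Robust-Browser line never leaves the server. Whether the ASN-GW then accepts the descriptor is, as Alan says, a NAS question, but the operator is the first thing to get right before blaming it.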
PEAP w/ freeradius to LDAP storing ntPassword
Hi All,

We are trying to use ldap as the backend database for dot1x peap authentication through freeradius. The following link has a good explanation.

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

But do we really need both ntpassword and lmpassword in the ldap directory? How does the process work regarding ntpassword authentication? Is the following sequence in the right direction?

- windows client sends username and ntpassword to NAS
- NAS sends the username/ntpassword to radius in a tunnel
- radius unwraps the tunnel, uses the username to fetch the ntpassword from ldap, does a comparison of the ldap-returned ntpassword and the unwrapped ntpassword, and if they are the same, authentication is accepted.

Thanks,

Schilling
Re: PEAP w/ freeradius to LDAP storing ntPassword
schilling wrote:
> We are trying to use ldap as backend database for dot1x peap authentication thru freeradius. The following link has good explanation.
> http://vuksan.com/linux/dot1x/802-1x-LDAP.html

  Note it's 5 years old...

> But do we really need both ntpassword and lmpassword in the ldap directory?

  No.

> windows client send username and ntpassword to NAS
> NAS send the username/ntpassword to radius in a tunnel
> radius unwrap the tunnel, using the username to fetch the ntpassword from ldap, do a comparison of ldap returned ntpassword and unwrapped ntpassword, if they are the same, authentication accept.

  No. It's a *lot* more complicated than that.

  All you need to do is to uncomment "ldap" in raddb/sites-available/inner-tunnel, and it should work.

  Alan DeKok.
Re: PEAP w/ freeradius to LDAP storing ntPassword
There is smbencrypt in radius-utils to generate the LM Hash and NT Hash. Any known good Perl script to do this?

sd...@palm:/usr/bin$ smbencrypt schilling
LM Hash                          NT Hash
D134D8CD21607749DD4218F5E59DD23A AF8AC3EF6579FC768515F960FB2096AC

Then which one is required? Any format requirement in the LDAP? Or just copy the 32 characters and put them in the LDAP?

Thanks.
Schilling

On Wed, Oct 6, 2010 at 2:19 PM, Alan DeKok al...@deployingradius.com wrote:
> schilling wrote:
> > We are trying to use ldap as backend database for dot1x peap authentication thru freeradius. The following link has good explanation.
> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
>
>   Note it's 5 years old...
>
> > But do we really need both ntpassword and lmpassword in the ldap directory?
>
>   No.
>
> > windows client send username and ntpassword to NAS
> > NAS send the username/ntpassword to radius in a tunnel
> > radius unwrap the tunnel, using the username to fetch the ntpassword from ldap, do a comparison of ldap returned ntpassword and unwrapped ntpassword, if they are the same, authentication accept.
>
>   No. It's a *lot* more complicated than that.
>
>   All you need to do is to uncomment ldap in raddb/sites-available/inner-tunnel, and it should work.
>
>   Alan DeKok.
Free Radius , how to make it work with dynamic clients
Hello,

I want to make FreeRADIUS work with a dynamic set of clients:
- Clients will have a specific range (not just any client)
- Clients will have some shared secret.

Can it do the 2 objectives listed above? I know there is a macro WITH_DYNAMIC_CLIENTS, but after compiling with WITH_DYNAMIC_CLIENTS defined, what else do I need to configure and how do I run it? I am not very sure.

Regards,
Rajendra Hegde
Software Developer
CRYPTOCard Inc
Website: www.cryptocard.com
Re: Free Radius , how to make it work with dynamic clients
Read sites-available/dynamic-clients; you can base all your dynamic shared secrets on the IP address of the NAS.

Assuming you are talking about having dynamic NASes (RADIUS clients) vs. dynamic 802.1x workstations connecting to a static list of NASes or switches. Using IP address pools.

On Thu, Oct 7, 2010 at 9:09 AM, Rajendra Hegde rajendra.he...@cryptocard.com wrote:
> Hello,
>
> I want to make free radius work with dynamic set of clients
> - Clients will have specific range (not just any client)
> - Clients will have some shared secret.
>
> Can it do 2 objectives listed above? I know there is a macro WITH_DYNAMIC_CLIENTS, But after compiling it with having defined WITH_DYNAMIC_CLIENTS, What else I need to configure and how to run, not very sure.
>
> Regards,
> Rajendra Hegde
> Software Developer
> CRYPTOCard Inc
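As an added illustration of what the reply points at (this is not the file shipped in raddb/sites-available, and not part of the thread): a minimal dynamic-clients setup in FreeRADIUS 2.x configuration syntax, in which a client definition covers a whole address range and a virtual server hands back the shared secret for each NAS the first time a packet arrives from it. The range 192.0.2.0/24, the address 192.0.2.10, the secret string and the virtual-server name are placeholders chosen for this example; the FreeRADIUS-Client-* attributes are the ones the dynamic-clients site uses, but compare them against the file shipped with your version.

```conf
# Added example, not the stock sites-available/dynamic-clients file.
# 192.0.2.0/24, 192.0.2.10, the secret and "dynamic_clients" are placeholders.

# A "template" client for the allowed range. Packets from addresses inside it
# that do not match a static client trigger the virtual server named below.
client dynamic-nas-range {
	ipaddr = 192.0.2.0
	netmask = 24
	dynamic_clients = dynamic_clients
	lifetime = 3600        # seconds a learned client definition is cached
}

# Consulted once per unknown NAS address, not once per request. It must set the
# FreeRADIUS-Client-* control attributes and return "ok" for the client to be created.
server dynamic_clients {
	authorize {
		# Derive the secret from the source IP; a files/sql lookup that sets
		# the same control attributes works the same way.
		if (Packet-Src-IP-Address == 192.0.2.10) {
			update control {
				FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
				FreeRADIUS-Client-Secret = "placeholder-secret-for-192.0.2.10"
				FreeRADIUS-Client-Shortname = "nas-%{Packet-Src-IP-Address}"
				FreeRADIUS-Client-NAS-Type = "other"
			}
			ok
		}
		else {
			# Address inside the range but not known: do not define a client,
			# so its packets keep being dropped as "unknown client".
			reject
		}
	}
}
```

The point of the `else { reject }` branch is that the range only bounds which addresses may be learned; each NAS still needs its own secret to be found, otherwise anything inside the range would be accepted as a client.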
Re: PEAP w/ freeradius to LDAP storing ntPassword
2010/10/6 schilling schilling2...@gmail.com:
> There is smbencrypt radius-utils to generate LM Hash and NT Hash, Any known good perl script to do this?

You can use Crypt::SmbHash (from CPAN).

> sd...@palm:/usr/bin$ smbencrypt schilling
> LM Hash                          NT Hash
> D134D8CD21607749DD4218F5E59DD23A AF8AC3EF6579FC768515F960FB2096AC
>
> Then which one is required?

NT Hash is required.

> Any format requirement in the ldap? Or just copy the 32 character and put in the ldap?

Just put the NT Hash in the sambaNTPassword field in LDAP.
Re: WiMax VSA Support
Hi Ben,

Thank you for your response. When we give the service profile name that we have already created in the Alvarion ASN using Alvaristar in the Filter-Id attribute from FreeRADIUS, there is no problem and the MS gets registered. But once we try to create the service profile from FreeRADIUS using WiMAX VSAs, the MS shows an error like "EAP Supplicant Transferring error". The sequence of events in FreeRADIUS is given below. We can't understand what the problem is, please help me.

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.0.1 port 1812, id=100, length=162
        User-Name = {am=1}a...@local
        EAP-Message = 0x02010015017b616d3d317d61626364404c4f43414c
        Message-Authenticator = 0x3541ac93ba7d124888516834ede1203d
        NAS-Identifier = 172.16.0.1
        NAS-IP-Address = 172.16.0.1
        Calling-Station-Id = 00-17-C4-9B-B5-84
        WiMAX-BS-Id = 0x020202060606
        NAS-Port-Type = 27
        Framed-MTU = 2000
        Service-Type = Framed-User
        WiMAX-GMT-Timezone-offset = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[wimax] returns ok
[suffix] Looking up realm LOCAL for User-Name = {am=1}a...@local
[suffix] Found realm LOCAL
[suffix] Adding Stripped-User-Name = {am=1}abcd
[suffix] Adding Realm = LOCAL
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 100 to 172.16.0.1 port 1812
        EAP-Message = 0x01020016041053537331a80b9f8efd10896d82b93c8e
        Message-Authenticator = 0x
        State = 0x07d1252d07d3218fa467b7478824e818
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.0.1 port 1812, id=101, length=165
        User-Name = {am=1}a...@local
        EAP-Message = 0x020200060315
        Message-Authenticator = 0xea259fffd4374457c675b9ae07f3564b
        NAS-Identifier = 172.16.0.1
        NAS-IP-Address = 172.16.0.1
        Calling-Station-Id = 00-17-C4-9B-B5-84
        WiMAX-BS-Id = 0x020202060606
        NAS-Port-Type = 27
        Framed-MTU = 2000
        Service-Type = Framed-User
        WiMAX-GMT-Timezone-offset = 0
        State = 0x07d1252d07d3218fa467b7478824e818
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[wimax] returns ok
[suffix] Looking up realm LOCAL for User-Name = {am=1}a...@local
[suffix] Found realm LOCAL
[suffix] Adding Stripped-User-Name = {am=1}abcd
[suffix] Adding Realm = LOCAL
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 101 to 172.16.0.1 port 1812
        EAP-Message = 0x010300061520
        Message-Authenticator = 0x
        State = 0x07d1252d06d2308fa467b7478824e818
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.0.1 port 1812, id=102, length=253
        User-Name = {am=1}a...@local
        EAP-Message = 0x0203005e15001603010053014f03014cad569dd49214ce612a3acfb814a3d8cc64dafe0fd8cddae61c3aa3a615682b2800390038003500160013000a00330032002f000700050004001500120009001400110008000600030100
        Message-Authenticator = 0x7b87235a1ba9a14b13c1181865331307
        NAS-Identifier = 172.16.0.1
        NAS-IP-Address = 172.16.0.1
        Calling-Station-Id = 00-17-C4-9B-B5-84
        WiMAX-BS-Id = 0x020202060606
        NAS-Port-Type = 27
        Framed-MTU = 2000
        Service-Type = Framed-User
        WiMAX-GMT-Timezone-offset = 0
        State = 0x07d1252d06d2308fa467b7478824e818
+- entering group
MSCHAP issue - [mschap] FAILED: MS-CHAP2-Response is incorrect
Hi,

I am attempting to replicate a test setup into production and somewhere along the way I must have forgotten something. I have an NT-Password stored in a MySQL database and currently get the following response from FreeRADIUS upon authenticating:

rad_recv: Access-Request packet from host 127.0.0.1 port 58065, id=224, length=130
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = jo
        MS-CHAP-Challenge = 0x6bc832b0733a709ab358ab111e88da69
        MS-CHAP2-Response = 0x0d00f974435c9a9eb2abaa5f8350b8c4b3060a9a21d7cb82b31bfbd804045063702431fa9ff46e928dd9
        NAS-IP-Address = xx.xx.xx.xx
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = jo, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql]   expand: %{User-Name} -> jo
[sql] sql_set_user escaped user --> 'jo'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jo' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'jo' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jo' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'jo' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'jo' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'jo' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv2 for jo with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> jo
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 224 to 127.0.0.1 port 58065
Waking up in 4.9 seconds.
Cleaning up request 6 ID 224 with timestamp +888
Ready to process requests.

I think I missed one option when documenting the test setup. Unfortunately the test setup was accidentally deleted. Would anyone know what I missed?

Thanks,
Jon.
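Both this post and the WiMAX thread above paste long radiusd -X traces, and the useful facts in them (which packet, which User-Name, which Auth-Type was found, which module returned reject, which FAILED/WARNING line explains it, and what reply went out) are scattered over dozens of lines. The following added example (not from the thread and not a FreeRADIUS tool) is a small parser for that debug format that reduces each received packet to one triage line; the sample input is an abridged copy of the trace in this post, and the function names are this example's own. Replies are matched to requests by packet id, because a reject is delayed and may be logged after other packets have arrived.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Abridged radiusd -X output copied from the MS-CHAP post above (page data, not constructed).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 58065, id=224, length=130
        Service-Type = Framed-User
        User-Name = jo
        MS-CHAP-Challenge = 0x6bc832b0733a709ab358ab111e88da69
        NAS-IP-Address = xx.xx.xx.xx
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[suffix] returns noop
++[eap] returns noop
[sql] User found in radcheck table
++[sql] returns ok
[pap] Normalizing NT-Password from hex encoding
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv2 for jo with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Delaying reject of request 6 for 1 seconds
Sending delayed reject for request 6
Sending Access-Reject of id 224 to 127.0.0.1 port 58065
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")
MODULE_RE = re.compile(r"^\+\+\[([\w.-]+)\] returns (\w+)")
AUTHTYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to ")
PROBLEM_RE = re.compile(r"FAILED|WARNING")          # case-sensitive on purpose


@dataclass
class Request:
    packet_id: int
    client: str
    attrs: Dict[str, str] = field(default_factory=dict)      # request attributes only
    modules: List[Tuple[str, str]] = field(default_factory=list)  # (module, return code)
    auth_type: Optional[str] = None
    outcome: Optional[str] = None                            # Access-Accept/Reject/Challenge
    problems: List[str] = field(default_factory=list)

    @property
    def user(self) -> Optional[str]:
        return self.attrs.get("User-Name")


def parse_debug(text: str) -> List[Request]:
    """Group radiusd -X lines into one Request per received packet."""
    requests: List[Request] = []
    by_id: Dict[int, Request] = {}
    current: Optional[Request] = None
    in_reply = False   # attribute lines under "Sending ..." describe the reply, not the request
    for line in text.splitlines():
        if m := RECV_RE.match(line):
            current = Request(packet_id=int(m.group(3)), client=m.group(2))
            requests.append(current)
            by_id[current.packet_id] = current
            in_reply = False
        elif m := SEND_RE.match(line):
            target = by_id.get(int(m.group(2)))   # delayed rejects: match by id, not position
            if target is not None:
                target.outcome = m.group(1)
            in_reply = True
        elif current is None:
            continue
        elif m := ATTR_RE.match(line):
            if not in_reply:
                current.attrs.setdefault(m.group(1), m.group(2))
        elif m := MODULE_RE.match(line):
            current.modules.append((m.group(1), m.group(2)))
        elif m := AUTHTYPE_RE.match(line):
            current.auth_type = m.group(1)
        elif PROBLEM_RE.search(line):
            current.problems.append(line.strip())
    return requests


def rejects_by_user(requests: List[Request]) -> Dict[str, int]:
    """Access-Rejects per User-Name; a run of them for one account deserves a look."""
    counts: Dict[str, int] = {}
    for r in requests:
        if r.outcome == "Access-Reject" and r.user:
            counts[r.user] = counts.get(r.user, 0) + 1
    return counts


def triage(requests: List[Request]) -> List[str]:
    """One line per packet: who, from where, which Auth-Type, how it ended and why."""
    out = []
    for r in requests:
        deciding = next(((m, rc) for m, rc in r.modules if rc in ("reject", "fail", "handled")), None)
        why = "; ".join(r.problems) if r.problems else "no FAILED/WARNING lines"
        out.append(f"id={r.packet_id} client={r.client} user={r.user} auth={r.auth_type} "
                   f"outcome={r.outcome} deciding={deciding} why={why}")
    return out


if __name__ == "__main__":
    for line in triage(parse_debug(SAMPLE_DEBUG)):
        print(line)
```

Run over the trace in this post it reports a single packet, id 224 for user jo, Auth-Type MSCHAP, ending in Access-Reject with mschap as the deciding module and the "MS-CHAP2-Response is incorrect" line as the reason; the same parser applied to the WiMAX trace above shows each round of the EAP conversation ending in Access-Challenge, which is what makes the cut-off at the end of that post unfortunate.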