Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread Fabien COMBERNOUS

On 14/01/2011 23:47, Alan DeKok wrote:
> Fabien COMBERNOUS wrote:
>
> [...]
>
>> David is not bridling but just remember his constraints.
>
> They are *his* constraints.  If he can't even install a version of
> 2.1.10 in order to run radtest which can do MS-CHAP, then those
> constraints are ridiculous.

Even if he has to consider them, perhaps he thinks like you. :)

In a complex environment to change a piece of software can have
unexpected consequences. And so to change it, it demands long testing
procedures for several teams. I already worked in this kind of
environment. And you have to give good reasons enough to make a
modification of the setup.

If it is impossible to do what is necessary, a help for him is
probably to provide the good reasons of the modification of his
setup. Only blaming the person is not useful in my opinion. However, I
understand that you don't want to lose your time.


Regards,
--
*Fabien COMBERNOUS*
/unix system engineer/
http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread Bjørn Mork
Fabien COMBERNOUS <fcombern...@kezia.com> writes:

> In a complex environment to change a piece of software can have
> unexpected consequences. And so to change it, it demands long testing
> procedures for several teams. I already worked in this kind of
> environment. And you have to give good reasons enough to make a
> modification of the setup.

So?  You've painted yourself into an unsupportable environment. The
polite thing to do would be to state this when asking, to avoid wasting
everyone's time.

No one really cares whether it's stupidity on an individual or an
enterprise level.


Bjørn


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread David Dumortier
On Mon Jan 17 2011 at 09:29:47AM +0100, Fabien COMBERNOUS wrote:
> On 14/01/2011 23:47, Alan DeKok wrote:
>> Fabien COMBERNOUS wrote:
>>
>> [...]
>>> David is not bridling but just remember his constraints.
>> They are *his* constraints.  If he can't even install a version of
>> 2.1.10 in order to run radtest which can do MS-CHAP, then those
>> constraints are ridiculous.
> Even if he has to consider them, perhaps he thinks like you. :)

To sum up, being in a distribution makes security updates easy. I am
waiting for squeeze in a hurry (perhaps before the end of my radius project ;-) ).

> In a complex environment to change a piece of software can have
> unexpected consequences. And so to change it, it demands long testing
> procedures for several teams. I already worked in this kind of
> environment. And you have to give good reasons enough to make a
> modification of the setup.
>
> If it is impossible to do what is necessary, a help for him is
> probably to provide the good reasons of the modification of his
> setup. Only blaming the person is not useful in my opinion. However, I
> understand that you don't want to lose your time.

Thanks for my defense. But I consider the flame closed. And I
understand too the lack of time for everyone.

I will try to find a mschap string with a second installation on a
second server. After that I will see and tell the result here. I
expect to have some other questions about the differences between the
2 versions but I hope it will be ok.

> Regards,
> --
> *Fabien COMBERNOUS*
> /unix system engineer/
> http://www.kezia.com/
> *Tel: +33 (0) 467 992 986*
> Kezia Group

Regards,
-- 
David Dumortier

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread Martín Ruiz [Ibersystems.es]
I think some comments.. are too heavy :P

I'm reading this list looking for solutions, or improvements for my servers,
but these threads are disgusting me. It's not necessary to write things like
this..

I don't agree with this. When someone requests help, you can help as
usual. If he can't do what is necessary, it is his problem, but no more..
next thread :D!

 It's not necessary to start a war in the list..

*Martín Ruiz*
*Ibersystems Solutions, SL*
Wireless Networks Dept.

Tel.  902 909 858
   93 184 52 13
   669 37 95 21

Fax 93 758 63 01

http://www.ibersystems.es
martinr...@ibersystems.es


2011/1/17 Bjørn Mork <bj...@mork.no>

> Fabien COMBERNOUS <fcombern...@kezia.com> writes:
>
>> In a complex environment to change a piece of software can have
>> unexpected consequences. And so to change it, it demands long testing
>> procedures for several teams. I already worked in this kind of
>> environment. And you have to give good reasons enough to make a
>> modification of the setup.
>
> So?  You've painted yourself into an unsupportable environment. The
> polite thing to do would be to state this when asking, to avoid wasting
> everyone's time.
>
> No one really cares whether it's stupidity on an individual or an
> enterprise level.
>
>
> Bjørn


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread David Dumortier
On Mon Jan 17 2011 at 10:13:56AM +0100, Bjørn Mork wrote:
> Fabien COMBERNOUS <fcombern...@kezia.com> writes:

[...]

> So?  You've painted yourself into an unsupportable environment. The
> polite thing to do would be to state this when asking, to avoid wasting
> everyone's time.
>
> No one really cares whether it's stupidity on an individual or an
> enterprise level.

Please, my intention was not to produce a flamewar. It is the first
time it has happened to me and it makes me uncomfortable. I probably
misunderstood some terms in mails and was probably misunderstood in my
intention.
What I seek on this list is your expertise on freeradius to solve a
problem that I described. Think I have some problem with English and
freeradius (it is the first time I deal with freeradius and all these
strange words such as mschap and eap and ... ;-) )
I'm ready to make many efforts to solve my problems, but I cannot
without your help, please be clear in explanations as I'm a newbie in
this area. (for example the idea of making another server to have the
mschap string was not clear in the beginning for me).

> Bjørn

Besides our past disagreement, thank you for your help.
-- 
David Dumortier

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread Josip Rodin
On Mon, Jan 17, 2011 at 10:20:00AM +0100, David Dumortier wrote:
>> In a complex environment to change a piece of software can have
>> unexpected consequences. And so to change it, it demands long testing
>> procedures for several teams.
>
> I will try to find a mschap string with a second installation on a
> second server.

This was supposed to be the solution to the showstopper from the get-go.
The client and the server simply do not have to be installed from the same
source on the same machine. Adding a new machine with newer software for a
specific purpose is usually a triviality these days.

As usual, it would have helped if all parties would have steered away from
snappy remarks. Rather than do that, it's often simpler and eminently more
productive to keep silent.

(Yes, I know I've said this before. Repetitio est mater studiorum.)

-- 
 2. That which causes joy or happiness.


Install problems

2011-01-17 Thread Breuer Nicolas

 Hello

 I can't install the last freeradius to our new server

  ./configure --libdir=/usr/local/lib/freeradius2
--with-mysql-lib-dir=/usr/lib64/mysql --disable-libltdl-install
--with-system-libtool --without-openssl

libtool: link: rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
libtool: link: (cd .libs && gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC -c -fno-builtin radiusdS.c)
libtool: link: rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
libtool: link: gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o -Wl,--export-dynamic /var/instapp/freeradius-server-2.1.10/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -lcrypt /var/instapp/freeradius-server-2.1.10/libltdl/.libs/libltdl.so -ldl -Wl,-rpath -Wl,/usr/local/lib/freeradius2
.libs/modules.o: In function `setup_modules':
/var/instapp/freeradius-server-2.1.10/src/main/modules.c:1372: undefined reference to `lt_preloaded_symbols'
collect2: ld returned 1 exit status
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src/main'
gmake[3]: *** [main] Error 2
gmake[3]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory `/var/instapp/freeradius-server-2.1.10'
make: *** [all] Error 2


 What's the solution ?



Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread Bjørn Mork
Josip Rodin <j...@entuzijast.net> writes:

> As usual, it would have helped if all parties would have steered away from
> snappy remarks. Rather than do that, it's often simpler and eminently more
> productive to keep silent.

You are of course correct.  I apologise for my unnecessary comment.  I
will try to avoid such comments in the future.


Bjørn


Re: Install problems

2011-01-17 Thread Alan DeKok
Breuer Nicolas wrote:
>  I can't install the last freeradius to our new server
>
>   ./configure --libdir=/usr/local/lib/freeradius2
> --with-mysql-lib-dir=/usr/lib64/mysql --disable-libltdl-install
> --with-system-libtool --without-openssl
...
> /var/instapp/freeradius-server-2.1.10/src/main/modules.c:1372: undefined
> reference to `lt_preloaded_symbols'

  Edit the Make.inc file, and find the line starting with CFLAGS.  Add
a  -DIE_LIBTOOL_DIE to the end.  Do make clean, followed by make.

  Alan DeKok.


Re: Install problems

2011-01-17 Thread Breuer Nicolas

 Hello

 I just do that.

MAKE= /usr/bin/gmake
CC  = gcc
RANLIB  = ranlib
INCLUDE =
CFLAGS  = $(INCLUDE) -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -DIE_LIBTOOL_DIE


 Same error

libtool: compile:  gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -DIE_LIBTOOL_DIE -I/var/instapp/freeradius-server-2.1.10/src -DHOSTINFO=\"x86_64-unknown-linux-gnu\" -DRADIUSD_VERSION=\"2.1.10\" -DNO_OPENSSL -c detail.c  -fPIC -DPIC -o .libs/detail.o
libtool: compile:  gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -DIE_LIBTOOL_DIE -I/var/instapp/freeradius-server-2.1.10/src -DHOSTINFO=\"x86_64-unknown-linux-gnu\" -DRADIUSD_VERSION=\"2.1.10\" -DNO_OPENSSL -c detail.c -o detail.o >/dev/null 2>&1
/usr/bin/libtool --mode=link gcc -export-dynamic -dlopen self \
  -o radiusd acct.lo auth.lo client.lo conffile.lo crypt.lo exec.lo files.lo listen.lo log.lo mainconfig.lo modules.lo modcall.lo radiusd.lo stats.lo session.lo threads.lo util.lo valuepair.lo version.lo xlat.lo event.lo realms.lo evaluate.lo vmps.lo detail.lo  \
  /var/instapp/freeradius-server-2.1.10/src/lib/libfreeradius-radius.la -lnsl -lresolv  -lpthread  \
  -lcrypt  /var/instapp/freeradius-server-2.1.10/libltdl/libltdl.la
libtool: link: rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
libtool: link: (cd .libs && gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC -c -fno-builtin radiusdS.c)
libtool: link: rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
libtool: link: gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o -Wl,--export-dynamic /var/instapp/freeradius-server-2.1.10/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -lcrypt /var/instapp/freeradius-server-2.1.10/libltdl/.libs/libltdl.so -ldl -Wl,-rpath -Wl,/usr/local/lib/freeradius2
.libs/modules.o: In function `setup_modules':
/var/instapp/freeradius-server-2.1.10/src/main/modules.c:1372: undefined reference to `lt_preloaded_symbols'
collect2: ld returned 1 exit status
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src/main'
gmake[3]: *** [main] Error 2
gmake[3]: Leaving directory `/var/instapp/freeradius-server-2.1.10/src'
gmake[2]: *** [all] Error 2


 
Date sent:  Mon, 17 Jan 2011 11:57:47 +0100
From:   Alan DeKok al...@deployingradius.com
To: nicolas.bre...@belcenter.biz,
FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject:Re: Install problems

> Breuer Nicolas wrote:
>>  I can't install the last freeradius to our new server
>>
>>   ./configure --libdir=/usr/local/lib/freeradius2
>> --with-mysql-lib-dir=/usr/lib64/mysql --disable-libltdl-install
>> --with-system-libtool --without-openssl
> ...
>> /var/instapp/freeradius-server-2.1.10/src/main/modules.c:1372: undefined
>> reference to `lt_preloaded_symbols'
>
>   Edit the Make.inc file, and find the line starting with CFLAGS.  Add
> a  -DIE_LIBTOOL_DIE to the end.  Do make clean, followed by make.
>
>   Alan DeKok.



Re: freeradius 2.1.10 with oracle instantclient11.2

2011-01-17 Thread Waqas Toor
Dear Alexandre,
OK, the patch you sent didn't work for me, so here are some steps that I
took and would like to share so that others may benefit from it :)
These steps are working with FreeRadius 2.1.10 and Oracle
Instantclient 11.2, autoconf 2.59 and libtool 1.5.4, and the OS is CentOS
5.4 (final)

Steps that I did are as follows,
1: changed the configure.in file in
src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.in, replacing
libnnz10 with libnnz11 and also libclntsh10 with libclntsh11 etc
2: changed back to the parent directory i.e. freeradius/ and then ran the
aclocal command
3: autogen.sh works after aclocal so ran ./autogen.sh
4: created a symlink in the Oracle instantclient lib directory named
libclntsh.so -> libclntsh.so.11.1 (as the freeradius oracle driver looks
for libclntsh.so)
5: did # ./configure
--with-oracle-include-dir=/opt/instantclient_11_2/sdk/include/
--with-experimental-modules
--with-oracle-lib-dir=/opt/instantclient_11_2/
6: now make && make install
7: after install, export LD_LIBRARY_PATH to your instantclient folder
i.e. LD_LIBRARY_PATH=/opt/instantclient_11_2
8: change sql.conf to point to oracle and then radiusd -X and it works
with oracle (at least it worked for me)

if it works for others then I hope somebody add it to the wiki as well

Thanks
Waqas





On Sat, Jan 15, 2011 at 1:42 AM, Alexandre alxg...@gmail.com wrote:
 Hardcoding libnnz11 should be done in configure, not in configure.in, and so
 there is no need to run ./autogen.sh

 On 14 Jan 2011 20:19, Waqas Toor waqasnasirt...@gmail.com wrote:
 Dear Alexandre,

 Thanks, I have autoconf 2.59
 after patching I had to do
 #aclocal
 # ./autogen.sh
 # ./configure
 --with-oracle-include-dir=/opt/instantclient_11_2/sdk/include/
 --with-experimental-modules
 --with-oracle-lib-dir=/opt/instantclient_11_2/

 now the error is
 configure: configuring in ./drivers/rlm_sql_oracle
 configure: running /bin/sh './configure' --prefix=/usr/local
 '--prefix=/usr/local'
 '--with-oracle-include-dir=/opt/instantclient_11_2/sdk/include/'
 '--with-experimental-modules'
 '--with-oracle-lib-dir=/opt/instantclient_11_2/'
 '--enable-ltdl-install' '--cache-file=/dev/null' '--srcdir=.'
 --cache-file=/dev/null --srcdir=.
 checking for oci.h... checking for gcc... gcc
 checking for C compiler default output file name... a.out
 checking whether the C compiler works... yes
 checking whether we are cross compiling... no
 checking for suffix of executables...
 checking for suffix of object files... o
 checking whether we are using the GNU C compiler... yes
 checking whether gcc accepts -g... yes
 checking for gcc option to accept ANSI C... none needed
 yes
 configure: WARNING: oracle libraries not found. Use
 --with-oracle-lib-dir=path.
 configure: WARNING: silently not building rlm_sql_oracle.
 configure: WARNING: FAILURE: rlm_sql_oracle requires: libclntsh libnnz.
 configure: creating ./config.status
 config.status: creating Makefile

 please note that is no version in libnnz.

 and if I hardcode the version in lnnz11 and libnnz11 in configure.in
 and the again do the above steps then i get this error

 configure: configuring in ./drivers/rlm_sql_oracle
 configure: running /bin/sh './configure' --prefix=/usr/local
 '--prefix=/usr/local'
 '--with-oracle-include-dir=/opt/instantclient_11_2/sdk/include/'
 '--with-experimental-modules'
 '--with-oracle-lib-dir=/opt/instantclient_11_2/'
 '--enable-ltdl-install' '--cache-file=/dev/null' '--srcdir=.'
 --cache-file=/dev/null --srcdir=.
 checking for oci.h... checking for gcc... gcc
 checking for C compiler default output file name... a.out
 checking whether the C compiler works... yes
 checking whether we are cross compiling... no
 checking for suffix of executables...
 checking for suffix of object files... o
 checking whether we are using the GNU C compiler... yes
 checking whether gcc accepts -g... yes
 checking for gcc option to accept ANSI C... none needed
 yes
 configure: WARNING: oracle libraries not found. Use
 --with-oracle-lib-dir=path.
 configure: WARNING: silently not building rlm_sql_oracle.
 configure: WARNING: FAILURE: rlm_sql_oracle requires: libclntsh libnnz11.


 this oracle thing is becoming pain now :)

 Thank you
 Waqas








 Waqas




 On Fri, Jan 14, 2011 at 10:56 PM, Alexandre alxg...@gmail.com wrote:
 A workaround for your very own problem could be to change all
 references to libnnz10 to libnnz11 in the configure file (in the same
 directory).

 regards

 2011/1/14 Alexandre alxg...@gmail.com:
 personnally  I got it working with libtool 1.5 and autoconf 2.61

 2011/1/14 Waqas Toor waqasnasirt...@gmail.com:
 Dear Alexandre,
 I am sorry I should have mentioned the env previously ..
 its CentOS 5.4 64bit


 if I do ./autogen.sh without applying patch on a clean extract from
 the tarball it gives the same error.

 I am not good with libtool and autoconf. can you head me to a
 direction where i can figure out this or which autoconf and libtool
 version i need to work this out.

 Thanks

 waqas





 On Fri, Jan 14, 

Re: Problem with iPods/iTouches

2011-01-17 Thread Rob Yamry

> Does this problem also happen with iOS 4.x devices other than the iPod
> Touch?
>
> Does the problem happen with non-Enterasys gear? (Do you have any that you
> can test with?)  Additionally, what firmware version are you running on the
> Enterasys gear?  Can you share your config (or at least the relevant
> pieces)?


Hi Terry-

   The problem also happens with an iPad.  I've had a teacher report problems
with his iPhone too, but I haven't gotten my hands on it yet.

  We don't have any other wireless gear except for the Enterasys controller
and APs.  We updated the firmware to v7.31.03.0005 last week but we also had
the problem on the previous version as well v7.31.2.10.

  A default config for FreeRadius 2.1.8 or 2.1.10 shows the problem.  As for
the controller, the settings on the SSID it's set to use WPA v2 with AES
enc.  802.1x for auth.  The radius server config on the controller is using
MSCHAPv2 by default.  Is that what you were looking for?

Thanks for your help-
Rob

mschap fails

2011-01-17 Thread Jason Hall
Ntlm_auth nt and lm key requests NT_STATUS_OK: Success (0x0) but the mschap
section still fails after cert exchange...

Log file - http://pastebin.com/rDhRKgiC

Suse Ent 11.0.0.32, samba 3.2.7, FreeRadius 2.1.1

Any ideas? Pointers? Suggestions?!

Anyone recommend a distro that just works?


Jason Hall


Re: mschap fails

2011-01-17 Thread Phil Mayers

On 17/01/11 14:34, Jason Hall wrote:

> Ntlm_auth nt and lm key requests NT_STATUS_OK: Success (0x0) but the
> mschap section still fails after cert exchange…



Has it ever worked? If not, this is probably the Samba bug documented 
(in newer versions of FreeRadius) in eap.conf:


https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/eap.conf#L526

You may need a newer version of Samba that incorporates this bug fix (or 
older one that doesn't have the bug):


https://bugzilla.samba.org/show_bug.cgi?id=7568

...or apply the config item mentioned here:

https://bugzilla.samba.org/show_bug.cgi?id=6563#c49

RHEL5 with the samba3x RPM works for us (though someone else on the list 
was having problems, so maybe it depends on Active Directory config)



RE: Sub-TLV's

2011-01-17 Thread David Peterson
Understood.  Here is the dictionary I am working with:

The changes start at line 168.

# -*- text -*-
##
#
#   WiMAX Forum
#
#   Updated from NWG_R1_V1.2.1-Stage-3.pdf
#
#   NWG_R1_V1.2-Stage-3.pdf
#   RADIUS discussion is on pp. 432-498
#   WiMAX VSA's are on p. 450 and following.
#
#   DHCP & MIP keys are on p.48 and following.
#
#   WiMAX VSA's have a non-standard format:
#
#       type            1 octet
#       length          1 octet
#       continuation    1 octet  0bcrrr
#       value           1+ octets
#
#   If the high bit of the continuation field is set, then
#   the next attribute of the same WiMAX type should have its
#   value concatenated to this one.
#
#   The C bit MUST be zero for all small types.  e.g.  integer,
#   ipaddr, ipv6addr, etc.  It MAY be set for string and octet
#   types.  The maximum attribute length for string and octet
#   types is still 253 bytes, even with continuations.  The WiMAX
#   specifications do not specify a maximum length, so we have chosen
#   to keep the traditional RADIUS maximum length here.
#
#   The C bit MAY be 1 for TLV types.  There is no restriction on
#   TLV length other than maximum packet size (a bit less than 4K).
#
#   The rest of the bits in the continuation octet are reserved,
#   and MUST be zero.
#
#   Each WiMAX VSA is packed into one Vendor-Specific attribute
#   with Vendor-Id of WiMAX.  Multiple WiMAX sub-TLV's ARE packed
#   into one VSA with an encapsulating TLV.
#
#   The WiMAX forum adds the following (non-standard) data types:
#
#   byte     - one-octet unsigned integer
#   short    - two-octet unsigned integer in network byte order
#   signed   - 4-octet signed integer in network byte order.
#   combo-ip - if length 4, is the same as the ipaddr type.
#              if length 16, is the same as ipv6addr type.
#   tlv      - encapsulated sub-attributes
#              i.e. Vendor-Specific -> WiMAX TLV -> WiMAX sub-tlv.
#
##
#
#   $Id$
#
##

VENDOR          WiMAX                           24757   format=1,1,c

BEGIN-VENDOR    WiMAX

ATTRIBUTE       WiMAX-Capability                        1       tlv

BEGIN-TLV       WiMAX-Capability
ATTRIBUTE       WiMAX-Release                           1       string
ATTRIBUTE       WiMAX-Accounting-Capabilities           2       byte
ATTRIBUTE       WiMAX-Hotlining-Capabilities            3       byte
ATTRIBUTE       WiMAX-Idle-Mode-Notification-Cap        4       byte

# This is really a bitmap
VALUE   WiMAX-Accounting-Capabilities   No-Accounting           0
VALUE   WiMAX-Accounting-Capabilities   IP-Session-Based        1
VALUE   WiMAX-Accounting-Capabilities   Flow-Based              2

# This is really a bitmap
VALUE   WiMAX-Hotlining-Capabilities    Not-Supported           0
VALUE   WiMAX-Hotlining-Capabilities    Hotline-Profile-Id      1
VALUE   WiMAX-Hotlining-Capabilities    NAS-Filter-Rule         2
VALUE   WiMAX-Hotlining-Capabilities    HTTP-Redirection        4
VALUE   WiMAX-Hotlining-Capabilities    IP-Redirection          8

VALUE   WiMAX-Idle-Mode-Notification-Cap Not-Supported          0
VALUE   WiMAX-Idle-Mode-Notification-Cap Supported              1

END-TLV WiMAX-Capability

ATTRIBUTE       WiMAX-Device-Authentication-Indicator   2       byte
ATTRIBUTE       WiMAX-GMT-Timezone-offset               3       signed
ATTRIBUTE       WiMAX-AAA-Session-Id                    4       octets

# 32 octets in length
ATTRIBUTE       WiMAX-MSK                               5       octets  encrypt=2
ATTRIBUTE       WiMAX-hHA-IP-MIP4                       6       ipaddr
ATTRIBUTE       WiMAX-hHA-IP-MIP6                       7       ipv6addr
ATTRIBUTE       WiMAX-DHCPv4-Server                     8       combo-ip
ATTRIBUTE       WiMAX-DHCPv6-Server                     9       combo-ip

# MN-HA-CMIP4 = H(MIP-RK, CMIP4 MN HA | HA-IPv4 | MN-NAI), or
# MN-HA-PMIP4 = H(MIP-RK, PMIP4 MN HA | HA-IPv4 | MN-NAI)
ATTRIBUTE       WiMAX-MN-hHA-MIP4-Key                   10      octets  encrypt=2

# MN-HA-CMIP4-SPI == MIP-SPI, or
# MN-HA-PIMP4-SPI == MIP-SPI + 1
ATTRIBUTE       WiMAX-MN-hHA-MIP4-SPI                   11      integer

# MN-HA-CMIP6 = H(MIP-RK, CMIP6 MN HA | HA-IPv6 | MN-NAI)
ATTRIBUTE       WiMAX-MN-hHA-MIP6-Key                   12      octets  encrypt=2

# MN-HA-CMIP6-SPI == MIP-SPI + 2
ATTRIBUTE       WiMAX-MN-hHA-MIP6-SPI                   13      integer

# FA-RK = H(MIP-RK, FA-RK)
ATTRIBUTE       WiMAX-FA-RK-Key                         14      octets  encrypt=2

# 160 bit random number
ATTRIBUTE       WiMAX-HA-RK-Key                         15      octets  encrypt=2
# SPI-CMIP4
ATTRIBUTE 

Re: Sub-TLV's

2011-01-17 Thread Alan DeKok
David Peterson wrote:
> Understood.  Here is the dictionary I am working with:
>
> The changes start at line 168.

  Ah.  Nested TLV's aren't supported in 2.1.x.  Instead, see the git
stable branch for massive changes to allow all of the WiMAX
goodness.  It has many updates to the dictionary parser, a re-written
attribute encoder/decoder, unit tests, changed internal API, etc.  These
are all required in order to support the nested WiMAX TLVs, and
*cannot* be back-ported to 2.1.x.

  I can add checks for 2.1.11 which produce a more useful error message
describing why the dictionary can't be loaded.

  Alan DeKok.
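
The WiMAX VSA layout described in the dictionary header quoted in this thread (type, length, continuation octet, value, with the C bit joining fragments before any sub-TLV is read), as an added example that is not part of the original posts and is not FreeRADIUS code. It assumes that every length octet counts its own header octets and that one WiMAX attribute fills each Vendor-Specific attribute; the function names and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute
WIMAX_VENDOR_ID = 24757    # from the VENDOR line of the dictionary
C_BIT, RESERVED = 0x80, 0x7F

# Sub-attributes of WiMAX-Capability, as named in the dictionary.
CAPABILITY = {1: ("WiMAX-Release", "string"),
              2: ("WiMAX-Accounting-Capabilities", "byte"),
              3: ("WiMAX-Hotlining-Capabilities", "byte"),
              4: ("WiMAX-Idle-Mode-Notification-Cap", "byte")}


def walk_tlvs(data, what):
    """Yield (type, value) for 1-octet type / 1-octet length records.
    Assumption: the length octet counts the two header octets."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated {what} header")
        length = data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"{what} length out of bounds")
        yield data[pos], data[pos + 2:pos + length]
        pos += length


def decode_wimax_vsas(attrs):
    """Return [(wimax_type, value)] with continued fragments joined."""
    done, pending = [], None            # pending = (type, bytearray)
    for a_type, value in walk_tlvs(attrs, "attribute"):
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != WIMAX_VENDOR_ID:
            continue
        body = value[4:]
        # type, length, continuation, then at least one value octet
        # (assumption: the WiMAX length octet covers this 3-octet header)
        if len(body) < 4 or body[1] != len(body):
            raise ValueError("bad WiMAX VSA length")
        w_type, cont, frag = body[0], body[2], body[3:]
        if cont & RESERVED:
            raise ValueError("reserved continuation bits must be zero")
        if pending is None:
            pending = (w_type, bytearray())
        elif pending[0] != w_type:
            raise ValueError("continuation interrupted by another type")
        pending[1].extend(frag)
        if not cont & C_BIT:
            done.append((w_type, bytes(pending[1])))
            pending = None
    if pending is not None:
        raise ValueError("C bit set but no further fragment")
    return done


def decode_capability(value):
    """Decode the sub-TLVs of a reassembled WiMAX-Capability value."""
    fields = {}
    for s_type, payload in walk_tlvs(value, "sub-TLV"):
        name, kind = CAPABILITY.get(s_type, (f"Unknown-{s_type}", "octets"))
        if kind == "byte":
            if len(payload) != 1:
                raise ValueError(f"{name}: byte needs exactly one octet")
            fields[name] = payload[0]
        elif kind == "string":
            fields[name] = payload.decode("ascii")
        else:
            fields[name] = payload
    return fields


def wimax_vsa(w_type, frag, more):
    """Build one Vendor-Specific attribute carrying a WiMAX fragment."""
    body = bytes([w_type, 3 + len(frag), C_BIT if more else 0]) + frag
    header = bytes([VENDOR_SPECIFIC, 6 + len(body)])
    return header + struct.pack("!I", WIMAX_VENDOR_ID) + body


# Constructed sample: Release "1.2", IP-Session-Based accounting,
# Hotline-Profile-Id hotlining, idle-mode notification Supported.
CAP_VALUE = (b"\x01\x05" + b"1.2" + b"\x02\x03\x01"
             + b"\x03\x03\x01" + b"\x04\x03\x01")
SAMPLE = (b"\x01\x05bob"                         # User-Name, skipped
          + wimax_vsa(1, CAP_VALUE[:6], True)    # split falls inside a sub-TLV
          + wimax_vsa(1, CAP_VALUE[6:], False))


def demo():
    """Decode the constructed sample into (wimax_type, fields)."""
    (w_type, value), = decode_wimax_vsas(SAMPLE)
    return w_type, decode_capability(value)


if __name__ == "__main__":
    print(demo())
```

Because the fragment boundary in the sample falls in the middle of a sub-TLV, the sub-TLV walk only succeeds on the reassembled value, which is why the continuation handling has to run first.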


RE: Sub-TLV's

2011-01-17 Thread David Peterson
OK that makes sense.  I am using the Master branch per the git
instructions.  I am receiving this error during compile:

make[4]: Entering directory `/usr/src/freeradius-server/src/main'
/bin/sh /usr/src/freeradius-server/libtool --mode=compile gcc  -g -O2
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow
-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W
-Wredundant-decls -Wundef -I/usr/src/freeradius-server/src
-DHOSTINFO=\"i686-pc-linux-gnu\" -DRADIUSD_VERSION=\"2.4.0\"
-DOPENSSL_NO_KRB5 -c auth.c
libtool: compile:  gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
-I/usr/src/freeradius-server/src -DHOSTINFO=\"i686-pc-linux-gnu\"
-DRADIUSD_VERSION=\"2.4.0\" -DOPENSSL_NO_KRB5 -c auth.c  -fPIC -DPIC -o
.libs/auth.o
In file included from
/usr/src/freeradius-server/src/freeradius-devel/radiusd.h:107,
 from auth.c:28:
/usr/src/freeradius-server/src/freeradius-devel/smodule.h:144: error:
expected specifier-qualifier-list before 'RADCLIENT'


Am I using the right code?

David


-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: Monday, January 17, 2011 11:26 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Sub-TLV's

David Peterson wrote:
> Understood.  Here is the dictionary I am working with:
>
> The changes start at line 168.

  Ah.  Nested TLV's aren't supported in 2.1.x.  Instead, see the git
stable branch for massive changes to allow all of the WiMAX goodness.
It has many updates to the dictionary parser, a re-written attribute
encoder/decoder, unit tests, changed internal API, etc.  These are all
required in order to support the nested WiMAX TLVs, and
*cannot* be back-ported to 2.1.x.

  I can add checks for 2.1.11 which produce a more useful error message
describing why the dictionary can't be loaded.

  Alan DeKok.



Re: Sub-TLV's

2011-01-17 Thread Alan DeKok
David Peterson wrote:
> OK that makes sense.  I am using the Master branch per the git
> instructions.

  Uh... no.  My email said the stable branch.

  I'll get around to fixing the web page and/or git in the next while.

  Alan DeKok.


cleaning house on radius server?

2011-01-17 Thread Christ Schlacta
I've got a radius server up and running, and I want to clean up my 
configuration as much as possible.  is it a safe assumption that if I 
remove a file (actually move it out of the way) and attempt to 
authenticate a client that if the client can successfully authenticate 
that everything is working?  is it also safe to assume that any file 
with no uncommented lines is also safe to remove?  I'm most interested
in removing the SQL directories and all the unused modules in the 
modules directory.



modules directory

2011-01-17 Thread Christ Schlacta
I've found something odd in regard to the modules directory.  I ended up 
needing to use checkval module for ldap authentication to work properly 
for me.  the documentation I found said to place the following in config 
files:


checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
        notfound-reject = no
}

at the location I wanted the check to occur, but instead I ended up 
needing to use just:


checkval

because the above code was located in modules/checkval .

The question is at this point, how could I, for example, have two 
different checkval checks?  suppose I want to check an additional 
attribute?  I reckon I need a new file, but I'm not sure if it matters
what I call the new file, or, for that matter, I'm not sure what to put 
inside the new file, except that I'm sure it must look very similar to 
that above.


if someone could explain the specifics of this, or tell me where to find 
them explained, I would much appreciate the help.


one more question:  can there be multiples of ANY module specified?  for 
example, can I use two different ldap or sql modules if I were to need 
to (just as a bad example, I propose: 1 radius server, 2 wlans with 
different user bases that can't be merged into one directory for 
whatever reasons).



Re: cleaning house on radius server?

2011-01-17 Thread John Dennis

On 01/17/2011 03:36 PM, Christ Schlacta wrote:

I've got a radius server up and running, and I want to clean up my
configuration as much as possible.  is it a safe assumption that if I
remove a file (actually move it out of the way) and attempt to
authenticate a client that if the client can successfully authenticate
that everything is working?


No. Because different clients use different authentication methods.

There really is no value to be gained by removing configuration files 
and entries, in the end you're far more likely to break something.


--
John Dennis jden...@redhat.com



Re: modules directory

2011-01-17 Thread John Dennis

On 01/17/2011 03:37 PM, Christ Schlacta wrote:

one more question:  can there be multiples of ANY module specified?


In general modules can be instantiated multiple times under different 
names with configuration parameters unique to that name. Not sure if 
this is true for *all* modules though, there are probably some singletons.



--
John Dennis jden...@redhat.com



Re: cleaning house on radius server?

2011-01-17 Thread Alexander Clouter
Christ Schlacta li...@aarcane.org wrote:

 I've got a radius server up and running, and I want to clean up my 
 configuration as much as possible.  is it a safe assumption that if I 
 remove a file (actually move it out of the way) and attempt to 
 authenticate a client that if the client can successfully authenticate 
 that everything is working?  is it also safe to assume that any file 
 with no uncommented lines is also safe to remove?  I'm most 
 interested in removing the SQL directories and all the unused modules 
 in the modules directory.

That's a terrible idea.  Think about what you are trying to accomplish.

I would recommend you either put your configuration in some revision 
control system or alternatively accept that Mr DeKok knows what he is 
doing and thus not straying far from the 'Path of Light' is a Good 
Idea(tm).

If you take up the latter you should:
 * install from fresh a copy of FreeRADIUS (even if it is from $DISTRO[favourite])
 * assuming Debian, 'cp -a /etc/freeradius /etc/freeradius.orig'
 * apply your needed changes to /etc/freeradius
 * try to make the output of 'diff -u -r -N freeradius.orig freeradius' as small as possible whilst suiting your needs (learn to use templates and policy.conf extensively)

This means that when you come to upgrading your FreeRADIUS installation, 
you are applying a diff/patch file rather than trying to work everything 
out from scratch.  You can also trivially see what you have been 
changing.

Cheers

-- 
Alexander Clouter
.sigmonster says: does your DRESSING ROOM have enough ASPARAGUS?
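
The baseline-and-diff workflow from the message above, as an added example that is not part of the original post: it reports which files differ from the pristine copy and how many lines changed, so a deletion made while "cleaning house" shows up explicitly. The demo tree, its file contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Print one "status path" line per file that differs between the pristine
# copy ($1) and the live tree ($2): M modified, A added, D deleted.
config_drift() {
    orig=$1
    live=$2
    { (cd "$orig" && find . -type f); (cd "$live" && find . -type f); } |
    sort -u |
    while IFS= read -r f; do
        if [ ! -e "$orig/$f" ]; then echo "A ${f#./}"
        elif [ ! -e "$live/$f" ]; then echo "D ${f#./}"
        elif ! cmp -s "$orig/$f" "$live/$f"; then echo "M ${f#./}"
        fi
    done
}

# Count changed lines. diff's normal format marks every changed line with
# a leading "<" or ">", so headers and separators are not counted.
drift_lines() {
    diff -r -N "$1" "$2" | grep -c '^[<>]' || true
}

# Build a constructed pristine tree and an edited copy; print the temp dir.
make_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/freeradius.orig/modules"
    printf 'checkval {\n\tnotfound-reject = no\n}\n' > "$d/freeradius.orig/modules/checkval"
    printf 'sql {\n}\n' > "$d/freeradius.orig/sql.conf"
    cp -a "$d/freeradius.orig" "$d/freeradius"
    # One deliberate change and one "house cleaning" deletion.
    printf 'checkval {\n\tnotfound-reject = yes\n}\n' > "$d/freeradius/modules/checkval"
    rm "$d/freeradius/sql.conf"
    echo "$d"
}

demo=$(make_demo)
config_drift "$demo/freeradius.orig" "$demo/freeradius"
echo "changed lines: $(drift_lines "$demo/freeradius.orig" "$demo/freeradius")"
rm -rf "$demo"
```

Run against a real installation, the two arguments would be the pristine copy and the live directory, for example /etc/freeradius.orig and /etc/freeradius.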



RE: cleaning house on radius server?

2011-01-17 Thread Tim Sylvester
 I've got a radius server up and running, and I want to clean up my
 configuration as much as possible.  is it a safe assumption that if I
 remove a file (actually move it out of the way) and attempt to
 authenticate a client that if the client can successfully authenticate
 that everything is working?  is it also safe to assume that any file
 with no uncommented lines is also safe to remove?  I'm most interested
 in removing the SQL directories and all the unused modules in the
 modules directory.

Cleaning house on FreeRADIUS is NOT recommended and NOT required.
FreeRADIUS is a complex piece of software and takes some time to completely
understand. Until you completely understand FreeRADIUS, you should not
randomly delete files and change the configuration.

Do you clean house with other software and OSes that you run? Do you delete
the files you don't need on MySQL, Linux or a Windows PC? Probably not.

The human body has many vestigial organs. Have you contacted a surgeon to
remove your appendix, tonsils, adenoids, gall bladder and that spare kidney?

Tim




problem in opensips+radius accounting

2011-01-17 Thread happyeveryday1025
 
 
Hello:
I am doing accounting with opensips+freeradius+radiusclient-ng. Now when I make 
a call using X-Lite, the radius server has a response, but the accounting message 
is not right: the attribute service-type and eap-service-type is present in 
the log. I don't know what is the matter. How to set service-type? Your timely help 
will be greatly appreciated.
Here is the response of the freeradius:

Acct-Status-Type = Start
User-Service-Type = IAPP-Register
EAP-Key-Name = \000\000\000\310
Error-Cause = Invite
Attr-55 = 0x4d33d5c7
Sip-From-Tag = 2c29a446
Sip-To-Tag = 1fb68f517efd4f6682a527d79cf5809b
Acct-Session-Id = YzIxMDNjMTRlNTUxYTJiYmRkNzhkYmU4MThmZWM3OWQ.
User-Name = 3901@192.168.118.39
Calling-Station-Id = sip:3901@192.168.118.39
Called-Station-Id = sip:3902@192.168.118.39
Sip-Translated-Request-URI = sip:192.168.118.41:16591
Attr-223 = 0x3c7369703a33393031403139322e3136382e3131382e34313a33323435343e
NAS-Port = 5060
Acct-Delay-Time = 0
NAS-IP-Address = 192.168.118.39

The config file of opensips related to radius is as follows:

# - acc params -
/* what special events should be accounted ? */
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)
/* by default we do not adjust the direction of the sequential requests.
   if you enable this parameter, be sure to enable append_fromtag
   in rr module */
modparam("acc", "detect_direction", 0)
/* account triggers (flags) */
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
/* uncomment the following lines to enable DB accounting also */
#modparam("acc", "db_flag", 1)
#modparam("acc", "db_missed_flag", 2)
modparam("acc", "aaa_flag", 2)
modparam("acc", "aaa_missed_flag", 3)
modparam("acc", "service_type", 15)
#modparam("aaa_radius", "radius_config", "/usr/local/etc/radiusclient-ng/radiusclient.conf")
modparam("acc", "aaa_url", "radius:/usr/local/etc/radiusclient-ng/radiusclient.conf")
modparam("acc", "aaa_extra", "User-Name=$Au ;\
    Calling-Station-Id=$from;\
    Called-Station-Id=$to ;\
    Sip-Translated-Request-URI=$ruri;\
    Sip-RPid=$avp(s:rpid);\
    Canonical-URI=$avp(s:can_uri);\
    Billing-Party=$avp(s:billing_party);\
    Divert-Reason=$avp(s:divert_reason);\
    X-RTP-Stat=$hdr(X-RTP-Stat);\
    Contact=$hdr(contact);\
    Event=$hdr(event);\
    SIP-Proxy-IP=$avp(s:sip_proxy_ip);\
    ENUM-TLD=$avp(s:enum_tld)")

The dictionary file of opensips is as follows:

  Attributes ###
ATTRIBUTE Sip-Uri-User                208   string   # Proprietary, auth_radius
ATTRIBUTE Sip-Group                   211   string   # Proprietary, group_radius
ATTRIBUTE Sip-Rpid                    213   string   # Proprietary, auth_radius
ATTRIBUTE SIP-AVP                     225   string   # Proprietary, avp_radius
ATTRIBUTE Sip-Call-Duration           227   integer
ATTRIBUTE Sip-Call-Setuptime          228   integer

###lines add###
ATTRIBUTE Sip-Method                  101   integer
ATTRIBUTE Sip-Response-Code           102   integer  # Schulzrinne, acc
ATTRIBUTE Sip-To-Tag                  104   string   # Schulzrinne, acc
ATTRIBUTE Sip-From-Tag                105   string   # Schulzrinne, acc
ATTRIBUTE Sip-Translated-Request-URI  107   string   # Proprietary, acc

ATTRIBUTE Source-IP                   214   string
ATTRIBUTE Source-Port                 215   string
ATTRIBUTE Sip-Src-IP                  108   string   # Proprietary, acc
ATTRIBUTE Sip-Src-Port                109   string   # Proprietary, acc
ATTRIBUTE Digest-Response             206   string   # Sterman, auth_radius

ATTRIBUTE Sip-Uri-User                208   string   # Proprietary, auth_radius
ATTRIBUTE Sip-Group                   211   string   # Proprietary, group_radius
ATTRIBUTE Sip-Rpid                    213   string   # Proprietary, auth_radius
ATTRIBUTE SIP-AVP                     225   string   # Proprietary, avp_radius
ATTRIBUTE Digest-Realm                1063  string   # Sterman, auth_radius
ATTRIBUTE Digest-Nonce                1064  string   # Sterman, auth_radius
ATTRIBUTE Digest-Method               1065  string   # Sterman, auth_radius
ATTRIBUTE Digest-URI                  1066  string   # Sterman, auth_radius
ATTRIBUTE Digest-QOP                  1067  string   # Sterman, auth_radius
ATTRIBUTE Digest-Algorithm            1068  string   # Sterman, auth_radius
ATTRIBUTE Digest-Body-Digest          1069  string   # Sterman, auth_radius
ATTRIBUTE Digest-CNonce               1070  string   # Sterman, 

acc:acc_aaa_request: failed to add Contact, 17

2011-01-17 Thread happyeveryday1025
Hello:
When I am doing accounting with opensips1.6.4+freeradius2.1.10+radiusclient0.5.6, I 
meet the following error:
acc:acc_aaa_request: failed to add Contact, 17
I know I need to define the attribute Contact in the dictionary file 
dictionary.opensips, but I cannot find the value and type of the attribute 
Contact. Can anyone tell me the value and types of the attribute? Thanks a lot.

accounting with opensip and radius;error-cause=invite

2011-01-17 Thread happyeveryday1025
Hello:
I am using opensips1.6.4+freeradius2.1.10+radiusclient0.5.6 to do accounting 
when two X_Lite registered in opensips make a call. Now I define the attribute 
Contact as follows:
ATTRIBUTE  Contact 100 string
 
When I make a call, the radius server has a response,
rad_recv: Accounting-Request packet from host 192.168.118.39 port 50962, id=179, length=288
Acct-Status-Type = Start
Service-Type = IAPP-Register
EAP-Key-Name = \000\000\000\310
Error-Cause = Invite
Attr-55 = 0x4d343460
Sip-From-Tag = 1e356213
Sip-To-Tag = c73cd9ce3e9841fbb233a3f65b14b5ee
Acct-Session-Id = NDgzODg4NGRhYzMwYTQ0MjBmNTlmNTlmNmVkM2U0ZGE.
User-Name = 3901@192.168.118.39
Calling-Station-Id = sip:3901@192.168.118.39
Called-Station-Id = sip:3902@192.168.118.39
Sip-Translated-Request-URI = sip:192.168.118.41:11520
Framed-IPv6-Pool = sip:3901@192.168.118.41:44838
NAS-Port = 5060
Acct-Delay-Time = 0
NAS-IP-Address = 192.168.118.39
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 5060,Client-IP-Address = 192.168.118.39,NAS-IP-Address = 192.168.118.39,Acct-Session-Id = NDgzODg4NGRhYzMwYTQ0MjBmNTlmNTlmNmVkM2U0ZGE.,User-Name = 3901@192.168.118.39'
[acct_unique] Acct-Unique-Session-ID = d7155edddc677690.
++[acct_unique] returns ok
[suffix] Looking up realm 192.168.118.39 for User-Name = 3901@192.168.118.39
[suffix] No such realm 192.168.118.39
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - /usr/local/var/log/radius/radacct/192.168.118.39/detail-20110117
[detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.118.39/detail-20110117
[detail]expand: %t - Mon Jan 17 20:21:52 2011
++[detail] returns ok
++[unix] returns ok
[radutmp]   expand: /usr/local/var/log/radius/radutmp - /usr/local/var/log/radius/radutmp
[radutmp]   expand: %{User-Name} -3901@192.168.118.39
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response]   expand: %{User-Name} -3901@192.168.118.39
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 179 to 192.168.118.39 port 50962
Finished request 0.
Cleaning up request 0 ID 179 with timestamp +32
Going to the next request
Ready to process requests.
 
You can see that there is some error information, such as 
error-cause=invite; and when the call is terminated, the opensips receives a bye 
message, but the radius server has no response. Can anyone help to figure out the 
error please? Thank you very much.
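
In the debug output above the server prints Framed-IPv6-Pool, Error-Cause and EAP-Key-Name, which are the standard RADIUS names for attribute numbers 100, 101 and 102, the numbers the client dictionary assigns to Contact, Sip-Method and Sip-Response-Code. The check below is an added example, not part of the original post: it compares a client and a server dictionary and lists every number the two sides name differently. Both sample tables and the function name are constructed for illustration.

```shell
#!/bin/sh
# Client side: entries quoted in the posts above (dictionary.opensips plus
# the Contact definition).
CLIENT_DICT='ATTRIBUTE Contact            100 string
ATTRIBUTE Sip-Method         101 integer
ATTRIBUTE Sip-Response-Code  102 integer   # Schulzrinne, acc
ATTRIBUTE Sip-To-Tag         104 string
ATTRIBUTE Sip-From-Tag       105 string'

# Server side (constructed): the names printed in the debug output, with the
# standard numbers for 100-102 and the client numbers for the two Sip tags.
SERVER_DICT='ATTRIBUTE Framed-IPv6-Pool 100 string
ATTRIBUTE Error-Cause      101 integer
ATTRIBUTE EAP-Key-Name     102 string
ATTRIBUTE Sip-To-Tag       104 string
ATTRIBUTE Sip-From-Tag     105 string'

# Print "number client-name server-name" for every attribute number that
# both dictionaries ($1 client, $2 server) define under different names.
dict_collisions() {
    {
        printf '%s\n' "$2" | sed 's/^/S /'   # server entries are read first
        printf '%s\n' "$1" | sed 's/^/C /'
    } |
    awk '$1 == "S" && $2 == "ATTRIBUTE" { srv[$4] = $3 }
         $1 == "C" && $2 == "ATTRIBUTE" && ($4 in srv) && srv[$4] != $3 {
             print $4, $3, srv[$4]
         }' |
    sort -n
}

dict_collisions "$CLIENT_DICT" "$SERVER_DICT"
```

Each reported line is an attribute the accounting server will log under a different name than the one the client intended, which makes the accounting records misleading.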



Re: cleaning house on radius server?

2011-01-17 Thread Christ Schlacta
I have everyone setup to use tls authentication, with authorization via 
ldap check on the hostname and the mac address.  that's the ONLY path.




On 1/17/2011 13:28, John Dennis wrote:

On 01/17/2011 03:36 PM, Christ Schlacta wrote:

I've got a radius server up and running, and I want to clean up my
configuration as much as possible.  is it a safe assumption that if I
remove a file (actually move it out of the way) and attempt to
authenticate a client that if the client can successfully authenticate
that everything is working?


No. Because different clients use different authentication methods.

There really is no value to be gained by removing configuration files 
and entries, in the end you're far more likely to break something.






Re: modules directory

2011-01-17 Thread Johan Meiring

On 2011/01/17 10:37 PM, Christ Schlacta wrote:


one more question: can there be multiples of ANY module specified? for
example, can I use two different ldap or sql modules if I were to need to
(just as a bad example, I propose: 1 radius server, 2 wlans with different
user bases that can't be merged into one directory for whatever reasons).



The first instance of a module is defined (and called) using the module name

e.g.

Definition:
checkval {
item = 

}

Calling the module:
checkval


The second instance is named and called using the name

Definition:
checkval blah {
item = ...

}

Calling the module:
blah


Hope that helps.



--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
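
The naming rule from the replies above, as an added example that is not from the thread: it reads module definitions and prints, for each block, the name to use when calling it, and flags call names defined twice. The sample holds the checkval block from the question plus a second instance; the instance name checkval_nas and its NAS-Identifier check are made up for this example.

```shell
#!/bin/sh
# Constructed sample: the checkval block from the question plus a second,
# named instance (hypothetical name and attribute choice).
MODULES_SAMPLE='checkval {
	item-name = Calling-Station-Id
	check-name = Calling-Station-Id
	data-type = string
	notfound-reject = no
}
checkval checkval_nas {
	item-name = NAS-Identifier
	check-name = NAS-Identifier
	data-type = string
	notfound-reject = no
}'

# Print "module call-name" for every top-level block: the call name is the
# instance name when one is given, otherwise the module name itself.
list_instances() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                                  # drop comments
        depth == 0 && NF == 2 && $NF == "{" { print $1, $1 }
        depth == 0 && NF == 3 && $NF == "{" { print $1, $2 }
        { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }    # track nesting
    '
}

# Print call names that are defined more than once, which makes a call
# by that name ambiguous.
duplicate_names() {
    list_instances "$1" |
    awk '{ n[$2]++ } END { for (k in n) if (n[k] > 1) print k }' | sort
}

list_instances "$MODULES_SAMPLE"
```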
