Re: Re [How to use Listen directive in inner tunnel virtual server]

2011-04-13 Thread Alan DeKok
Thomas Fagart wrote:
 I've tried 2.1.x. (2.1.11)
 
 Seems to work well but after an hour of working
 
 I've got the following
 
 Apr 10 22:20:50 vma-prdaut-08 radiusd[65766]: Exiting due to internal
 error: Failed in select: Invalid argument
 Apr 10 22:20:50 vma-prdaut-08 radiusd[65766]: Exiting due to internal
 error: Failed in select: Invalid argument

  My guess is you're running FreeBSD, and possibly in a VM?

  The issue seems to be that the system time goes up and down...
FreeRADIUS expects time to increase, and when it doesn't, it passes a
negative wait time to the select() function.  This isn't nice, so
select() complains.

  The fix is to double-check the times, and limit them at some
reasonable value.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
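The failure Alan describes above, as an added example (this is a Python model written for this page, not code from FreeRADIUS or from the thread): the event loop hands select() the difference between the next timer and the current time. When the wall clock steps backwards, or a timer is already overdue, that difference is negative and select(2) refuses it with EINVAL, which is the "Failed in select: Invalid argument" Thomas quoted; Python's select() raises ValueError for the same input, so the probe below shows the kernel's reaction without a C harness. The clamped version does what Alan suggests, bounding the wait to [0, MAX_WAIT]; MAX_WAIT and the (now, when) readings are assumptions for the demo. The complementary fix is to schedule on a monotonic clock, which the OS guarantees never runs backwards.

```python
import select
import time

MAX_WAIT = 10.0  # assumed upper bound on a single select() wait, in seconds


def naive_wait(now, when):
    """What the buggy loop did: hand select() the raw difference."""
    return when - now


def clamped_wait(now, when, max_wait=MAX_WAIT):
    """Double-check the times and limit them to a reasonable range.

    A negative difference means the clock stepped backwards or the timer is
    already due: wait 0, let the loop run the timer and re-evaluate.
    """
    delta = when - now
    if delta < 0.0:
        return 0.0
    return min(delta, max_wait)


def select_accepts(timeout):
    """Would select() take this timeout?

    Non-negative values are probed as 0 so the demo never sleeps; negative
    ones are passed through so select() can object to them.
    """
    probe = timeout if timeout < 0.0 else 0.0
    try:
        select.select([], [], [], probe)  # no fds: pure timeout
        return True
    except ValueError:  # Python's spelling of EINVAL from select(2)
        return False


def monotonic_deadline(delay, clock=time.monotonic):
    """Schedule relative to a clock that cannot step backwards.

    The wall clock is then used only for timestamps, never for waits.
    """
    return clock() + delay


def compare(samples):
    """For constructed (now, when) readings, return
    (naive_wait, clamped_wait, whether select() accepts the naive value)."""
    out = []
    for now, when in samples:
        n = naive_wait(now, when)
        out.append((n, clamped_wait(now, when), select_accepts(n)))
    return out


if __name__ == "__main__":
    # Second pair: the clock was read as 100.0 after the timer was set for 99.5
    for row in compare([(100.0, 100.25), (100.0, 99.5)]):
        print(row)
```

The first row is the normal case; the second is the bug: the naive value is rejected, the clamped value is 0 and the loop simply runs the overdue timer. In a VM whose guest clock is being stepped by the hypervisor or an NTP daemon this happens regularly, which is why the clamp alone is not enough and the deadline itself should come from a monotonic source.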


Re: unable to authenticate freeradius+AD

2011-04-13 Thread Alan Buxey
hi,

dont really care about config - radiusd -X  output please

alan


Re: unable to authenticate freeradius+AD

2011-04-13 Thread Alan DeKok
Yao Konou wrote:
 Can you guide me on how to fix it.

  Follow the documentation, including the documentation for what
information to post to the list.

 This is a rar file with my users + ntlm_auth + mschap + 
 sites-enabled/default conf.

  That information is probably useless.

  Post the debug output, as suggested in the FAQ, README, man page,
web pages, and daily on this list.

  Alan DeKok.


RE: unable to authenticate freeradius+AD

2011-04-13 Thread Yao Konou
Hi , 
This is my radiusd -X output.

Thanks 





Yao Thierry Konou
AMR SERVICES
11 Rue du Petit Châtelier CS90346
44303 NANTES CEDEX 3
Tel : 02 28 44 19 80 - Fax : 02 28 44 53 88
Site: http://www.amr-services.fr


Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_realm, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_realm
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating suffix
Mon Apr 11 14:24:39 2011 : Debug:   realm suffix {
Mon Apr 11 14:24:39 2011 : Debug:   format = suffix
Mon Apr 11 14:24:39 2011 : Debug:   delimiter = @
Mon Apr 11 14:24:39 2011 : Debug:   ignore_default = no
Mon Apr 11 14:24:39 2011 : Debug:   ignore_null = no
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_files, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_files
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating files
Mon Apr 11 14:24:39 2011 : Debug:   files {
Mon Apr 11 14:24:39 2011 : Debug:   usersfile = /etc/freeradius/users
Mon Apr 11 14:24:39 2011 : Debug:   acctusersfile = 
/etc/freeradius/acct_users
Mon Apr 11 14:24:39 2011 : Debug:   preproxy_usersfile = 
/etc/freeradius/preproxy_users
Mon Apr 11 14:24:39 2011 : Debug:   compat = no
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug: [/etc/freeradius/users]:103 WARNING! Changing 
'Tunnel-Medium-Type =' to 'Tunnel-Medium-Type =='   for comparing RADIUS 
attribute in check item list for user DEFAULT
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking session {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_radutmp, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_radutmp
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating radutmp
Mon Apr 11 14:24:39 2011 : Debug:   radutmp {
Mon Apr 11 14:24:39 2011 : Debug:   filename = /var/log/freeradius/radutmp
Mon Apr 11 14:24:39 2011 : Debug:   username = %{User-Name}
Mon Apr 11 14:24:39 2011 : Debug:   case_sensitive = yes
Mon Apr 11 14:24:39 2011 : Debug:   check_with_nas = yes
Mon Apr 11 14:24:39 2011 : Debug:   perm = 384
Mon Apr 11 14:24:39 2011 : Debug:   callerid = yes
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking post-proxy {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking post-auth {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_attr_filter, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_attr_filter
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating 
attr_filter.access_reject
Mon Apr 11 14:24:39 2011 : Debug:   attr_filter attr_filter.access_reject {
Mon Apr 11 14:24:39 2011 : Debug:   attrsfile = 
/etc/freeradius/attrs.access_reject
Mon Apr 11 14:24:39 2011 : Debug:   key = %{User-Name}
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug:  } # modules
Mon Apr 11 14:24:39 2011 : Debug: } # server
Mon Apr 11 14:24:39 2011 : Debug: server {
Mon Apr 11 14:24:39 2011 : Debug:  modules {
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking authenticate {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking authorize {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_preprocess, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_preprocess
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating preprocess
Mon Apr 11 14:24:39 2011 : Debug:   preprocess {
Mon Apr 11 14:24:39 2011 : Debug:   huntgroups = 
/etc/freeradius/huntgroups
Mon Apr 11 14:24:39 2011 : Debug:   hints = /etc/freeradius/hints
Mon Apr 11 14:24:39 2011 : Debug:   with_ascend_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   ascend_channels_per_line = 23
Mon Apr 11 14:24:39 2011 : Debug:   with_ntdomain_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   with_specialix_jetstream_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   with_cisco_vsa_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   with_alvarion_vsa_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking preacct {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_acct_unique, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module 

Re: unable to authenticate freeradius+AD

2011-04-13 Thread Alan Buxey
hi,


Looks like the PC is not properly responding. Have you got the RADIUS server's
CA on the client?  (i.e. does the client know the CA and trust it?)

alan


RE: unable to authenticate freeradius+AD

2011-04-13 Thread Yao Konou
Yes, 
The client is Windows XP SP3 and I copied the certificate from the server to 
the client, installed it and configured it to use MSCHAPv2.
For information, I can authenticate these users above: yao and rgc, but the 
members of the LDAP group radius-users cannot.


  
#DEFAULT Auth-Type = ntlm_auth 



yao	Cleartext-Password := yao, MS-CHAP-Use-NTLM-Auth := 0
	Reply-Message = "Felicitations vous venez de vous connecter au reseaux RGC",
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-ID = 2

rgc	Cleartext-Password := rgc, MS-CHAP-Use-NTLM-Auth := 0
	Reply-Message = "Felicitations vous venez de vous connecter au reseaux RGC",
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-ID = 2

DEFAULT	NAS-Port-Type == Ethernet, Ldap-Group == radius-users, Tunnel-Private-Group-Id == 2, Tunnel-Type == VLAN, Service-Type == Login-User, Tunnel-Medium-Type = IEEE-802, Fall-Through = no


Thanks 


Yao Thierry Konou
AMR SERVICES
11 Rue du Petit Châtelier CS90346
44303 NANTES CEDEX 3
Tel : 02 28 44 19 80 - Fax : 02 28 44 53 88
Site: http://www.amr-services.fr





Re: FW: Duplicate Accounting maybe once, twice a day

2011-04-13 Thread Alan DeKok
Marius Pesé wrote:
 This is both the same package. Maybe the odd thing is not the duplicate every 
 once in a while but rather the fact that the bulk of them is not duplicated?

  Accounting packets WILL get sent twice.  There's little you can do to
avoid that.

  You need to design the system so that it handles duplicate accounting
packets.

  Alan DeKok.


RE: FW: Duplicate Accounting maybe once, twice a day

2011-04-13 Thread Marius Pesé
Hi Alan,

thanks for the quick reply.
If accounting packets are sent twice per default, do you have a guess as to why 
1 or 2 per day lead to duplicate entries and the other hundred or so just have 
1 entry?

Thanks 
Marius



Re: Problem with EAP-TLS authentication in Freeradius 2.1.0

2011-04-13 Thread senthil kumar
Hi,
  Can anyone please give some solution or idea to debug it.



Regards
Senthil



On Mon, Apr 11, 2011 at 5:57 PM, senthil kumar mail...@gmail.com wrote:

 Hi Alan,
 Any solution or debug to this problem.
 Please let me know.



 Regards
 Senthil



 On Fri, Apr 8, 2011 at 1:43 PM, senthil kumar mail...@gmail.com wrote:

 Hi Alan,
 Earlier I faced the same problem and after changing the Makefile it
 was working fine.
 Now the certificate has expired and I tried to generate a new certificate.
 The problem is I am not able to connect with the new certificate.
 So please let me know how to solve this problem.



 Regards
 Senthil

   On Fri, Apr 8, 2011 at 12:40 PM, Alan DeKok 
 al...@deployingradius.com wrote:

 senthil kumar wrote:
I am using Freeradius 2.1.0
PEAP/TTLS is working fine and I am facing problem in TLS
  authentication. I am able to generate certificate but while connecting
  it throws Authentication error.
   Please let me know how to debug it.

  *Read* the debug log.  There's a lot of text, but looking for
 warning or error or failure or reject is simple.

  [tls]  TLS 1.0 Alert [length 0002], warning bad_certificate
 
  TLS Alert read:warning:bad certificate

  See?

  Alan DeKok.
-- 
Adversity always presents opportunity for Introspection

Regards
Senthil

Re: MAC Address and Username Binding on FreeRADIUS

2011-04-13 Thread syharash
I am trying to lock a single user to a single laptop.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/MAC-Address-and-Username-Binding-on-FreeRADIUS-tp4297874p4300485.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: MAC Address and Username Binding on FreeRADIUS

2011-04-13 Thread Accts

Use the Calling-Station-Id value in radcheck!


Re: FW: Duplicate Accounting maybe once, twice a day

2011-04-13 Thread Alan DeKok
Marius Pesé wrote:
 thanks for the quick reply.
 If accounting packets are sent twice per default, 

  That's not what I said.

 do you have a guess as to why 1 or 2 per day lead to duplicate entries and 
 the other hundred or so just have 1 entry?

  They CAN get sent twice.  Sometimes.

  Alan DeKok.


groups with port permissions

2011-04-13 Thread subcode
Hi All,
I'm new to FreeRADIUS. I have installed FreeRADIUS and ChilliSpot on Debian
with squid and iptables. Everything is OK, but I want to make a group with
port permissions. For example, the first group Low with only HTTP(S)
permission, the second group Mittel with HTTP(S), POP(S), IMAP, SMTP(S)
and the third group Hi with all permissions (all ports).
How can I do this? I have my hotspot in my caffe bar and only customers can
have internet.

Thanks for your help!

PS: Sorry for my English :-)



RE: Freeradius and Microsoft NPS

2011-04-13 Thread Doty, Seth
ok this should look better

Starting program: /usr/sbin/radiusd -X
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
rbtree_find (tree=0xe19fdc02, Data=0xb79b21a4) at rbtree.c:476
476	rbnode_t *Current = tree->Root;
Missing separate debuginfos, use: debuginfo-install glibc-2.13-1.i686 
keyutils-libs-1.2-6.fc12.i686 krb5-libs-1.8.2-9.fc14.i686 
libcom_err-1.41.12-6.fc14.i686 libselinux-2.0.96-6.fc14.1.i686 
libtool-ltdl-2.2.10-3.fc14.i686 nss-softokn-freebl-3.12.9-5.fc14.i686 
openssl-1.0.0d-1.fc14.i686 zlib-1.2.5-2.fc14.i686

Thread 1 (Thread 0xb79e8730 (LWP 17523)):
#0  rbtree_find (tree=0xe19fdc02, Data=0xb79b21a4) at rbtree.c:476
        Current = <value optimized out>
#1  0xb7fce38b in rbtree_deletebydata (tree=0xe19fdc02, data=0xb79b21a4)
    at rbtree.c:457
        node = <value optimized out>
#2  0xb79d5123 in eap_handler_free (inst=0x294330, handler=0xb79b21a4)
    at mem.c:138
No locals.
#3  0x00131127 in request_free (request_ptr=0xbfffebec) at util.c:235
        this = <value optimized out>
        next = 0x0
        request = 0x2734d0
#4  0xb79aec29 in eappeap_postproxy (handler=0x2745b8, data=0x274e60)
    at peap.c:532
        rcode = <value optimized out>
        tls_session = 0x274e60
        fake = 0x2734d0
        request = 0x273ff8
#5  0xb79d2c07 in eap_post_proxy (inst=0x253b90, request=0x273ff8)
    at rlm_eap.c:602
        rcode = <value optimized out>
        data = <value optimized out>
        i = <value optimized out>
        len = <value optimized out>
        vp = <value optimized out>
        handler = 0x2745b8
#6  eap_post_proxy (inst=0x253b90, request=0x273ff8) at rlm_eap.c:565
No locals.
#7  0x0012c95d in call_modsingle (component=6, c=0x26e778, request=0x273ff8)
    at modcall.c:297
        myresult = <value optimized out>
#8  modcall (component=6, c=0x26e778, request=0x273ff8) at modcall.c:670
        myresult = 1
        stack = {pointer = 1, priority = {0 <repeats 32 times>}, result = {
            0 <repeats 32 times>}, children = {0x0 <repeats 32 times>}, 
          start = {0x0 <repeats 32 times>}}
        parent = 0x26e778
        child = 0x26e368
        sp = 0x26e368
        if_taken = 0
        was_if = 0
#9  0x0012b0a4 in indexed_modcall (comp=6, idx=0, request=0x273ff8)
    at modules.c:728
        rcode = <value optimized out>
        list = <value optimized out>
        server = <value optimized out>
#10 0x0012ba4c in module_post_proxy (type=0, request=0x273ff8)
    at modules.c:1565
No locals.
#11 0x0013504c in process_proxy_reply (request=0x273ff8) at event.c:1730
        rcode = <value optimized out>
        post_proxy_type = 0
        vp = 0x0
#12 0x001350fe in request_pre_handler (request=0x273ff8) at event.c:1855
        rcode = <value optimized out>
#13 0x001389c3 in radius_handle_request (request=0x273ff8, 
    fun=0x118d80 <rad_authenticate>) at event.c:3767
No locals.
#14 0x001309ec in thread_pool_addrequest (request=0x273ff8, 
    fun=0x118d80 <rad_authenticate>) at threads.c:874
No locals.
#15 0x00136424 in event_socket_handler (xel=<value optimized out>, fd=14, 
    ctx=0x273080) at event.c:3419
        listener = 0x273080
        fun = 0x118d80 <rad_authenticate>
        request = 0x273ff8
#16 0xb7fd4d65 in fr_event_loop (el=0x26e948) at event.c:411
        ef = <value optimized out>
        i = <value optimized out>
        rcode = 1
        maxfd = <value optimized out>
        when = {tv_sec = 1302699971, tv_usec = 386585}
        wake = <value optimized out>
        read_fds = {fds_bits = {16384, 0 <repeats 31 times>}}
        master_fds = {fds_bits = {31872, 0 <repeats 31 times>}}
#17 0x00138994 in radius_event_process () at event.c:3760
No locals.
#18 0x0011821e in main (argc=2, argv=0xb7c4) at radiusd.c:406
        rcode = <value optimized out>
        argval = <value optimized out>
        spawn_flag = 0
        dont_fork = 1
        flag = 0
        act = {__sigaction_handler = {sa_handler = 0x12e6e0 <sig_fatal>, 
            sa_sigaction = 0x12e6e0 <sig_fatal>}, sa_mask = {__val = {
              0 <repeats 32 times>}}, sa_flags = 0, sa_restorer = 0}

From: freeradius-users-bounces+seth.doty=nebraska@lists.freeradius.org 
[freeradius-users-bounces+seth.doty=nebraska@lists.freeradius.org] On 
Behalf Of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Tuesday, April 12, 2011 5:07 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Freeradius and Microsoft NPS

On 04/12/2011 07:32 PM, Doty, Seth wrote:
 The box is fedora 14 with freeradius from the repos.  This the the output of 
 the gdb log flle:


Can you install the freeradius-debuginfo RPM and do this again; the
backtrace is partial/mangled.

It looks like it may be dying in request_free in peap.c:625, but the
debug info will give line numbers; you could also try stepping up a
few times and examining relevant variables.

Re: groups with port permissions

2011-04-13 Thread Stephen Vigus
Hi

I think your best bet would be to assign different IP pools for
each of these groups on your NAS. Then use iptables and limit each IP
group as you like.

Regards
Stephen




Re: Freeradius and Microsoft NPS

2011-04-13 Thread Alan DeKok
Doty, Seth wrote:
 ok this should look better

  See commit 4dbb466b6526c0dacdcf36949bbdaa38416a1be2 on git.freeradius.org.

  Grab the v2.1.x branch, it should be fixed there.

  We should release 2.1.11 soon.

  Alan DeKok.


how to send wifi connection attributes.

2011-04-13 Thread Ramon Escriba

Hi all,
I've a mac authentication schema working.
Now I want to add 802.1x Eap+Mschapv2 for WiFI/Wire.

We're using Aruba's AP.

Aruba is very peculiar: it extends an aruba-ap VLAN between the controller
and the APs.  
The other configured VLANs are secure tunnels inside this aruba-ap VLAN.

Our Aruba WiFi has 2 main VLANs, one for data and the other for VoIP (alias SSIDs
wifidata and wifivoip) with different QoS.

The test user aaa authenticates correctly, but I'm still not able to
send to my Aruba controller the VLAN the 
authenticated user should be attached to. So to wifidata with a laptop, but
to wifivoip with a mobile.

I do cheat adding to the test user aaa a pair of radiusReplyItem
attributes:

Aruba-User-Vlan = 4000
Aruba-User-Role = authenticated

The cheat works:

(...)
++[exec] returns noop
Sending Access-Accept of id 166 to 84.89.232.250 port 32834
   Tunnel-Private-Group-Id:0 = X1
   Aruba-User-Vlan = 4000
   Aruba-User-Role = authenticated
   User-Name = aaa
   MS-MPPE-Recv-Key =
0x634d9e2f148f2484671e78e939bb4a9661ac05f1f242a016e9b16458538d6632
   MS-MPPE-Send-Key =
0x24d48bb9ce204be409131d3dd3226c4bb7bee7805c5dd006b25e2f9d0faca881
   EAP-Message = 0x03260004
   Message-Authenticator = 0x
Finished request 55.
(...)

But without the cheat, it does not. It connects correctly to the wifi, but as
it is attached to an incorrect VLAN, in our case the aruba-ap VLAN, it does not
get a correct IP from our DHCP.

(...)
Sending Access-Accept of id 121 to 84.89.232.250 port 32834
   Tunnel-Private-Group-Id:0 = X1
   User-Name = aaa
   MS-MPPE-Recv-Key =
0x6859e312650c6232d0b20930eba797e110036da56fb710248c676ba5558e05e0
   MS-MPPE-Send-Key =
0x3520313eb26c8f00f9a4d561aa183cc3991d38dd89d43322ad32a80437f172d9
   EAP-Message = 0x030c0004
   Message-Authenticator = 0x
Finished request 10.
Going to the next request


The problem is one user aaa may be able to connect to wifidata and wifivoip
with different devices (laptop / mobile).

Any clue? Where should I force the radiusReplyItem ???

Regards.

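One way to take the decision off the user object, as an added example that is not from the thread or from Aruba's documentation: a radiusReplyItem in LDAP applies to the user wherever they connect, which is exactly why it cannot distinguish the laptop from the phone. The controller, however, tells the server which SSID the client associated to, in the Aruba-Essid-Name VSA from FreeRADIUS's dictionary.aruba, so the VLAN can be chosen per association in the post-auth section of the outer virtual server. The VLAN IDs 4000/4001, the role name "voip" and the SSID strings are assumptions for the example.

```text
# raddb/sites-enabled/default, post-auth section of the OUTER server.
# The SSID arrives in the Aruba-Essid-Name VSA; pick the VLAN from it,
# not from the user.  VLAN IDs and role names below are placeholders.
post-auth {
	if (Aruba-Essid-Name == "wifivoip") {
		update reply {
			Aruba-User-Vlan := 4001
			Aruba-User-Role := "voip"
		}
	}
	elsif (Aruba-Essid-Name == "wifidata") {
		update reply {
			Aruba-User-Vlan := 4000
			Aruba-User-Role := "authenticated"
		}
	}
}
```

Doing this in the outer server avoids the usual PEAP trap: reply attributes set inside the inner-tunnel only reach the controller when use_tunneled_reply = yes is set in the peap section of eap.conf. A client on an SSID that matches neither branch gets no VLAN attribute and lands where it does today, which is easy to spot in radiusd -X.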


Re: Freeradius and Microsoft NPS

2011-04-13 Thread Phil Mayers

Actually, I was just testing this and proxying the inner EAP-MSCHAPv2 as 
plain MS-CHAPv2 seems to be broken, at least in my testing. It doesn't 
crash the server, but equally it doesn't pass the S=XXX success back 
correctly either, so the client does a PEAP reject.


It seems as if the rlm_eap_mschapv2 post_proxy function isn't working 
somehow; I am trying to perform a git bisect to find when it stopped 
working, but am running into problems with the commits which don't build :o(



Re: Freeradius and Microsoft NPS

2011-04-13 Thread Phil Mayers

Sigh. I can't even build old version of the server any more; libtool 
really is a crock of s**t.



Re: FW: Duplicate Accounting maybe once, twice a day

2011-04-13 Thread Fajar A. Nugraha
On Wed, Apr 13, 2011 at 5:12 PM, Alan DeKok al...@deployingradius.com wrote:
 Marius Pesé wrote:
 This is both the same package. Maybe the odd thing is not the duplicate 
 every once in a while but rather the fact that the bulk of them is not 
 duplicated?

  Accounting packets WILL get sent twice.  There's little you can do to
 avoid that.

  You need to design the system so that it handles duplicate accounting
 packets.

... which sometimes is as simple as changing the database schema to
use (username,acctuniqid) as unique key. When you do that and a
duplicate accounting start packet arrives, the default
accounting_start_query (insert) on dialup.conf should fail and
accounting_start_query_alt (update) will be executed instead. So you
won't have duplicate records.

-- 
Fajar

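Fajar's suggestion worked through, as an added example (written for this page, not FreeRADIUS's own SQL module or the stock schema): the unique key on (username, acctuniqueid) makes the primary accounting_start_query fail on a retransmitted Start, and the SQL module then runs the *_alt query, so the second copy turns into an update of the row the first one created. The Stop query is written to touch only a row that has not been stopped yet, so a duplicated Stop is likewise harmless. Acct-Unique-Session-Id is what rlm_acct_unique (loaded in the debug output earlier on this page) adds in preacct from a configured set of request attributes, so a retransmit carries the same value. The radacct columns are a subset of the real schema and the packets are constructed; sqlite stands in for MySQL.

```python
import sqlite3

# Constructed subset of radacct; the stock schema has many more columns.
SCHEMA = """
CREATE TABLE radacct (
    radacctid       INTEGER PRIMARY KEY,
    acctuniqueid    TEXT NOT NULL,
    username        TEXT NOT NULL,
    nasipaddress    TEXT NOT NULL,
    acctsessionid   TEXT NOT NULL,
    acctstarttime   TEXT,
    acctstoptime    TEXT,
    acctsessiontime INTEGER,
    UNIQUE (username, acctuniqueid)
)
"""

# Same pattern as dialup.conf: the *_alt query runs only if the primary fails.
ACCT_START = (
    "INSERT INTO radacct (acctuniqueid, username, nasipaddress,"
    " acctsessionid, acctstarttime) VALUES (:uniq, :user, :nas, :sess, :when)"
)
ACCT_START_ALT = (
    "UPDATE radacct SET acctstarttime = :when"
    " WHERE acctuniqueid = :uniq AND username = :user"
)
# Only an open session may be closed, so a duplicated Stop changes nothing.
ACCT_STOP = (
    "UPDATE radacct SET acctstoptime = :when, acctsessiontime = :secs"
    " WHERE acctuniqueid = :uniq AND username = :user AND acctstoptime IS NULL"
)


def open_radacct():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def _params(pkt):
    return {
        "uniq": pkt["Acct-Unique-Session-Id"],
        "user": pkt["User-Name"],
        "nas": pkt["NAS-IP-Address"],
        "sess": pkt["Acct-Session-Id"],
        "when": pkt["Event-Timestamp"],
        "secs": pkt.get("Acct-Session-Time"),
    }


def account(conn, pkt):
    """Apply one accounting packet (a dict of attributes).

    Returns which query took effect: 'start', 'start_alt', 'stop' or 'stop_dup'.
    """
    p = _params(pkt)
    status = pkt["Acct-Status-Type"]
    if status == "Start":
        try:
            with conn:
                conn.execute(ACCT_START, p)
            return "start"
        except sqlite3.IntegrityError:  # duplicate (username, acctuniqueid)
            with conn:
                conn.execute(ACCT_START_ALT, p)
            return "start_alt"
    if status == "Stop":
        with conn:
            cur = conn.execute(ACCT_STOP, p)
        return "stop" if cur.rowcount == 1 else "stop_dup"
    raise ValueError("unhandled Acct-Status-Type %r" % (status,))


def session_count(conn):
    return conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]


if __name__ == "__main__":
    db = open_radacct()
    start = {
        "Acct-Status-Type": "Start", "Acct-Unique-Session-Id": "9f1c0b2a",
        "User-Name": "marius", "NAS-IP-Address": "10.0.0.1",
        "Acct-Session-Id": "0000001a", "Event-Timestamp": "2011-04-13 09:00:00",
    }
    print(account(db, start), account(db, dict(start)), session_count(db))
```

Without the unique key, the schema has nothing that lets the database say "I have seen this session"; the occasional duplicate row Marius sees is just the retransmit that happened to arrive, and the cure is in the schema rather than in the NAS.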


Re: Freeradius and Microsoft NPS

2011-04-13 Thread Alan DeKok
Phil Mayers wrote:
 Sigh. I can't even build old version of the server any more; libtool
 really is a crock of s**t.

  I'm looking to get rid of libtool and libltdl entirely for 3.0.  At
this point, every major OS has dlopen().  And libtool is just
ridiculous.  99.9% of systems use GCC, so libtool is useless and slow.

  Alan DeKok.


Re: Freeradius and Microsoft NPS

2011-04-13 Thread Alan DeKok
Phil Mayers wrote:
 Actually, I was just testing this and proxying the inner EAP-MSCHAPv2 as
 plain MS-CHAPv2 seems to be broken, at least in my testing. It doesn't
 crash the server, but equally it doesn't pass the S=XXX success back
 correctly either, so the client does a PEAP reject.

  Hmm... OK.

 It seems as if the rlm_eap_mschapv2 post_proxy function isn't working
 somehow; I am trying to perform a git bisect to find when it stopped
 working, but am running into problems with the commits which don't build
 :o(

  Sorry... we really need a test infrastructure.

  Alan DeKok.


Re: Freeradius and Microsoft NPS

2011-04-13 Thread Phil Mayers

No worries; it seems to be broken for 2.1.7 and 2.1.8, but worked in 
2.1.1 - still trying to track it down more tightly than that.


(We don't actually use this feature so I'm not that fussed, but I'm 
determined to wrestle git bisect into submission ;o)



Re: Freeradius and Microsoft NPS

2011-04-13 Thread Phil Mayers

Actually, scratch that. Proxying in those versions doesn't work for me 
at all:


ERROR: Failed to create a new socket for proxying requests.
ERROR: Failed inserting request into proxy hash.
ERROR: Failed to proxy request 7

...I'm baffled as to what I'm doing wrong, but I'm giving up at this point!


Re: Freeradius and Microsoft NPS

2011-04-13 Thread Alan DeKok
Phil Mayers wrote:
 Actually, scratch that. Proxying in those versions doesn't work for me
 at all:
 
 ERROR: Failed to create a new socket for proxying requests.
 ERROR: Failed inserting request into proxy hash.
 ERROR: Failed to proxy request 7
 
 ...I'm baffled as to what I'm doing wrong, but I'm giving up at this point!

  2.1.10:

* Fix proxying of packets from inside a TTLS/PEAP tunnel.
  Closes bug #25.

  Alan DeKok.


MySQL problem

2011-04-13 Thread Nagy Gábor
Hi everyone,

I'm new here. My name is Gábor Nagy from Hungary. I'm doing my thesis.

I have some problems with configuring the SQL in freeradius-dialupadmin.
Right now when I click on User Statistics or Accounting or Statistics ...
etc...
I get this: DEBUG(SQL,MYSQL DRIVER): Connect: User= root ,Password= **

Can you help me?

It's very important,
Thank you,
Gabe

Re: MS-CHAP-V2 with no retry

2011-04-13 Thread John . Hayward
First - thanks to the free radius group for all the work on this over the 
weekend.


There have been some fixes and extensions to my original patches and I 
saw a commit on Friday before some fixes and extensions were in place.


Can someone point me to exactly what I need to git to get the current 
version of freeradius with the patches so I can do some testing at our 
site?


TIA.
johnh...

On Mon, 11 Apr 2011, Phil Mayers wrote:


Date: Mon, 11 Apr 2011 08:45:13
From: Phil Mayers p.may...@imperial.ac.uk
Reply-To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry

On 11/04/11 11:22, Phil Mayers wrote:

On 10/04/11 15:41, James J J Hooper wrote:



This C=random needs to be saved and eventually make its way into
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);


It's actually a bit more complex; the new challenge is being generated
inside rlm_mschap as part of the error, but AFACIT rlm_eap_mschapv2
needs to know it, so that it can add it to the fake request which it
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.

This would also get us part of the way there to password change via
mschap (Samba currently lacks the specific API call to do this, with the
values available in an MSCHAP CPW packet, but it might be possible to
compile a C helper which does it...)



The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work 
for me.


It needs a bit of work, specifically there should be a:

num_retries

...parameter, and the EAP module should keep track of retry attempt counts, 
and stop when either:


try_number  num_retries

or

R=0 in the MS-CHAP-Error attribute

Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it 
should go into 2.1.11 - there's probably not enough testing time.


It works for a Windows XP SP3 client here, as well as with a jury-rigged 
eapol_test/wpa_cli combo.


I'll spin up an SSID and give it a try with real clients later today.

Of note: this gets us nearer to MS-CHAP change-password functionality; I've 
looked into this a couple of times recently and Samba has almost all the bits 
required to make it work... However, that would require some infrastructure 
for the server to override the MS-CHAP error code, currently hard-coded at 
691 - 648 is password expired and would need to be set, either by parsing 
the output of ntlm_auth (for those that use it) or from some SQL/database 
attribute (for those using Cleartext/NT-Password)





Re: MS-CHAP-V2 with no retry

2011-04-13 Thread Alan DeKok
john.hayw...@wheaton.edu wrote:
 Can someone point me to exactly what I need to git to get the current
 version of freeradius with the patches so I can do some testing at our
 site?

  http://git.freeradius.org

  Grab the v2.1.x branch.  Read raddb/modules/mschap, and
raddb/eap.conf, the mschapv2 section.

  Alan DeKok.


Cisco PEAP/MSCHAPv2 issues

2011-04-13 Thread wilson4391
Have a new problem today.  I have a wireless network setup where users can
either TTLS/PAP or PEAP/MSCHAPv2 to our active directory.  All has been
working for months with clients using either method.  Today the
PEAP/MSCHAPv2 stopped working while the TTLS/PAP continues to work.  I see
no errors in logs.  Any help or suggestions would be greatly appreciated.
