Multiple Realms
Hi,

I have spent some time reading and trying to configure multiple realms, to no avail. Basically I currently have one active realm and need to have another realm configured on the same radius box. For example dsl.example.com.au is one and voice.example.com.au is the second. How can I configure the second? I know it's somewhat to do with the proxy.conf file, but I'm not sure how or where to do this.

Thanks

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Realms
Shawky Skaff wrote:
> Basically I currently have one active realm and need to have another realm configured onto the same radius box. For example dsl.example.com.au is one and voice.example.com.au is the second.

You need to configure two realms.

> How can I configure the second? I know it's somewhat to do with proxy.conf file, but not sure how or where to do this.

You create another realm block, using the name of the second realm. It shouldn't be hard.

realm foo {
	...
}

realm bar {
	...
}

Alan DeKok.
Values for MySQL tables for pptpd ?
Hi

I did set up pptpd with freeradius + mysql following http://poptop.sourceforge.net/dox/radius_mysql.html. pptpd (poptop) works fine without freeradius; with freeradius and mysql, all seems fine apart from me not knowing what values to enter into the mysql tables of freeradius.

With no entries in the database I get:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:45194, id=198, length=67
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = test
	Calling-Station-Id = 193.227.186.146
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user -- 'test'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User test not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User test not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User not found
  modcall[authorize]: module sql returns notfound for request 0
  modcall[authorize]: module mschap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 198 to 127.0.0.1 port 45194
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 198 with timestamp 4fbc8c9d

When I do add to radcheck:

INSERT INTO `radcheck` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES (11, 'test', 'Chap-Password', '==', 'test');

I get:

rad_recv: Access-Request packet from host 127.0.0.1:46882, id=199, length=67
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = test
	Calling-Station-Id = 193.227.186.146
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user -- 'test'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): No matching entry in the database for request from user [test]
  modcall[authorize]: module sql returns notfound for request 1
  modcall[authorize]: module mschap returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
---
Re: Values for MySQL tables for pptpd ?
Ali Jawad wrote:
> When I do add to radcheck - INSERT INTO `radcheck` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES (11, 'test', 'Chap-Password', '==', 'test');

That's wrong. See the FAQ. Use Cleartext-Password := test.

Alan DeKok.
Re: Values for MySQL tables for pptpd ?
Thanks Alan, I assumed Chap-Password because during testing I got:

auth: No User-Password or CHAP-Password attribute in the request

Regards

On Wed, May 23, 2012 at 10:16 AM, Alan DeKok <al...@deployingradius.com> wrote:
> That's wrong. See the FAQ. Use Cleartext-Password := test.

--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
Re: Values for MySQL tables for pptpd ?
Hi Alan

Sorry for the many mails. I did test with Cleartext-Password and got:

rlm_sql: Failed to create the pair: Unknown attribute Cleartext-Password
rlm_sql (sql): Error getting data from database

I have the microsoft and merit dictionaries loaded.

Regards

On Wed, May 23, 2012 at 10:44 AM, Ali Jawad <ali.ja...@splendor.net> wrote:
> Thanks Alan, I assumed Chap-Password because during testing I got:
> auth: No User-Password or CHAP-Password attribute in the request
Re: Values for MySQL tables for pptpd ?
Ali Jawad wrote:
> I did test with Cleartext-Password and got
> rlm_sql: Failed to create the pair: Unknown attribute Cleartext-Password
> rlm_sql (sql): Error getting data from database

Then you edited the default configuration and broke the server.

> I have microsoft and merit dictionary loaded

What does that mean? DON'T edit the dictionaries. The server WORKS.

Alan DeKok.
Re: Values for MySQL tables for pptpd ?
On 05/23/2012 08:46 AM, Ali Jawad wrote:
> Hi Alan
> Sorry for the many mails I did test with Cleartext-Password and got
> rlm_sql: Failed to create the pair: Unknown attribute Cleartext-Password
> rlm_sql (sql): Error getting data from database

Which version of FreeRADIUS?

> I have microsoft and merit dictionary loaded

If you have fiddled with the dictionaries, you'll break everything. Don't do that. Leave the dictionaries alone. There's no problem loading them all.
Re: Values for MySQL tables for pptpd ?
Fair enough, what is the value that forces use of Cleartext-Password?

Thanks!

On Wed, May 23, 2012 at 11:15 AM, Alan DeKok <al...@deployingradius.com> wrote:
> Then you edited the default configuration and broke the server.
> What does that mean? DON'T edit the dictionaries. The server WORKS.
Re: Values for MySQL tables for pptpd ?
Hi Alan

I did only add an include, which I have removed now. The freeradius version is 1.1.3 + freeradius-mysql from the CentOS 5 repos.

Thanks

On Wed, May 23, 2012 at 11:17 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
> Which version of FreeRADIUS?
> If you have fiddled with the dictionaries, you'll break everything. Don't do that. Leave the dictionaries alone. There's no problem loading them all.
Re: Values for MySQL tables for pptpd ?
Ali Jawad wrote:
> Fair enough, what is the value that forces use of Cleartext-Password ?

DON'T EDIT THE DICTIONARIES.

There is NOTHING YOU NEED TO DO. My example WORKS USING THE DEFAULT CONFIGURATION.

I have NO IDEA why you're asking that question. It shows a deep misunderstanding of how the server works. Happily, you don't need to understand it. Just DON'T EDIT THE DICTIONARIES. MY EXAMPLE WORKS.

What else do I need to say to convince you that you should DO WHAT I SAID?

Alan DeKok.
Re: Values for MySQL tables for pptpd ?
On Wed, May 23, 2012 at 3:22 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
> Fair enough, what is the value that forces use of Cleartext-Password ? Thanks !

Step back a bit. As Phil said, what version of FR are you using?

If you're using 2.1.x, then the dictionary should have an attribute called Cleartext-Password. If the server doesn't recognize it, you need to:
- check for typos in your config/db entry, just in case
- make SURE you don't break the server (e.g. by changing something like the default dictionary location)
- make SURE you use a new-enough version. For example, RHEL/CentOS 5 has it under the name freeradius2 package.

pptpd does need some dictionary file modification, but you should make it so that it uses a SEPARATE directory from the one that FR is using. Do NOT change anything in FR's dictionary directory.

Is that clear enough?

--
Fajar
Re: Values for MySQL tables for pptpd ?
On Wed, May 23, 2012 at 3:26 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
> Hi Alan
> I did only add an include which I did remove now, the freeradius version is 1.1.3 + freeradius-mysql from CentOS 5 repos

Upgrade. Seriously. Don't bother doing anything else until you upgrade.

Uninstall 1.1.3, install the freeradius2 package (and the corresponding freeradius2-mysql).

--
Fajar
Re: Values for MySQL tables for pptpd ?
Ali Jawad wrote:
> Hi Alan
> I did only add an include which I did remove now, the freeradius version is 1.1.3 + freeradius-mysql from CentOS 5 repos

sigh

It would have helped to say that at the start.

Delete the 1.1.3 version. Install freeradius2.

Alan DeKok.
Re: Values for MySQL tables for pptpd ?
Hi

I switched to freeradius2. I did edit only sql.conf to the correct MySQL values and I did import schema.sql from sql/mysql/. I did add a user to the new tables and that is about all. Now I get the below. I did NOT edit any other settings; is there something that needs to be done so FR checks in the database, like adding sql entries to authorize{} and session{}?

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 247 to 127.0.0.1 port 60798
Waking up in 4.9 seconds.
Cleaning up request 0 ID 247 with timestamp +18
Ready to process requests.

Regards

On Wed, May 23, 2012 at 11:49 AM, Alan DeKok <al...@deployingradius.com> wrote:
> sigh
> It would have helped to say that at the start.
> Delete the 1.1.3 version. Install freeradius2.
Re: Values for MySQL tables for pptpd ?
On Wed, May 23, 2012 at 4:11 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
> is there something that needs to be done so FR checks in the database like adding sql entries to authorize{}

Exactly. sites-available/default should be enough for pptpd since it doesn't use EAP. The comments in that file should be clear enough. Just uncomment sql in the authorize section.

> and session{}

Only if you use simultaneous check. I suggest just ignoring it for now.

--
Fajar
Re: Values for MySQL tables for pptpd ?
On Wed, May 23, 2012 at 4:16 PM, Fajar A. Nugraha <l...@fajar.net> wrote:
> Exactly. sites-available/default should be enough for pptpd since it doesn't use EAP. The comments in that file should be clear enough. Just uncomment sql in the authorize section.

... and don't forget to read radiusd.conf as well. Read the comments there, and uncomment the line that includes sql.conf (since you didn't mention it, you probably didn't do that either).

--
Fajar
Re: Values for MySQL tables for pptpd ?
hi,

sql support isn't turned on by default, as you need to have an SQL server, schema etc. You need to ensure sql.conf is read and sql is enabled in the relevant sections.

However, given that you are installing from a package, you probably also need to install the freeradius2-mysql or freeradius2-sql package too... which might set up some things for you.

alan
Re: Values for MySQL tables for pptpd ?
Thanks for your patience so far. I did edit include sql.conf and only edited authorize to uncomment the sql line. Now I am getting the below.

[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!

I did try as LOCAL and it says set CHAP; I also tried mschap.

Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = test
	Calling-Station-Id =
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user -- 'test'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'normalusers' ORDER BY id
[sql] User found in group normalusers
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'normalusers' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 127.0.0.1 port 36343
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +8
Ready to process requests.

My DB entries are:

INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (1, 'test', 'Cleartext-Password', '==', '123456');
INSERT INTO `radgroupcheck` (`id`, `groupname`, `attribute`, `op`, `value`) VALUES (1, 'normalusers', 'Auth-Type', '==', 'chap');
INSERT INTO `radgroupreply` (`id`, `groupname`, `attribute`, `op`, `value`) VALUES (1, 'normalusers', 'Framed-Compression', '=', 'Van-Jacobson-TCP-IP'), (2, 'normalusers', 'Framed-Protocol', '=', 'PPP'), (3, 'normalusers', 'Service-Type', '=', 'Framed-User');
INSERT INTO `radreply` (`id`, `username`, `attribute`, `op`, `value`) VALUES (1, 'test', 'Framed-IP-Address', '=', '192.168.100.233');
INSERT INTO `radusergroup` (`username`, `groupname`, `priority`) VALUES ('test', 'normalusers', 1);

On Wed, May 23, 2012 at 12:17 PM, Fajar A. Nugraha <l...@fajar.net> wrote:
> ... and don't forget to read radiusd.conf as well. Read the comments there, and uncomment the line that includes sql.conf (since you didn't mention it, you probably didn't do that either).
Re: Values for MySQL tables for pptpd ?
Ali Jawad wrote:
> Thanks for your patience so far. I did edit include sql.conf and only edited authorize to uncomment sql line. Now I am getting the below.
> [chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!

Because you forced Auth-Type := CHAP. Don't do that.

> I did try as LOCAL and it says set CHAP, I also tried mschap

It's MUCH better to *understand* what's going on. Trying random changes is terrible.

> Listening on proxy address * port 1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
> 	User-Name = test
> 	Calling-Station-Id =
> 	NAS-IP-Address = 127.0.0.1
> 	NAS-Port = 0

There's no password in this request. Use a RADIUS client that sends a password!

Whatever RADIUS client you're using is broken. Don't use it.

Alan DeKok.
Re: Values for MySQL tables for pptpd ?
Hi

I did install freeradius2-mysql, configured /etc/raddb/sql.conf, included sql.conf in /etc/raddb/radius.conf and uncommented sql in the authorize section of default. I did also import schema.sql from sql/mysql/. The queries show in the debug output, but I am getting the error shown in the last email.

Thanks
Regards

On Wed, May 23, 2012 at 12:46 PM, alan buxey <a.l.m.bu...@lboro.ac.uk> wrote:
> sql support isnt turned on by default as you need to have SQL server,schema etc need to ensure sql.conf is read and sql is enabled in the relevant sections
> however, given that you are installing from package you probably also need to install freeradius2-mysql or freeradius2-sql package too...which might setup some things for you
Re: Values for MySQL tables for pptpd ?
On Wed, May 23, 2012 at 4:48 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
> Now I am getting the below.
> [chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!
> I did try as LOCAL and it says set CHAP, I also tried mschap

As Alan said, you shouldn't need to set Auth-Type manually. So don't do that.

> Listening on proxy address * port 1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
> 	User-Name = test
> 	Calling-Station-Id =
> 	NAS-IP-Address = 127.0.0.1
> 	NAS-Port = 0

Which client generates this? I highly suggest you try with radtest first. Once that works, you can try it with pptpd (or whatever client you're going to use).

--
Fajar
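The table rows the replies above are steering towards, as an added example that is not code from any of the posts: the radcheck row uses the `:=` operator with Cleartext-Password, as Alan's answer specifies (the rows posted earlier used `==`), and there is no Auth-Type row in radgroupcheck. Table and column names follow the freeradius2 sql/mysql/schema.sql the poster imported; the user name, group name, password, address and Login-Time value are the constructed values that appear in the thread.

```sql
-- Rows for the freeradius2 MySQL schema (sql/mysql/schema.sql).
-- Sample values ('test', 'normalusers', '123456', 192.168.100.233,
-- 'Al0800-1200') are the constructed values from the thread; replace them.

-- As posted (kept here commented out): '==' is a comparison operator.
-- rlm_sql compares the value against the incoming request, which carries
-- no Cleartext-Password attribute, so nothing is stored as the known-good
-- password and pap/chap/mschap report "No known good password found".
-- INSERT INTO radcheck (username, attribute, op, value)
--   VALUES ('test', 'Cleartext-Password', '==', '123456');

-- Corrected: ':=' stores the value as a control item, which is what the
-- pap, chap and mschap modules read to validate what the NAS sends.
INSERT INTO radcheck (username, attribute, op, value)
  VALUES ('test', 'Cleartext-Password', ':=', '123456');

-- Per-user reply attribute (unchanged from the posted rows).
INSERT INTO radreply (username, attribute, op, value)
  VALUES ('test', 'Framed-IP-Address', '=', '192.168.100.233');

-- Group membership; priority orders the groups when a user is in several.
INSERT INTO radusergroup (username, groupname, priority)
  VALUES ('test', 'normalusers', 1);

-- No Auth-Type row in radgroupcheck. The server selects Auth-Type from
-- the request itself: User-Password -> pap, CHAP-Password -> chap,
-- MS-CHAP-Response / MS-CHAP2-Response -> mschap. Forcing it gives
-- "[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not
-- contain a CHAP-Password attribute!" as soon as the client uses a
-- different method. A group check item that is fine to keep is a
-- Login-Time window, evaluated by rlm_logintime:
INSERT INTO radgroupcheck (groupname, attribute, op, value)
  VALUES ('normalusers', 'Login-Time', ':=', 'Al0800-1200');

-- Group reply attributes (unchanged from the posted rows).
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('normalusers', 'Framed-Compression', '=', 'Van-Jacobson-TCP-IP'),
  ('normalusers', 'Framed-Protocol',    '=', 'PPP'),
  ('normalusers', 'Service-Type',       '=', 'Framed-User');
```

To check the rows the way Fajar suggests, before involving pptpd, run `radtest test 123456 127.0.0.1 0 <shared secret from clients.conf>` against the server started with `radiusd -X`; radtest sends a User-Password, so the debug output should show the pap module accepting the stored password.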
Re: Values for MySQL tables for pptpd ?
Hi

Thanks again. I did remove the Auth-Type entry from the DB and the error now says:

rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds

I am using a pptpd server; it has plugin radius.so and plugin radattr.so loaded. The radius client is:

rpm -qa | grep radiusclient
radiusclient-ng-utils-0.5.6-3.el5
radiusclient-ng-0.5.6-3.el5

Its radiusclient config is:

auth_order	radius
login_tries	4
login_timeout	60
nologin		/etc/nologin
issue		/etc/radiusclient/issue
authserver	localhost:1812
acctserver	localhost:1813
servers		/etc/radiusclient/servers
#dictionary	/etc/raddb/dictionary
dictionary	/usr/share/radiusclient-ng/dictionary
login_radius	/usr/sbin/login.radius
seqfile		/var/run/radius.seq
mapfile		/etc/radiusclient/port-id-map
default_realm
radius_timeout	10
radius_retries	3
login_local	/bin/login

On Wed, May 23, 2012 at 12:54 PM, Alan DeKok <al...@deployingradius.com> wrote:
> Because you forced Auth-Type := CHAP. Don't do that.
> It's MUCH better to *understand* what's going on. Trying random changes is terrible.
> There's no password in this request. Use a RADIUS client that sends a password!
> Whatever RADIUS client you're using is broken. Don't use it.
Re: Values for MySQL tables for pptpd ?
Hi

I got it to work at least half way. I did change the pptpd options from

-chap
-mschap
+mschap-v2
require-mppe

TO

+chap
+mschap
+mschap-v2
#require-mppe

And in the MS Win 7 VPN settings I did set encryption to optional. This way I can connect, see:

++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = 4FBCBB330F5000,User-Name = test'
[acct_unique] Acct-Unique-Session-ID = 6bbdd9f2f808f872.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/detail-20120523
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20120523
[detail] expand: %t -> Wed May 23 11:25:55 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> test
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 27 to 127.0.0.1 port 50177
Finished request 2.
Cleaning up request 2 ID 27 with timestamp +15
Going to the next request
Waking up in 4.7 seconds.

However, when I do try to use MSCHAPV2 in the VPN settings, or if I do require encryption with the appropriate settings in pptpd, it fails.

Test example:

Set the VPN client in Win 7 to require encryption and MSCHAPV2 (default options). Set the pptpd options to:

-chap
-mschap
+mschap-v2
require-mppe

I get the following in radius:

++[sql] returns ok
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'Al0800-1200'
rlm_logintime: timestr returned accept
rlm_logintime: Session-Timeout set to: 1200
++[logintime] returns ok
[pap] No clear-text password in the request. Not performing PAP.
++[pap] returns noop
!!!
!!!	Replacing User-Password in config items with Cleartext-Password.
!!!
!!! Please update your configuration so that the known good
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request. Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 45 to 127.0.0.1 port 60652
Waking up in 4.9 seconds.
Cleaning up request 12 ID 45 with timestamp +591
Ready to process requests.

In short it works for chap but not mschap, any input please?

Regards

On Wed, May 23, 2012 at 1:13 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
> Thanks again I did remove Auth-Type entry from DB and error says now
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
> I am using a pptpd server, it has plugin radius.so plugin radattr.so loaded.
Re: Values for MySQL tables for pptpd ?
BTW, I do not have any Auth-Type settings now.

Thanks

On Wed, May 23, 2012 at 1:42 PM, Ali Jawad ali.ja...@splendor.net wrote:
RE: Help about debug mode and python
Thank you for the answer, it was helpful :-)

Vlad.

-----Original Message-----
From: freeradius-users-bounces+kolla=netxp...@lists.freeradius.org [mailto:freeradius-users-bounces+kolla=netxp...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday 16 May 2012 08:49
To: FreeRadius users mailing list
Subject: Re: Help about debug mode and python

Phil Mayers wrote:
http://bugs.python.org/issue4434
Warning: reading that bug will make you either sad or angry. Probably both. "Use the static library", closing NOTABUG. Sigh.

I believe it's fixed in Python 2.7.

In my code, I worked around it by dlopen()ing libpython, as per the 1st suggestion in the above bug.

I'll try adding that.

Alan DeKok.
Re: Values for MySQL tables for pptpd ?
On Wed, May 23, 2012 at 01:42:56PM +0300, Ali Jawad wrote:
I got it to work at least half way, I did change pptpd options from
-chap -mschap +mschap-v2 require-mppe
TO
+chap +mschap +mschap-v2 #require-mppe

That's a lot of changes in one go (unless you tested each one individually). I'd check you've got the right entries in the microsoft dictionary for radiusclient (MS-MPPE-Send-Key, MS-MPPE-Recv-Key etc).

For what it's worth, we got l2tp/ipsec working recently with radiusclient. The pppd options include:

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2

and you can connect from Windows just fine. No need for CHAP/MSCHAP, or to disable encryption. I'd imagine pptp is similar (albeit the final solution less secure - I don't believe anyone has recommended pptp for new deployments for at least the last five years).

However, radiusclient and radius.so are, from what I can tell, ancient and seem in rather need of an overhaul. The dictionary support is nasty, compared to the recent dictionary format. I'm not sure who looks after them now, or if they are maintained. I've just found radiusclient-ng, which looks more recent, but have no experience of it.

But this is all mildly off-topic for FreeRADIUS...

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Values for MySQL tables for pptpd ?
Matthew Newton wrote:
I'm not sure who looks after them now, or if they are maintained. I've just found radiusclient-ng, which looks more recent, but have no experience of it.
But this is all mildly off-topic for FreeRADIUS...

radiusclient-ng is no longer developed. It has become freeradius-client. :) See http://freeradius.org

Even that is terrible. I'm inclined to fix it once and for all.

Alan DeKok.
Re: Values for MySQL tables for pptpd ?
On Wed, May 23, 2012 at 02:02:02PM +0200, Alan DeKok wrote:
Matthew Newton wrote:
I'm not sure who looks after them now, or if they are maintained. I've just found radiusclient-ng, which looks more recent, but have no experience of it.
But this is all mildly off-topic for FreeRADIUS...

radiusclient-ng is no longer developed. It has become freeradius-client. :) See http://freeradius.org

Ah - thanks. I had it on my list to hack at the radiusclient code to try and update it. 30 minutes ago, that list entry changed to radiusclient-ng. Looks like I'll be looking at the freeradius-client code instead now... if I ever get time!

Cheers,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Values for MySQL tables for pptpd ?
Hi again

I did do some more reading and finally got radius to authenticate mschap. I am using the users file to add users for the time being and no SQL. A user can authenticate properly, see:

Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 100 with timestamp +136
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57868, id=101, length=132
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = test
    MS-CHAP-Challenge = 0x65c4689b30c27f604fcca7ba1370fdba
    MS-CHAP2-Response = 0x31004bfca25ae57e8617e1e2d3cebde28904c4cd490b424b34bfa53ad8b65fb786d994c6f647dbdd001a
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: test
[mschap] Told to do MS-CHAPv2 for test with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 101 to 127.0.0.1 port 57868
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 172.16.3.33
    Framed-IP-Netmask = 255.255.255.0
    Framed-Routing = Broadcast-Listen
    Framed-Filter-Id = std.ppp
    Framed-MTU = 1500
    Framed-Compression = Van-Jacobson-TCP-IP
    MS-CHAP2-Success = 0x31533d433030354632344435303132433435414432344634334344343931374636363944453733
    MS-MPPE-Recv-Key = 0x494fa970f9bb475a70b1b37179089b1d
    MS-MPPE-Send-Key = 0x546cdc52da0bf3818284fe5e6c48332d
    MS-MPPE-Encryption-Policy = 0x0002
    MS-MPPE-Encryption-Types = 0x0004
Finished request 4.

but I get the following error on the pptpd side:

May 23 13:30:01 pptp-test-100-13 pppd[7512]: rc_check_reply: received invalid reply digest from RADIUS server

Any input please?

Regards

On Wed, May 23, 2012 at 3:17 PM, Matthew Newton m...@leicester.ac.uk wrote:

--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net) Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
Re: Values for MySQL tables for pptpd ?
NM, posted too quickly: the secrets were wrong. Fiddling around with

Unsupported protocol 'IPv6 Control Protovol' (0x8057) received

after that it should work; I will definitely post it up in a howto.

Regards

On Wed, May 23, 2012 at 3:31 PM, Ali Jawad ali.ja...@splendor.net wrote:

--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net) Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
Re: Values for MySQL tables for pptpd ?
Ali Jawad wrote:
May 23 13:30:01 pptp-test-100-13 pppd[7512]: rc_check_reply: received invalid reply digest from RADIUS server
Any input please?

Fix the RADIUS shared secrets.

Alan DeKok.
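The check that fails here is the RADIUS Response Authenticator (RFC 2865, section 3), which the NAS recomputes over the reply with its own copy of the shared secret. The following is an added example, not code from this thread, pptpd, radiusclient or FreeRADIUS: it builds a constructed Access-Request/Access-Accept pair and shows the verification passing with matching secrets and failing, the condition radiusclient reports as "invalid reply digest", when the two sides hold different secrets. The packet identifiers, attribute values and secrets are constructed samples.

```python
"""Recomputing the RADIUS Response Authenticator (RFC 2865 section 3).

Constructed example: a NAS (standing in for pptpd + radiusclient) sends an
Access-Request, the server answers with an Access-Accept, and the NAS verifies
the 16-byte authenticator in the reply.  A mismatched shared secret makes that
check fail, which radiusclient logs as "received invalid reply digest".
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2

ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8


def encode_attr(attr_type, value):
    """Encode one attribute as Type-Length-Value; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_ipv4(dotted):
    """Dotted-quad string to the 4 raw bytes RADIUS uses for ipaddr attributes."""
    return bytes(int(octet) for octet in dotted.split("."))


def build_request(ident, attrs, request_auth):
    """Access-Request: the Authenticator is a 16-byte nonce chosen by the NAS."""
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, request, attrs, secret):
    """Server side: answer `request` with `code` and `attrs`, using the server's secret."""
    ident = request[1]
    request_auth = request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    length = 20 + len(attrs)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def check_reply(reply, request, secret):
    """NAS side: True only if the reply belongs to `request` and verifies under `secret`."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    # Constant-time compare so verification time does not leak digest prefixes.
    return hmac.compare_digest(reply[4:20], expected)


def demo(nas_secret, server_secret):
    """One full exchange with independently configured secrets; returns the NAS verdict."""
    request_auth = os.urandom(16)
    req_attrs = encode_attr(ATTR_USER_NAME, b"test")
    request = build_request(101, req_attrs, request_auth)
    # Constructed reply attribute, mirroring the Framed-IP-Address seen in the thread.
    reply_attrs = encode_attr(ATTR_FRAMED_IP_ADDRESS, encode_ipv4("172.16.3.33"))
    reply = build_reply(ACCESS_ACCEPT, request, reply_attrs, server_secret)
    return check_reply(reply, request, nas_secret)


if __name__ == "__main__":
    # Constructed secrets: both sides agree, then the NAS side is wrong.
    print("matching secrets:", demo(b"s3cr3t", b"s3cr3t"))        # True
    print("mismatched secrets:", demo(b"s3cr3t", b"testing123"))  # False
```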
more EAP/TTLS trouble
I've got authentication with Android and Linux clients working using EAP/TTLS and PAP, however Windows and OSX clients don't seem to work. This is a log of a Windows 7 client. I was able to get iphones working with a special config, but the same method doesn't seem to work for OSX. Any help you could offer is appreciated.

Log follows, with secure bits edited out:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
    user = freerad
    group = freerad
    allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
    prefix = /usr
    localstatedir = /var
    logdir = /var/log/freeradius
    libdir = /usr/lib/freeradius
    radacctdir = /var/log/freeradius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = /var/run/freeradius/freeradius.pid
    checkrad = /usr/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
radiusd: Loading Realms and Home Servers
radiusd: Loading Clients
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = -removed-
    shortname = localhost
}
-EDITED: Client entries removed-
radiusd: Instantiating modules
instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module exec from file /etc/freeradius/radiusd.conf
  exec {
    wait = yes
    input_pairs = request
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module expr from file /etc/freeradius/radiusd.conf
 Module: Linked to module rlm_expiration
 Module: Instantiating module expiration from file /etc/freeradius/radiusd.conf
  expiration {
    reply-message = Password Has Expired
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module logintime from file /etc/freeradius/radiusd.conf
  logintime {
    reply-message = You are calling outside your allowed timespan
    minimum-timeout = 60
  }
}
radiusd: Loading Virtual Servers
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module pap from file /etc/freeradius/radiusd.conf
  pap {
    encryption_scheme = auto
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module chap from file /etc/freeradius/radiusd.conf
 Module: Linked to module rlm_pam
 Module: Instantiating module pam from file /etc/freeradius/radiusd.conf
  pam {
    pam_auth = radiusd
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module eap from file /etc/freeradius/eap.conf
  eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = Password:
    auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = /etc/ssl/private/-removed-_generic.key
    certificate_file = /etc/ssl/certs/-removed-_generic.crt
    CA_file = /etc/ssl/certs/-removed-_ca.crt
    dh_file = /etc/freeradius/certs/dh
    random_file = /dev/urandom
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = DEFAULT
    make_cert_command = /etc/freeradius/certs/bootstrap
    cache {
        enable = no
Re: more EAP/TTLS trouble
Steve Hopps wrote:
I've got authentication with Android and Linux clients working using EAP/TTLS and PAP, however Windows and OSX clients don't seem to work. This is a log of a Windows 7 client. I was able to get iphones working with a special config, but the same method doesn't seem to work for OSX. Any help you could offer is appreciated.

This is pretty definitive:

[peap] Length Included
[peap] eaptls_verify returned 11
[peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.

IIRC, it means that the client doesn't have the same CA as the server. So it gets the server's certificate, and goes "huh?". It then sends an "unknown CA" back to the server.

The solution is to add the CA to the client PC.

Alan DeKok.
Re: more EAP/TTLS trouble
The log shows the client is using PEAP and is failing at the certificate level - does the client have the CA for your server installed?

You're also using 2.1.10, which is old and has bugs.

alan
Re: more EAP/TTLS trouble
On 23/05/12 16:16, Alan DeKok wrote:
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.

IIRC, it means that the client doesn't have the same CA as the server. So it gets the server's certificate, and goes "huh?". It then sends an "unknown CA" back to the server.

The solution is to add the CA to the client PC.

For what it's worth, it would be *really* handy to be able to trigger a log message (with controllable format) when this happened; possibly a trigger?
Re: How do I find out the query error?
Hi there Alan DeKok-2,

Just came by to say thanks for your kind response and to let you know that I fixed the problem by trying the queries manually until I got them all working.

Thank you very much.

Best Regards.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/How-do-I-find-out-the-query-error-tp5713188p5713349.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: How do I find out the query error?
Coizado wrote:
Hi there Alan DeKok-2,
Just came by to say thanks for your kind response and to let you know that I fixed the problem by trying the queries manually until I got them all working.
Thank you very much.

You're welcome. It's what I do.

Alan DeKok.
SSHA512
Hi

Are there any plans to support SSHA512 with the 4000-ish folds etc., as this is pretty much the default for most Linux distros these days?

Thanks

JH