Re: EAP-TLS constant disconnects

2012-11-26 Thread Uros Kolar
Phil, thank you for your reply!

I've tried to debug as you suggest. I run wireshark on the remote side +
tcpdump on the server side.

The results are really interesting and not expected.

As the client is disconnected, it sends an auth request to the server.
Server gets the request and after a successful authentication it sends back
Access-Accept. Client gets this message. However, immediately after a
successful authentication, it starts with the authentication process again
and it loops like that. In the test time Access-Accept was granted 7 times,
but client was still without connection and retrying.

For tests I used a Linux client on the remote side. After running dhclient
a couple of times the connection is usually restored; sometimes it even
takes taking the interface down and bringing it up again to restore the
connection.

To my understanding this does not prove weak WiFi as the reason for the
failure, nor does it prove that it is not the cause of the trouble.
Additionally, there seems to be something else, besides the wireless, which I
can't explain, so feel free to comment and suggest!

Regards!


On Fri, Nov 23, 2012 at 10:54 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 11/23/2012 08:03 AM, Uros Kolar wrote:

 Hi all!

 We've been using freeradius 2.1.12 with EAP-TLS authentication. The
 problem we experience is constant disconnects of the clients. After
 some time (it seems like the intervals are random) of usage the
 connection drops. I don't have a debug output, since the server is
 already in production and because of the valid traffic it's hard to
 efficiently debug it that way.

 A similar problem was already reported some years ago (without an
 answer - at least not in that thread): http://bit.ly/10o9xkG


 The issue described in that post is symptomatic of wireless problems -
 interference, low signal, etc. - not RADIUS problems. The EAP Identity
 retries he mentions are on the *wireless* side i.e. the AP asking the
 client to start a re-auth.

 Your problem also sounds like wireless to me; FreeRADIUS either:

  * receives auth requests and sends an accept
  * receives auth requests and sends a reject
  * receives auth requests that the client never completes

 It doesn't somehow magically disconnect the client (well, unless you're
 using the CoA functionality and you *ask* it to).

 I would suggest starting the debugging at the wireless side. Wait for a
 report of a disconnect, then search your logs.

 You could also start a rolling tcpdump on the RADIUS server of all auth
 traffic, and then search it for an auth request - I bet you don't see one.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Problem with freeradius + openldap for AP authentication

2012-11-26 Thread Nicolas Lathiere
Hiya

I need some help to configure FreeRADIUS with OpenLDAP. I have an LDAP database
which stores passwords in SSHA format, so I chose PAP for authentication. I
want to use FreeRADIUS to authenticate on a Netgear WiFi access point.

(http://deployingradius.com/documents/protocols/compatibility.html)

I've set up the AP as a client in FreeRADIUS in clients.conf, with a secret and
shortname as in the documentation.

Next I put auto_header = yes in pap.conf
and uncommented the ldap line to activate the module in /site-enable/default.

When I start the server in debug mode, authorization works fine but the server
has problems at the authentication step and I don't understand why.
Here are the debug comments:

rad_recv: Access-Request packet from host 192.168.0.201 port 32774, id=85, length=169
User-Name = cyril
NAS-IP-Address = 192.168.0.201
NAS-Identifier = hello
NAS-Port = 0
Called-Station-Id = 4C-60-DE-D2-22-61:easyBridge2
Calling-Station-Id = 7C-C5-37-14-16-C9
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11b
EAP-Message = 0x020e016e6c61746869657265
Message-Authenticator = 0x2bf3ec3446adc97ea15c4c160ee8b0bb
Thu Nov 22 15:04:36 2012 :

Wed Nov 21 18:39:17 2012 : Info: [ldap] looking for reply items in directory...
Wed Nov 21 18:39:17 2012 : Info: [ldap] user cyril authorized to use remote 
access
Wed Nov 21 18:39:17 2012 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Nov 21 18:39:17 2012 : Info: ++[ldap] returns ok
Wed Nov 21 18:39:17 2012 : Info: ++[expiration] returns noop
Wed Nov 21 18:39:17 2012 : Info: ++[logintime] returns noop
Wed Nov 21 18:39:17 2012 : Info: [pap] Normalizing NT-Password from hex encoding
Wed Nov 21 18:39:17 2012 : Info: [pap] Normalizing SSHA1-Password from base64 
encoding
Wed Nov 21 18:39:17 2012 : Info: [pap] Found existing Auth-Type, not changing 
it.
Wed Nov 21 18:39:17 2012 : Info: ++[pap] returns noop
Wed Nov 21 18:39:17 2012 : Info: Found Auth-Type = PAP
Wed Nov 21 18:39:17 2012 : Info: +- entering group PAP {...}
Auth: [pap] Attribute Password is required for authentication.
Thu Nov 22 15:04:36 2012 : Info: ++[pap] returns invalid
Thu Nov 22 15:04:36 2012 : Info: Failed to authenticate the user.
Thu Nov 22 15:04:36 2012 : Auth: Login incorrect: [cyril/via Auth-Type = PAP] 
(from client WNAP320 port 0 cli 44-A7-CF-CD-C5-C7)
Thu Nov 22 15:04:36 2012 : Info: Using Post-Auth-Type Reject
Thu Nov 22 15:04:36 2012 : Info: +- entering group REJECT {...}
Thu Nov 22 15:04:36 2012 : Debug:   expand: %{User-Name} - cyril
Thu Nov 22 15:04:36 2012 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Thu Nov 22 15:04:36 2012 : Info: ++[attr_filter.access_reject] returns updated
Thu Nov 22 15:04:36 2012 : Info: Delaying reject of request 5 for 1 seconds
Thu Nov 22 15:04:36 2012 : Debug: Going to the next request
Thu Nov 22 15:04:36 2012 : Debug: Waking up in 0.9 seconds.
Thu Nov 22 15:04:37 2012 : Info: Sending delayed reject for request 5



Re: Problem with freeradius + openldap for AP authentication

2012-11-26 Thread Michael Schwartzkopff
 Hiya
 
 I need some help to configure FreeRADIUS with OpenLDAP. I have an LDAP
 database which stores passwords in SSHA format, so I chose PAP for
 authentication. I want to use FreeRADIUS to authenticate on a Netgear WiFi
 access point.
 
 (http://deployingradius.com/documents/protocols/compatibility.html)
 
 I've set up the AP as a client in FreeRADIUS in clients.conf, with a secret and
 shortname as in the documentation.
 
 Next I put auto_header = yes in pap.conf
 and uncommented the ldap line to activate the module in /site-enable/default.
 
 When I start the server in debug mode, authorization works fine but the server
 has problems at the authentication step and I don't understand why.
 Here are the debug comments:
 
 rad_recv: Access-Request packet from host 192.168.0.201 port 32774, id=85, length=169
 User-Name = cyril
 NAS-IP-Address = 192.168.0.201
 NAS-Identifier = hello
 NAS-Port = 0
 Called-Station-Id = 4C-60-DE-D2-22-61:easyBridge2
 Calling-Station-Id = 7C-C5-37-14-16-C9
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 Connect-Info = CONNECT 0Mbps 802.11b
 EAP-Message = 0x020e016e6c61746869657265
 Message-Authenticator = 0x2bf3ec3446adc97ea15c4c160ee8b0bb
 Thu Nov 22 15:04:36 2012 :
 

Since your 802.1X supplicant does not send a User-Password, it seems that you
configured some kind of EAP (802.1X) in the network authentication settings of
your client (notebook). You also have an EAP-Message attribute in your
Access-Request packet.

And according to the protocol compatibility matrix you mentioned, SSHA and
*EAP will not work.

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München

Tel: (0163) 172 50 98
Fax: (089) 620 304 13


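As an added illustration of the compatibility point made in this reply (example code written for this page, not FreeRADIUS or rlm_pap code): an {SSHA} value can only be verified when the cleartext password reaches the server, which PAP provides and a request carrying only an EAP-Message does not. The stored hash, salt and request dictionaries are constructed sample data; decide() is a hypothetical helper.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value:
    base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: bytes) -> bool:
    """Verify a cleartext candidate against a {SSHA} value.
    Only possible because the cleartext candidate is available, which is
    exactly what PAP delivers in User-Password."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def decide(request: Dict[str, str], stored: str) -> Tuple[str, str]:
    """Hypothetical model of the choice the server faces for one
    Access-Request. Returns (reply code, reason)."""
    if "User-Password" in request:
        ok = check_ssha(stored, request["User-Password"].encode("utf-8"))
        return ("Access-Accept" if ok else "Access-Reject",
                "PAP: cleartext User-Password received, {SSHA} hash checked")
    if "EAP-Message" in request:
        # No cleartext arrives with an EAP request, so there is nothing to
        # hash and compare. Challenge-response methods such as MSCHAPv2 need
        # a cleartext or NT-hash credential on the server, which an {SSHA}
        # value cannot supply.
        return ("Access-Reject",
                "EAP: no User-Password in request; {SSHA} cannot be used")
    return ("Access-Reject", "no usable password attribute")


# Constructed sample data (not taken from the original post).
STORED = make_ssha(b"correct horse", b"\x01\x02\x03\x04")
PAP_REQUEST = {"User-Name": "cyril", "User-Password": "correct horse"}
# Shaped like the Access-Request quoted in the thread: EAP-Message present,
# User-Password absent.
EAP_REQUEST = {"User-Name": "cyril",
               "EAP-Message": "0x020e016e6c61746869657265"}

if __name__ == "__main__":
    print(decide(PAP_REQUEST, STORED))
    print(decide(EAP_REQUEST, STORED))
```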

Re: EAP-TLS constant disconnects

2012-11-26 Thread alan buxey
Hi,

The results are really interesting and not expected.

how long does the process take? what are your NAS timers and FreeRADIUS timers?

alan


Re: files Authentication problem

2012-11-26 Thread Matthew Newton
Hi

On Mon, Nov 26, 2012 at 08:17:21AM +0100, alexdhel...@free.fr wrote:
 Thanks for your answer.

I've just re-read what you're doing - you're looking up the
lowercase password in the users file instead of the username (e.g.
you're ignoring the username), but then your password check
is between User-Password and Cleartext-Password, as usual.

Try something like this in your sites-enabled/default, after
preprocess:

  update request {
    User-Password := %{tolower:%{User-Password}}
  }

 But, at the moment, we must keep this Auth-Type, to be compatible
 with an old version of freeradius, we couldn't update at the
 moment.

No, you still don't need it. The PAP module will do it for you -
read the debug output.

Matthew

(waiting for 3.x so that Auth-Type := Local will actually break
things at last).



 On Wed, Nov 21, 2012 at 09:01:22AM +0100, alexdhel...@free.fr wrote:
 00c51180d29c  Auth-Type := Local, Cleartext-Password := 00c51180d29c
  Alcatel-Lucent-Auth-Group = 4
 As the debug log says, Remove Auth-Type := Local from the above.
 
 Matthew
 
 
 

-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: EAP-TLS constant disconnects

2012-11-26 Thread Uros Kolar
Hi,

I've interrupted the test after the described process was already going on
for 2 min.

Don't know exactly what timers you mean. I checked the time settings on the servers.
NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS time to GMT.
Please correct me if that's not what you meant.


On Mon, Nov 26, 2012 at 10:29 AM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 The results are really interesting and not expected.

 how long does the process take? what are your NAS timers and FreeRADIUS
 timers?

 alan


Re: rewrite_calling_station_id not working

2012-11-26 Thread Arran Cudbard-Bell

On 26 Nov 2012, at 00:50, Fajar A. Nugraha l...@fajar.net wrote:

 On Mon, Nov 26, 2012 at 5:44 AM,  aaron...@comcast.net wrote:
 I'm using ubuntu 10.4, FreeRADIUS Version 2.1.8
 I noticed this WARNING: Unknown module tolower in string expansion % in
 the rejected log.
 I have searched for a tolower program but can not find one to install.
 
 What package is tolower part of ?
 What am I missing?
 
 
 As Alan said, upgrade.

Or, you know, remove the tolower call. It's hex, hex is hex no matter what the 
case. It's only in there for direct string comparisons.

-Arran


Re: EAP-TLS constant disconnects

2012-11-26 Thread alan buxey
Hi,

I've interrupted the test after the described process was already going
on for 2 min.
 
Don't know exactly what timers you mean. I checked the time settings on the
servers. NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS time to
GMT. Please correct me if that's not what you meant.

I mean the number of seconds you have for eg RADIUS authentication, failure
time, cleanup delay etc.  Also, if your clients and RADIUS server don't have
correct time synchronisation then things will go wrong.

alan


Re: files Authentication problem

2012-11-26 Thread Matthew Newton
On Mon, Nov 26, 2012 at 12:13:06PM +0100, alexdhel...@free.fr wrote:
 Thanks, it's working now.

That's good.

 I will try with PAP as soon as I have more time.

There's nothing to try - your debug log shows that PAP is already
being called (it's in by default), so all you need to do is remove
the auth-type := local from your config. It will work exactly as
it does now.

Setting Auth-Type like this has been deprecated for *years*, and
is only likely to cause you problems some time in the future.
There are very few situations where it should be set manually.

Matthew



 On Mon, Nov 26, 2012 at 08:17:21AM +0100, alexdhel...@free.fr wrote:
 Thanks for your answer.
 I've just re-read what you're doing - you're looking up the
 lowercase password in the users file instead of the username (e.g.
 you're ignoring the username), but then your password check
 is between User-Password and Cleartext-Password, as usual.
 
 Try something like this in your sites-enabled/default, after
 preprocess:
 
   update request {
     User-Password := %{tolower:%{User-Password}}
   }
 
 But, at the moment, we must keep this Auth-Type, to be compatible
 with an old version of freeradius, we couldn't update at the
 moment.
 No, you still don't need it. The PAP module will do it for you -
 read the debug output.
 
 Matthew
 
 (waiting for 3.x so that Auth-Type := Local will actually break
 things at last).
 
 
 
 On Wed, Nov 21, 2012 at 09:01:22AM +0100, alexdhel...@free.fr wrote:
 00c51180d29c  Auth-Type := Local, Cleartext-Password := 00c51180d29c
  Alcatel-Lucent-Auth-Group = 4
 As the debug log says, Remove Auth-Type := Local from the above.
 
 Matthew
 
 
 

-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: EAP-TLS constant disconnects

2012-11-26 Thread Uros Kolar
Thanks for the additional info on timers.

Here are the values, hope I didn't leave anything out. Basically we left
them set to default.

timer expire for eap is 60
cleanup delay is set to 5
reject delay to 1
max request time is 30

uros


On Mon, Nov 26, 2012 at 12:14 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 I've interrupted the test after the described process was already
 going on for 2 min.
 
 Don't know exactly what timers you mean. I checked the time settings on
 the servers. NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS
 time to GMT. Please correct me if that's not what you meant.

 I mean the number of seconds you have for eg RADIUS authentication,
 failure time, cleanup delay etc.  Also, if your clients and RADIUS server
 don't have correct time synchronisation then things will go wrong.

 alan


RE: trouble with encrypted password

2012-11-26 Thread vazoumana fofana


Dear all,

I solved the trouble with MD5 encryption. Indeed, to encrypt passwords with MD5, I
use external functions (thanks to Dirk van der Walt) written in Perl in order
to use radcrypt.

Cheers.
 
From: zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: trouble with encrypted password
Date: Fri, 16 Nov 2012 12:54:09 +





Hello everybody,

I've got trouble with encrypted passwords. I want to manage users with passwords
which are longer than 8 characters.

When I use radcrypt (based on crypt), it doesn't work. That's normal due to the
limitation of crypt. I must cut the password to 8 characters to make it run.

When I use radcrypt with MD5 encryption, it doesn't run: indeed the
encrypted string generated by MD5 radcrypt is more than 16 characters.


How can I use encrypted passwords without limiting passwords to 8 characters?

Cheers


user's default login time

2012-11-26 Thread studyfordo
Hi, all
  When I add a user to the file /etc/freeradius/files on the VPN authentication
server, I want to know the following things about the user:
1. How long until the user is automatically logged off (in which file can I check the time)?
2. How can I terminate a session manually?
3. When logging in with a wrong password, can the user be locked out and can an email be sent to inform the user?
4. The user's default active time.
Do the above functions need the MySQL module?
thanks

Re: rewrite_calling_station_id not working

2012-11-26 Thread aaronru...@gmail.com
Upgrading fixed it.  Thanks.

Sent from my U.S. Cellular® Android-powered device

-Original message-
From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Mon, Nov 26, 2012 00:50:57 GMT+00:00
Subject: Re: rewrite_calling_station_id not working

On Mon, Nov 26, 2012 at 5:44 AM,  aaron...@comcast.net wrote:
 I'm using ubuntu 10.4, FreeRADIUS Version 2.1.8
 I noticed this WARNING: Unknown module tolower in string expansion % in
 the rejected log.
 I have searched for a tolower program but can not find one to install.

 What package is tolower part of ?
 What am I missing?


As Alan said, upgrade.

Easy way using my ppa: https://launchpad.net/~freeradius/+archive/stable
Or build yourself from source:
http://wiki.freeradius.org/building/Build#Building-Debian-packages

--
Fajar

Configure Huntgroups

2012-11-26 Thread Arshad Khan

Hi,
I have configured multiple huntgroups for different purposes like VPN (VPN
Server IP), Netflow Services (Netflow Server IP) and hence defined their
respective groups on the Windows Active Directory platform.
Now I need to provide time-based VPN access to some users, so I made a group in
Active Directory and configured its respective file ntlm_auth4, so from now on
one huntgroup and two ntlm_auth groups, one for normal VPN access and one for
time-based. But this configuration is not working and every time it goes to
check the ntlm_auth2 condition.
Kindly advise.

DEFAULT Auth-Type := ntlm_auth4, Huntgroup-Name == vpn, Login-Time := Sa-Su0800-1300
        Fall-Through = Yes
DEFAULT Auth-Type := ntlm_auth3, Huntgroup-Name == netflow
        Fall-Through = Yes
DEFAULT Auth-Type := ntlm_auth2, Huntgroup-Name == vpn
        Fall-Through = Yes
DEFAULT Auth-Type = ntlm_auth



Regards,


Arshad Ahmed Network Engineer



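Added example (written for this page, not FreeRADIUS code) modelling how the four DEFAULT entries in the post above are walked. It assumes the users file operator semantics that ":=" always sets an item, "=" sets it only when absent, "==" compares a request attribute, and "Fall-Through = Yes" in the reply list continues to the next entry; it tracks assignments only. Under those assumptions a request in the vpn huntgroup finishes with Auth-Type ntlm_auth2, because the third entry overwrites the first and the last entry's "=" does not replace an existing value.

```python
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]             # (attribute, operator, value)
Entry = Tuple[List[Item], List[Item]]   # (check items, reply items)

# The four DEFAULT entries as quoted in the post above.
ENTRIES: List[Entry] = [
    ([("Auth-Type", ":=", "ntlm_auth4"), ("Huntgroup-Name", "==", "vpn"),
      ("Login-Time", ":=", "Sa-Su0800-1300")], [("Fall-Through", "=", "Yes")]),
    ([("Auth-Type", ":=", "ntlm_auth3"), ("Huntgroup-Name", "==", "netflow")],
     [("Fall-Through", "=", "Yes")]),
    ([("Auth-Type", ":=", "ntlm_auth2"), ("Huntgroup-Name", "==", "vpn")],
     [("Fall-Through", "=", "Yes")]),
    ([("Auth-Type", "=", "ntlm_auth")], []),
]


def apply_op(store: Dict[str, str], attr: str, op: str, value: str) -> None:
    """Assumed operator semantics: ':=' overwrites, '=' only fills a gap."""
    if op == ":=":
        store[attr] = value
    elif op == "=":
        store.setdefault(attr, value)
    else:
        raise ValueError(f"unsupported operator {op!r}")


def evaluate(entries: List[Entry], request: Dict[str, str]):
    """Walk the entries in order; return (control items, reply items,
    indexes of the entries that matched)."""
    control: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    matched: List[int] = []
    for idx, (checks, replies) in enumerate(entries):
        # Every '==' comparison must hold. Assignments in the check list
        # never block a match; on a match they become control items.
        if not all(request.get(a) == v for a, op, v in checks if op == "=="):
            continue
        matched.append(idx)
        for a, op, v in checks:
            if op != "==":
                apply_op(control, a, op, v)
        for a, op, v in replies:
            apply_op(reply, a, op, v)
        # Fall-Through is consumed by the entry that set it; without it
        # processing stops at the first match.
        if reply.pop("Fall-Through", "No") != "Yes":
            break
    return control, reply, matched


def auth_type_for(huntgroup: str, entries: List[Entry] = ENTRIES) -> str:
    control, _, _ = evaluate(entries, {"Huntgroup-Name": huntgroup})
    return control.get("Auth-Type", "")


if __name__ == "__main__":
    # Entry 1 sets ntlm_auth4 and falls through, entry 3 overwrites it with
    # ntlm_auth2, and entry 4's '=' leaves ntlm_auth2 in place.
    print(evaluate(ENTRIES, {"Huntgroup-Name": "vpn"}))
```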

FreeRadius Running Error

2012-11-26 Thread QASIM RAO


Hi, I am facing a problem in FreeRADIUS. I was already using FreeRADIUS and it
was working fine; now I re-installed radius and when I start radius with the
radiusd -X command it gives the following error.
Please help me with this.


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = yes
 proxy: default_fallback = no
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 0
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Segmentation fault


regards: Qasim