Invalid Operator on 64bit Systems (amd64)

2009-07-18 Thread Bernd Strehhuber
Hi,

just found a weird behavior on 64bit Systems (Ubuntu 8.04 LTS amd64) 
with freeradius 1.1.7 (Dist Package 1.1.7-1build4).

I created a setup with Validity Ranges for usernames and/or realms
(Data is stored in a mysql Database):

- for the realm -

| id  | Realm | Attribute  | op | Value   | Type|
| 178 | test  | group-validity | = | 1388534400  | RadiusCheck | 
| 177 | test  | group-validity | = | 1143849600  | RadiusCheck | 

- for the user -

| id  | User | Realm | Attribute| op | Value  | Type|
| 201 | user | test  | account-validity | = | 1226448000 | RadiusCheck | 
| 202 | user | test  | account-validity | = | 1860105600 | RadiusCheck | 

freeradius on amd64 refuses to accept my access request to the user
u...@test:

 Sat Jul 18 12:19:55 2009 : Error: Invalid operator for item
   account-validity: reverting to '=='
 Sat Jul 18 12:19:55 2009 : Auth: Login incorrect: [u...@test] 
   (from client local port 0)

If I delete the validity for the username, an access request is still
refused:

 Sat Jul 18 12:23:03 2009 : Error: Invalid operator for item
   group-validity: reverting to '=='
 Sat Jul 18 12:23:03 2009 : Auth: Login incorrect: [u...@test]
   (from client local port 0)

If I delete the validity for the realm too, everything is ok:

 Sat Jul 18 12:25:28 2009 : Auth: Login OK: [u...@test] 
   (from client local port 0)

I found a question about an Expiration/rlm_sql bug in 64-bit architecture
here on the list, dated two years ago, but no solution for the problem.

So it might be a problem on 64bit Systems. I checked that with a 
fresh install of Ubuntu 8.04 LTS i386 (32bit) and freeradius also in
Version 1.1.7 (same Dist Package Version 1.1.7-1build4), but as i386 Package 
of course. Config is the same as on the 64bit System (also with mysql as 
storage for the user credentials).

The result is that on 32bit Ubuntu, an access request is accepted,
and account/group validity is checked correctly:

 Sat Jul 18 12:36:29 2009 : Auth: Login OK: [u...@test] 
   (from client local port 0)

The question is now, what can be done to get the Operators = and =
working with freeradius 1.1.7 on amd64 Systems?

TIA
Bernd

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


MySQL - support - module not loaded - radacct

2009-07-14 Thread Bernd Hoffmann
Hello,

I want to use freeradius 2.1.6 to store accounting data from a NAS in MySQL.

First of all I installed mysql from source. Then I tried to install
freeradius in the following two ways:

-
./configure
make
make install
-
./configure --with-mysql-include-dir=/usr/local/mysql/include/mysql
--with-mysql-lib-dir=/usr/local/mysql/lib/mysql
make
make install
-

In both cases the configure output looks as it should, I believe. I can also find
/usr/local/lib/rlm_sql_mysql.so. So I removed the comment sign in
front of $INCLUDE sql.conf in radiusd.conf and also modified the access
data for the mysql server in sql.conf.

However, when I start the radius server I cannot see that the rlm_sql_mysql
module is loading. I believe it is the module for storing data in the
radacct mysql table. Please correct me if I'm wrong (sorry, I'm new to
freeradius).

In conclusion, the radius server is storing the accounting data only on the
filesystem (/usr/local/var/log/radius/radacct/CLIENT-IP/detail-date) and not
in mysql. :-(

So I ask you, how can I enable radacct - mysql (how can I encourage
freeradius to load rlm_sql_mysql)?

Thanks for your answer in advance.

Best regards,

Bernd



Re: MySQL - support - module not loaded - radacct

2009-07-14 Thread Bernd Hoffmann
Hello,

I believe that I found my answer in
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg46743.html . ;-)

Best regards,

Bernd 



Re: MySQL - support - module not loaded - radacct

2009-07-14 Thread Bernd Hoffmann
Hello,

When I uncomment sql in the accounting section, the logging seems to
work. However, the server no longer starts with the init.d script. I can
see a radiusd process with ps aux, but the server doesn't listen on the
expected ports (netstat -lnpe does not show the desired result). When I start the
server on the command line with the -X option, all works.

Does someone have an idea?

Best regards,

Bernd

 -Original Message-
 From: freeradius-users-bounces+b.hoffmann=satspeed...@lists.freeradius.org
 [mailto:freeradius-users-bounces+b.hoffmann=satspeed...@lists.freeradius.org]
 On behalf of Ivan Kalik
 Sent: Tuesday, 14 July 2009 12:21
 To: FreeRadius users mailing list
 Subject: Re: MySQL - support - module not loaded - radacct
 
  So I ask you, how can I enable radacct - mysql (how can I encourage 
  freeradius to load rlm_sql_mysql)?
 
 Uncomment $INCLUDE for sql.conf in radiusd.conf. Uncomment 
 sql in sections you want to use it in default (and others if 
 needed) virtual server.
 
 Ivan Kalik
 Kalik Informatika ISP
 


Re: MySQL - support - module not loaded - radacct

2009-07-14 Thread Bernd Hoffmann
Hello,

 what happens when you run with radiusd -X - does it all work?

As I said, yes it is working fine.

 what does /var/log/radius/radiusd.log show?

When I start radius with radius -X the log shows nothing, but the last line
of the output is Ready to process requests. and all is working fine. When
I start radius with the init.d script the server is also working fine and the
output of the log is the following:

Tue Jul 14 14:05:01 2009 : Info: Loaded virtual server inner-tunnel
Tue Jul 14 14:05:01 2009 : Info: Loaded virtual server default
Tue Jul 14 14:05:01 2009 : Info: Ready to process requests.

The problem is, when I enable the sql accounting by uncommenting sql in the
accounting section of /usr/local/etc/raddb/sites-enabled/default, radius
only works fine when started with radius -X. When I start radius
in this case (sql uncommented) with the init.d script, radius is not
working. As I saw from the ps aux output, one radius process started but
netstat -lnpe shows no listening port (1812-1814). The logfile shows the
following output:

Tue Jul 14 14:53:04 2009 : Info: Loaded virtual server inner-tunnel
Tue Jul 14 14:53:04 2009 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module
rlm_sql_mysql) loaded and linked
Tue Jul 14 14:53:04 2009 : Info: rlm_sql (sql): Attempting to connect to
rad...@localhost:/radius
Tue Jul 14 14:53:04 2009 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #0
Tue Jul 14 14:53:04 2009 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #1
Tue Jul 14 14:53:04 2009 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #2
Tue Jul 14 14:53:04 2009 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #3
Tue Jul 14 14:53:04 2009 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #4
Tue Jul 14 14:53:04 2009 : Info: Loaded virtual server default

As you can see, the last line Ready to process requests. is missing.


 what is your current SELinux setting?  'getenforce'
 is the name of the command.   if it's set to 'enforce'
 then set it to permissive and try running the init.d
 script again.

 I think perhaps that either a file is owned by root from
 when you were running it as root and therefore the daemon
 cannot run properly when started as a lower user - or SELinux
 is getting in the way

I have no experience with SELinux. I'm using Debian and I believe that
SELinux support is compiled in, but disabled by default. Furthermore, I believe
that this behaviour has nothing to do with SELinux, as the init.d script is
working when sql accounting of radius is disabled.

Best regards,

Bernd



Re: xpextensions question

2007-12-06 Thread Bernd
I think my problem is not with the XPextensions file. So it should be the
hotfix. I get 2 files. If I extract/install them, I see that one is the
hotfix and one is a directory called symbols. I don't think that I can do
anything wrong with the installation of the hotfix part (just agreeing to
what it tells me shouldn't be so hard). So what does this symbols
directory do? And where should it be copied to?

I disabled validate server certificate on the client to test if it works
this way. And I get an Access-Accept from the Server. But my connection is
up for just a few seconds. What can I do to work around this? 

Regards

Bernd

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Tuesday, 4 December 2007 14:30
To: FreeRadius users mailing list
Subject: Re: xpextensions question

Bernd wrote:
 Is there any further HOWTO or somebody who can give me detailed
instruction
 on how to get PEAP authentication done with a WinXP Client? I've installed
 the microsoft hotfix for SP2, but I don't see what to do with this
 xpextensions file. 

  See the Wiki and the comments in eap.conf in 1.1.7.

  The xpextensions issues are discussed there.

  Alan DeKok.


Re: Authenticate by MAC address

2007-12-05 Thread Bernd
I have a MySQL database to do it. I set the MAC address as UserName, op
should be :=. What do I have to do with Value and Attribute? 

And are there any further settings to do in a conf. file?

Bernd

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
[EMAIL PROTECTED]
Sent: Saturday, 24 November 2007 11:52
To: FreeRadius users mailing list
Subject: Re: Authenticate by MAC address

MAC authentication = MAC address sent as username

MACaddress   Auth-Type:= Accept


Ivan Kalik
Kalik Informatika ISP




xpextensions question

2007-12-04 Thread Bernd
Is there any further HOWTO or somebody who can give me detailed instruction
on how to get PEAP authentication done with a WinXP Client? I've installed
the microsoft hotfix for SP2, but I don't see what to do with this
xpextensions file. 

Thanks in advance - Bernd



Authenticate by MAC address

2007-11-24 Thread Bernd
Hi!

I couldn't find anything like this in Wiki or FAQ, so I'm asking here.

Is there any example for using freeRADIUS and authenticate by MAC address?




Still no authentication

2007-11-11 Thread Bernd
I think I have a problem, but I don't know what to do to fix it - RADIUS is
running, Certificates to do PEAP are created, copied, settings are done
(eap.cnf, radiusd.cnf) and the MySQL Database is filled with a test user.
When I run the Server it tells me it's ready to process requests.

When I try to connect to my Network with a Laptop (certs installed) using
PEAP (MSCHAPv2), the Laptop finds the WLAN, I am asked to type in my
username and PW and - it does not work. 

RADIUS Debug tells me this:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.6:1027, id=36,
length=256
User-Name = bnickaes
NAS-IP-Address = 192.168.1.6
NAS-Identifier = BBi5
Framed-MTU = 1496
Called-Station-Id = 00-19-cb-1f-66-2d:BBi WLAN test
Calling-Station-Id = 00-14-a5-3e-a8-ba
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x02020070198000661603010061015d03014736e9471b157a597019f0888c64f2ba
32b91e4e1399ed9a7e0d2583ec412d1f20af53175a1d6ac82c8f8fa4976c5f19f15efdc73564
f9bf04752c425b17feb14b001600040005000a000900640062000300060013001200630100
State = 0x1c573af9975491ac8be748bf8024ac41
Message-Authenticator = 0xb14c0d8f757b07ce5cdeda12c2f6a070
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 12
  modcall[authorize]: module preprocess returns ok for request 12
  modcall[authorize]: module chap returns noop for request 12
  modcall[authorize]: module mschap returns noop for request 12
rlm_realm: No '@' in User-Name = bnickaes, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 12
  rlm_eap: EAP packet type response id 2 length 112
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 12
radius_xlat:  'bnickaes'
rlm_sql (sql): sql_set_user escaped user -- 'bnickaes'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'bnickaes'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op
FROM radcheck   WHERE Username = 'bnickaes'   ORDER BY id
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'bnickaes' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'bnickaes' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'bnickaes'   ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op
FROM radreply   WHERE Username = 'bnickaes'   ORDER BY id
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = 'bnickaes' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = 'bnickaes' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok for request 12
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 12
modcall: leaving group authorize (returns updated) for request 12
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 12
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls:  TLS 1.0 Handshake [length 0061], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 075b], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process 

Re: Re: Still no authentication

2007-11-11 Thread Bernd
The and so on ... bit is quite important to determine where and how did
the conversation stop. Please post the whole debug.

Ivan Kalik
Kalik Informatika ISP

I was told so :)

But I'm also going to read it of course :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan
DeKok
Sent: Sunday, 11 November 2007 17:55
To: FreeRadius users mailing list
Subject: Re: Re: Still no authentication

Bernd wrote:
 Client = Windows, yes
 
 Server = openSuSe Linux 10.2
 
 When I install Odyssey Client I can authenticate and connect to my WLAN.
 Without it, it does not work.

  Yes.  This is well known.

 Whole Debug:

  Why?  Or, did you read the FAQ and documentation as I suggested?

  It looks like the answer is no, because otherwise the problem would
be solved.

  Go read the FAQ and eap.conf.  You're not going to solve the problem
without reading it.  So why are you trying things that we *know* won't
work, when you have a solution in front of you?

  Alan DeKok.


Re: Re: Still no authentication

2007-11-11 Thread Bernd
No, this debug is not from an accepted attempt. I just installed Odyssey to
check if it works - and it works ;)

Thanks


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
[EMAIL PROTECTED]
Sent: Sunday, 11 November 2007 18:13
To: FreeRadius users mailing list
Subject: Re: Re: Still no authentication

Client = Windows, yes

Server = openSuSe Linux 10.2

When I install Odyssey Client I can authenticate and connect to my WLAN.
Without it, it does not work.


That answers your question. Problem is with Windows not your
configuration. Resolution is documented in eap.conf, FAQ etc.

BTW this debug is from an accepted attempt (Odyssey?).

Ivan Kalik
Kalik Informatika ISP



SSL Certificate Problem...

2007-11-02 Thread Bernd
So I did the changes you told me. I can still not connect to my WLAN, but I
think that's because I have no certificates created or imported.

Debug Mode tells me this...

rad_recv: Accounting-Request packet from host 192.168.1.6:1028, id=16,
length=161
User-Name = bnickaes
NAS-Identifier = BBi5
Called-Station-Id = 00-19-cb-1f-66-2d:BBi WLAN test
Calling-Station-Id = 00-14-a5-3e-a8-ba
Acct-Status-Type = Stop
Acct-Session-Id = 416
Acct-Input-Octets = 1508
Acct-Output-Octets = 0
Acct-Input-Packets = 6
Acct-Output-Packets = 0
Acct-Delay-Time = 0
Acct-Session-Time = 6
Acct-Terminate-Cause = NAS-Request
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 32
  modcall[preacct]: module preprocess returns noop for request 32
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.1.6,NAS-IP-Address =
192.168.1.6,Acct-Session-Id = 416,User-Name = bnickaes'
rlm_acct_unique: Acct-Unique-Session-ID = c32063e973b8db95.
  modcall[preacct]: module acct_unique returns ok for request 32
rlm_realm: No '@' in User-Name = bnickaes, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 32
  modcall[preacct]: module files returns noop for request 32
modcall: leaving group preacct (returns ok) for request 32
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 32
radius_xlat:  '/var/log/radius/radacct/192.168.1.6/detail-20071102'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.1.6/detail-20071102
  modcall[accounting]: module detail returns ok for request 32
  modcall[accounting]: module unix returns noop for request 32
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  'bnickaes'
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module radutmp returns noop for request 32
radius_xlat:  'bnickaes'
rlm_sql (sql): sql_set_user escaped user -- 'bnickaes'
radius_xlat:  'UPDATE radacct   SET FramedIPAddress = '',
AcctSessionTime = '6',   AcctInputOctets = '1508',
AcctOutputOctets = '0', ?  AcctStopTime =
FROM_UNIXTIME(UNIX_TIMESTAMP(`AcctStartTime`) + `AcctSessionTime` )
WHERE UserName = 'bnickaes'   AND AcctStopTime= '-00-00
00:00:00' '
radius_xlat:  '/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  UPDATE radacct   SET FramedIPAddress = '',
AcctSessionTime = '6',   AcctInputOctets = '1508',
AcctOutputOctets = '0', ?  AcctStopTime =
FROM_UNIXTIME(UNIX_TIMESTAMP(`AcctStartTime`) + `AcctSessionTime` )
WHERE UserName = 'bnickaes'   AND AcctStopTime= '-00-00
00:00:00'
rlm_sql (sql): Released sql socket id: 3
  modcall[accounting]: module sql returns ok for request 32
modcall: leaving group accounting (returns ok) for request 32 Sending
Accounting-Response of id 16 to 192.168.1.6 port 1028 Finished request 32

...and I think it's OK.

So I tried to create some certificates to get this finally done.

After I did what the tutorial for AD integration told me about creating self-signed
certificates, I ran CA.all. So I type in all the information and see this:


+ openssl ca -policy policy_anything -out newcert.pem -passin 
+ pass:whatever -key whatever -extensions xpserver_ext -extfile 
+ xpextensions -infiles newreq.pem
Using configuration from /etc/ssl/openssl.cnf Error opening CA private key
./cakey.pem 5010:error:02001002:system library:fopen:No such file or
directory:bss_file.c:352:fopen('./cakey.pem','r')
5010:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out 
+ cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
Error opening input file newcert.pem
newcert.pem: No such file or directory
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin 
+ pass:whatever -passout pass:whatever
Error opening input file cert-srv.p12
cert-srv.p12: No such file or directory
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out 
+ cert-srv.der
Error opening Certificate cert-srv.pem
5013:error:02001002:system library:fopen:No such file or
directory:bss_file.c:352:fopen('cert-srv.pem','r')
5013:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load certificate
+ echo -e '\n\t\t##\n'

##

Maybe my fault is trivial, but I'm really a little clobbered over the head
with all this at the moment and I just got one week to get it done.




AP Question

2007-11-01 Thread Bernd
I called the ZyXEL hotline to find out if my AP ZyXEL G3000-H is able to send
requests to authenticate users by MAC address (I don't think it is able to do
it without any update or something, because I haven't discovered any kind of
setting to do that). They couldn't help me (great technical support ;)) 

So maybe one of you guys can tell me something about it? Perhaps one of you is
working with that AP.





Re: AP Question

2007-11-01 Thread Bernd
...OK...bad diction...^^ Of course I don't authenticate the user by MAC.

Yes, I can use a local table, but I want to do it with freeRADIUS, so I'll
use MSCHAPv2

Thank you for the quick answer


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
[EMAIL PROTECTED]
Sent: Thursday, 1 November 2007 20:49
To: FreeRadius users mailing list
Subject: Re: AP Question

You don't authenticate users by MAC addresses - that (at best)
identifies the machine, not who is using it. I think that AP does only
MAC filtering from a local table. It doesn't send radius MAC
authentication requests.

Ivan Kalik
Kalik Informatika ISP




Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Bernd
I'm new to RADIUS, too... and I'm trying to get this to work the same way. I set
up a WLAN and a RADIUS server with a MySQL database and user
authentication by username and password. I want to use PEAP (MSCHAPv2) and I
read about a server certificate to install on my client computer to get it to
work? Of course, I could be wrong ;). But when I just do this: 

Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the
same for wired and wireless. Connection/Properties/click on Authentication
tab/tick enable 802.1x box/select PEAP from the box/click on Properties
button/ and use MSCHAPv2 on configure button

it does not work. So I tried to create a certificate and import it - still doesn't
work - I think the cause is me and my missing experience with Radius. ;)

What do you think?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
[EMAIL PROTECTED]
Sent: Wednesday, 31 October 2007 04:45
To: FreeRadius users mailing list
Subject: Re: Basic usage: What do I do next to get this to work?

PS. Time to go to bed.

Clear the Automatically use Windows logon blah, blah box.

Confirm everything and you are done.

Ivan Kalik
Kalik Informatika ISP




On 31/10/2007, Doc. Caliban [EMAIL PROTECTED] writes:

[EMAIL PROTECTED] wrote:
 Hm, don't know much about IPCop but I would have some doubts about it
 authenticating wired users on a local network.

IPCop is actually pretty good for this as it uses one of it's interfaces
for wireless access based on granting each node specific access by MAC,
but it can be any network node, it doesn't have to be a wireless device.

All of our public workstations are on this interface so the machines are
verified at the proxy.  Now I just need to get the RADIUS piece in place
to validate the users.  IPCop can require RADIUS authentication on top
of the MAC filter.   It sounds good on paper, I just need to find the
easiest way possible for my users to deal with the RADIUS piece of the
model.
 You are on the right track with wireless.


That's good to hear.  Again, I just need to find the simplest
implementation possible for starters.








Re: Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Bernd
I'm trying to do it with openSSL - so no certificates to buy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
[EMAIL PROTECTED]
Sent: Wednesday, 31 October 2007 13:35
To: FreeRadius users mailing list
Subject: Re: Re: Basic usage: What do I do next to get this to work?

You will need to buy a server certificate then. Those will have root CA
already installed on Windows. If you make your own users will need to
import it.

Ivan Kalik
Kalik Informatika ISP


On 31/10/2007, Doc. Caliban [EMAIL PROTECTED] writes:


It sounds like we're in the same boat, but you're one step ahead of me.
I haven't been able to try the latest suggestions yet.  (Probably
tomorrow).  I'm hoping to not have to deal with certificates unless it's
completely automated for my users.  Most of them have little or no
computer skills beyond basic usage.

-Doc





Re: Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Bernd
I think we do.

 

Lately I tried to get PEAP MSCHAPv2 to work. 

 

All settings in conf.s and laptop are made like described in “tutorial for
AD integration”. And I get a response in Debug Mode when I try to connect to
my WLAN. 

It says this:

 

rad_recv: Access-Request packet from host 192.168.1.6:1027, id=171, length=139
User-Name = bnickaes
NAS-IP-Address = 192.168.1.6
NAS-Identifier = BBi5
Framed-MTU = 1496
Called-Station-Id = 00-19-cb-1f-66-2d:BBi WLAN test
Calling-Station-Id = 00-14-a5-3e-a8-ba
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000d01626e69636b616573
Message-Authenticator = 0x90e3fac9ac07c6554cc915f9084b7e7e
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op FROM radcheck   WHERE Username = 'bnickaes'   ORDER BY id
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'bnickaes' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op FROM radreply   WHERE Username = 'bnickaes'   ORDER BY id
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'bnickaes' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
Warning:  Found 2 auth-types on request for user 'bnickaes'
Sending Access-Challenge of id 171 to 192.168.1.6 port 1027
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xae0040259c6e0027d20f07497ad772e3
rad_recv: Access-Request packet from host 192.168.1.6:1027, id=172, length=256
User-Name = bnickaes
NAS-IP-Address = 192.168.1.6
NAS-Identifier = BBi5
Framed-MTU = 1496
Called-Station-Id = 00-19-cb-1f-66-2d:BBi WLAN test
Calling-Station-Id = 00-14-a5-3e-a8-ba
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02020070198000661603010061015d0301472883f5c4aedc6e4983d6084e41a67f7f0241f4463d2d4fd718ccdf9a8123b12008bc4f684a5c373d3851e80c2a33ad09d141a578356d335d892ac642491e6dec001600040005000a000900640062000300060013001200630100
State = 0xae0040259c6e0027d20f07497ad772e3
Message-Authenticator = 0xa1fa011f6381228ee1c9140adce8c222
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op FROM radcheck   WHERE Username = 'bnickaes'   ORDER BY id
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'bnickaes' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op FROM radreply   WHERE Username = 'bnickaes'   ORDER BY id
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'bnickaes' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
Warning:  Found 2 auth-types on request for user 'bnickaes'

 

The output is much longer - many attempts, I think

 

So… I believe this is the problem, but I don’t know how to solve it.

 

Warning:  Found 2 auth-types on request for user 'bnickaes' ?

 

There is an entry “auth-type” in the MySQL database, but I can find only one
auth-type option for my user “bnickaes” there. 

 

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Doc. Caliban
Sent: Wednesday, 31 October 2007 13:14
To: FreeRadius users mailing list
Subject: Re: AW: Basic usage: What do I do next to get this to work?

 

Bernd wrote: 

snip

when I just do this: 
 
Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the
same for wired and wireless. Connection/Properties/click on Authentication
tab/tick enable 802.1x box/select PEAP from the box/click on Properties
button/ and use MSCHAPv2 on configure button it does not work. 
So I tried to create a certificate and import it - still doesn't work -
think the cause is me and my missing experience with Radius. ;)
  


It sounds like we're in the same boat, but you're one step ahead of me.  I
haven't been able to try the latest suggestions yet.  (Probably tomorrow).
I'm hoping to not have to deal with certificates unless it's completely
automated for my users.  Most of them have little or no computer skills
beyond basic usage.

-Doc
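The debug output in this thread shows the server reading check items for the same user from both radcheck and the radgroupcheck rows of that user's groups, so the first thing to audit when it reports two auth-types is whether an attribute such as Auth-Type is defined in more than one of those places. As an added example that is not part of the thread, the Python below loads constructed sample rows into an in-memory SQLite database, runs the same two SELECTs the log shows and reports every check attribute that is defined more than once for a user (the sample values, the group name and the use of SQLite instead of MySQL are assumptions):

```python
import sqlite3

# Constructed sample rows (not from the thread) for the radcheck, usergroup
# and radgroupcheck tables that the two logged queries read.
SAMPLE_ROWS = {
    "radcheck": [(1, "bnickaes", "Auth-Type", ":=", "EAP"),
                 (2, "bnickaes", "User-Password", "==", "secret"),
                 (3, "alice", "User-Password", "==", "pw")],
    "usergroup": [("bnickaes", "wlan"), ("alice", "wlan")],
    "radgroupcheck": [(1, "wlan", "Auth-Type", ":=", "Local"),
                      (2, "wlan", "Simultaneous-Use", ":=", "1")],
}

def build_db():
    """In-memory SQLite copy of the three tables, loaded with SAMPLE_ROWS."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE radcheck(id INTEGER, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
      CREATE TABLE usergroup(UserName TEXT, GroupName TEXT);
      CREATE TABLE radgroupcheck(id INTEGER, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
    """)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        db.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return db

def check_items(db, username):
    """All check items collected for `username`, tagged with the table they
    came from; the two SELECTs are the ones shown in the debug log above."""
    items = []
    for _id, _user, attr, value, op in db.execute(
            "SELECT id, UserName, Attribute, Value, op FROM radcheck "
            "WHERE UserName = ? ORDER BY id", (username,)):
        items.append(("radcheck", attr, op, value))
    for _id, group, attr, value, op in db.execute(
            "SELECT radgroupcheck.id, radgroupcheck.GroupName, "
            "radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.op "
            "FROM radgroupcheck, usergroup WHERE usergroup.UserName = ? "
            "AND usergroup.GroupName = radgroupcheck.GroupName "
            "ORDER BY radgroupcheck.id", (username,)):
        items.append(("radgroupcheck:" + group, attr, op, value))
    return items

def duplicated_attributes(db, username):
    """Check attributes defined more than once for the user, with each
    definition's source and value, e.g. Auth-Type per-user and per-group."""
    seen = {}
    for source, attr, _op, value in check_items(db, username):
        seen.setdefault(attr, []).append((source, value))
    return {a: s for a, s in seen.items() if len(s) > 1}
```

Run against a real radcheck/usergroup/radgroupcheck export, the `op` column is worth reading alongside the duplicates, since the operator decides how two definitions of the same attribute are merged.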

Newbie Question o.O

2007-10-24 Thread Bernd

Hi!

I'm trying to set up a WLAN (5 APs) with a RADIUS Server (SuSe 10.2). RADIUS
should authenticate the MAC Addresses of the WLAN Users to grant them access
to the network. There are often new computers, which should get access to
the Network immediately and without installing anything.
RADIUS is running (APs in clients.conf listed, but not yet any further
settings made), APs are set up and I can roam in my network all over the
office. I use WPA2 PSK at the moment to cipher the WLAN. I have a MySQL
Database to enter user information. 

Question:
 
I just found some options with Certificates/PWs to authenticate users. 
Can I authenticate them just with their MAC? Where do I specify it in my
Database?

It's my first RADIUS Project and I don't think I'm a Stephen Hawking in
RADIUS configuration... ;) 

Anyway...I'm thankful for every help I get.

Thanks in advance

Bernd

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: Newbie Question o.O

2007-10-24 Thread Bernd
  Do the AP's send RADIUS requests to authenticate the MAC when they see
a new machine?  If not, you can't do it.

How do I know if they do?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Wednesday, 24 October 2007 11:21
To: FreeRadius users mailing list
Subject: Re: Newbie Question o.O

Bernd wrote:
 I'm trying to set up a WLAN (5 APs) with a RADIUS Server (SuSe 10.2). RADIUS
 should authenticate the MAC Addresses of the WLAN Users to grant them access
 to the network.

  Do the AP's send RADIUS requests to authenticate the MAC when they see
a new machine?  If not, you can't do it.

 I just found some options with Certificates/PWs to authenticate users. 
 Can I authenticate them just with their MAC? Where do I specify it in my
 Database?

  Yes, you can authenticate them with the MAC.  See what is in the
RADIUS Access-Request from the NAS, then use that as keys for local
policies.

 It's my first RADIUS Project and I don't think I'm a Stephen Hawking in
 RADIUS configuration... ;) 
 
 Anyway...I'm thankful for every help I get.

  Unfortunately, you're being told to go read the NAS documentation.
Then, if what you want is possible, come back here for more FreeRADIUS
questions.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




AW: AW: Newbie Question o.O

2007-10-24 Thread Bernd
I'm sorry...I never worked with RADIUS, please consider that. I don't mind
reading documentation :)  - but I don't know where I can find the NAS
documentation 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Wednesday, 24 October 2007 12:38
To: FreeRadius users mailing list
Subject: Re: AW: Newbie Question o.O

Bernd wrote:
   Do the AP's send RADIUS requests to authenticate the MAC when they see
 a new machine?  If not, you can't do it.
 
 How do I know if they do?
...

   Unfortunately, you're being told to go read the NAS documentation.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

