Storing Realms on database
Currently we store realms on a SQL database and a cron script updates proxy.conf. This is ugly and unstable due to the required restart of FreeRADIUS. Is there a native method to store Realms on a SQL database like users, groups, clients, ip pools and huntgroups?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_ldap: default_profile not expanded
Is the default_profile setting in modules/ldap supposed to expand runtime variables? I tried to set:

default_profile = cn=default,ou=%{Realm},ou=profiles,dc=mc,dc=com

but on the logs I see:

rlm_ldap: performing search in cn=default,ou=%{Realm},ou=profiles,dc=mc,dc=com
rlm_ldap: object not found

If I set:

default_profile = cn=default,ou=company,ou=profiles,dc=mc,dc=com

it works.
Doubt about default and inner-tunnel
I use FR 2.1.1 for WPA authentication, using TTLS+MSCHAPv2 and LDAP to store users and passwords (in LM/NT hash format). I tried several configurations:

Configuration 1:
- no changes in sites-enabled/default;
- in sites-enabled/inner-tunnel uncommented ldap in authorize and Auth-Type LDAP in authenticate.
Result: users get access even with an incorrect password. Why?

Configuration 2:
- in sites-enabled/default uncommented ldap in authorize and Auth-Type LDAP in authenticate;
- no changes in sites-enabled/inner-tunnel.
Result: users aren't authenticated.

Configuration 3:
- in sites-enabled/default uncommented Auth-Type LDAP in authenticate;
- in sites-enabled/inner-tunnel uncommented ldap in authorize.
Result: it seems to work correctly, users get access only with a correct password.

I can't understand well the flow of the process between the two virtual servers :(

smime.p7s Description: S/MIME Cryptographic Signature
Re: EAP-TTLS first connection works, other won't
Alan DeKok wrote:
> Giovanni Lovato wrote:
>> Mmmm... After a little more investigation, I think it's the AP that causes the problem: it receives an Access-Accept but ignores it, sends another Access-Request and FR correctly generates an Access-Reject because of the duplicate request. So it's not a FR issue, but if someone has any advice on how to debug this, any help will be appreciated!
>
> Hmm... I think I see what's happening. The NAS is broken... it not only ignores the Access-Accept, but when it re-transmits the previous request, it does so with a *new* RADIUS Id. This means that the code in FreeRADIUS to detect retransmissions isn't used... and the packet is processed as a new request.
>
> If the NAS wasn't broken, it would re-transmit the request using the same RADIUS Id, and FreeRADIUS would send the same (saved) Access-Accept back, without doing any additional processing.
>
> The best advice is to replace the NAS. It's broken.

Thank you very much, your explanation is perfectly clear. The NAS is a D-Link DWL-G700AP with a modified firmware (Wive). I'm trying it because I need accounting and the original firmware doesn't send accounting packets. I'll try to replace the daemon which does AAA on the NAS OS and see if the issue persists.
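To make the retransmission behaviour described in Alan's reply concrete, here is a small Python model of a RADIUS server's duplicate-request cache. It is an added example, not FreeRADIUS code and not something posted in this thread; it assumes, as a simplification, that a retransmission is recognised by matching the client address, the RADIUS Id and the Request Authenticator, and that an Access-Request carrying the State of an EAP conversation that has already ended is rejected. The user store, the NAS address and the State values are constructed for the illustration, and the function and class names are my own.

```python
"""Model of RADIUS duplicate-request detection (added example, not FreeRADIUS code).

A RADIUS server keeps the reply it last sent for each (client, Id) pair.
A well-behaved NAS retransmits an unanswered request with the *same* Id
and Request Authenticator, so the server hands back the saved reply
without re-running authentication. A NAS that retransmits with a fresh
Id looks like a brand-new request; when that request carries the State
of an EAP conversation that already finished, there is no session left
to continue and the server rejects it. Everything below is constructed.
"""
import os
from dataclasses import dataclass, field

KNOWN_USERS = {"heruan", "jamila"}  # constructed toy user database


@dataclass(frozen=True)
class Request:
    client: str           # NAS address the packet came from (constructed)
    identifier: int       # RADIUS Id byte (0-255)
    authenticator: bytes  # 16-byte Request Authenticator
    user_name: str
    state: bytes          # State attribute tying the packet to an EAP session


@dataclass
class DedupServer:
    processed: int = 0                          # full authentications actually run
    cache: dict = field(default_factory=dict)   # (client, id) -> (authenticator, reply)
    finished: set = field(default_factory=set)  # State values whose EAP session ended

    def handle(self, req: Request) -> str:
        key = (req.client, req.identifier)
        hit = self.cache.get(key)
        if hit is not None and hit[0] == req.authenticator:
            # Same Id and same Authenticator: a retransmission. Replay the saved
            # reply; no module runs and the EAP session is left untouched.
            return hit[1]
        # New Id (or same Id with a different Authenticator): treat as a new request.
        self.processed += 1
        if req.state in self.finished:
            reply = "Access-Reject"        # no EAP session matches this State any more
        elif req.user_name in KNOWN_USERS:
            reply = "Access-Accept"
            self.finished.add(req.state)   # the EAP conversation is over now
        else:
            reply = "Access-Reject"
        self.cache[key] = (req.authenticator, reply)
        return reply


def well_behaved_nas():
    """NAS loses the Accept and retransmits with the same Id and Authenticator."""
    srv = DedupServer()
    auth, state = os.urandom(16), b"session-1"
    first = srv.handle(Request("192.168.22.1", 1, auth, "heruan", state))
    retry = srv.handle(Request("192.168.22.1", 1, auth, "heruan", state))
    return first, retry, srv.processed


def broken_nas():
    """NAS loses the Accept and retransmits with a *new* Id and Authenticator."""
    srv = DedupServer()
    state = b"session-1"
    first = srv.handle(Request("192.168.22.1", 1, os.urandom(16), "heruan", state))
    retry = srv.handle(Request("192.168.22.1", 2, os.urandom(16), "heruan", state))
    return first, retry, srv.processed


if __name__ == "__main__":
    print("well-behaved NAS:", well_behaved_nas())  # ('Access-Accept', 'Access-Accept', 1)
    print("broken NAS:     ", broken_nas())         # ('Access-Accept', 'Access-Reject', 2)
```

The second tuple reproduces the symptom in the thread: the first Access-Accept is produced, the retransmission with a new Id is processed from scratch, and because the EAP session it refers to is already finished the answer is an Access-Reject. In a real deployment the same pattern shows up in the debug log as two Access-Requests from the same Calling-Station-Id within a second, with different Ids but the same State value.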
Re: EAP-TTLS first connection works, other won't
Alan DeKok wrote:
> Giovanni Lovato wrote:
>> I set up freeradius 2.1.1 for EAP-TTLS, on Debian Lenny. As client I'm using Ubuntu. When I try to connect, the first user (on the logs, heruan) connects successfully, but subsequent users (e.g. jamila) won't. If I restart freeradius, and try to connect first with jamila and then with heruan, jamila connects and heruan doesn't. The only error I'm able to see on the log is:
>> 798:[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
>
> ? Session resumption is done on a per-user basis. Session resumption for one user does NOT affect other users.
>
> The only way that this can happen is if you use one user name for the first session, and then using the *same* SSL data, try to authenticate using a different User-Name.
>
> All I can say is I can't reproduce this on my system.

Mmmm... After a little more investigation, I think it's the AP that causes the problem: it receives an Access-Accept but ignores it, sends another Access-Request and FR correctly generates an Access-Reject because of the duplicate request. So it's not a FR issue, but if someone has any advice on how to debug this, any help will be appreciated!
EAP-TTLS first connection works, other won't
I set up freeradius 2.1.1 for EAP-TTLS, on Debian Lenny. As client I'm using Ubuntu. When I try to connect, the first user (on the logs, heruan) connects successfully, but subsequent users (e.g. jamila) won't. If I restart freeradius, and try to connect first with jamila and then with heruan, jamila connects and heruan doesn't. The only error I'm able to see on the log is:

798:[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
799-[eap] Freeing handler
800-++[eap] returns reject
801-Failed to authenticate the user.
802-Using Post-Auth-Type Reject
803-+- entering group REJECT {...}

But I really don't know what it means.

rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=125
        User-Name = heruan
        NAS-IP-Address = 192.168.22.1
        Called-Station-Id = 00c049d3f40e
        Calling-Station-Id = 002268c0eb93
        NAS-Identifier = 00c049d3f40e
        NAS-Port = 184
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020b0168657275616e
        Message-Authenticator = 0x4bd473610ad7dcfdcb6b1016a23acb10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = heruan, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for heruan
[ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
[ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
[ldap] expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}})) - (|(uid=heruan)(cn=heruan))
[ldap] expand: dc=aldu,dc=net - dc=aldu,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.laurelin.aldu.net:389, authentication 0
rlm_ldap: bind as cn=radius,dc=aldu,dc=net/RaD-802.1X to ldap.laurelin.aldu.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword - NT-Password == 0x30...
rlm_ldap: sambaLmPassword - LM-Password == 0x35...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user heruan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.22.1 port 3073
        EAP-Message = 0x010100160410faf366dabc0e2d2eada92aed8a1beef5
        Message-Authenticator = 0x
        State = 0xf46f03b2f46e07fbc157e3e44121daf3
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=138
Cleaning up request 0 ID 1 with timestamp +11
        User-Name = heruan
        NAS-IP-Address = 192.168.22.1
        Called-Station-Id = 00c049d3f40e
        Calling-Station-Id = 002268c0eb93
        NAS-Identifier = 00c049d3f40e
        NAS-Port = 184
        Framed-MTU = 1400
        State = 0xf46f03b2f46e07fbc157e3e44121daf3
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020100060315
        Message-Authenticator = 0x24f629997ec0167cb1d9418bb69bf17a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = heruan, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for heruan
[ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
[ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
[ldap] expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}})) - (|(uid=heruan)(cn=heruan))
[ldap] expand: dc=aldu,dc=net - dc=aldu,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=aldu,dc=net, with filter
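Debug output like the one above is much easier to work with once it is split into requests. The following Python parser is an added example, not code from this thread or from FreeRADIUS: for each rad_recv block it collects the request attributes, the return code of every module (with the section it ran in), the Auth-Type, the reply type and the reply attributes, and it keeps any FAIL/WARNING lines. It also checks for the situation Alan DeKok describes earlier on this page, a State that was issued in a reply to one User-Name coming back in a request carrying a different User-Name. The sample log is constructed, modelled on the lines quoted in this thread, and the function names are my own.

```python
"""Parser for FreeRADIUS `radiusd -X` style debug output (added example)."""
import re

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+), length=(\d+)")
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*) = (.+?)\s*$")
GROUP_RE = re.compile(r"^\+- entering group (\w+)")
MOD_RE = re.compile(r"^\++\[([\w-]+)\] returns (\w+)")
AUTHTYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
FAILING = {"reject", "fail", "invalid", "userlock"}  # module codes that end a request badly

# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=125
\tUser-Name = "heruan"
\tNAS-IP-Address = 192.168.22.1
\tCalling-Station-Id = "002268c0eb93"
\tEAP-Message = 0x020b0168657275616e
+- entering group authorize {...}
++[preprocess] returns ok
++[suffix] returns noop
++[eap] returns updated
[ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
++[ldap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.22.1 port 3073
\tEAP-Message = 0x010100160410faf366dabc0e2d2eada92aed8a1beef5
\tState = 0xf46f03b2f46e07fbc157e3e44121daf3
rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=2, length=138
\tUser-Name = "jamila"
\tNAS-IP-Address = 192.168.22.1
\tState = 0xf46f03b2f46e07fbc157e3e44121daf3
+- entering group authorize {...}
++[preprocess] returns ok
++[eap] returns updated
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Sending Access-Reject of id 2 to 192.168.22.1 port 3073
"""


def parse_debug(text):
    """Split debug output into one dict per received packet."""
    requests, cur, section = [], None, None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            cur = {"type": m.group(1), "client": m.group(2), "id": int(m.group(4)),
                   "attrs": {}, "modules": [], "auth_type": None,
                   "reply": None, "reply_attrs": {}, "notes": []}
            requests.append(cur)
            section = "attrs"          # attribute lines follow the rad_recv header
            continue
        if cur is None:
            continue                   # preamble before the first packet
        if (m := GROUP_RE.match(line)):
            section = m.group(1)       # authorize, authenticate, post-auth, ...
        elif (m := MOD_RE.match(line)):
            cur["modules"].append((section, m.group(1), m.group(2)))
        elif (m := AUTHTYPE_RE.match(line)):
            cur["auth_type"] = m.group(1)
        elif (m := SEND_RE.match(line)):
            cur["reply"] = m.group(1)
            section = "reply"          # reply attribute lines follow
        elif "FAIL" in line or "WARNING" in line:
            cur["notes"].append(line.strip())
        elif section in ("attrs", "reply") and (m := ATTR_RE.match(line)):
            target = cur["attrs"] if section == "attrs" else cur["reply_attrs"]
            target[m.group(1)] = m.group(2).strip('"')
    return requests


def failing_modules(req):
    """(section, module, code) for every module that returned a failing code."""
    return [(s, mod, rc) for s, mod, rc in req["modules"] if rc in FAILING]


def state_reuse(requests):
    """Requests whose State was issued in a reply to a *different* User-Name."""
    issued, findings = {}, []           # State value -> (id, user) it was sent to
    for r in requests:
        user, st = r["attrs"].get("User-Name"), r["attrs"].get("State")
        if st in issued and issued[st][1] != user:
            findings.append((r["id"], user, issued[st][0], issued[st][1]))
        if r["reply_attrs"].get("State"):
            issued[r["reply_attrs"]["State"]] = (r["id"], user)
    return findings


def summarize(req):
    """One line per request: who, what came back, which module failed."""
    user = req["attrs"].get("User-Name", "?")
    bad = ", ".join(f"{mod} returned {rc} in {s}" for s, mod, rc in failing_modules(req))
    return (f"id={req['id']} from {req['client']} user={user}: reply={req['reply']}; "
            f"{bad or 'no failing module'}; notes={len(req['notes'])}")


if __name__ == "__main__":
    reqs = parse_debug(SAMPLE)
    for r in reqs:
        print(summarize(r))
    print("State reuse across users:", state_reuse(reqs))
```

Run against a real `radiusd -X` capture, the summary lines show at a glance which module produced the reject and in which section, and state_reuse() reports exactly the "same SSL data, different User-Name" case from the reply above (here request 2, user jamila, reusing the State issued to heruan in request 1).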
Debugging access point behaviour
First of all, this is not a FR problem. I use FR 2.1.0 and it works very well! BTW, I'm trying to configure an access point to authenticate against FR, but the process fails. Maybe someone here can tell me where the issue is, so I attach the log of FR...

Some details:
OS: Debian Lenny
FR version: 2.1.0
Authentication backend: LDAP
Authentication method: WPA2-EAP TLS
Note: authentication works well with other access points.

Thank you!

--
Giovanni Lovato [EMAIL PROTECTED]

rad_recv: Access-Request packet from host 192.168.11.6 port 3072, id=126, length=169
        User-Name = heruan
        NAS-IP-Address = 0.0.0.0
        NAS-Port = 0
        Called-Station-Id = 6c576976
        Calling-Station-Id = 002268c0eb93
        NAS-Identifier = Realtek Access Point. 8181
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x020b0168657275616e
        Message-Authenticator = 0x10e69b5ef3ecf07fb56f44023213e72b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = heruan, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
[ldap_telperion] performing user authorization for heruan
WARNING: Deprecated conditional expansion :-. See man unlang for details
WARNING: Deprecated conditional expansion :-. See man unlang for details
expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name})) - (|(uid=heruan)(cn=heruan))
expand: dc=aldu,dc=net - dc=aldu,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldaps://ldap.aldu.net, authentication 0
rlm_ldap: setting TLS CACert File to /export/ssl/AlduNetworkCA.crt
rlm_ldap: setting TLS Cert File to /export/ssl/crts/radius.aldu.net.crt
rlm_ldap: setting TLS Key File to /export/ssl/keys/radius.aldu.net.key
rlm_ldap: bind as cn=radius,dc=aldu,dc=net/RaD-802.1X to ldaps://ldap.aldu.net
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan))
[ldap_telperion] Added User-Password = {SSHA}...omitted... in check items
[ldap_telperion] No default NMAS login sequence
[ldap_telperion] looking for check items in directory...
rlm_ldap: sambaNtPassword - NT-Password == 0x...omitted...
rlm_ldap: sambaLmPassword - LM-Password == 0x...omitted...
[ldap_telperion] looking for reply items in directory...
[ldap_telperion] user heruan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_telperion] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!
!!! Please update your configuration so that the known good
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 126 to 192.168.11.6 port 3072
        EAP-Message = 0x010100160410fd40decb184fb0fc23a60c70f3a86edc
        Message-Authenticator = 0x
        State = 0xecb4974becb5936c21163977cb2ae20c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.11.6 port 3072, id=127, length=176
        User-Name = heruan
        NAS-IP-Address = 0.0.0.0
        NAS-Port = 0
        Called-Station-Id = 6c576976
        Calling-Station-Id = 002268c0eb93
        NAS-Identifier = Realtek Access Point. 8181
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x02010006030d
        State = 0xecb4974becb5936c21163977cb2ae20c
        Message-Authenticator = 0x5f7eb55227aaa419cce4154003eb5363
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = heruan, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's
acctsessionid in SQL schemas is too short
In SQL schemas, acctsessionid as VARCHAR(32) is too short; some NAS (e.g. Juniper ERX) send to RADIUS a long Acct-Session-Id (up to 48 chars). I manually set it to VARCHAR(64) and now it seems to work correctly.
Re: Problems running FreeRadius 1.1.7 on Linux
Raghu Narasimhan wrote:
> Linux machine. Installed FreeRadius 1.1.7
> Problems running it.

Why such an old version?
Expanding LDAP default_profile
Maybe I'm wrong, but it seems the default_profile option in the LDAP configuration is not expanded, for example:

default_profile = cn=default,ou=profiles,ou=%{Realm},dc=example,dc=com

How can I make default_profile expand? Thanks!
Re: [SOLVED] FreeRADIUS 2.0.5 Debian dpkg-buildpackage error
Giovanni Lovato wrote:
> # dpkg-buildpackage -b -uc
> dpkg-buildpackage: source package is freeradius
> dpkg-buildpackage: source version is 2.0.5-0
> dpkg-buildpackage: source changed by Alan DeKok [EMAIL PROTECTED]
> dpkg-buildpackage: host architecture i386
> dpkg-buildpackage: source version without epoch 2.0.5-0
>  debian/rules clean
> dpatch deapply-all
> 02-dialupadmin-help not applied to ./ .
> 01-radiusd-to-freeradius not applied to ./ .
> rm -rf patch-stamp patch-stampT debian/patched
> dh_testdir
> dh_clean
> rm -f build-arch-stamp build-indep-stamp libltdl/stamp-h1
> rm -f install-arch-stamp install-indep-stamp configure-stamp
> [ -f Make.inc ] && make distclean || true
> # The make clean forgets to remove this build directory
> [ -d src/modules/lib ] && rm -fr src/modules/lib || true
> # Put the original autotools files back in place
> [ -f config.sub.dist ] && rm config.sub && mv config.sub.dist config.sub || true
> [ -f config.guess.dist ] && rm config.guess && mv config.guess.dist config.guess || true
>  debian/rules build
> test -d debian/patched || install -d debian/patched
> dpatch apply-all
> applying patch 01-radiusd-to-freeradius to ./ ... failed.
> make: *** [patch-stamp] Error 1

The error on the patch is at lines 47-48 in debian/patches/01-radiusd-to-freeradius.dpatch, change

-#user = nobody
-#user = nobody

to

-#user = radius
-#user = radius

then dpkg-buildpackage will compile fine (it may be necessary to do a fresh untar).
Re: FreeRADIUS 2.0.5 Debian dpkg-buildpackage error
orion wrote:
> 2008/6/13 Giovanni Lovato [EMAIL PROTECTED]:
>> # dpkg-buildpackage -b -uc
>> dpkg-buildpackage: source package is freeradius
>> dpkg-buildpackage: source version is 2.0.5-0
>> dpkg-buildpackage: source changed by Alan DeKok [EMAIL PROTECTED]
>> dpkg-buildpackage: host architecture i386
>> dpkg-buildpackage: source version without epoch 2.0.5-0
>>  debian/rules clean
>> dpatch deapply-all
>> 02-dialupadmin-help not applied to ./ .
>> 01-radiusd-to-freeradius not applied to ./ .
>> rm -rf patch-stamp patch-stampT debian/patched
>> dh_testdir
>> dh_clean
>> rm -f build-arch-stamp build-indep-stamp libltdl/stamp-h1
>> rm -f install-arch-stamp install-indep-stamp configure-stamp
>> [ -f Make.inc ] && make distclean || true
>> # The make clean forgets to remove this build directory
>> [ -d src/modules/lib ] && rm -fr src/modules/lib || true
>> # Put the original autotools files back in place
>> [ -f config.sub.dist ] && rm config.sub && mv config.sub.dist config.sub || true
>> [ -f config.guess.dist ] && rm config.guess && mv config.guess.dist config.guess || true
>>  debian/rules build
>> test -d debian/patched || install -d debian/patched
>> dpatch apply-all
>> applying patch 01-radiusd-to-freeradius to ./ ... failed.
>> make: *** [patch-stamp] Error 1
>
> hi there.
> download freeradius as a non-root user.
> untar the archive.
> chmod +x -R the untarred folder
> cd to the folder
> issue dpkg-buildpackage -b -uc as a non-root user.
> then su and install the deb packages created one directory up.

Why should I set execute permission on the whole tree? It makes no sense. Though, the error still occurs.
FreeRADIUS 2.0.5 Debian dpkg-buildpackage error
# dpkg-buildpackage -b -uc
dpkg-buildpackage: source package is freeradius
dpkg-buildpackage: source version is 2.0.5-0
dpkg-buildpackage: source changed by Alan DeKok [EMAIL PROTECTED]
dpkg-buildpackage: host architecture i386
dpkg-buildpackage: source version without epoch 2.0.5-0
 debian/rules clean
dpatch deapply-all
02-dialupadmin-help not applied to ./ .
01-radiusd-to-freeradius not applied to ./ .
rm -rf patch-stamp patch-stampT debian/patched
dh_testdir
dh_clean
rm -f build-arch-stamp build-indep-stamp libltdl/stamp-h1
rm -f install-arch-stamp install-indep-stamp configure-stamp
[ -f Make.inc ] && make distclean || true
# The make clean forgets to remove this build directory
[ -d src/modules/lib ] && rm -fr src/modules/lib || true
# Put the original autotools files back in place
[ -f config.sub.dist ] && rm config.sub && mv config.sub.dist config.sub || true
[ -f config.guess.dist ] && rm config.guess && mv config.guess.dist config.guess || true
 debian/rules build
test -d debian/patched || install -d debian/patched
dpatch apply-all
applying patch 01-radiusd-to-freeradius to ./ ... failed.
make: *** [patch-stamp] Error 1
Different LDAP base DN for different realms
I have an LDAP directory organized as follows:

dc=example,dc=org
|-ou=first
| \-ou=people
|   \-uid=john
|
|-ou=second
| \-ou=people
|   \-uid=john
|
\-ou=third
  \-ou=people
    \-uid=john

I would like to tell FR to look in the appropriate OU based on the realm the user authenticates with, for example:

[EMAIL PROTECTED] will try to bind on uid=john,ou=people,ou=first,dc=example,dc=org
[EMAIL PROTECTED] on uid=john,ou=people,ou=second,dc=example,dc=org

and so on... How can I achieve this with virtual servers or unlang? Thank you very much!
Assign Ip-Pool based on NAS-Ip-Address
I would like to assign IP addresses from pools based on which NAS the request comes from. Can I achieve this? Users are stored in LDAP and NAS on SQL.
Re: Assign Ip-Pool based on NAS-Ip-Address
Alan DeKok wrote:
> Giovanni Lovato wrote:
>> I would like to assign IP addresses from pools based on which NAS the request comes from. Can I achieve this? Users are stored in LDAP and NAS on SQL.
>
> See the sqlippool module.

What key on the sqlippool table should I set to make FR choose a pool based on NAS-IP-Address? The scenario is:

1. a NAS requires access for a user;
2. if FR doesn't find a Framed-IP-Address on user attributes, it should assign an IP from a pool depending on which NAS the request comes from.

I tried to set the `nasipaddress' key on the sqlippool table but FR seems to ignore it...
Re: undefined symbol: sql_get_socket
Phil Mayers wrote:
> Nicolas Goutte wrote:
>> On 27.05.2008 at 18:20 Giovanni Lovato wrote:
>>> Alan DeKok wrote:
>>>> Giovanni Lovato wrote:
>>>>> I compiled deb packages from 2.0.4 sources. I would use rlm_sqlippool but I get this message:
>>>>> symbol lookup error: /usr/lib/freeradius/rlm_sqlippool-2.0.4.so: undefined symbol: sql_get_socket
>>>>> How can I solve that?
>>>>
>>>> Link the server statically:
>>>> $ ./configure --disable-shared
>>>> Then again, Debian might only have shared versions of some libraries (e.g. Perl), so this might not work, either.
>>>
>>> It doesn't work, `ld' complains about unavailable static libraries. What I can't understand is why other modules that use MySQL aren't affected by this problem!
>>
>> Try to use nm(1) on the .so files and see if the symbol is different in the two libraries.
>
> Why? It will be, because it's meant to be.
>
>> I have just checked FreeRadius 2.0.2 on Mac and the symbols are indeed different. One time T (text section symbol) for rlm_sql.so but U (undefined) for rlm_sqlippool.so
>
> Because rlm_sqlippool imports it from rlm_sql
>
>> As for what this difference exactly means and where to try to fix this, I do not know. Sorry.
>
> It means nothing. It's normal.

Do you mean it has nothing to do with the undefined symbol error when launching freeradius? I still can't understand why other modules that use MySQL aren't affected by this issue; may it be a missing inclusion in the Makefile?
undefined symbol: sql_get_socket
I compiled deb packages from 2.0.4 sources. I would use rlm_sqlippool but I get this message:

symbol lookup error: /usr/lib/freeradius/rlm_sqlippool-2.0.4.so: undefined symbol: sql_get_socket

How can I solve that?
Re: Reply-Items in Ldap-Group
Ranner, Frank MR wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] eradius.org [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Giovanni Lovato
> Sent: Saturday, 1 March 2008 11:23
> To: FreeRadius users mailing list
> Subject: Reply-Items in Ldap-Group
>
>> I wish to assign various Reply-Items to a group defined in LDAP, and then configure FreeRADIUS to fetch those Reply-Items whenever a user belonging to that group authenticates. Is that possible? Thank you!
>
> You can use an indirect method: In users you can specify:
>
> DEFAULT Ldap-Group == netops, User-Profile:='cn=netops,ou=profiles,dc=example'

Ok, thank you very much. Can I place that `User-Profile' attribute directly in the LDAP user dn? I tried but it didn't work. I wish not to modify the `users' file, but only LDAP if possible!
Re: Reply-Items in Ldap-Group
Giovanni Lovato wrote:
> Ranner, Frank MR wrote:
>> -----Original Message-----
>> From: [EMAIL PROTECTED] eradius.org [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Giovanni Lovato
>> Sent: Saturday, 1 March 2008 11:23
>> To: FreeRadius users mailing list
>> Subject: Reply-Items in Ldap-Group
>>
>>> I wish to assign various Reply-Items to a group defined in LDAP, and then configure FreeRADIUS to fetch those Reply-Items whenever a user belonging to that group authenticates. Is that possible? Thank you!
>>
>> You can use an indirect method: In users you can specify:
>>
>> DEFAULT Ldap-Group == netops, User-Profile:='cn=netops,ou=profiles,dc=example'
>
> Ok, thank you very much. Can I place that `User-Profile' attribute directly in the LDAP user dn? I tried but it didn't work. I wish not to modify the `users' file, but only LDAP if possible!

I found a very simple way to do this:

1. in radiusd.conf uncomment:
   profile_attribute = radiusProfileDn
2. in LDAP entries, add the `radiusProfileDn' attribute and fill it with the DN of the entry where RADIUS Reply-Items are defined.

Bye,
Giovanni Lovato
Juniper ERX dictionary
We need to use a dictionary for JunOS 8.2, but the syntax seems to be non-standard and FreeRADIUS can't recognize it: http://pastebin.com/m6916d351

How can I translate that dictionary or make FreeRADIUS recognize it?

Thank you,
G.L.
Re: Juniper ERX dictionary
Bjørn Mork wrote:
> Giovanni Lovato [EMAIL PROTECTED] writes:
>> We need to use a dictionary for JunOS 8.2,
>
> JUNOS and JUNOSe are two very different things. Both can use radius however. Based on the subject and link you posted, I assume you're talking about JUNOSe 8.2.
>
>> but the syntax seems to be non-standard and FreeRADIUS can't recognize it: http://pastebin.com/m6916d351
>
> That's not a FreeRADIUS dictionary. There is no standard.
>
>> How can I translate that dictionary or make FreeRADIUS recognize it?
>
> Do you need to use any attributes not already defined in the dictionary.erx coming with FreeRADIUS? If so, add it and provide a bug report with a patch. The syntax should be pretty self-explanatory. There's also a dictionary(5) man page in FreeRADIUS.

I didn't know there was a dictionary.erx in the FreeRADIUS sources; it works perfectly, thanks!
Re: Signal -HUP
Alan DeKok wrote:
> Dmitry A. Sysoev wrote:
>> Good afternoon! Why does radiusd (ver 2.0.3+ cvs) not reload the configuration files with killall -HUP radiusd?
>
> Because it doesn't. It's hard to do right. And no, Apache doesn't handle HUP, either. It just *looks* like it handles HUP. It really re-starts itself from scratch.
>
> If you need FreeRADIUS to reload the configuration files, then stop and re-start it.

How can I check for syntax errors in configuration files without starting FreeRADIUS? Is there something like the ISC DHCPD -T option?
Re: Reply-Items in Ldap-Group
Ivan Kalik wrote:
> Yes.
>
> DEFAULT Ldap-Group == whatever
>         reply, reply

Thanks, but I meant whether I could store those reply-items directly in LDAP attributes. It works for users, for example:

dn: uid=testuser,dc=example,dc=org
uid: testuser
...
objectClass: radiusProfile
radiusFramedIPAddress: 192.0.2.1

When 'testuser' authenticates, FreeRADIUS correctly replies with Framed-IP-Address to the NAS. I wish to store some reply-items on a group:

dn: cn=testgroup,dc=example,dc=org
cn: testgroup
member: testuser1
member: testuser2
member: testuser3
...
radiusReplyItem: Mikrotik-Rate-Limit := 128k

so that all members of 'testgroup' get that reply-item!
Reply-Items in Ldap-Group
I wish to assign various Reply-Items to a group defined in LDAP, and then configure FreeRADIUS to fetch those Reply-Items whenever a user belonging to that group authenticates. Is that possible? Thank you!
Re: NAS-IP-Address = 0.0.0.0
Walter Gould wrote:
> Please excuse me if this has already been covered in the docs or the FAQ (I looked - but nothing jumped out at me). In accounting packets coming from Cisco Catalyst 6513 switches, the NAS-IP-Address = 0.0.0.0. Does anybody know why and if this can be changed? I have tried modifying the aaa accounting commands on the switch, but that has not seemed to fix it. On our 3750 series switches, this doesn't happen and the correct switch/NAS ip address is listed in the NAS-IP-Address attribute field.

# ip radius source-interface interface

Bye,
G.L.

--
mail: [EMAIL PROTECTED]
web: http://heruan.my.aldu.net
Identity does not match User-Name, setting from EAP Identity.
I'm trying to get Windows XP authenticating using logon username/password.

# freeradius -X
[...]
rad_recv: Access-Request packet from host 192.168.12.3:1048, id=0, length=217
        Message-Authenticator = 0xdbb...
        Service-Type = Framed-User
        User-Name = TELPERION\\heruan
        Framed-MTU = 1488
        Called-Station-Id = 00-19-5B-XX-XX-XX:Telperion
        Calling-Station-Id = 00-13-02-XX-XX-XX
        NAS-Identifier = D-Link Access Point
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x02...
        NAS-IP-Address = 192.168.12.3
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
    rlm_realm: No '@' in User-Name = heruan, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 0 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
  modcall[authorize]: module files returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for heruan
radius_xlat: '(|(uid=heruan)(cn=heruan))'
radius_xlat: 'dc=aldu,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNTPassword as NT-Password, value 0DBF... op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value 5388... op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user heruan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 1
  rlm_pap: Normalizing NT-Password from hex encoding
  rlm_pap: Normalizing LM-Password from hex encoding
  rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 1
modcall: leaving group authenticate (returns invalid) for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.12.3:1048, id=0, length=217
Sending Access-Reject of id 0 to 192.168.12.3 port 1048

I wonder what "Identity does not match User-Name, setting from EAP Identity." means... Enabling/disabling ntdomain_hack on the mschap module didn't change anything :(

G.L.

--
www.aldu.net/~heruan
[EMAIL PROTECTED]
Re: Identity does not match User-Name, setting from EAP Identity.
[EMAIL PROTECTED] wrote:
>> users: Matched entry DEFAULT at line 153
>> users: Matched entry DEFAULT at line 172
> What's in these entries in the users file?

My `users' file is the default coming with FreeRADIUS:

153: DEFAULT Auth-Type = System
             Fall-Through = 1

172: DEFAULT Service-Type == Framed-User
             Framed-IP-Address = 255.255.255.254,
             Framed-MTU = 576,
             Service-Type = Framed-User,
             Fall-Through = Yes

> Have you got Auth-Type:=EAP somewhere?

No, I read it should be automatic, isn't it?

Thank you,
G.L.
-- 
www.aldu.net/~heruan
[EMAIL PROTECTED]
Re: EAP/TLS, after access-challenge nothing happens
[EMAIL PROTECTED] wrote:
> http://wiki.freeradius.org/index.php/FAQ#PEAP_or_EAP-TLS_Doesn.27t_Work_with_a_Windows_machine
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 22/6/2007, stefek143 [EMAIL PROTECTED] wrote:
>> Hi, I have a little problem with authentication using EAP/TLS on freeradius.
>> After the Access-Challenge, freeradius does not display Reject or Accept; it
>> only goes back to the beginning and repeats the same operation. What's wrong??
>> As NAS I'm using a Cisco Catalyst 2950, and the client supplicant is WinXP.

I'm affected by the same issue; following the FAQ hints didn't help me. I signed the server certificate using:

# openssl ca -policy policy_anything -out certs/radius-cert.pem -extensions xpserver_ext -extfile xpextensions -infiles reqs/radius-req.pem

but Windows still silently fails authentication.

Giovanni Lovato
-- 
www.aldu.net/~heruan
[EMAIL PROTECTED]
check-config option
On http://wiki.freeradius.org/index.php/FAQ, question 6.10, I read:

> With FreeRADIUS you can simply use: radiusd -C to check the configuration. [...]

But when I try to do that:

# radiusd -C
radiusd: invalid option -- C
Usage: radiusd [-a acct_dir] [-d db_dir] [-l log_dir] [-i address] [-p port] [-AcfnsSvXxyz]

I'm using FreeRADIUS 1.1.6.

G.L.
-- 
www.aldu.net/~heruan
[EMAIL PROTECTED]
Re: check-config option
[EMAIL PROTECTED] wrote:
> Hi,
>> With FreeRADIUS you can simply use: radiusd -C to check the configuration. [...]
> gone deprecated

So how could I check the configuration before sighupping the process? I tried a script called ``check-radiusd-config'' but it gives me:

# check-radiusd-config
Radius server configuration looks OK.

also when the configuration IS NOT OK! Any other new method or option to do that?

G.L.
-- 
www.aldu.net/~heruan
[EMAIL PROTECTED]
Re: Grouping users and clients
Kostas Kalevras wrote:
> Giovanni Lovato wrote:
>> Hi all. We have a set of Cisco routers and a pool of users in an LDAP
>> directory. At this time the routers are configured to request authentication
>> from FreeRadius, which binds to LDAP and grants access to the user on a
>> successful bind. We need to create groups of routers and groups of users,
>> granting access to certain groups of routers only to certain groups of users.
>> Can we do that using FreeRadius?
> groups of routers = huntgroups
> ldap module provides functionality for group handling.

Thank you, that is exactly what I mean :) Can I also define huntgroups on LDAP? I see radiusNASIpAddress and radiusHuntgroupName in the Radius schema for LDAP.

G.L.
-- 
www.aldu.net/~heruan
[EMAIL PROTECTED]
Reply-Item from LDAP groups
Can I get a Reply-Item from LDAP groups? For example:

dn: uid=testuser,ou=people,dc=domain,dc=tld
uid: testuser
...

dn: cn=testgroup,ou=groups,dc=domain,dc=tld
cn: testgroup
...
objectClass: radiusprofile
radiusReplyItem: Cisco-AVPair := shell:priv-lvl=5

so that every user of testgroup gets a priv-lvl of 5?

Thank you,
G.L.
-- 
www.aldu.net/~heruan
[EMAIL PROTECTED]
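Added example (mine, not from the thread): a small Python model of the "Attribute op value" syntax that radiusReplyItem and the users file share, applying the `=`, `:=` and `+=` reply-list operators as FreeRADIUS documents them. The merge order in merge_profile and all sample values are constructed for illustration and say nothing about how rlm_ldap itself orders user and group entries.

```python
import re
from typing import List, Tuple

# One item as stored in radiusReplyItem (or written in the users file):
#   Attribute <op> value        e.g.  Cisco-AVPair := shell:priv-lvl=5
# Quotes around the value are optional; only the three reply-list
# operators modelled below are accepted.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|\+=|=)\s*"?(.*?)"?\s*$')

Pair = Tuple[str, str]  # (attribute name, value)


def parse_reply_item(item: str) -> Tuple[str, str, str]:
    """Split 'Attr op value' into (attr, op, value); reject malformed input."""
    m = ITEM_RE.match(item)
    if not m:
        raise ValueError(f"malformed reply item: {item!r}")
    return m.group(1), m.group(2), m.group(3)


def apply_reply_items(reply: List[Pair], items: List[str]) -> List[Pair]:
    """Apply items to an existing reply list using the documented operators:
       '='   add the attribute only if no instance is present yet,
       ':='  replace every existing instance (or add one),
       '+='  always append another instance."""
    result = list(reply)
    for item in items:
        attr, op, value = parse_reply_item(item)
        if op == "=":
            if not any(a == attr for a, _ in result):
                result.append((attr, value))
        elif op == ":=":
            result = [(a, v) for a, v in result if a != attr]
            result.append((attr, value))
        else:  # "+="
            result.append((attr, value))
    return result


def merge_profile(entry_items: List[str], profile_items: List[str]) -> List[Pair]:
    """Constructed walk-through of the question: items from the user's own
    entry are applied first, then the items of a group/profile entry, so the
    operator decides whether the group can override what the user already has."""
    return apply_reply_items(apply_reply_items([], entry_items), profile_items)


if __name__ == "__main__":
    # Constructed data: the user entry sets priv-lvl 1, testgroup carries the
    # radiusReplyItem from the question and wins because it uses ':='.
    print(merge_profile(["Cisco-AVPair = shell:priv-lvl=1"],
                        ["Cisco-AVPair := shell:priv-lvl=5"]))
```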
Re: AW: Grouping users and clients
[EMAIL PROTECTED] wrote:
> Groups of users - usergroup table (standard SQL schema)
> Groups of devices - huntgroups file

No way to store huntgroups directives on LDAP or SQL?

G.L.
-- 
www.aldu.net/~heruan
[EMAIL PROTECTED]
Grouping users and clients
Hi all. We have a set of Cisco routers and a pool of users in an LDAP directory. At this time the routers are configured to request authentication from FreeRadius, which binds to LDAP and grants access to the user on a successful bind. We need to create groups of routers and groups of users, granting access to certain groups of routers only to certain groups of users. Can we do that using FreeRadius?

Thank you,
G.L.
-- 
www.aldu.net/~heruan
[EMAIL PROTECTED]
Segmentation fault on PAP calling
I'm using FreeRADIUS 1.1.4 compiled from sources on Debian Etch. My backend is LDAP with hashed passwords. Now I'm trying to configure authentication to use with WPA, but it segfaults on calling PAP:

# radiusd -Xxxx 2>&1
...
rad_recv: Access-Request packet from host 192.168.1.250:3074, id=0, length=125
        User-Name = testuser
        NAS-IP-Address = 192.168.1.250
        Called-Station-Id = 00c0...
        Calling-Station-Id = 001...
        NAS-Identifier = 00c...
        NAS-Port = 223
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020...
        Message-Authenticator = 0x431...
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
  modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modsingle[authorize]: calling chap (rlm_chap) for request 0
  modsingle[authorize]: returned from chap (rlm_chap) for request 0
  modcall[authorize]: module chap returns noop for request 0
  modsingle[authorize]: calling mschap (rlm_mschap) for request 0
  modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
  modcall[authorize]: module mschap returns noop for request 0
  modsingle[authorize]: calling suffix (rlm_realm) for request 0
    rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
    rlm_realm: No such realm NULL
  modsingle[authorize]: returned from suffix (rlm_realm) for request 0
  modcall[authorize]: module suffix returns noop for request 0
  modsingle[authorize]: calling eap (rlm_eap) for request 0
  rlm_eap: EAP packet type response id 1 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modsingle[authorize]: returned from eap (rlm_eap) for request 0
  modcall[authorize]: module eap returns updated for request 0
  modsingle[authorize]: calling files (rlm_files) for request 0
    users: Matched entry DEFAULT at line 152
  modsingle[authorize]: returned from files (rlm_files) for request 0
  modcall[authorize]: module files returns ok for request 0
  modsingle[authorize]: calling ldap (rlm_ldap) for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'dc=aldu,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.laurelin.aldu.net:389, authentication 0
rlm_ldap: bind as cn=radius,dc=aldu,dc=net/PASSWORD to ldap.laurelin.aldu.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=aldu,dc=net, with filter (uid=testuser)
rlm_ldap: checking if remote access for testuser is allowed by dialupAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value {md5}rL0Y20zC+Fzt72VPzMSk2A== op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
  modcall[authorize]: module ldap returns ok for request 0
  modsingle[authorize]: calling pap (rlm_pap) for request 0
Segmentation fault

Some configuration snippets (maybe not useful, but the entire file would have been too long I guess):

radiusd.conf:
...
modules {
    ...
    pap {
        auto_header = yes
    }
    ...
}
...
authorize {
    ...
    ldap
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    ...
}
...

If I revert the password to clear-text on LDAP, it runs fine and authenticates. Any ideas?

Thank you,
Giovanni Lovato
-- 
www.aldu.net/~heruan
[EMAIL PROTECTED]
ldaps://pgpkeys.aldu.net
Re: [SOLVED] Segmentation fault on PAP calling
Giovanni Lovato wrote:
> I'm using FreeRADIUS 1.1.4 compiled from sources on Debian Etch. My backend
> is LDAP with hashed passwords. Now I'm trying to configure authentication to
> use with WPA, but it segfaults on calling PAP:
>
> # radiusd -Xxxx 2>&1
> ...
> [CUT]

Solved: just bind the Password-With-Header (and not User-Password!) attribute to userPassword in ldap.attrmap:

checkItem       Password-With-Header    userPassword

Greetings,
G.L.
-- 
www.aldu.net/~heruan
[EMAIL PROTECTED]
ldaps://pgpkeys.aldu.net
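Added example (mine, not from the thread) showing what the attribute in the ldap.attrmap fix above carries: a {scheme}-prefixed hash in the OpenLDAP userPassword convention, the same form as the {md5} value in the debug output. It parses and verifies the {clear}, {md5}, {smd5}, {sha} and {ssha} headers; the helper that builds stored values and every sample password are constructed here, and rlm_pap's own decoding is not reproduced.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# {scheme} prefixes as found in OpenLDAP-style userPassword values, which is
# the string Password-With-Header carries: scheme -> (digest name, salted?).
SCHEMES = {
    "clear": (None, False),
    "md5": ("md5", False),
    "smd5": ("md5", True),
    "sha": ("sha1", False),
    "ssha": ("sha1", True),
}


def split_header(value: str) -> Tuple[str, str]:
    """'{md5}rL0Y...' -> ('md5', 'rL0Y...'); a value without {...} is cleartext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].lower(), value[end + 1:]
    return "clear", value


def verify_password_with_header(stored: str, candidate: str) -> bool:
    """Compare a candidate password against a {scheme}-prefixed stored value."""
    scheme, payload = split_header(stored)
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported password header {{{scheme}}}")
    algo, salted = SCHEMES[scheme]
    if algo is None:
        return hmac.compare_digest(payload.encode(), candidate.encode())
    raw = base64.b64decode(payload)  # digest, followed by the salt if salted
    n = hashlib.new(algo).digest_size
    digest, salt = raw[:n], (raw[n:] if salted else b"")
    expected = hashlib.new(algo, candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


def make_password_with_header(scheme: str, password: str,
                              salt: Optional[bytes] = None) -> str:
    """Produce a stored value in the same format (used here to build test entries)."""
    algo, salted = SCHEMES[scheme]
    if algo is None:
        return "{clear}" + password
    salt = (os.urandom(4) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())
```

The header only means something to a module that knows to parse it, which is the distinction the attrmap line above draws between Password-With-Header and User-Password.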