Re: FR-1.1.2 dies with error
--- Alan DeKok [EMAIL PROTECTED] wrote:

Alexander Serkin [EMAIL PROTECTED] wrote:
Do you mean just comment out line 1012 in request_list.c ?

Yes.

I think I'll try this first because speeding up DB is not a trivial task by now.

But it's the real source of the problem...

How large a DB is this? And what type of link is there between FR and the DB? Unless there are, literally, (tens of) thousands of records and/or a *slow* link (think dial-up) and/or ancient hardware there should be some reasonable ways to speed up the DB response. Archiving of records and indexing are two that come to mind first. More complicated, but effective, would be clustering or optimization, even review of the DB version (deprecated?).

Alan is correct, you are fixing (hiding) a symptom, and I can say from personal experience it *will* bite you in the butt at some point :) The worst part of it, too, will be that the new issue may not be clearly linkable back to the FR problem you have currently and you may not remember this piece of the puzzle. Patching also breaks your upgrade path... Just some friendly advice.

Laker

Alan DeKok.
-- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

__ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Re: Auth-Type discussion
See below...

--- Alan DeKok [EMAIL PROTECTED] wrote:

Phil Thompson [EMAIL PROTECTED] wrote:
no doubt, however it is interesting that many people come to a point where they make such a setting, don't you find.

At first, it appears to make sense to force MS-CHAP when you want to do MS-CHAP. Then, for some reason, everything else fails later and it's difficult to know why, because the server *is* doing what you told it to do. So you force it to do EAP, but then MS-CHAP breaks, and you're frustrated that it's so hard to configure.

If you could clarify why that is and fix it you wouldn't have to shout in mailing lists.

The reason for shouting it in mailing lists is that people *still* say it's a good thing to do, despite lots of documentation saying it's a bad idea, and near-daily messages on this list saying it's a bad idea. And your solution is... more documentation? Sorry, that won't help. The people who need it the most won't read it. I'm starting to think that removing Auth-Type from 2.0 is a good idea.

Is it feasible to disable access to setting it, unless it is explicitly added or enabled in the FR configuration, much like the various auth modules themselves? Then, at least, a warning could appear in the -X output indicating "Manual AuthType access enabled" so as to immediately identify someone has already tried breaking their server :)

Laker

I have just verified it is not necessary by commenting it out, thanks.

See?

I think you're saying at http://deployingradius.com/documents/configuration/auth_type.html that a default auth-type is not necessary and should not be set. Is that so ? In which case having DEFAULT Auth-Type = System in the users file in the FreeRADIUS tarball helps to get us off on the wrong foot :-)

Yes. That's been deleted in 2.0, and many of the modules updated, in order to make it even easier to get it to work.

I think it's high time for 2.0. I've been waiting for a few fixes for entirely too long now...

Alan DeKok.
Re: EAP-TTLS/PAP - LDAP for WPA2
--- John Allman [EMAIL PROTECTED] wrote:

Stefan Winter wrote:

I'm searching through my dell wireless wlan card utility and I'm pretty sure I can't hide it. Are dell breaking any rfcs or other standards that I can take them up on?

No. It's optional. If Dell doesn't do it, bad luck. But you can always install a supplicant that does it, for example at www.securew2.com (very nice supplicant, IMO).

I'm very impressed. I installed this and all of my complaints and concerns are answered! Now, I'm assuming and hoping the linux wpa supplicant also supports this...

Uh. You should consider that you will have _no_ link-layer encryption when using captive portals. And connections can be hijacked. And with a shared key, you have no accountability. And the shared key will flow over the net unencrypted, so anyone can pick it up and abuse your network. OTOH, what's so secret about a user name? User names are the _public_ parts of credentials, it's the passwords that are critical. If you really don't want usernames to be important at all, use EAP-TLS. The client certificate will identify you, no matter what garbage you put into the user name. Captive portals are a step back with regards to security.

Well, I was going to use wpa2 with a preshared key which would provide the link-layer encryption (as I understand it) but then require a username and password as another step in case the key got leaked. You're right about the accountability, but are you sure about the shared key going over the net unencrypted? This doesn't sound right... Since we're talking about our ldap directory, which we use for pretty much *everything*, having a list of usernames gives an attacker a starting point for trying brute force attacking. This could also be used as a starting point for identity theft or spamming. EAP-TLS probably is the most secure way to do things though it does require installing certs.

I'll definitely be giving it consideration. Thanks again for all your help - I'm feeling pretty happy with my setup now,

John

If your time allows the RADIUS book from O'Reilly is an invaluable reference. It includes FreeRADIUS specifics as well.

Laker
RE: Re: can't connect to radius server
--- [EMAIL PROTECTED] wrote: I have tried running tcpdump, and I am getting packets from the client to the server: 09:38:42.376543 IP 10.10.1.1.bpmd 10.10.1.102.radius: RADIUS, Access Request (1), id: 0x00 length: 131 09:38:42.376543 IP 10.10.1.1.bpmd 10.10.1.102.radius: RADIUS, Access Request (1), id: 0x00 length: 129 Here is the output I get when I start the server in debug mode: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. 
read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: authtype = MS-CHAP mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = (null) unix: group = (null) unix: radwtmp = /usr/local/var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = peap eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = (null) tls: pem_file_type = yes tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem tls: private_key_password = whatever tls: dh_file = /usr/local/etc/raddb/certs/dh tls: random_file = /usr/local/etc/raddb/certs/random tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = (null) rlm_eap_tls: 
Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = mschapv2 peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /usr/local/etc/raddb/huntgroups preprocess: hints = /usr/local/etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = suffix realm: delimiter = @ realm: ignore_default = no realm:
Re: can't connect to radius server
Comments below

--- [EMAIL PROTECTED] wrote:

Hi, I think I have my radius server configured properly (I followed the configuration advice in http://tldp.org/HOWTO/html_single/8021X-HOWTO/). I can get it running (using radiusd -X) and see all the expected output.

Please post this output, even if it's just the server startup info.

I have also configured my AP to point to the correct location, and it is pingable from the radius server.

So, the AP is configured with the RADIUS server's IP, you have configured your FR clients.conf file with the AP's information and the shared secret is correct on both devices? Does your AP have any ping functionality? If so, can it ping the RADIUS server? Does the AP provide any logging data indicating it connected to the RADIUS server? Sounds suspiciously as if the RADIUS box's firewall settings may be at fault.

Laker

However, when I try to connect, user validation always fails. And the radius server (which is in debug mode) doesn't show me anything. It's like nothing is connecting to it at all. I also tried to test it using NTRadPing, and this won't connect either. Any help or suggestions here would be appreciated. I am running version 1.1.1 of freeRADIUS.

Thanks, Simon
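The shared-secret question Laker raises above can be checked against a capture rather than by eye. The example below is added here and is not code from FreeRADIUS, Simon or Laker: it builds an Access-Request the way a NAS does (RFC 2865 header and User-Password obfuscation, RFC 2869 Message-Authenticator) and then shows what a server configured with the right secret, and one with the wrong secret, would conclude. The secret `testing123`, the NAS address 10.10.1.1 and the credentials are constructed sample values.

```python
"""Build and check a RADIUS Access-Request the way a NAS and the server do.

Added example, not FreeRADIUS code. Packet layout: RFC 2865 (header,
attributes, User-Password obfuscation) and RFC 2869 (Message-Authenticator).
All names, addresses and secrets below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80

SECRET = b"testing123"  # sample shared secret, as in the radtest examples on this list


def _attr(kind, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("BB", kind, len(value) + 2) + value


def obfuscate_password(secret, authenticator, password):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return out


def reveal_password(secret, authenticator, blob):
    """Inverse of obfuscate_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(blob[i:i + 16], digest))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, nas_ip, authenticator=None):
    """Return an Access-Request whose Message-Authenticator is valid for `secret`."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, obfuscate_password(secret, authenticator, password))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zeroed while hashing
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute


def parse_attributes(pkt):
    """Return (code, id, authenticator, {type: value}); raises on bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[kind] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def message_authenticator_ok(pkt, secret):
    """Recompute HMAC-MD5 over the packet with the attribute zeroed (RFC 2869)."""
    _, _, _, attrs = parse_attributes(pkt)
    pos = 20
    while pos < len(pkt):
        if pkt[pos] == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, attrs[MESSAGE_AUTHENTICATOR])
        pos += pkt[pos + 1]
    return False  # attribute absent: nothing to verify the secret against


def check_request(pkt, secret):
    """What a server with `secret` configured for this client would see."""
    _, _, authenticator, attrs = parse_attributes(pkt)
    return {
        "message_authenticator_ok": message_authenticator_ok(pkt, secret),
        "user_name": attrs.get(USER_NAME, b"").decode(errors="replace"),
        "password": reveal_password(secret, authenticator, attrs[USER_PASSWORD]),
    }


if __name__ == "__main__":
    req = build_access_request(SECRET, 0, b"simon", b"s3cret", "10.10.1.1")
    print("right secret:", check_request(req, SECRET))
    print("wrong secret:", check_request(req, b"wrongsecret"))
```

With a mismatched secret the Message-Authenticator check fails and the decoded User-Password is noise; a server that silently drops such packets looks exactly like "nothing is connecting", which is why the secret is worth ruling out before blaming the firewall.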
Re: Radius unstable
--- Bill Schoolfield [EMAIL PROTECTED] wrote:

I have posted two requests to this list concerning MySQL issues and FreeRadius. To date I haven't gotten a single response. As I can also use /etc/password and /etc/shadow, I've decided for now to drop using MySQL (e.g. use Auth-Type := System). So hopefully my new problem is now more common. I've tried making updates to the users file for this but I'm still getting "no authenticate method (Auth-Type) configuration found". What am I getting wrong here?

In the users file I have:

DEFAULT Auth-Type := System, Simultaneous-Use == 1
        Fall-Through = Yes

Here's the log piece:

        Acct-Session-Id = 606B
        User-Name = bill
        User-Password = bill
        NAS-IP-Address = 127.0.0.1
        NAS-Port-Id = 32
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
Mon May 8 23:50:01 2006 : Debug: Processing the authorize section of radiusd.conf
Mon May 8 23:50:01 2006 : Debug: modcall: entering group authorize for request 1
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Mon May 8 23:50:01 2006 : Debug: modcall[authorize]: module preprocess returns ok for request 1
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1
Mon May 8 23:50:01 2006 : Debug: modcall[authorize]: module chap returns noop for request 1
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1
Mon May 8 23:50:01 2006 : Debug: modcall[authorize]: module mschap returns noop for request 1
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1
Mon May 8 23:50:01 2006 : Debug: rlm_realm: No '@' in User-Name = bill, looking up realm NULL
Mon May 8 23:50:01 2006 : Debug: rlm_realm: No such realm NULL
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Mon May 8 23:50:01 2006 : Debug: modcall[authorize]: module suffix returns noop for request 1
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1
Mon May 8 23:50:01 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1
Mon May 8 23:50:01 2006 : Debug: modcall[authorize]: module eap returns noop for request 1
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 1
Mon May 8 23:50:01 2006 : Debug: users: Matched entry DEFAULT at line 79
Mon May 8 23:50:01 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 1
Mon May 8 23:50:01 2006 : Debug: modcall[authorize]: module files returns ok for request 1
Mon May 8 23:50:01 2006 : Debug: modcall: group authorize returns ok for request 1
Mon May 8 23:50:01 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Mon May 8 23:50:01 2006 : Debug: auth: Failed to validate the user.

You need to post your ENTIRE debug and radiusd.conf. However, looks like you don't have any entries in the authentication section of your server config, like unix if you're using /etc/password, et al. I'm pretty sure your Simultaneous-Use should be using := not ==. Also, if that is your only entry in users, the Fall-Through is redundant.

Laker
Re: Multiple Locations and configuring 2 different methods of Access
You may be wanting something more like a captive portal for some of your gateways. Try googling captive portal. I use chillispot myself; http://www.chillispot.org

I have two wireless networks. One is secured with EAP-PEAP and auths users against our Active Directory via RADIUS (ntlm_auth) for employees. The other is open, but has no direct connection to our main LAN. A captive portal server (chillispot in my case) routes between the public wireless and private wired network to provide only Internet access to the public users (guests, vendors, customers, etc) by explicitly routing all of their traffic out the T1 hanging off our private router.

Hope that helps.

Laker

--- James [EMAIL PROTECTED] wrote:

we are steering away from the original question here. if there is a way to setup RADIUS to somehow send a message or configuration attribute to the gateway to allow any clients connected to the gateway to access the internet without extra authentication aside from simply connecting to the gateway itself?

The short answer is to read the documentation for the gateway software. If it says that the gateway can do this, AND it can be configured through RADIUS, then it SHOULD say which RADIUS attribute, and what value to use.

That's exactly the part that I cannot find an answer to Alan, that's why I posted here to see if anyone has anything related to this. That's all the help I will be needing from you, Thank you for your time.

now let's keep in mind that there are multiple locations here and therefore are multiple gateways, all I want to know is if there is a way to allow just some of the gateways, not all, to give access without username/password authentication.

Now you're disagreeing with yourself again. This confuses the issue, and makes it difficult for anyone to solve the problem, because you keep changing the story about what the problem is.

a) people ALWAYS use RADIUS to authenticate before they get on the net.
b) people ALWAYS get a pretty web portal before they access the net
c) people SOMEHOW get past the web portal to get real net access

You want to change (b) so that SOME people get a web portal, sometimes. The paragraph I quoted above says you want to change requirement (a). Which is it? I don't think you're clear on what you're trying to do. Or, you're not describing it in a consistent and clear way.

I do admit, I could not make it clear enough for you to understand, but no worries, I gave it a shot anyways. Once again, I do thank you for your time Alan. If there is someone else besides Alan out there who is trying to achieve the same thing, I would love to hear from them. Thank you all and thank you Alan.

James
Re: getting disconnected
Is it *always* 6 minutes, or does it vary? What kind of connection? Wired, wireless, DSL, etc... Event Viewer contain any info?

Laker

--- debik [EMAIL PROTECTED] wrote:

I have a problem with my freeradius. I'm getting connected but after 6 minutes the Win XP client is getting disconnected. I have looked into the radius debug and there's no stop message sent to the client. On the client I have run ethereal to look for some kind of packet, but I didn't find anything. So what could be the reason ?
Re: Freeradius, mysql, please help!!!
--- YvesDM [EMAIL PROTECTED] wrote:

On 4/12/06, Alan DeKok [EMAIL PROTECTED] wrote:

YvesDM [EMAIL PROTECTED] wrote:

mysql> select * from radcheck;
+----+----------+---------------+----+------------------------------------+
| id | UserName | Attribute     | op | Value                              |
+----+----------+---------------+----+------------------------------------+
|  1 | steve    | User-Password | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
+----+----------+---------------+----+------------------------------------+

These are *not* clear-text passwords. They're encrypted passwords. Change the attribute name to Crypt-Password, and it should work.

Alan DeKok.

Tnx for the reply, but it didn't solve my problem.

mysql> select * from radcheck;
+----+----------+----------------+----+------------------------------------+
| id | UserName | Attribute      | op | Value                              |
+----+----------+----------------+----+------------------------------------+
|  1 | steve    | User-Password  | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
|  2 | maureen  | Crypt-Password | := | $1$LTvKoOtc$X2fVg8uDqyP4.mU.iLNKm0 |
|  3 | john     | Crypt-Password | := | $1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/ |
+----+----------+----------------+----+------------------------------------+
3 rows in set (0.00 sec)

mysql> quit
Bye
radius:/usr/local/etc/raddb# radtest john test localhost 1812 testing123
Sending Access-Request of id 213 to 127.0.0.1 port 1812
        User-Name = john
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
Re-sending Access-Request of id 213 to 127.0.0.1 port 1812
        User-Name = john
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=213, length=20
radius:/usr/local/etc/raddb# radtest maureen test localhost 1812 testing123
Sending Access-Request of id 219 to 127.0.0.1 port 1812
        User-Name = maureen
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
Re-sending Access-Request of id 219 to 127.0.0.1 port 1812
        User-Name = maureen
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=219, length=20
radius:/usr/local/etc/raddb#

Any other suggestions?

Yves

Try switching everything back to clear text, with User-Password attribute and *clear text passwords* and see if anybody can auth that way.

Laker
Re: dialup admin ippool administraton
Has there been any consideration to using an XML config file?

Laker

--- Olaf Schäfer [EMAIL PROTECTED] wrote:

But the configuration information like range-start etc. is still stored in the radiusd.conf. My idea was to put this configuration information for each ippool into the mysql-db.

That may be harder to do. But if you can create a patch, it will be welcome.

I'm afraid this exceeds my abilities :( Thus I resigned to the fact and have started to parse the radiusd.conf via PHP.

Olaf Schaefer
Re: conflicts/duplicates need
--- Duane Cox [EMAIL PROTECTED] wrote:

Well I believe Alan is correct, that it must be related to the database because I have 2 radius servers both sharing the same database, and they both experience this outage at the exact same time. It lasts for about 45 seconds every several hours. I'm using unixODBC and MSSQL database, the database server is running on a dual proc system and 2 gigs of ram. During some of these outages (early morning) no one is using the database, only freeradius. I think I am going to have to check the performance monitors on the MSSQL server to see if there are any spikes or hangs during this time. (I don't think my problem is freeradius, freeradius is just suffering from the condition)

But I've noticed that I get a period every few hours when freeradius doesn't authenticate. I'm not sure what the problem is, but here is the log as captured in /var/log/radiusd. Any idea what could be causing this?

Hi Duane

Good to see you using FreeRADIUS :-) Probably you have a cron script of some kind running a report or vacuum on your database and it is not responding to RADIUS. Are you using the database for something else as well?

-- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc

Is the outage consistent? Is there a DB replication or backup scheduled at the time the outage occurs?

Laker
Re: upgrade path to v1.1.1
If you could extend on this a bit... would migrating the pieces from a diff of the old (working) and new (freshly installed) config files work or would it be better to just print out the working copies and manually tweak the necessary pieces?

tia, Laker

--- Alan DeKok [EMAIL PROTECTED] wrote:

[EMAIL PROTECTED] wrote:
I am running a version of FreeRadius 1.0.0. Is there a patch path to upgrade to v1.1.1? Or must I rebuild completely from source?

You must rebuild completely from source. There is no patch path. You will probably also have to update your config files, too.

Alan DeKok.
Re: Freeradius Failed messages to MySQL -Unsupported Acct-Status-Type
Are there any fundamental problems with modifying rlm_sql to allow an arbitrary number (and potentially source) of additional queries in relation to how it interacts with the core FR server? What I'm saying is, are there any known issues or caveats preventing this functionality from being added or is it just resources and project priorities?

Thanks, Laker

--- Alan DeKok [EMAIL PROTECTED] wrote:

Alan [EMAIL PROTECTED] wrote:
I just can't get failed messages with Acct Status Type of 15 placed in a MySQL database. The rlm_sql driver outputs an error message referring to an unsupported status type, but I would like to know if it is possible to write this information into the database. FreeRadius currently writes to a flat file. Please help.

The rlm_sql module currently supports only a few status types for queries. Adding more queries to the configuration file won't help, because the source code won't look for them. You'll have to edit the source code to support new queries.

Alan DeKok.
Re: sql.conf
There is definitely a password problem. But it may be due to *where* you're logging in from, rather than the password. Are FR and MySQL on the same box? Have you double checked with the mysql client that you can login to the database (on the machine where mysql is installed)? From a command prompt just type mysql -p, enter the password. If there is no error, something else more serious is amiss or you do not have [EMAIL PROTECTED] configured in the DB where zz is the host where mysql is installed.

Laker

--- Atkins, Dwane P [EMAIL PROTECTED] wrote:

Why is it that when I run a radiusd -X, I always come back with errors saying that it cannot connect to the mysql server:

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:radius
rlm_sql_mysql: Mysql error 'Access denied for user 'radius'@'localhost' (using password: YES)'
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.

I have put this in my sql.conf like so:

# Connect info
server = localhost
login = radius
password = x

# Database table configuration
radius_db = radius

What am I doing wrong? I have followed a number of whitepapers to install this and most of them say the same thing. I downloaded freeradius and mysql-server using the 'yum install' option. Now, when I do a ./configure on freeradius, do I need to do it with a -with-mysql option? Should I try this on something other than FC4? I am open to options.

Thanks
Dwane
RE: eap don't work
--- pelusa vali [EMAIL PROTECTED] wrote:

first of all, thanks so much alan for your quick response

Hi, hi everybody, I have problems using freeradius 1.0.5, I can't get it to work as I hope. well I installed freeradius in my server and tried to see if clients can authenticate, so first tried test over server, my ip is 192.168.10.1, I generate certificates to use TLS. this is my users file:

mec01 Auth-Type := EAP

don't do this. just don't do this at all. read the docs.

excuse me, I read many tutorials and all of them say this is correct, so please could you refer me to the right doc?? maybe freeradius docs? exactly which? and again thanks for your answer.

The server can determine the correct AuthType based on the packet contents. Explicitly setting the auth overrides the detection process and usually breaks things. It really is all in the docs provided with the software and on the FR site. I can attest from personal experience that overthinking the set up does more harm than good :)

Laker

___ Chat with your friends online using MSN Messenger: http://messenger.latam.msn.com/
Re: rlm_eap: Handler failed in EAP/peap
Try uncommenting with_ntdomain_hack = yes in the mschap config. The WORKGROUP\\ needs to be stripped. Which happens automatically when that config is enabled.

Laker

--- Agus Supriyadi [EMAIL PROTECTED] wrote:

On 2/28/06, Laker Netman [EMAIL PROTECTED] wrote:
It looks like you didn't include the domain info by having --domain=%{mschap:NT-Domain} in your ntlm_auth command line in the mschap section of your radius.conf file.

Thanks Laker,,, You're right.. after I added --domain=%{mschap:NT-Domain} to ntlm_auth,, the "script failed" error is gone. But a new error occurred. It looks like this:

--- BEGIN ERROR ---
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module eap returns invalid for request 28
--- END ERROR ---

The full debug message of the request is just like this:

=== BEGIN DEBUG ===
rad_recv: Access-Request packet from host 128.16.100.2:21646, id=106, length=144
        User-Name = WORKGROUP\\agus
        Framed-MTU = 1400
        Called-Station-Id = 0012.43f9.07f0
        Calling-Station-Id = 0040.96a6.0915
        Service-Type = Login-User
        Message-Authenticator = 0xceeac013eeaa43fc5650c013e93f651c
        EAP-Message = 0x0201001301574f524b47524f55505c61677573
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 491
        NAS-IP-Address = 128.16.100.2
        NAS-Identifier = iSpot
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 28
modcall[authorize]: module preprocess returns ok for request 28
modcall[authorize]: module chap returns noop for request 28
modcall[authorize]: module mschap returns noop for request 28
rlm_realm: No '@' in User-Name = agus, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 28
rlm_eap: EAP packet type response id 1 length 19
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 28
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 28
rlm_passwd: Added LM-Password: 'B736D7A84FBDE543AAD3B435B51404EE' to config_items
rlm_passwd: Added NT-Password: 'AA4348E74FCFE5BB2061F2FF5C085304' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
rlm_passwd: Adding Auth-Type = MS-CHAP
modcall[authorize]: module etc_smbpasswd returns ok for request 28
modcall: leaving group authorize (returns updated) for request 28
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 28
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module eap returns invalid for request 28
modcall: leaving group authenticate (returns invalid) for request 28
auth: Failed to validate the user.
=== END DEBUG ===

Is that because eap is performing the certificate CN check with the user-name attribute but not with the hostname of the server? (Just my guess)

-BEGIN GEEK CODE BLOCK- Version: 3.1 GCS d(-) s:- a--- C++(+++)$$ UL$$ P+? L++$$ !E--- W++ !N !o !K-- w !O M !V PS PE !Y PGP t 5 X R tv b DI D G e h r y --END GEEK CODE BLOCK--
Re: rlm_eap: Handler failed in EAP/peap
SEE BELOW:

--- Agus Supriyadi [EMAIL PROTECTED] wrote:

Dear All, I've got a problem with my freeradius. I've installed freeradius 1.1.0. I'm going to use EAP/PEAP and MSCHAPv2. The RADIUS server returns an Access-Reject message when I try to authenticate a user. This is the debug message from freeradius:

--- BEGIN DEBUG ---
rad_recv: Access-Request packet from host 128.16.100.2:21645, id=112, length=219
        User-Name = agus
        Framed-MTU = 1400
        Called-Station-Id = 0012.43f9.07f0
        Calling-Station-Id = 0040.96a6.0915
        Service-Type = Login-User
        Message-Authenticator = 0x035385584153738e930ae5647bba4e77
        EAP-Message = 0x020900561900170301004bbeba44dea711ccc50b11d2b66d81c5ee2f2254128135c4bfbc0c8f56c11d93419377cb9061b873416e21389346112ea96d1078b7ad8db16c64b70d812a071923b02819bd681a5902ead889
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 208
        State = 0xbe8af775ecd2998b486819e32c8c5eb3
        NAS-IP-Address = 128.16.100.2
        NAS-Identifier = iSpot
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module preprocess returns ok for request 7
modcall[authorize]: module chap returns noop for request 7
modcall[authorize]: module mschap returns noop for request 7
rlm_realm: No '@' in User-Name = agus, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 7
rlm_eap: EAP packet type response id 9 length 86
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 7
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 7
rlm_passwd: Added LM-Password: 'B736D7A84FBDE543AAD3B435B51404EE' to config_items
rlm_passwd: Added NT-Password: 'AA4348E74FCFE5BB2061F2FF5C085304' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
rlm_passwd: Adding Auth-Type = MS-CHAP
modcall[authorize]: module etc_smbpasswd returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to agus
PEAP: Adding old state with e5 7c
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module preprocess returns ok for request 7
modcall[authorize]: module chap returns noop for request 7
modcall[authorize]: module mschap returns noop for request 7
rlm_realm: No '@' in User-Name = agus, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 7
rlm_eap: EAP packet type response id 9 length 63
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 7
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 7
rlm_passwd: Added LM-Password: 'B736D7A84FBDE543AAD3B435B51404EE' to config_items
rlm_passwd: Added NT-Password: 'AA4348E74FCFE5BB2061F2FF5C085304' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U ]' to config_items
rlm_passwd: Adding Auth-Type = MS-CHAP
modcall[authorize]: module etc_smbpasswd returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 7
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: Told to do MS-CHAPv2 for agus with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: 60
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=agus --challenge=b7bc51d8fa48dfc5

It looks like you didn't include the domain info by having
Re: rlm_perl
Check out http://www.activestate.com/ They have a couple of products that do what you want.

Laker

--- Chris Knipe [EMAIL PROTECTED] wrote:

Hi, Is there any way to get rlm_perl to work with binary code, instead of source? I currently have a perl script executing via rlm_perl that does some fancy stuff in authentication and accounting. Due to popular demand, I now have 3rd parties interested in this code, but I don't feel it is secure enough to provide these vendors with the open source perl code. I don't believe I can accomplish with rlm_exec what I do in rlm_perl, so I'm kinda hoping that someone would have a solution here for me that would allow rlm_perl (or a similar module perhaps), to execute compiled code. Hope I make sense, and that someone can shed some light and pointers for me.

Thanks,
Chris.
Restricting access to a NAS
I have a Cisco 3660 router configured for dialup AAA through FR (1.0.5) to access our LAN. I also have the login to the router itself, for admin, authenticating through FR (MySQL backend). The same DB is used for all auth, so currently anyone with a dialup account could also telnet into the router. This leaves only my 'enable' password to prevent problems.

I want to configure FR to eliminate this ability for all but a select group of users (admins). There are other devices I would like to add to the list later. I've been looking at huntgroups as the solution, but was unsure how (or if) this could be handled via sql rather than the users file. Is anyone doing this and could provide a sample config layout?

Thx,
Laker
possible radtest parameter issue
I am trying to use radtest to check some changes I'm making in my FR users file. My goal is to be able to let visitors use our wifi network for Internet access by authorizing them against a generic user/password combo in users like guest wireless, while everyone in the company, who is actually connecting to resources on our LAN, authorize/authenticate against our Active Directory (which is already working).

I read the radtest man file and Googled for some examples, so I think my syntax is accurate. Am I correct that radtest, by use of the optional nasname, can make FR behave as if the Access-Requests are coming from a different NAS than the host upon which it is being run? Either way the results are not what I anticipated.

When I run the following from a terminal on my FR box:

radtest test test radserver.my.domain 10 secret ap.my.domain

I get this reply:

Sending Access-Request of id 191 to 192.168.12.210:1812
        User-Name = test
        User-Password = test
        NAS-IP-Address = RADSERVER
        NAS-Port = 10
        Framed-Protocol = PPP

I didn't think the Framed-Protocol attribute should appear unless the optional value following secret was an integer 0. This looks to me like the ap.my.domain is being taken as [ppphint] rather than [nasname]. This seems incorrect to me since ppphint and nasname are both listed as optional, which I concluded means exclusive of one another. Is that right?

I expanded my tests. Adding a zero after secret (radtest test test radserver.my.domain 10 secret 0 ap.my.domain) produced the following:

Sending Access-Request of id 105 to 192.168.12.210:1812
        User-Name = test
        User-Password = test
        NAS-IP-Address = ap.my.domain
        NAS-Port = 10
        Framed-Protocol = PPP

So now the NAS-IP-Address attribute is populated, but the Framed-Protocol attribute is still appearing, even though I explicitly placed a zero at the ppphint parameter position. And it's a hostname in NAS-IP-Address, rather than an IP address :) Neither seems right.

Is there a common misconfiguration I could look for elsewhere? Here is the last thing that happened that I'm not sure about:

Sending Access-Request of id 105 to 192.168.12.210:1812
        User-Name = test
        User-Password = test
        NAS-IP-Address = ap.my.domain
        NAS-Port = 10
        Framed-Protocol = PPP
Re-sending Access-Request of id 105 to 192.168.12.210:1812
        User-Name = test
        User-Password = )\346\216Axj\002\322\264\361\330-12Q\242
        NAS-IP-Address = ap.my.domain
        NAS-Port = 10
        Framed-Protocol = PPP
Re-sending Access-Request of id 105 to 192.168.12.210:1812
        User-Name = test
        User-Password = )\346\216Axj\002\322\264\361\330-12Q\242
        NAS-IP-Address = ap.my.domain
        NAS-Port = 10
        Framed-Protocol = PPP
Re-sending Access-Request of id 105 to 192.168.12.210:1812
        User-Name = test
        User-Password = )\346\216Axj\002\322\264\361\330-12Q\242
        NAS-IP-Address = ap.my.domain
        NAS-Port = 10
        Framed-Protocol = PPP

The output from radiusd -X is always:

Ignoring request from unknown client 192.168.12.210:32773
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.12.210:32773, id=105, length=62
Ignoring request from unknown client 192.168.12.210:32773
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.12.210:32773, id=105, length=62
Ignoring request from unknown client 192.168.12.210:32773
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.12.210:32773, id=105, length=62
Ignoring request from unknown client 192.168.12.210:32773

What caused the User-Password field to change? Each time I rerun the command, the User-Password is munged differently, but stays munged the same way on subsequent resends until I break out of radtest, if that makes sense. Based on the debug output it doesn't look like FR acted on the request at all.

I have NTRadPing and the test works as expected from my desktop (which is configured in clients.conf), but it's not ideal as it doesn't match what I'm really trying to test (access through a wifi AP) and I do not have the resources available to configure a standalone test machine outside of our AD/domain. Anyway, I'm curious what the purpose of nasname is. And now, I'm hoping someone can explain why I'm seeing the above results from radtest.

BTW, I am running FR 1.0.5 (compiled from source) on Fedora Core 4.

TIA,
Laker
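Two things in the output above are worth spelling out, with an added example whose code is mine and not from radtest or FreeRADIUS. First, radiusd -X ignores 192.168.12.210 as an unknown client because FreeRADIUS looks up the shared secret by the source IP address of the UDP datagram; the nasname argument of radtest only fills in the NAS-IP-Address attribute inside the packet, so a test sent from the RADIUS host itself still needs that host's own address in clients.conf. Second, the User-Password shown on the re-sends is not corruption but the RFC 2865 hidden form of the password: 16 bytes because "test" is padded to one 16-byte block, and different on every run because it is XORed with MD5(secret + the random Request Authenticator) chosen for that run. The same hiding is what radiusd undoes with the client's secret before a PAP password appears in clear in -X output. The code below builds the five attributes radtest printed (the 62-byte result matches the length=62 in the debug output), hides and reveals User-Password, and adds and checks the Message-Authenticator with which a server can reject a sender that does not know the secret. The secret, authenticator and addresses in the usage are constructed for the example.

```python
# Added example: RFC 2865 User-Password hiding and the RFC 2869 Message-Authenticator,
# worked by hand. Not radtest/radclient code; all inputs below are constructed.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, FRAMED_PROTOCOL = 1, 2, 4, 5, 7
MESSAGE_AUTHENTICATOR = 80
FRAMED_PROTOCOL_PPP = 1


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous output block); the first "previous block" is the
    16-byte Request Authenticator from the packet header."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + bytes(-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; chaining uses the hidden blocks, so only the
    shared secret and the Request Authenticator are needed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(prev, key))
    return bytes(clear).rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (value plus 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: bytes, password: bytes,
                         nas_ip: str, nas_port: int, authenticator: bytes = None,
                         message_authenticator: bool = True) -> bytes:
    """The five attributes radtest printed (User-Name, User-Password, NAS-IP-Address,
    NAS-Port, Framed-Protocol = PPP), optionally followed by Message-Authenticator."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = (tlv(USER_NAME, username)
             + tlv(USER_PASSWORD, hide_password(password, secret, auth))
             + tlv(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + tlv(NAS_PORT, struct.pack(">I", nas_port))
             + tlv(FRAMED_PROTOCOL, struct.pack(">I", FRAMED_PROTOCOL_PPP)))
    if not message_authenticator:
        return struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs
    # RFC 2869: HMAC-MD5(secret) over the whole packet with the Message-Authenticator zeroed.
    body = attrs + tlv(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + tlv(MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...], refusing packets whose length fields do not add up."""
    if len(packet) < 20 or struct.unpack(">H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS header or Length field")
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the Message-Authenticator value zeroed in place.
    A missing attribute counts as failure (RFC 3579 makes it mandatory with EAP)."""
    pos = 20
    for attr_type, value in parse_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


def server_side_decode(packet: bytes, secret: bytes) -> dict:
    """What the server does once it has found the client's secret in clients.conf:
    check the HMAC (proof the sender knows the secret), then reveal the password."""
    if not verify_message_authenticator(packet, secret):
        raise ValueError("Message-Authenticator missing or wrong: bad secret or tampering")
    attrs = dict(parse_attributes(packet))
    return {
        "User-Name": attrs[USER_NAME].decode(),
        "User-Password": reveal_password(attrs[USER_PASSWORD], secret, packet[4:20]).decode(),
        "NAS-IP-Address": socket.inet_ntoa(attrs[NAS_IP_ADDRESS]),
        "NAS-Port": struct.unpack(">I", attrs[NAS_PORT])[0],
    }
```

The hiding is an MD5 keystream keyed by a static shared secret, not encryption in any modern sense: anyone who can sniff RADIUS between the NAS and the server and knows or guesses the secret recovers the password, which is why a per-client, non-trivial secret (and IPsec where the path is untrusted) matters.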
Re: Installing a signed SSL certificate
Yes, it's PEAP over wifi with XP supplicants. I will query the CA as to whether that oid is included.

Regards,
Laker

--- Ben Thompson [EMAIL PROTECTED] wrote:

On Fri, 2005-12-02 at 10:03 -0800, Laker Netman wrote:
I am considering use of a CA-signed SSL certificate. Comodo (instantssl.com) offers an Intranet SSL certificate good on a single, internal host. All of their documentation refers to set up with a web server or for email verification. Would it also work with FR?

Are you doing PEAP on a wireless network with Windows clients? If so, you need to check that the certificate includes the server authentication oid 1.3.6.1.5.5.7.3.1 in the enhanced usage section.

Cheers
Ben
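As an added illustration of the check Ben describes (my own code, not FreeRADIUS's or OpenSSL's): the Extended Key Usage extension is a DER SEQUENCE of object identifiers, and the server authentication purpose 1.3.6.1.5.5.7.3.1 encodes as the bytes 06 08 2b 06 01 05 05 07 03 01. The block encodes and decodes such OIDs and decides whether an EKU value lists serverAuth. The two extension values exercised in the test are constructed here, not taken from a CA-issued certificate.

```python
# Added example: DER handling for the extendedKeyUsage extension (OID 2.5.29.37).
# My own code, not FreeRADIUS or OpenSSL; sample values are constructed, not from a real CA.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth, what Windows PEAP clients require
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
OID_TAG, SEQUENCE_TAG = 0x06, 0x30


def _der_length(length: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(buf: bytes, pos: int):
    """Decode the length at pos; return (length, offset of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs fold into 40*a+b, every value base-128 with
    continuation bits, most significant group first."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    body = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body += bytes(reversed(chunk))
    return bytes([OID_TAG]) + _der_length(len(body)) + bytes(body)


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid, given the OID content octets (tag and length stripped)."""
    values, acc, pending = [], 0, False
    for b in content:
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            values.append(acc)
            acc = 0
    if pending or not values:
        raise ValueError("truncated OID")
    first = values[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + values[1:])


def encode_eku(oids) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (the extnValue)."""
    content = b"".join(encode_oid(o) for o in oids)
    return bytes([SEQUENCE_TAG]) + _der_length(len(content)) + content


def parse_eku(extn_value: bytes) -> list:
    """Return the dotted OIDs in an extendedKeyUsage extnValue, strictly parsed."""
    if not extn_value or extn_value[0] != SEQUENCE_TAG:
        raise ValueError("EKU value is not a SEQUENCE")
    length, pos = _read_length(extn_value, 1)
    end = pos + length
    if end != len(extn_value):
        raise ValueError("trailing or missing bytes in EKU SEQUENCE")
    oids = []
    while pos < end:
        if extn_value[pos] != OID_TAG:
            raise ValueError("KeyPurposeId is not an OID")
        l, p = _read_length(extn_value, pos + 1)
        oids.append(decode_oid(extn_value[p:p + l]))
        pos = p + l
    return oids


def usable_for_peap_server(extn_value: bytes) -> bool:
    """True when serverAuth is among the listed purposes."""
    return SERVER_AUTH in parse_eku(extn_value)
```

On a real certificate you would not parse DER by hand: openssl x509 -in server.crt -noout -text prints an X509v3 Extended Key Usage section, and "TLS Web Server Authentication" there is this OID. A .crt file returned by a CA is the certificate in PEM (base64 between BEGIN/END CERTIFICATE lines) or, less often, raw DER; openssl x509 -inform DER -in server.crt -out server.pem converts the latter, and the EAP-TLS configuration wants the certificate and its private key in PEM.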
Installing a signed SSL certificate
I am considering use of a CA-signed SSL certificate. Comodo (instantssl.com) offers an Intranet SSL certificate good on a single, internal host. All of their documentation refers to setup with a web server or for email verification. Would it also work with FR? Their signed certificates are returned as .crt files; is this the same as the cert-srv.pem referenced in the self-signed tutorial?

TIA,
Laker.
Re: RadZap
Yikes :) Lookee here...

radzap -N 63.215.26.177 -P S406 -u rod XXX.XXX.XXX.XXX:1646 secret

XXX.XXX.XXX.XXX should be your *RADIUS* server IP. Not NAS, not client and, FWIW, secret should be the secret configured in your clients.conf. And I definitely think that -P S406 should just be -P 406

Laker

--- Radius [EMAIL PROTECTED] wrote:

S406 is an S and not a 5. -N is for the NAS IP (according to the man.)

- Original Message -
From: Scott O'Connell [EMAIL PROTECTED]
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org
Sent: Thursday, December 01, 2005 2:56 PM
Subject: RE: RadZap

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Radius
Sent: Thursday, December 01, 2005 1:44 PM
To: FreeRadius users mailing list
Subject: Re: RadZap

Your man says this.

radzap [-d raddb_directory] [-N nas_ip_address] [-P nas_port] [-u user] [-U user] server[:port] secret

radzap -d /usr/local/etc/raddb -N 63.215.26.177 -P S406 -u rod 1645 secret
                                                    ^ Isn't that an S instead of 5?

Still brings me back to the help screen.

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, December 01, 2005 1:06 PM
Subject: Re: RadZap

Radius [EMAIL PROTECTED] wrote:
I would type radzap -N 63.215.26.177 S406 secret

Which is wrong. Please READ the help the man page.

It keeps telling me it can't locate that IP address.

Yes, you're using the command incorrectly. S406 is NOT the IP address of the RADIUS server.

Alan DeKok.
How do I strip netbios-style domain name from User-Name?
My FR server is successfully receiving Access-Requests from my wifi AP (XP supplicant) using PEAP/EAP-TLS. However, the received User-Name is formatted Domain\\User. I have read the docs regarding realms and proxy.conf and believe the following should work:

(In radiusd.conf)

realm MY-DOMAIN-NAME {
        format = prefix
        delimiter = \\
        ignore_default = yes
        ignore_null = yes
}

(In proxy.conf)

realm DEFAULT {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

I have also tried realm MY-DOMAIN-NAME rather than DEFAULT in proxy.conf with no difference. with_ntdomain_hack is set to no wherever referenced, as it is my understanding using the realms module is the preferred method (?)

My ldap filter is:

filter = (sAMAccountName=%u)

and running with -X I get the following:

rad_recv: Access-Request packet from host 192.168.12.231:2057, id=0, length=156
        User-Name = MY-DOMAIN-NAME\\username
        NAS-IP-Address = 192.168.12.231
        Called-Station-Id = 000d0b6b9250
        Calling-Station-Id = 000e356529b4
        NAS-Identifier = 000d0b6b9250
        NAS-Port = 56
        Framed-MTU = 1400
        State = 0x9eafe6f8023c0c59423b42f6c92b96f4
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300061900
        Message-Authenticator = 0xc8ce70994f2aba8a00f4ba8561979c20

... then ...

rlm_ldap: - authorize
rlm_ldap: performing user authorization for MY-DOMAIN-NAME\\username
radius_xlat: '(sAMAccountName=MY-DOMAIN-NAME)'
radius_xlat: 'CN=Users,DC=mydomain,DC=branch,DC=corp'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=Users,DC=mydomain,DC=branch,DC=corp, with filter (sAMAccountName=MY-DOMAIN-NAME)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed

Authenticating via (hard-wired) telnet works as expected and %u contains the username without any domain prefix, of course. A suggestion as to what I may have missed would be appreciated.

TIA,
Laker
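The ntlm_auth --domain=%{mschap:NT-Domain} fix earlier on this page and the realm-stripping question above both come down to splitting DOMAIN\\user at its first backslash and being careful what the user half is used for; the debug output above shows the filter ending up with the domain half, (sAMAccountName=MY-DOMAIN-NAME), which is the wrong side of the backslash. The following is an added example in Python, my own code rather than anything from rlm_realm, rlm_mschap or rlm_ldap. It does the split, escapes the user part before it is substituted into the (sAMAccountName=%u) filter from the post (an unescaped User-Name chosen by the supplicant can otherwise change what the filter matches), and builds the ntlm_auth argument list in the form the earlier thread converged on. The challenge and response values in the test are placeholders; the path /usr/bin/ntlm_auth is the one shown in the earlier debug output.

```python
# Added example: NT-style domain splitting and LDAP filter escaping. My own code, not
# FreeRADIUS's; function names and the sample inputs are constructed for illustration.

# RFC 4515 section 3: characters that must be hex-escaped inside a filter assertion value.
_LDAP_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def split_nt_name(user_name: str):
    """Return (domain, user). Accepts DOMAIN\\user (NetBIOS prefix, split at the first
    backslash) and user@domain (realm suffix, split at the last '@'); a bare name gives
    (None, user). An empty domain part is reported as None."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return (domain or None), user
    if "@" in user_name:
        user, _, domain = user_name.rpartition("@")
        return (domain or None), user
    return None, user_name


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def sam_account_filter(user_name: str) -> str:
    """The filter (sAMAccountName=%u) from the post, built from the user half of the
    name with the value escaped so a crafted User-Name cannot widen the search."""
    _, user = split_nt_name(user_name)
    return "(sAMAccountName=%s)" % ldap_escape(user)


def ntlm_auth_argv(user_name: str, challenge_hex: str, nt_response_hex: str,
                   ntlm_auth: str = "/usr/bin/ntlm_auth") -> list:
    """argv for Samba's ntlm_auth with --username carrying the bare user and --domain
    the prefix. Returned as a list for subprocess.run(), never joined into a shell
    string, because user_name arrives straight from the supplicant."""
    if len(bytes.fromhex(challenge_hex)) != 8:
        raise ValueError("MS-CHAPv2 challenge must be 8 bytes (16 hex digits)")
    if len(bytes.fromhex(nt_response_hex)) != 24:
        raise ValueError("NT-Response must be 24 bytes (48 hex digits)")
    domain, user = split_nt_name(user_name)
    argv = [ntlm_auth, "--request-nt-key", "--username=" + user]
    if domain:
        argv.append("--domain=" + domain)
    argv += ["--challenge=" + challenge_hex, "--nt-response=" + nt_response_hex]
    return argv
```

Whichever module does the stripping in a real deployment, the property to check in -X output is the one the example enforces: the value that reaches the LDAP filter is the user half only, and it is escaped before substitution.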
Re: wireless+freeradius+AD
Comments below.

--- Alan DeKok [EMAIL PROTECTED] wrote:

Laker Netman [EMAIL PROTECTED] wrote:
First: We do not allow anonymous binding to our AD LDAP. So, for testing to date, I have used Administrator and the associated password in the config file. Obviously this is less than ideal :) What is the best or better alternative? Allowing anonymous bind? Creating a bind-only user for auth purposes?

The server needs to bind to AD only to get group information. If you can configure a user on AD that is permitted only to do that, that would be the best thing.

Not sure I understand. To my knowledge, currently our AD doesn't contain any info that would differentiate a wireless user from one who is wired. Based on the authenticating NAS (which is identifiable as wired vs wireless at least to RADIUS) how could I tie that to an AD group? If this is possible, where is the FAQ describing the setup process?

Am I correct that the NAS passes the username and password to FR in cleartext?

Not for wireless.

So, when I see cleartext passwords (provided to RADIUS via NAS auth dialogs) in a radiusd -X output to the terminal it's due to the fact that they have already been decoded via the symmetric NAS-RADIUS key?

Is there any method to send/receive the password between FR and AD encrypted?

SSL.

A URL or path to the RADIUS doc supporting this would be appreciated.

Lastly, as I mentioned earlier, I have googled, read, googled, read, a *lot* of info. Is there a CONCISE site anywhere on the web that defines everything needed without leaving out the *one* critical piece that actually makes it work? ;-)

I'm not sure what you mean by that. The HOWTO's describe how to configure wireless with FreeRADIUS, and LDAP. Follow the instructions and they will work. Do you know what you want from wireless and AD? It sounds like the one critical piece you're looking for is something to solve a problem you haven't articulated.

Alan DeKok.
My statement was intentionally flippant, though not meant to be disrespectfully so. It is the culmination of much frustration at finding lots of tangible data to make a functional system, yet, all of the pages tend to end with the cliche (paraphrasing now) "and some other settings we all know it needs..." We who? I'm not stupid, but I'm not perfect. THAT'S why I'm seeking help (not judgement) from the list. If there are useful docs I haven't found, tell me. If I don't fully understand what I'm reading and ask for help, either help me or don't. Please refrain from the holier than thou routine.

I have read the majority of your posts since 2002 Mr. DeKok. Clearly, you are quite knowledgeable regarding RADIUS. However, your disdain for the mortals who wish to use a tool, rather than wonder at its mystical intricacies, is evident on repeated occasions in your responses. So not everyone is as clever as you... insult or help, which produces a better outcome?

Laker
wireless+freeradius+AD
Hi all. I have been running freeradius for quite a while now to authenticate dial-up users through our Cisco 3660. Additionally, I configured several of our internal devices for AAA. This has all worked quite well and I have been using a MySQL backend.

Now I am getting ready to deploy a wireless network in our facility and need to lock it down. My idea is to have our users authenticate and authorize against our active directory. Then, to provide access to guests, just create a bogus wireless user that doesn't exist in the AD, so radius falls back to a different auth method (sql) to let the user at least get on and get an address from our dhcp. I basically have this model working through regular telnet and PPP right now, less the wireless piece. I have successfully set up authentication to AD, but I have some questions and concerns. I have done quite a bit of research on this and read the pertinent files in the /doc folder included with the FR software. So, I hope my questions make sense.

First: We do not allow anonymous binding to our AD LDAP. So, for testing to date, I have used Administrator and the associated password in the config file. Obviously this is less than ideal :) What is the best or better alternative? Allowing anonymous bind? Creating a bind-only user for auth purposes?

Am I correct that the NAS passes the username and password to FR in cleartext? Is there any method to send/receive the password between FR and AD encrypted?

If I want to use WPA with TKIP (or preferably AES) do I *have* to have a supplicant? Most hosts will be XP, though there is a slim chance I may have to deal with others.

Lastly, as I mentioned earlier, I have googled, read, googled, read, a *lot* of info. Is there a CONCISE site anywhere on the web that defines everything needed without leaving out the *one* critical piece that actually makes it work? ;-)

Thanks in advance,
Laker