Re: Issue with MSCHAP

2012-11-06 Thread Ryan Summey
Roger thanks
On Nov 5, 2012 11:35 PM, Fajar A. Nugraha l...@fajar.net wrote:

 On Mon, Nov 5, 2012 at 6:47 PM, Ryan Summey ryan.sum...@gmail.com wrote:
 Thank you for the help guys, really appreciate it. Is there any way to
 automate this?

 My best advice would be to read the Advanced Bash-Scripting Guide, as
 well as "Awk Introduction Tutorial – 7 Awk Print Examples" (hint: use
 Google), and combine that with the smbencrypt tool.

 Of course you could also use
 whatever-programming-language-of-your-choice to do the same thing.
 For example, http://search.cpan.org/~bjkuit/Crypt-SmbHash-0.12/SmbHash.pm

 --
 Fajar
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


Re: Issue with MSCHAP

2012-11-05 Thread Ryan Summey
Thank you for the help guys, really appreciate it. Is there any way to
automate this?
On Nov 5, 2012 12:54 AM, Fajar A. Nugraha l...@fajar.net wrote:

 On Mon, Nov 5, 2012 at 6:26 AM, Ryan Summey ryan.sum...@gmail.com wrote:
  What do i need to do to enable nt-hash rather than pap?

 That question should be: how do I put nt-hash password in the db?

 IIRC the attribute name is NT-Password (you use this instead of
 Cleartext-Password as the attribute in radcheck), and you create it
 using smbencrypt (part of FR):

 # smbencrypt password
 LM Hash                          NT Hash
 E52CAC67419A9A224A3B108F3FA6CB6D 8846F7EAEE8FB117AD06BDD830B7586C

 In that example you put 8846F7EAEE8FB117AD06BDD830B7586C as the value
 in radcheck.

 --
 Fajar


Re: Issue with MSCHAP

2012-11-04 Thread Ryan Summey
Yeah, I haven't touched anything, just set up Ubuntu server + pptp +
freeradius + mysql, that's it.

My phone is Android and in the VPN settings it has PPTP options but I can't
select EAP-TTLS.. it's PPP encryption (MPPE) and that uses MSCHAPv2, I
believe. How would I get this to work using an encrypted password?

Ok so the is

On Sun, Nov 4, 2012 at 5:47 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 Is there any tutorials on how to do this ?

 choose EAP-TTLS/PAP on the client.

 so long as you haven't butchered your eap.conf (or mods-enabled/eap on FR
 3.x) then it will just work. (EAP-TTLS is one of the EAP methods that FR
 natively supports)


 you can use eapol_test (part of the wpa_supplicant package) to verify any EAP
 authentications are operative against your server


 alan


Re: Issue with MSCHAP

2012-11-04 Thread Ryan Summey
Yes this is VPN, sorry for the confusion... DB is a MySQL and isn't hosted
locally. I created it at my hosting company. I set up a virtual machine
with Ubuntu server on my desktop with everything I need. This all works
with clear-text passwords from my phone.

What do I need to do to enable nt-hash rather than pap?

On Sun, Nov 4, 2012 at 6:12 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 Yeah, I haven't touched anything, just set up Ubuntu server + pptp +
 freeradius + mysql, that's it.

 ah. VPN stuff - you should have clarified; the pointers about TTLS etc
 from others were for enterprise wireless (WPA2/AES - aka WPA/RADIUS)

 2-step approach - secure access to the DB in the first instance, second
 would be to use eg NT-HASH rather than PAP for storage. where is the DB? same
 host as the RADIUS? ensure only the processes that need access have access
 and ensure only the account that needs privileges gets read access.

 alan


Re: Wired 802.1X + FreeRADIUS + LDAP issue

2011-12-12 Thread Ryan Garland
On Mon, Dec 12, 2011 at 6:30 PM, Ryan Garland she...@gmail.com wrote:

 Thanks for the response, Alan.

 It turns out part of my issue was certificate related.  This has been
 resolved, but eapol_test continues to fail for a different reason.
 However, I am having trouble determining a fix.

 Attached is the eapol_test configuration, debug output, FreeRADIUS
 configuration & debug output.

 It appears that the relevant portion of the FreeRADIUS debug output is:

 Found Auth-Type = EAP
 # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
 +- entering group authenticate {...}
 [eap] Request found, released from the list
 [eap] EAP/md5
 [eap] processing type md5
 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
 [eap] Handler failed in EAP/md5
 [eap] Failed in EAP select
 ++[eap] returns invalid
 Failed to authenticate the user.
 } # server inner-tunnel
 [ttls] Got tunneled reply code 3
        EAP-Message = 0x04010004
        Message-Authenticator = 0x
 [ttls] Got tunneled Access-Reject
 [eap] Handler failed in EAP/ttls
 rlm_eap_ttls: Freeing handler for user ryan
 [eap] Failed in EAP select
 ++[eap] returns invalid
 Failed to authenticate the user.

 I am having an even more difficult time deciphering the eapol_test
 debug output - I just see the EAP failure from the radius server.

 I have also tried commenting out 'virtual_server = inner-tunnel' in
 the ttls section of eap.conf to force it to use default (as the
 documentation inside the default virtual server would seem to imply
 I should do) and I get the same result.  I may be mis-reading it,
 however.

 Do you see something glaringly wrong?  I appreciate any insight you can 
 provide.

Sorry, I should have been more clear.

I'm not sure what my options are with regards to Cleartext-Password
and using EAP-MD5, if that is indeed what is causing the failure.

I am attempting to get eapol_test to work since it sounds like this
should be my first priority.  The OS X supplicant continues not to
respond to the Access-Challenge even though its profile is set up with
the corrected ca.der - but, one step at a time.

-RG



Re: Wired 802.1X + FreeRADIUS + LDAP issue

2011-12-12 Thread Ryan Garland
On Mon, Dec 12, 2011 at 7:12 PM, Fajar A. Nugraha l...@fajar.net wrote:
 On Tue, Dec 13, 2011 at 9:37 AM, Ryan Garland she...@gmail.com wrote:

 Sorry, I should have been more clear.

 I'm not sure what my options are with regards to Cleartext-Password
 and using EAP-MD5, if that is indeed what is causing the failure.

 Then don't use EAP-MD5. If TTLS-PAP works for wireless, use the same
 one for wired.
 There should be an option to select which authentication method to use
 for wired 802.1x.

Ok, I changed auth type to PAP in the eapol_test configuration and it
worked.  Thanks, I didn't realize it was as simple as changing the
phase2 auth type.

However, my original problem persists.  My supplicant continues not to
respond to the FreeRADIUS Access-Challenge.

Keep in mind I am using the same .mobileconfig on my OS X Lion machine
and my iPhone 4S (IOS 5) and TTLS+PAP works fine for Wireless.  I am
not sure how to tell which authentication method the supplicant is
using for Wired as I can only see authentication protocols listed
under the Wi-Fi section of the profile generated using the iPhone
Configuration Utility (I was led to believe that the same profile can
work with both Wired and Wireless 802.1X, hence me being stumped).

If there is not an issue with FreeRADIUS as far as the experts on this
list can tell from the debug output in my original post (the Wired
failure attachment), then I may have to look elsewhere for input
(Apple support forums perhaps?  Ugh :P)

Thanks again for your assistance thus far.

-RG


distributed database

2011-09-13 Thread Ryan Williams
I'm looking at implementing freeradius w/MySQL for auth & accounting with a
single master database and multiple (initially two) radius servers (slaves).

The idea is that the slaves will run freeradius and the master will be
integrated with the billing system.
The slaves can download an exact copy of the master's radcheck & radreply
tables at frequent intervals. - That bit is easy.

 

The difficulty arises when trying to run a distributed session table and
also trying to implement some sort of replication so the slaves can push
their radacct table back up to the master while avoiding PK conflicts.

 

I'm considering one of two solutions:

1) Make the ID column in both the session table and radacct a NEWID / GUID /
statistical key

or 

2) Add a SlaveID int column to both tables and use a joint ID,SlaveID
Primary Key.

 

Does anyone have any experience with either or does anyone have any thoughts
on the matter?

 


Regards,


Ryan Williams

 

 


RE: Accounting - limits

2011-07-25 Thread Ryan Williams
Hello anonymous!
You can write a custom SQL query and include it when authenticating the user
to determine if the user has or has not downloaded in excess of 1GB.
Assuming of course that you're storing the accounting data in an SQL
database.

Regards,
Ryan Williams


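The per-user volume check Ryan describes, as an added example (not from the post or from FreeRADIUS): the query sums Acct-Output-Octets from radacct (bytes the NAS sent towards the subscriber, i.e. downloads) since a period start and compares the total with 1 GiB, exercised here against a constructed in-memory SQLite copy of the relevant radacct columns rather than a live server (where the same query would typically be wired in through rlm_sqlcounter or a custom module). Column names follow the stock FreeRADIUS SQL schema; the users, dates and byte counts are constructed.

```python
import sqlite3

ONE_GIB = 1024 ** 3

# Subset of the stock FreeRADIUS radacct columns needed for a volume check.
SCHEMA = """
CREATE TABLE radacct (
    radacctid        INTEGER PRIMARY KEY,
    username         TEXT NOT NULL,
    acctstarttime    TEXT,
    acctstoptime     TEXT,
    acctinputoctets  INTEGER DEFAULT 0,
    acctoutputoctets INTEGER DEFAULT 0
)
"""

# acctoutputoctets is what the NAS sent to the subscriber (their downloads).
# Sessions still open (acctstoptime IS NULL) are counted too: their row holds
# the counters from the last interim update, so usage cannot hide in a live session.
DOWNLOAD_TOTAL_SQL = """
SELECT COALESCE(SUM(acctoutputoctets), 0)
FROM radacct
WHERE username = ?
  AND acctstarttime >= ?
"""


def downloaded_bytes(conn, username, since):
    """Total bytes downloaded by `username` in sessions that started at or after `since`."""
    (total,) = conn.execute(DOWNLOAD_TOTAL_SQL, (username, since)).fetchone()
    return int(total)


def over_quota(conn, username, since, limit=ONE_GIB):
    """True when the user should be rejected at authentication time."""
    return downloaded_bytes(conn, username, since) > limit


def build_sample_db():
    """Constructed accounting rows: alice is over 1 GiB in July 2011, bob is not."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        ("alice", "2011-07-02 10:00:00", "2011-07-02 12:00:00", 50_000_000, 700_000_000),
        ("alice", "2011-07-20 09:00:00", None,                  10_000_000, 500_000_000),
        ("bob",   "2011-07-05 08:00:00", "2011-07-05 09:00:00", 1_000_000,  200_000_000),
        ("alice", "2011-06-28 08:00:00", "2011-06-28 09:00:00", 0,          900_000_000),  # previous month
    ]
    conn.executemany(
        "INSERT INTO radacct (username, acctstarttime, acctstoptime, "
        "acctinputoctets, acctoutputoctets) VALUES (?, ?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    period_start = "2011-07-01 00:00:00"
    for user in ("alice", "bob"):
        verdict = "reject" if over_quota(db, user, period_start) else "accept"
        print(user, downloaded_bytes(db, user, period_start), verdict)
```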


Re: Opposite of Expiration attribute?

2011-06-17 Thread Ryan Williams
http://wiki.freeradius.org/Rlm_logintime

Regards,
Ryan Williams
Network Engineer

-Original Message-
From: freeradius-users-bounces+ryan=integritynet.com...@lists.freeradius.org
[mailto:freeradius-users-bounces+ryan=integritynet.com.au@lists.freeradius.org] On Behalf Of George Chelidze
Sent: Friday, 17 June 2011 4:02 PM
To: freeradius-users@lists.freeradius.org
Subject: **Filtered as SPAM** Re: Opposite of Expiration attribute?

On 06/17/2011 09:23 AM, Matthew George wrote:
 Is there an attribute that is the opposite of expiration?

 I'm trying to setup accounts to have a specific login time range.

 For example;
 Start-Time = 5 June 2011 00:00:00
 Expiration == 5 June 2011 02:00:00

 I've been hunting/googling for hours but I've been unable to find an
 attribute that would let me specify a start-time or a valid-after
 attribute.

 Any suggestions?

check modules/logintime

BR,

George Chelidze



RE: Alvarion BreezeMAX 4Motion Service Profiles

2011-05-15 Thread Ryan Williams
I have a working solution.

For Alvarion to assign service profiles to subscribers through FreeRADIUS
the Filter-Id attribute must be provided in the Access-Accept in the
following format.

Filter-Id = SP=sp1:MSF=msf1;
Where sp1 is the name of the pre-configured service profile and msf1 is the
name of the pre-configured multiple service flow profile.

I can confirm that this format works with both the 4Motion and the BreezeMAX
extreme product lines from Alvarion.
Thanks to everyone for your assistance.

-Original Message-
From: Ryan Williams [mailto:r...@integritynet.com.au]
Sent: Friday, 13 May 2011 11:40 AM
To: 'freeradius-users@lists.freeradius.org'
Subject: Alvarion BreezeMAX & 4Motion Service Profiles

Has anyone been able to get the Alvarion BreezeMAX to apply a service
profile for a subscriber through radius?
Or has anyone been able to get debug logging out of the BreezeMAX, perhaps
via syslog?

I believe I've got the service interfaces, service groups etc configured the
same in both products.
The BreezeMAX works if I disable RADIUS but doesn't work with the following
radius reply. 

The following access accept works with the Alvarion 4Motion product but not
with the BreezeMAX.

Sending Access-Accept of id 13 to 10.12.15.50 port 49154
Session-Timeout = 3600
Termination-Action = RADIUS-Request
Filter-Id = SP1
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = {am=1}t...@test.com.au
WiMAX-MSK = 0x18bffebb46ac2e95ee730b7ecc0eaa5eb4b586fe29e5113f97f1ab794b4405f9d77aaa432cbb91eb9e4d3ea7e65dded2bb765e18491c62530cf3edee80c644a1



RE: Alvarion BreezeMAX 4Motion Service Profiles

2011-05-13 Thread Ryan Williams
Thanks Alan,
I'm already running the master branch of Freeradius (as of two
days ago). I have FreeRadius working with an Alvarion 4 Motion product but
not with the Alvarion BreezeMax product.
It seems to be ignoring my Access-Accept.

Regards,
Ryan Williams

-Original Message-
From: freeradius-users-bounces+ryan=integritynet.com...@lists.freeradius.org
[mailto:freeradius-users-bounces+ryan=integritynet.com.au@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, 13 May 2011 3:09 PM
To: FreeRadius users mailing list
Subject: Re: Alvarion BreezeMAX & 4Motion Service Profiles

Ryan Williams wrote:
 Has anyone been able to get the Alvarion BreezeMAX to apply a service
 profile for a subscriber through radius?

  Yes.  Go to http://git.freeradius.org, and follow the instructions for
downloading the git master branch.

  Then, edit share/dictionary to:

- delete the $INCLUDE of the wimax & alvarion dictionaries
- add $INCLUDE dictionary.wimax.alvarion & dictionary.alvarion.wimax
  (really)

  At that point it should be possible to return the non-standard
attributes needed by Alvarion.

 The following access accept works with the Alvarion 4Motion product but not
 with the BreezeMAX.

  They appear to have completely different code bases, and completely
different needs for RADIUS.  sigh

  Alan DeKok.



Alvarion BreezeMAX 4Motion Service Profiles

2011-05-12 Thread Ryan Williams
Has anyone been able to get the Alvarion BreezeMAX to apply a service
profile for a subscriber through radius?
Or has anyone been able to get debug logging out of the BreezeMAX, perhaps
via syslog?

I believe I've got the service interfaces, service groups etc configured the
same in both products.
The BreezeMAX works if I disable RADIUS but doesn't work with the following
radius reply. 

The following access accept works with the Alvarion 4Motion product but not
with the BreezeMAX.

Sending Access-Accept of id 13 to 10.12.15.50 port 49154
Session-Timeout = 3600
Termination-Action = RADIUS-Request
Filter-Id = SP1
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = {am=1}t...@test.com.au
WiMAX-MSK = 0x18bffebb46ac2e95ee730b7ecc0eaa5eb4b586fe29e5113f97f1ab794b4405f9d77aaa432cbb91eb9e4d3ea7e65dded2bb765e18491c62530cf3edee80c644a1



Re: Authentication failing when using *...@domain.com

2010-10-25 Thread Ryan Garrett
I was trying to follow your suggestions, I was just confused about them. I
wasn't sure what I needed to be adding to inner-tunnel. I did end up adding
a line to proxy.conf, but it was just a blank entry for the
testlab.net realm. After that, authentication worked when using the
u...@realm format. I have other issues with it at this point, which I
believe is outside the scope of the original problem.

I am still not 100% on the inner-tunnel settings I need to configure,
however I am still trying to figure it out. I read through inner-tunnel but
just ended up getting a bit more confused than I already was.

What did my message say?
If you're not going to follow my suggestions, I don't see why you're
asking questions on this list.

I wasn't trying to ignore your advice, again, I was just confused.

Thanks for the help, though.



On Wed, Oct 20, 2010 at 1:03 AM, Alan DeKok al...@deployingradius.com wrote:

 Ryan Garrett wrote:
  There must be something I am not understanding, as I am unclear on what
  I need to be adding to proxy.conf.

  You need to inform the server that u...@realm should be treated the
 same as user.

  And from what I can tell,
  inner-tunnel doesn't need to be touched with the way I am configuring,
  or is that incorrect?



   In 2.1.10, read raddb/sites-available/inner-tunnel.  Test that with
  radtest and dad...@testlab.net.
   Once that works, PEAP will work.

  Alan DeKok.


Re: Authentication failing when using *...@domain.com

2010-10-19 Thread Ryan Garrett
Alan,

There must be something I am not understanding, as I am unclear on what I
need to be adding to proxy.conf. And from what I can tell, inner-tunnel
doesn't need to be touched with the way I am configuring, or is that
incorrect?

If my realm is testlab.net, do I just need an entry that is:

realm testlab.net {
}

? Or am I still not getting something?

On Mon, Oct 18, 2010 at 1:56 AM, Alan DeKok al...@deployingradius.com wrote:

 Ryan Garrett wrote:
  I have a test account setup within a test domain.
  The username is dadmin. If I authenticate with just dadmin it works
  fine, I get an access accept response and I am up and running.

   OK.

  However, if I try dad...@testlab.net
  authentication is rejected.

   Because names are just strings.  The strings dadmin and
 dad...@testlab.net are different.

  My main concern is the fact that during the
  process, it says testlab.net was not found, using
  NULL for the Realm.

   Yes... because you didn't configure the realm.  See raddb/proxy.conf.

  In 2.1.10, read raddb/sites-available/inner-tunnel.  Test that with
 radtest and dad...@testlab.net.  Once that works, PEAP will work.

  Alan DeKok.


Re: radtest issue

2010-10-15 Thread Ryan Garrett
The NAS-IP-Address field should be set to whatever you are using as your
supplicant, most likely your switch.

On Fri, Oct 15, 2010 at 4:15 AM, Sujith Paily K suj...@sparksupport.com wrote:

 I have installed freeradius2 & freeradius2-utils on centos5.5 using yum. I
 did the basic configuration and test with radtest
 -
 radtest testing password 127.0.0.1 10 testing123
 Sending Access-Request of id 221 to 127.0.0.1 port 1812
 User-Name = testing
 User-Password = password
 NAS-IP-Address = 216.34.94.184
 NAS-Port = 10
 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=221,
 length=2

 -
 I don't understand NAS-IP-Address = 216.34.94.184; my hostname is
 node3.localhost. So the expected NAS-IP-Address is node3.localhost, right?
 What is wrong? I don't find the IP 216.34.94.184 on my machine
 --
 Thanks and Regards,
 Sujith Paily K

 http://SparkSupport.com | http://migrate2cloud.com






WPA2 802.1X PEAPv0/EAP-MSCHAPv2

2010-03-31 Thread Ryan A. Krenzischek
 = 0x80109fb1806886dec5fe36c0b7659309
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 1.2.3.4 port 1812, id=157, 
length=101

User-Name = billgates
NAS-IP-Address = 1.2.3.4
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 01-23-45-67-89-AB
State = 0x80109fb1806886dec5fe36c0b7659309
EAP-Message = 0x027800060300
Message-Authenticator = 0x5acdbbd8d404e0ff100969933c8254b3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = billgates, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 120 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry billgates at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - billgates
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 157 to 1.2.3.4 port 1812
EAP-Message = 0x04780004
Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 2 ID 156 with timestamp +74
Waking up in 0.9 seconds.
Cleaning up request 3 ID 157 with timestamp +74
Ready to process requests.


TIA,

Ryan


Re: Pre-release of 2.1.7

2009-09-02 Thread Ryan Steinmetz
The dictionary.airespace file should probably be updated.

Airespace is now owned by Cisco and the VSAs that are published are different 
from those included with the FR distribution.  See 
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080891919.shtml
 for additional details.

I've included the copy of the dictionary.airespace file that I'm using.

-r

# -*- text -*-
#
#       As found on the net.
#
#       $Id$
#
VENDOR          Airespace                       14179

BEGIN-VENDOR    Airespace
ATTRIBUTE       Airespace-Wlan-Id               1       integer
ATTRIBUTE       Airespace-QOS-Level             2       integer
ATTRIBUTE       Airespace-DSCP                  3       integer
ATTRIBUTE       Airespace-8021p-Tag             4       integer
ATTRIBUTE       Airespace-Interface-Name        5       string
ATTRIBUTE       Airespace-ACL-Name              6       string

VALUE   Airespace-QOS-Level     Bronze          3
VALUE   Airespace-QOS-Level     Silver          0
VALUE   Airespace-QOS-Level     Gold            1
VALUE   Airespace-QOS-Level     Platinum        2

END-VENDOR      Airespace


On (09/02/09 10:46), Alan DeKok wrote:
   It's been a while since 2.1.6, and it's getting close to time for
 2.1.7.  In order to ensure the stability of the software, we need your help.
 
   Please download the pre release of 2.1.7 from:
 
   http://git.freeradius.org/pre/
 
   Build it, install it, and see if there are issues.  The directory also
 includes Debian packages for Ubuntu 8.0.4.
 
   If there are no issues, we can release 2.1.7 this week.
 
   Alan DeKok.

-- 
Ryan Steinmetz
Lead Security/Systems Administrator
Infrastructure Engineering
Rochester Institute of Technology
585.475.5663
PGP: EF36 D45A 5CA9 28B1 A550  18CD A43C D111 7AD7 FAF2
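To show what the posted dictionary actually defines on the wire, an added example (not from the post or from FreeRADIUS): a minimal reader for the VENDOR/BEGIN-VENDOR/ATTRIBUTE/VALUE lines above and an encoder that turns Airespace-QOS-Level = Gold or an Airespace-ACL-Name into the RFC 2865 Vendor-Specific AVP a RADIUS Access-Accept would carry. The dictionary text is a copy of the one quoted above; the ACL name is constructed.

```python
import struct

# Copy of the dictionary.airespace content quoted in the post above.
AIRESPACE_DICT = """\
VENDOR      Airespace                14179
BEGIN-VENDOR Airespace
ATTRIBUTE   Airespace-Wlan-Id        1   integer
ATTRIBUTE   Airespace-QOS-Level      2   integer
ATTRIBUTE   Airespace-DSCP           3   integer
ATTRIBUTE   Airespace-8021p-Tag      4   integer
ATTRIBUTE   Airespace-Interface-Name 5   string
ATTRIBUTE   Airespace-ACL-Name       6   string
VALUE   Airespace-QOS-Level Bronze   3
VALUE   Airespace-QOS-Level Silver   0
VALUE   Airespace-QOS-Level Gold     1
VALUE   Airespace-QOS-Level Platinum 2
END-VENDOR  Airespace
"""

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for vendor-specific attributes


def parse_dictionary(text):
    """Minimal reader for the FreeRADIUS dictionary keywords used in the file above.

    Returns (vendors, attrs, values): vendor name -> id, attribute name ->
    (vendor, vendor type, data type), attribute name -> {value name: number}.
    """
    vendors, attrs, values = {}, {}, {}
    vendor = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        kw = parts[0]
        if kw == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif kw == "BEGIN-VENDOR":
            vendor = parts[1]
        elif kw == "END-VENDOR":
            vendor = None
        elif kw == "ATTRIBUTE":
            attrs[parts[1]] = (vendor, int(parts[2]), parts[3])
        elif kw == "VALUE":
            values.setdefault(parts[1], {})[parts[2]] = int(parts[3])
    return vendors, attrs, values


def encode_vsa(dictionary, name, value):
    """Encode one vendor attribute as a Vendor-Specific AVP.

    Layout: type 26, length, 4-byte vendor id, then vendor type, vendor length, data.
    """
    vendors, attrs, values = dictionary
    vendor, vtype, dtype = attrs[name]
    if vendor is None:
        raise ValueError(f"{name} is not a vendor attribute")
    if dtype == "integer":
        if isinstance(value, str):               # named VALUE such as Gold -> 1
            value = values[name][value]
        data = struct.pack(">I", value)
    elif dtype == "string":
        data = value.encode("utf-8")
        if len(data) > 247:                      # 253 bytes of AVP data minus 6 bytes of VSA header
            raise ValueError("string too long for a single VSA")
    else:
        raise ValueError(f"unsupported data type {dtype}")
    inner = struct.pack(">BB", vtype, len(data) + 2) + data
    body = struct.pack(">I", vendors[vendor]) + inner
    return struct.pack(">BB", VENDOR_SPECIFIC, len(body) + 2) + body


if __name__ == "__main__":
    d = parse_dictionary(AIRESPACE_DICT)
    print(encode_vsa(d, "Airespace-QOS-Level", "Gold").hex())
    print(encode_vsa(d, "Airespace-ACL-Name", "guest-acl").hex())   # constructed ACL name
```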


Re: autostart script for FreeRADIUS

2009-03-29 Thread Ryan Steinmetz
Tseveen,

Add radiusd_enable=YES to /etc/rc.conf.

-r


On (03/30/09 09:16), Tseveendorj wrote:
 Hello,
 
 I have installed FreeRADIUS 2.1.3 on FreeBSD 6.4. I want FreeRADIUS to
 come up when the system reboots.
 
 Thank you.
 
 Sincerely,
 Tseveen
 
 
 
 

-- 
Ryan Steinmetz
Lead Security/Systems Administrator
Finance  Administration
Systems  Technology
Rochester Institute of Technology
585.475.5663
PGP: EF36 D45A 5CA9 28B1 A550  18CD A43C D111 7AD7 FAF2


RE: oracle

2008-11-17 Thread Ryan Melendez
Oracle stored procedures have worked fine for me.

Thanks,
Ryan

-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
org] On Behalf Of Alexandre Chapellon
Sent: Monday, November 17, 2008 7:33 PM
To: FreeRadius users mailing list
Subject: oracle

Has anyone already used Oracle stored procs as auth queries?

Is it known to work or known not to work?

regards



attribute would not pass using PEAP, but work using MD5

2008-09-23 Thread Ryan Setiawan H

Hi,
   I'm using wired 802.1x to authenticate users using EAP-MD5 and EAP-PEAP.
The problem arises when using PEAP: the RADIUS attribute
(Tunnel-Private-Group-Id) isn't passed to the switch, but if we use MD5 the
server will pass the attribute. I suspect something is missing in the inner
tunnel config (I only changed 1 line in the authorization section, adding
the ldap module). BTW I'm using 2.0.5


debug for peap :

   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-16-36-5a-f1-e4
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 100
   EAP-Message = 0x0201000c0174657374696e67
   Message-Authenticator = 0x24f65e66f58f3fbc5672fd7460764248
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 1 length 12
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
   users: Matched entry DEFAULT at line 183
++[files] returns ok
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
   expand: (uid=%u) - (uid=testing)
   expand: ou=dialup,dc=zzz,dc=com - ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.11.17:389, authentication 0
rlm_ldap: bind as memberUid=radius,ou=admin,dc=zzz,dc=com/radiusjuga to 192.168.11.17:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)

rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time == WK0800-1800
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x3139373530313942423345344631324146413133423832443930424146414137
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 0x3244353534353037374437423744324136443341363237433832344630323946
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute Calling-Station-Id == 00-16-36-5a-f1-e4

rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = 101
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute Service-Type = Framed-User

rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_instance10] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
++[checkval] returns ok
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'WK0800-1800'
rlm_logintime: timestr returned accept
rlm_logintime: Session-Timeout set to: 24660
++[logintime] returns ok
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password:  Found Auth-Type EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.        !!!
!!! Please update your configuration so that the "known good" clear text    !!!
!!! password is in Cleartext-Password, and not in User-Password.            !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type EAP
+- entering group authenticate
 rlm_eap: EAP Identity
 rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server nispdot1x
   Framed-Compression = Van-Jacobson-TCP-IP
   Tunnel-Private-Group-Id:0 = 101
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Type:0 = VLAN
   Framed-Protocol = PPP
   Service-Type = 

Re: Freeradius Accounting using different virtual server

2008-09-19 Thread Ryan Setiawan H


 In 2.1.0 you can create a home_server that points to a virtual
 server. This means you don't need extra listen sections.

Then I really need to upgrade it

 Why does it *not work* to create multiple detail modules? See the FAQ
 for "it doesn't work". Alan DeKok.

Sorry for not posting the configuration, but it has been solved already.
Adding a module in the accounting section is rather different than in the
authentication or authorization section.


Thanks Alan

--
DISCLAIMER:

The contents of this email and attachments are confidential and may be subject 
to legal privilege. Any unauthorized use, copying, disclosure or communicating 
any part of it to others is strictly prohibited and may be unlawful. If you are 
not the intended recipient you must not use, copy, distribute or rely on this 
email and should please return it immediately to the sender or notify us and 
delete the email and any attachments from your system. We cannot accept 
liability for loss or damage resulting from computer viruses. The integrity of 
email across the Internet cannot be guaranteed and PT BANK NISP, Tbk. will not 
accept liability for any claims arising as a result of the use of this medium 
for transmissions by or to PT BANK NISP, Tbk.



Freeradius Accounting using different virtual server

2008-09-18 Thread Ryan Setiawan H

Hi,
   I'm using freeradius 2.0.5... many clients authenticate against us,
segmented by realm ( / IPASS). The server strips the realm from the
username and proxies to localhost with a different port number (so I
create many listen sections, each pointing to its own virtual server),
e.g. like this:
realm test1/username -> will go to 127.0.0.1:1912 (auth) 127.0.0.1:1913
(acct) using virtual server link1
realm test2/username -> will go to 127.0.0.1:2012 (auth) 127.0.0.1:2013
(acct) using virtual server link2 .. etc

For 127.0.0.1 I'm using per-socket clients to differentiate each client.
The problem arises when I want to differentiate each virtual server's
accounting (radutmp, radwtmp, and detail file), because using the default
accounting files each realm will be muddled into one file. In the
authorization and authentication modules I can create many instances, e.g.
(ldap1 ldap2 ldap3), but this does *not work* in the accounting module, e.g.
(detail1 detail2 detail3). Is there a way to do this? Could someone give
an example?


Thank you
Ryan Setiawan H




FreeRadius not sending access-deny

2008-08-29 Thread Ryan Kramer
Hello,

I recently discovered that my Freeradius 1.1.7 install is no longer sending
access-deny messages for bad passwords.  This causes the device to mark the
radius server as down and move on to the next one, or just marks it as
down.  I know it's probably something I did in the config, but for the life
of me I can't figure out how I managed to cause that.  Everything else on the
install works great, except that no access-deny packets ever move.

Any ideas?

Ryan

Re: FreeRadius not sending access-deny

2008-08-29 Thread Ryan Kramer
That setting was at the default of 1, I tried setting it to zero, no effect.

Here is the debug output with first a successful user followed by the same
user with a bad pwd.


--

rad_recv: Access-Request packet from host 10.15.251.232:1387, id=6,
length=62
User-Name = test
User-Password = test
Message-Authenticator = 0x0adeae0c4cb8659e2aaede3adb6009a3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
rlm_realm: No '\' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module ntdomain returns noop for request 0
users: Matched entry DEFAULT at line 1
users: Matched entry test at line 33
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=***,dc=**,dc=**'
radius_xlat:  '(uid=test)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.2.16.156:389, authentication 0
rlm_ldap: bind as cn=ITDRADIUSC,ou=USERS,ou=ITD,dc=nd,dc=gov/X27wireless45
to 10.2.16.156:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=***,dc=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'ou=***,dc=**,dc=***'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=***,**=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module  returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [test] (from client NetworkEquipment port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/reply-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/reply-detail-20080829
  modcall[post-auth]: module reply_log returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 6 to 10.15.251.232 port 1387
NS-Admin-Privilege = Root-Admin
APC-Service-Type = 1
Service-Type = Administrative-User
Cisco-AVPair = shell:priv-lvl=15
Filter-Id = unlim
Extreme-Shell-Command = Enable
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...



--





rad_recv: Access-Request packet from host 10.15.251.232:1337, id=5,
length=62
User-Name = test
User-Password = test2
Message-Authenticator = 0x9bb6290c9d5e7dcffeeafe87e2c65b40
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
rlm_realm: No '\' in User-Name = test, looking up realm NULL
  

Re: PEAP mschapv2 using xp native supplicant

2008-08-27 Thread Ryan Setiawan H
I've changed the lm and nt password to the hashed ones, and now it works. 
Thanks Alan

  And here we have it.  Those are NOT valid lmPassword or ntPassword
fields.  You are putting the clear-text password into those fields.  The
clear-text password belongs in the userPassword field.

  Delete the lmPassword and ntPassword fields from the DB.  They're wrong.
  




Re: PEAP mschapv2 using xp native supplicant

2008-08-26 Thread Ryan Setiawan H



Ryan Setiawan H wrote:
  

  Please post ALL of the debug output.  I suspect that you are doing the
ldap lookups OUTSIDE of the TLS tunnel rather than INSIDE.
  

...
  

Repost, forgot to change the subject.
I'm sorry I didn't include all the debug, because it was so large...
anyway here is the debug:



  As I suspected... you are doing the LDAP lookups *outside* of the
tunnel.  See raddb/sites-available/inner-tunnel.  Ensure that the
references to ldap are uncommented.

  Alan DeKok.
  
Hi, I've uncommented the ldap section in inner-tunnel and also made sure 
the default eap type in eap.conf is peap, but it still doesn't work. I've 
tried to make the eap session go directly to the inner-tunnel server in 
client.conf, but I think that's not a good idea and it also doesn't work. 
Any other ways? Or am I missing something?

Thanks

auth: type EAP
+- entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: Invalid LM-Password
rlm_mschap: Invalid NT-Password
 rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
 rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 0)
 PEAP: Tunneled authentication was rejected.
 rlm_eap_peap: FAILURE
++[eap] returns handled
} # server nispdot1x
   EAP-Message = 
0x010a00261900170301001ba41a64fc5858e400f6380342e22751610df4070fb87d66fcd1dcbb

   Message-Authenticator = 0x
   State = 0x252558f1222f410baf9655c23dbf74f3
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-16-36-5a-f1-e4
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   State = 0x252558f1222f410baf9655c23dbf74f3
   EAP-Message = 
0x020a00261900170301001ba49c9266682a7900ffd51675496e5519722e108c0e7a1eaf33a31a

   Message-Authenticator = 0xeaa952199e0cb6c5e3852ba39433eed3
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 10 length 38
 rlm_eap: Continuing tunnel setup.
++[eap] returns ok
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 eaptls_process returned 7
 rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: Received EAP-TLV response.
 rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in 
this session.

rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select



Re: PEAP mschapv2 using xp native supplicant

2008-08-26 Thread Ryan Setiawan H



rlm_mschap: Invalid LM-Password
rlm_mschap: Invalid NT-Password


 Well, that should be a hint.  How about trying to add a user 
password in the users file?  An example is in the FAQ.


When using the users file it just works; the problem arose when using the ldap backend.

In the ldap database, I've added the attributes LM-Password and NT-Password, and 
also added them as check items in ldap.attrmap.




Re: PEAP mschapv2 using xp native supplicant

2008-08-26 Thread Ryan Setiawan H



  The passwords you've added are invalid.  The debug message is telling
you that.

  Perhaps you could try posting WHAT you entered as LM-Password and
NT-Password.  Odds are you entered invalid ones.  Because the debug
message is telling you that they're invalid.
  

Here are the attributes at the LDAP server for user testing

dn: uid=testing,ou=dialup,dc=zzz,dc=com
dialupAccess: dialup
gidNumber: 1000
uid: testing
userPassword: Testing10
objectClass: posixGroup
objectClass: radiusprofile
objectClass: uidObject
objectClass: top
objectClass: sambaAccount
radiusTunnelType: VLAN
radiusTunnelMediumType: IEEE-802
cn: testing
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
rid: 1
radiusTunnelPrivateGroupId: 101
radiusCallingStationId: 00-16-36-5a-f1-e4
radiusLoginTime: WK0800-1800
lmPassword: Testing10
ntPassword: Testing10



  You are making it difficult for anyone to help you.  Giving out as
little information as possible in every message is counter-productive.

  Alan DeKok.
  
Sorry Alan, I didn't intend to do that and make it difficult. It's just 
that usually people don't like a lot of text showing up, and it makes them 
bored to read it, so I picked the messages which I concluded had to do with 
the problem...

I include all the debug below... thanks for your help

   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-16-36-5a-f1-e4
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   EAP-Message = 0x0201000c0174657374696e67
   Message-Authenticator = 0x58d7a85d7797a6a111db87923f69e24a
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 1 length 12
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
   users: Matched entry DEFAULT at line 183
++[files] returns ok
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
   expand: (uid=%u) - (uid=testing)
   expand: ou=dialup,dc=zzz,dc=com - ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter 
(uid=testing)

rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time 
== WK0800-1800
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 
0x54657374696e673130
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 
0x54657374696e673130
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute 
Calling-Station-Id == 00-16-36-5a-f1-e4

rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute 
Tunnel-Private-Group-Id:0 = 101
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute 
Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute 
Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute 
Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute 
Service-Type = Framed-User

rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_instance10] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
++[checkval] returns ok
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'WK0800-1800'
rlm_logintime: timestr returned accept
rlm_logintime: Session-Timeout set to: 31800
++[logintime] returns ok
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password:  Found Auth-Type EAP
!!!
!!!Replacing User-Password in config items with 
Cleartext-Password. !!!

!!!
!!! Please update your configuration so that the known 
good   !!!
!!! clear text password is in Cleartext-Password, and not in 
User-Password. !!!


Re: Help needed for radrelay under 1.1.3

2008-08-14 Thread Ryan
Hi Alan,

Thanks for the advice. Will look into upgrading to 2.0.5. As this is a
production system, I will need to plan for it.

Best Regards,
Ryan

 Date: Tue, 12 Aug 2008 17:45:37 +0200
 From: Alan DeKok [EMAIL PROTECTED]
 Subject: Re: Help needed for radrelay under 1.1.3
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=ISO-8859-1

 Ryan wrote:
 Need some help on radrelay for 1.1.3 if possible.

  Upgrade to 2.0.5.  The radrelay functionality is integrated into the
 server core, and works much better than 1.1.x.

 Have tried running radrelay in debug mode but was not able to find any
 error other than the following
 rad_verify: Received Accounting-Response packet from client
 xxx.xxx.xxx.xxx port 1813 with invalid signature (err=2)!  (Shared
 secret is incorrect.)

  Well... fix that.  Really.  It's making radrelay not work.

 Both radius are running 1.1.3.

 The error is rather strange as I'm sure that the shared secret is correct.

  (a) the shared secret is wrong.
  (b) the MD5 libraries on the system are broken
  (c) the memory on the system is corrupt.

  Pick one.

  Alan DeKok.
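The "invalid signature (err=2)" line is the Response Authenticator check of RFC 2866: the accounting server sets the 16-byte authenticator of its Accounting-Response to MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), and the relay recomputes it with its own copy of the shared secret, so any mismatch between the two secrets (or a corrupted MD5) fails the check. The following is an added example, not radrelay's or FreeRADIUS's code, that builds a constructed Accounting-Request/Response pair and runs that check with a matching and a mismatched secret; the attribute values and secrets are made up for the example.

```python
"""RADIUS Accounting-Response authenticator check (RFC 2866 section 3).
Added example; not radrelay or FreeRADIUS code."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def header(code: int, ident: int, attrs: bytes) -> bytes:
    """Code, Identifier, Length for a packet carrying the given attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def request_authenticator(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request authenticator: MD5 over the packet with a zeroed
    authenticator field, followed by the shared secret."""
    return hashlib.md5(header(ACCOUNTING_REQUEST, ident, attrs) + bytes(16)
                       + attrs + secret).digest()


def response_authenticator(code: int, ident: int, req_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """Response authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header(code, ident, attrs) + req_auth + attrs + secret).digest()


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    auth = request_authenticator(ident, attrs, secret)
    return header(ACCOUNTING_REQUEST, ident, attrs) + auth + attrs


def build_accounting_response(request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the accounting server sends back, signed with *its* copy of the secret."""
    ident = request[1]
    req_auth = request[4:20]
    auth = response_authenticator(ACCOUNTING_RESPONSE, ident, req_auth, attrs, secret)
    return header(ACCOUNTING_RESPONSE, ident, attrs) + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The check the relay side performs on a reply.  False on a wrong secret,
    a tampered packet, or an identifier that does not match the request."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(response[4:20], expected)


def radrelay_exchange(relay_secret: bytes, server_secret: bytes) -> bool:
    """Simulate one relayed Accounting-Request: the relay signs with
    relay_secret, the server answers signed with server_secret, the relay verifies."""
    # Constructed sample attributes: User-Name, Acct-Status-Type = Start, Acct-Session-Id.
    attrs = (attribute(1, b"testing")
             + attribute(40, struct.pack("!I", 1))
             + attribute(44, b"0001"))
    request = build_accounting_request(ident=7, attrs=attrs, secret=relay_secret)
    response = build_accounting_response(request, b"", server_secret)
    return verify_response(response, request, relay_secret)


if __name__ == "__main__":
    print("matching secrets :", radrelay_exchange(b"s3cret", b"s3cret"))
    print("mismatched secret:", radrelay_exchange(b"s3cret", b"typo"))
```

Because the check covers the whole reply, the same error also appears when a NAS or proxy in between rewrites the packet, or when the two servers disagree on which client entry (and therefore which secret) the relay's source address maps to, which is worth checking before suspecting the MD5 library.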


Help needed for radrelay under 1.1.3

2008-08-12 Thread Ryan
Hi All,

Need some help on radrelay for 1.1.3 if possible. I have a radius
setup whereby there are two radius servers, one for
authorization/authentication and one for accounting. The one doing
authorization/authentication will relay the accounting detail using
radrelay to the other radius server, which will update sql.

Currently I'm having some problem with the relaying; it does not seem
to be working, as the detail file which is supposed to be cleared as
entries are relayed is getting filled up. I noticed that the radrelay
process is not forking the detail.work file at all.

Have tried running radrelay in debug mode but was not able to find any
error other than the following
rad_verify: Received Accounting-Response packet from client
xxx.xxx.xxx.xxx port 1813 with invalid signature (err=2)!  (Shared
secret is incorrect.)

Both radius are running 1.1.3.

The error is rather strange as I'm sure that the shared secret is correct.

Best Regards,
Ryan


Re: Freeradius-Users Digest, Vol 40, Issue 3

2008-08-07 Thread Ryan Setiawan H
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
 WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm!  
Cancelling invalid proxy request.

 rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
+- entering group MS-CHAP
 rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
 rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
 rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 0)
 PEAP: Tunneled authentication was rejected.
 rlm_eap_peap: FAILURE
++[eap] returns handled
} # server nispdot1x
   EAP-Message = 
0x010a00261900170301001bf310bdd3b5003f17e6b384f8d72a7a9c7a874b3b2ae817450b07cd

   Message-Authenticator = 0x
   State = 0x1fa720c117ad3925bd7da50678295fc0
Finished request 12.
Going to the next request
Waking up in 4.6 seconds.
   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-16-36-5a-f1-e4
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   State = 0x1fa720c117ad3925bd7da50678295fc0
   EAP-Message = 
0x020a00261900170301001bc69a12bf5d23b5dedc2c6c8d537f8577436b7bded7dee8eb290178

   Message-Authenticator = 0x2a7e10fb4deef91301ba11f38f970f39
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 10 length 38
 rlm_eap: Continuing tunnel setup.
++[eap] returns ok
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 eaptls_process returned 7
 rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: Received EAP-TLV response.
 rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in 
this session.

rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 
1 cli 00-16-36-5a-f1-e4)

} # server nispdot1x
 Found Post-Auth-Type Reject
+- entering group REJECT
   expand: %{User-Name} - testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
   EAP-Message = 0x040a0004
   Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 4 ID 9 with timestamp +540
Cleaning up request 5 ID 10 with timestamp +540
Waking up in 0.1 seconds.
Cleaning up request 6 ID 11 with timestamp +540
Cleaning up request 7 ID 12 with timestamp +540
Cleaning up request 8 ID 13 with timestamp +540
Cleaning up request 9 ID 14 with timestamp +540
Cleaning up request 10 ID 15 with timestamp +540
Cleaning up request 11 ID 16 with timestamp +540
Cleaning up request 12 ID 17 with timestamp +540
Waking up in 1.0 seconds.
Cleaning up request 13 ID 18 with timestamp +540
Ready to process requests.

Thank You
Ryan Setiawan H



Re: PEAP mschapv2 using xp native supplicant

2008-08-07 Thread Ryan Setiawan H
] returns noop

++[mschap] returns noop

++[unix] returns notfound

 rlm_realm: No '@' in User-Name = "testing", looking up realm NULL

 rlm_realm: No such realm "NULL"

++[suffix] returns noop

++[control] returns noop

rlm_eap: EAP packet type response id 9 length 66

rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

++[pap] returns noop

WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm!
Cancelling invalid proxy request.

rad_check_password: Found Auth-Type EAP

auth: type "EAP"

+- entering group authenticate

rlm_eap: Request found, released from the list

rlm_eap: EAP/mschapv2

rlm_eap: processing type mschapv2

+- entering group MS-CHAP

rlm_mschap: No Cleartext-Password configured. Cannot create
LM-Password.

rlm_mschap: No Cleartext-Password configured. Cannot create
NT-Password.

rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password

rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

++[mschap] returns reject

rlm_eap: Freeing handler

++[eap] returns reject

auth: Failed to validate the user.

Login incorrect: [testing/via Auth-Type = EAP] (from client
dotix port 0)

PEAP: Tunneled authentication was rejected.

rlm_eap_peap: FAILURE

++[eap] returns handled

} # server nispdot1x

 EAP-Message =
0x010a00261900170301001bf310bdd3b5003f17e6b384f8d72a7a9c7a874b3b2ae817450b07cd

 Message-Authenticator = 0x

 State = 0x1fa720c117ad3925bd7da50678295fc0

Finished request 12.

Going to the next request

Waking up in 4.6 seconds.

 Framed-MTU = 1480

 NAS-IP-Address = 192.168.12.130

 NAS-Identifier = "ProCurve Switch 2650"

 User-Name = "testing"

 Service-Type = Framed-User

 Framed-Protocol = PPP

 NAS-Port = 1

 NAS-Port-Type = Ethernet

 NAS-Port-Id = "1"

 Called-Station-Id = "00-1c-2e-73-85-00"

 Calling-Station-Id = "00-16-36-5a-f1-e4"

 Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"

 Tunnel-Type:0 = VLAN

 Tunnel-Medium-Type:0 = IEEE-802

 Tunnel-Private-Group-Id:0 = "1"

 State = 0x1fa720c117ad3925bd7da50678295fc0

 EAP-Message =
0x020a00261900170301001bc69a12bf5d23b5dedc2c6c8d537f8577436b7bded7dee8eb290178

 Message-Authenticator = 0x2a7e10fb4deef91301ba11f38f970f39

server nispdot1x {

+- entering group authorize

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

 rlm_realm: No '@' in User-Name = "testing", looking up realm NULL

 rlm_realm: No such realm "NULL"

++[suffix] returns noop

rlm_eap: EAP packet type response id 10 length 38

rlm_eap: Continuing tunnel setup.

++[eap] returns ok

rad_check_password: Found Auth-Type EAP

auth: type "EAP"

+- entering group authenticate

rlm_eap: Request found, released from the list

rlm_eap: EAP/peap

rlm_eap: processing type peap

rlm_eap_peap: Authenticate

rlm_eap_tls: processing TLS

eaptls_verify returned 7

rlm_eap_tls: Done initial handshake

eaptls_process returned 7

rlm_eap_peap: EAPTLS_OK

rlm_eap_peap: Session established. Decoding tunneled attributes.

rlm_eap_peap: Received EAP-TLV response.

rlm_eap_peap: Had sent TLV failure. User was rejected earlier in
this session.

rlm_eap: Handler failed in EAP/peap

rlm_eap: Failed in EAP select

++[eap] returns invalid

auth: Failed to validate the user.

Login incorrect: [testing/via Auth-Type = EAP] (from client
dotix port 1 cli 00-16-36-5a-f1-e4)

} # server nispdot1x

Found Post-Auth-Type Reject

+- entering group REJECT

 expand: %{User-Name} - testing

attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 13 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 13

 EAP-Message = 0x040a0004

 Message-Authenticator = 0x

Waking up in 3.6 seconds.

Cleaning up request 4 ID 9 with timestamp +540

Cleaning up request 5 ID 10 with timestamp +540

Waking up in 0.1 seconds.

Cleaning up request 6 ID 11 with timestamp +540

Cleaning up request 7 ID 12 with timestamp +540

Cleaning up request 8 ID 13 with timestamp +540

Cleaning up request 9 ID 14 with timestamp +540

Cleaning up request 10 ID 15 with timestamp +540

Cleaning up request 11 ID 16 with timestamp +540

Cleaning up request 12 ID 17 with timestamp +540

Waking up in 1.0 seconds.

Cleaning up request 13 ID 18 with timestamp +540

Ready to process requests.


Thank You

Ryan Setiawan H



PEAP mschapv2 using xp native supplicant

2008-08-01 Thread Ryan Setiawan H

Hi all,
   I'm using eap for authentication on a wired connection (using 
freeradius 2.0.5 and an LDAP backend). Most of our clients are windows 
machines, so there's little choice of eap type: eap-MD5 or PEAP 
mschapv2.
   Using EAP-MD5 there isn't any problem; the problem begins with PEAP 
mschapv2


the debug :
-
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=xxx,dc=com, with filter 
(uid=testing)

rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items
---
clearly freeradius can see the password, and it's clear text :)
below I also added the samba schema that contains the LM and NT password
---
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time 
== Wk0800-1800
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 
0x54657374696e6731
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 
0x54657374696e6731

rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute 
Tunnel-Private-Group-Id:0 = 101
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute 
Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute 
Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute 
Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute 
Service-Type = Framed-User

rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
---
The mschap module says there's no clear text password and also can't create 
the LM and NT password:

---
   +- entering group MS-CHAP
 rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
 rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
 rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 0)
 PEAP: Tunneled authentication was rejected.

Can anyone help? Thanks


Ryan Setiawan H



Re: PEAP mschapv2 using xp native supplicant

2008-08-01 Thread Ryan Setiawan H
Oh, and also: when using the users file, PEAP just runs with no problem; the 
problem arises only when using LDAP.

Thanks



Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow

2008-07-29 Thread Ryan Pugatch
Hello everyone,

 I am having an issue where when a user attempts to authenticate the 
following error is logged:

 Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to 
allow

 FreeRADIUS receives appropriate information as to whether or not the 
credentials used were correct, but it also throws that error, which I 
suspect is an easy fix. Unfortunately, I'm not sure why it can't set that 
option correctly.

 Thanks,

 Ryan

freeradius crashing issue - malloc failures?

2008-07-28 Thread Ryan Pugatch
Hi everyone,

 I seem to be having a problem with FreeRADIUS crashing.  This time, it 
crashed on Saturday.  I noticed it was down this morning and was able to 
bring it back up.  This time difference allowed me to go through the log 
and see what happened when it crashed on Saturday. Here's the snippet 
from the log. I'd appreciate any assistance in debugging this issue.

 
 
Sat Jul 26 09:13:15 2008 : Error: TLS_accept:error in SSLv3 read client 
hello C
Sat Jul 26 09:13:15 2008 : Error: rlm_eap: SSL error error:140A1041:SSL 
routines:SSL_BYTES_TO_CIPHER_LIST:malloc failure
Sat Jul 26 09:13:15 2008 : Error: rlm_eap_tls: SSL_read failed in a system 
call (-1), TLS session fails.
Sat Jul 26 09:13:15 2008 : Auth: Login incorrect: [pcoyle] (from client 
aruba port 2 cli 0019E3D52103)
Sat Jul 26 09:14:20 2008 : Auth: Login incorrect: [pcoyle] (from client 
aruba port 2 cli 0019E3D52103)
Sat Jul 26 09:16:55 2008 : Auth: Login incorrect: [pcoyle] (from client 
aruba port 2 cli 0019E3D52103)
Sat Jul 26 09:19:30 2008 : Auth: Login incorrect: [pcoyle] (from client 
aruba port 2 cli 0019E3D52103)
Sat Jul 26 09:20:05 2008 : Error: TLS_accept:error in SSLv3 read client 
hello C
Sat Jul 26 09:20:05 2008 : Error: rlm_eap: SSL error error:140A1041:SSL 
routines:SSL_BYTES_TO_CIPHER_LIST:malloc failure
Sat Jul 26 09:20:05 2008 : Error: rlm_eap_tls: SSL_read failed in a system 
call (-1), TLS session fails.
Sat Jul 26 09:20:05 2008 : Auth: Login incorrect: [pcoyle] (from client 
aruba port 2 cli 0019E3D52103)
Sat Jul 26 09:22:10 2008 : Error: rlm_eap: SSL error error:1409C041:SSL 
routines:SSL3_SETUP_BUFFERS:malloc failure
Sat Jul 26 09:22:10 2008 : Error: rlm_eap_tls: SSL_read failed in a system 
call (-1), TLS session fails.
Sat Jul 26 09:22:10 2008 : Auth: Login incorrect: [pcoyle] (from client 
aruba port 2 cli 0019E3D52103)
Sat Jul 26 09:22:45 2008 : Error: rlm_eap: SSL error error:1409C041:SSL 
routines:SSL3_SETUP_BUFFERS:malloc failure
Sat Jul 26 09:22:45 2008 : Error: rlm_eap_tls: SSL_read failed in a system 
call (-1), TLS session fails.
Sat Jul 26 09:22:45 2008 : Auth: Login incorrect: [pcoyle] (from client 
aruba port 2 cli 0019E3D52103)
Sat Jul 26 09:23:50 2008 : Auth: Login incorrect: [pcoyle] (from client 
aruba port 2 cli 0019E3D52103)
Sat Jul 26 09:24:25 2008 : Error: rlm_eap: SSL error error:1409C041:SSL 
routines:SSL3_SETUP_BUFFERS:malloc failure
Sat Jul 26 09:24:25 2008 : Error: rlm_eap_tls: SSL_read failed in a system 
call (-1), TLS session fails.
Sat Jul 26 09:24:25 2008 : Auth: Login incorrect: [pcoyle] (from client 
aruba port 2 cli 0019E3D52103)
Sat Jul 26 09:26:36 2008 : Error: Discarding duplicate request from client 
aruba:32794 - ID: 243 due to unfinished request 991655

 Thanks,

 Ryan



Re: Re: freeradius crashing issue - malloc failures?

2008-07-28 Thread Ryan Pugatch

 - Original Message -
 From: Alan DeKok
 Sent: 07/28/08 02:21 pm
 To: FreeRadius users mailing list
 Subject: Re: freeradius crashing issue - malloc failures?
 
 Ryan Pugatch wrote:
  I seem to be having a problem with FreeRADIUS crashing. This time, it
  crashed on Saturday. I noticed it was down this morning and was able to
  bring it back up. This time difference allowed me to go through the log
  and see what happened when it crashed on Saturday. Here's the snippet
  from the log.. I'd appreciate any assistance in debugging this issue.
 ...
  Sat Jul 26 09:13:15 2008 : Error: rlm_eap: SSL error error:140A1041:SSL
  routines:SSL_BYTES_TO_CIPHER_LIST:malloc failure
 
 Your system is running out of memory. This is bad.
 
 If you're not using 2.0.5, upgrade to 2.0.5.
 
 Alan DeKok.

Re: Re: freeradius crashing issue - malloc failures?

2008-07-28 Thread Ryan Pugatch

 Sat Jul 26 09:13:15 2008 : Error: rlm_eap: SSL error error:140A1041:SSL
  routines:SSL_BYTES_TO_CIPHER_LIST:malloc failure
 
 Your system is running out of memory. This is bad.
 
 If you're not using 2.0.5, upgrade to 2.0.5.
 
 Alan DeKok.

Alan, thanks for the response.  From what I can tell, my system isn't 
running out of memory.  There are plenty of other processes that would 
mess up if that were happening.  That being said, I'm running 1.1.7, so 
I suspect I'm due for an upgrade, anyway.  I'm curious as to why Red 
Hat's repositories still only have version 1.1.3, though.

Ryan

Re: Re: Re: freeradius crashing issue - malloc failures?

2008-07-28 Thread Ryan Pugatch

 
Sorry for the duped messages; looks like my webmail client freaked out.

Re: about EAP using 1.1.7 and 2.0.3

2008-07-10 Thread Ryan Setiawan H

Alan wrote:

hi,

as Alan stated - your NAS doesnt seem to be getting
the responses from your server.  some ACL or routing issue?
(stick a sniffer directly in front of the switch...if
you need to, you may need to have a 'port mirror' or somesuch
from the switch that feeds that switch if traffic is on a mgmt
VLAN and .1q trunking is involved etc.

dont worry about the errors from the ./configure - unless
you are using any of those technologies (postgresql, oracle,
TNC or IKEv2) - your server is 'normal'

alan



Hi all,
   It's partially solved... I was using one server as the radius server and 
as the VLAN trunk that feeds the switch tagged packets, and the server was 
also the gateway. After I used another server for radius, it worked. Yeah, 
the 1.1.7 radius is on another machine (that's why it works), so it's clear 
this is not about the freeradius version. Thanks a lot all for your time.


Ryan Setiawan H



about EAP using 1.1.7 and 2.0.3

2008-07-08 Thread Ryan Setiawan H

Hi All,
   I've an issue with EAP in 802.1X. Right now I'm trying EAP-MD5 for 
802.1X using freeradius 2.0.3 and a ProCurve switch; sadly it doesn't 
work, but when I use freeradius 1.1.7 it works smoothly. I've tried not 
only the native Windows XP SP2 supplicant but also wpa_supplicant; both 
don't work with freeradius 2. I've also tried reinstalling freeradius 
2.0.3 (I forgot to use mercurial), as I thought I had misconfigured 
something, but even a fresh-from-the-oven configuration still just 
doesn't work. Here is the debug:


Sending duplicate reply to client test port 1024 - ID: 4
Cleaning up request 2 ID 4 with timestamp +46
Ready to process requests.
   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-0a-e4-13-58-c7
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   EAP-Message = 0x023a000c0174657374696e67
   Message-Authenticator = 0x55d6fa8c198752bd6c62c351b234a57b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 58 length 12
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
   users: Matched entry testing at line 102
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password:  Found Auth-Type EAP
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type EAP
+- entering group authenticate
 rlm_eap: EAP Identity
 rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 2
   NAS-Port-Type = Ethernet
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 101
   EAP-Message = 0x013b001604101fee1ce904aea0659f790123de5bc761
   Message-Authenticator = 0x
   State = 0x9e1dcf679e26cbc870b5fae6a11d133d
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Sending duplicate reply to client test port 1024 - ID: 4   <--- any 
clue what this is?

Cleaning up request 3 ID 4 with timestamp +56
Ready to process requests.

From wpa_supplicant's debug it breaks right before the EAP method 
message, so it (the supplicant) doesn't receive any MD5 Challenge from 
radius. Does anyone have the same problem? I'd really appreciate any help.

Thank you

Ryan Setiawan H



Re: about EAP using 1.1.7 and 2.0.3

2008-07-08 Thread Ryan Setiawan H

Ryan Setiawan H wrote:

  Use 2.0.5.  Or, install raddb/sites-available/inner-tunnel from the
source tree.

  Alan DeKok.

  

Hi Alan,
   Thanks for the reply. I've updated to freeradius 2.0.5, but it still 
didn't show any result; the debug is still the same.

here are the debug :

rad_recv: Access-Request packet from host 192.168.12.130 port 1024, 
id=27, length=213

   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-0a-e4-13-b8-87
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   EAP-Message = 0x0261000c0174657374696e67
   Message-Authenticator = 0xf267668d55a632d7f6ff3b2b94735eca
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 97 length 12
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
   users: Matched entry testing at line 61
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
 rlm_eap: EAP Identity
 rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 101
   EAP-Message = 0x016200160410706dc9d0aeae1c2c1fe2d41a5f8cc84a
   Message-Authenticator = 0x
   State = 0xba2a19f0ba481d03bf0d1926ffd8f60a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, 
id=27, length=213

Sending duplicate reply to client local port 1024 - ID: 27
Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
Cleaning up request 0 ID 27 with timestamp +164
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, 
id=27, length=213

   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-0a-e4-13-b8-87
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   EAP-Message = 0x0261000c0174657374696e67
   Message-Authenticator =
---
I'm not sure it will help, but I include the configure warnings for 2.0.5:

config.status: WARNING:  ./Make.inc.in seems to ignore the --datarootdir 
setting
config.status: WARNING:  ./src/include/build-radpaths-h.in seems to 
ignore the --datarootdir setting

chmod: check-radiusd-config: No such file or directory
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires:  libeap-ikev2 
EAPIKEv2/connector.h.

configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires:  -lTNCS.
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires:  libpq-fe.h libpq.
configure: WARNING: oracle headers not found.  Use 
--with-oracle-home-dir=path.

configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.
-

I'm using the default configuration; I only changed client.conf and users.
There is a clue: when I looked at the debug from 1.1.7, the second Access-Request 
had a different id, but in this debug it had the same id (that is 27), maybe because

Re: [Fwd: LDAP CHAP born again]

2008-07-02 Thread Ryan Setiawan H


Alan DeKok wrote:

 Try installing 2.0.5 in a separate directory and configuring it.  Odds
are it will work.


In time I will try to install it, but if I can't make this (LDAP CHAP)
clear, I will definitely encounter the same problem again :)


 2.0.5 has many, many fixes that aren't in 1.1.7.  Some things that are
difficult to impossible in 1.1.7 are easy in 2.0.5.

 Alan DeKok.


Right now I have already installed 2.0.3 because the dependencies are just like 1.1.7 :D 
Wow, lots of changes I see... but here we go, the debug:



  User-Name = testing
   CHAP-Password = 0xee8f74f97f724f06e54a9862f98ccef299
+- entering group authorize
++[preprocess] returns ok
 rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
   expand: (uid=%u) - (uid=testing)
   expand: ou=dialup,dc=zzz,dc=com - ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.11.17:389, authentication 0
rlm_ldap: bind as memberUid=radius,ou=admin,dc=zzz,dc=com/radiusjuga to 
192.168.11.17:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter 
(uid=testing)
rlm_ldap: Password header not found in password Testing10 for user testing
rlm_ldap: Added User-Password = Testing10 in check items
--cut--
added User-Password = Testing10 in check items: this is the debug output 
difference compared to 1.1.7
--cut--
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password:  Found Auth-Type CHAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type CHAP
+- entering group CHAP
 rlm_chap: login attempt by testing with CHAP password
 rlm_chap: Using clear text password Testing10 for user testing 
authentication.
 rlm_chap: chap user testing authenticated succesfully
++[chap] returns ok
Login OK: [testing/CHAP-Password] (from client local port 0)
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.


It just works :D thanks Alan.
However, there is this strange string: Please update your configuration so that the known good clear text password is in Cleartext-Password, and not in User-Password.

After digging around freeradius.org, I see other people also have this minor problem, 
and in a mail you say to change the attribute userPassword to 
Cleartext-Password.
But in the OpenLDAP v3 schema there isn't any attribute called Cleartext-Password...
Is there any explanation for this... everyone, if you don't mind :) . Still 
digging in the OpenLDAP forum :)
Thanks
Ryan Setiawan H




[Fwd: LDAP CHAP born again]

2008-07-01 Thread Ryan Setiawan H

Hi all,

  I've researched and googled about LDAP and CHAP :D, but until now it 
still doesn't work... here's the debug, and btw I'm using freeradius-1.1.7_2:


rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30, 
length=48

  User-Name = testing
  CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f
cut--.
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter 
(uid=testing)

rlm_ldap: checking if remote access for testing is allowed by dialupAccess
rlm_ldap: Password header not found in password Testing1 for user testing
---cut---
* As you can see, the radius module rlm_ldap can see the password for 
user testing. Here's the next one:


rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
modcall[authorize]: module preprocess returns ok for request 0
  rlm_realm: No '/' in User-Name = testing, looking up realm NULL
  rlm_realm: No such realm NULL
modcall[authorize]: module IPASS returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
rlm_chap: login attempt by testing with CHAP password
rlm_chap: Could not find clear text password for user testing
modcall[authenticate]: module chap returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0
auth: Failed to validate the user.
cut-
* This is a classic problem, but until now there hasn't been any straight answer 
for this one.


Based on the FAQ at 
http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F,
it is possible to use CHAP with an LDAP backend; there is also a clue 
that parameters like

password_header = {clear}
password_attribute = userPassword
password_radius_attribute = User-Password

must be set, but how?
I'm still trying to read the code (like rlm_chap.c) to see what 
attribute rlm_chap reads for the password that was passed by the 
ldap module, but it is so arcane, and debugging code is twice as hard as 
writing the code in the first place.


Does anyone have a solution for this matter?





Re: [Fwd: LDAP CHAP born again]

2008-07-01 Thread Ryan Setiawan H

Hi Alan, thanks for your reply

Alan Dekok wrote :

 If the LDAP server gives FreeRADIUS the clear-text password, then CHAP
should work.


Yes, the LDAP server already gave the clear text password, as you can see in the debug 
below:


rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30,
length=48

  User-Name = testing
  CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f
cut--.
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter
(uid=testing)
rlm_ldap: checking if remote access for testing is allowed by dialupAccess
rlm_ldap: Password header not found in password Testing1 for user testing


 And does CHAP work for this user?


No... what I mean is that the ldap module (rlm_ldap) could see the password for user 
testing, that is Testing1 (yes, this is the password).
The LDAP module should pass this clear text password (Testing1) to the CHAP module to 
authenticate.


also there is a clue
that parameters like
password_header = {clear}
password_attribute = userPassword
password_radius_attribute = User-Password
must be set, but how?


 in the ldap section of radiusd.conf, where the LDAP parameters are
configured.


Yes, I've configured those strings in the ldap section of radiusd.conf...
For password_attribute, clearly it must contain userPassword (the attribute in which the LDAP server keeps the password).

But how about password_radius_attribute? From the FAQ, 
password_radius_attribute is the radius attribute where the user password will be 
stored after being extracted from LDAP.
Should password_radius_attribute contain the string User-Password, or Clear-text 
Password, or maybe CHAP-Password? What attribute does CHAP read for authentication?


i'm still trying to read the code (like rlm_chap.c) to see what
attribute rlm_chap reads for the password that was passed by the
ldap module, but it is so arcane, and debugging code is twice as hard as
writing the code in the first place


 Don't read the code.  It won't help you.


Yeah... it's killing me (the code) :D


anyone has solution for this matter?


 Try installing 2.0.5 in a separate directory and configuring it.  Odds
are it will work.


In time I will try to install it, but if I can't make this (LDAP CHAP) clear... 
I will definitely encounter the same problem again :)

Thank You
Ryan Setiawan H





stripping domain from username (for wifi authentication on Windows XP)

2008-05-13 Thread Ryan Pugatch
Hello everyone,



I am using freeradius to have my wifi network use my LDAP credentials for 
authentication.  However, Windows has this glorious default setting that 
automatically passes the domain username and password to the radius server 
to authenticate for wifi access.  While I can easily uncheck a box to make 
that behavior not happen, it would be great if I could just have radius 
accept those credentials.  The windows domain and radius both use the same 
LDAP directory.  The only issue is Windows sends the username as 
DOMAIN\\username.  Is it possible to have freeradius ignore the DOMAIN\\ 
part of the username?



Thanks in advance.





Ryan Pugatch


Re: Re: stripping domain from username (for wifi authentication on Windows XP)

2008-05-13 Thread Ryan Pugatch

 - Original Message -
 From: [EMAIL PROTECTED]
 Sent: 11:10 am
 To: FreeRadius users mailing list
 Subject: Re: stripping domain from username (for wifi authentication on 
 Windows XP)
 
 Hi,
  Hello everyone,
  
  
  
  I am using freeradius to have my wifi network use my LDAP credentials 
 for 
  authentication.  However, Windows has this glorious default setting 
 that 
  automatically passes the domain username and password to the radius 
 server 
  to authenticate for wifi access.  While I can easily uncheck a box to 
 make 
  that behavior not happen, it would be great if I could just have radius 
  accept those credentials.  The windows domain and radius both use the 
 same 
  LDAP directory.  The only issue is Windows sends the username as 
  DOMAIN\\username.  Is it possible to have freeradius ignore the 
 DOMAIN\\ 
  part of the username?
 
 yes, check the configuration files for the prefix part. 
 are you using 1.1.x or 2.0.x? if 1.1.x you can
 also you the rewrite module to copy User-Name to Stripped-User-Name
 and then blow away the DOMAIN\\ part - or any preceding STUFF\\
 if you use 2.0.x then use unlang to do the same job efficiently
 when and where you need it.
 
 alan
 -
 
    Alan,
 
 Thanks for the response.  I'm using 1.1.x.  Currently, I have the ldap 
 filter defined as:
 
  filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 
  I have enabled with_ntdomain_hack on preprocess.
 
  However, since doing that, I am receiving the following error:
 
  Tue May 13 11:34:39 2008 : Error: rlm_eap: Identity does not match 
 User-Name, setting from EAP Identity.
 
 Tue May 13 11:34:39 2008 : Auth: Login incorrect: [rpugatch] (from client 
 aruba port 3 cli 001F3A4CE09E)
 
  This worked before enabling with_ntdomain_hack.  It seems like the 
 username is now being stripped properly, but it isn't matching something 
 properly.  Unfortunately, I don't seem to understand exactly what is 
 going wrong.
 
  Ryan
 
 
  
 
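The log line quoted above, "rlm_eap: Identity does not match User-Name, setting from EAP Identity", comes from a comparison rlm_eap makes between the identity carried inside the EAP-Message attribute and the User-Name attribute. The following is an added illustration of that check, not code from this thread or from FreeRADIUS: a small RFC 3748 EAP header parser, a function that extracts the identity from an EAP-Response/Identity, and the comparison itself. The sample packets are constructed here; the domain name CORP and the helper names are assumptions made for the example. When a module rewrites User-Name (for instance to strip a DOMAIN\ prefix) while the EAP Identity still carries the original string, the two stop matching, which is exactly the condition the example reproduces.

```python
# Added example, not code from the list post or from FreeRADIUS: the comparison
# behind the "rlm_eap: Identity does not match User-Name" message. rlm_eap reads
# the identity carried in EAP-Message and compares it with the User-Name attribute.
import struct
from typing import Optional

EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def parse_eap_message(raw: bytes) -> dict:
    """Split an EAP packet (RFC 3748, section 4) into its header fields and payload."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # A forged or truncated Length field is the classic parser pitfall; reject it.
        raise ValueError(f"EAP Length field {length} does not match {len(raw)} bytes received")
    packet = {"code": code, "id": identifier, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response must carry a Type byte")
        packet["type"] = raw[4]
        packet["data"] = raw[5:]
    return packet


def eap_identity(raw: bytes) -> Optional[str]:
    """Return the identity from an EAP-Response/Identity, or None for any other packet."""
    pkt = parse_eap_message(raw)
    if pkt["code"] != EAP_RESPONSE or pkt.get("type") != EAP_TYPE_IDENTITY:
        return None
    # RFC 3748 allows a NUL plus display text after the identity; keep the identity only.
    return pkt["data"].split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Construct an EAP-Response/Identity packet (used here to make sample input)."""
    data = identity.encode("utf-8")
    header = struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY)
    return header + data


def strip_nt_domain(name: str) -> str:
    """Drop a leading DOMAIN\\ prefix, the way a User-Name rewrite would (assumed helper)."""
    return name.rsplit("\\", 1)[-1]


def identity_matches_user_name(user_name: str, raw_eap: bytes) -> bool:
    """True when the EAP Identity and User-Name agree, so rlm_eap would not rewrite User-Name."""
    identity = eap_identity(raw_eap)
    return identity is not None and identity == user_name


# Constructed samples: a plain identity and one carrying a Windows-style domain prefix.
SAMPLE_EAP = build_identity_response(0x0D, "rpugatch")
DOMAIN_EAP = build_identity_response(0x0D, "CORP\\rpugatch")

if __name__ == "__main__":
    print(SAMPLE_EAP.hex())                                    # 020d000d017270756761746368
    print(identity_matches_user_name("rpugatch", SAMPLE_EAP))  # True
    # Rewriting only User-Name leaves the EAP Identity untouched, so the two no longer match.
    print(identity_matches_user_name(strip_nt_domain("CORP\\rpugatch"), DOMAIN_EAP))  # False
```

The point for a deployment is that User-Name and the EAP Identity are two copies of the same string supplied by the client; any rewrite applied to one and not the other shows up as this log line, and the name that then reaches the LDAP filter is the one rlm_eap copies back from the EAP Identity.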

Re: Re: stripping domain from username (for wifi authentication on Windows XP)

2008-05-13 Thread Ryan Pugatch
 
 - Original Message -
 From: Alan DeKok
 Sent: 02:32 pm
 To: FreeRadius users mailing list
 Subject: Re: stripping domain from username (for wifi authentication on 
 Windows XP)
 
 Ryan Pugatch wrote:
 ...
  Thanks for the response. I'm using 1.1.x. Currently, I have the ldap
  filter defined as:
 
  filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" 
 
  I have enabled with_ntdomain_hack on preprocess.
 
 Don't.
 
 Use: filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
 
 The MS-CHAP module is smart enough to know about horrible Microsoft
 DOMAIN\user things.
 
 Alan DeKok.
 -
 
   Worked like a charm.  Thank you, Alan.
 
  Ryan

Possible to update radius reply with additional attributes that are dynamic

2008-05-07 Thread Ryan
Hi,

I have a radius running on 1.1.3 with authentication via LDAP. Does
anyone know if it is possible to add attributes to the radius reply
based on the radiusClass from LDAP as well as the NAS-IP?

Thanks/Regards,
Ryan


Re: Possible to limit user access to different types of authentication?

2008-04-21 Thread Ryan
Hi Alan,

Thanks for the update. I have read through man unlang as well. I
overlooked the part about the additional Cisco-AVPair attribute, as
it was only available after authentication is done.

I have worked around it using the proxy-inner-tunnel method to
terminate the EAP on the front radius and then proxy MS-CHAP to an
internal radius that will do an LDAP bind with an additional
attribute.

As the front radius will also handle EAP requests that will not be
handled by the internal radius, will it just proxy the EAP request
based on the domain or it will terminate and forward to my internal
radius instead?

Thanks/Regards,
Ryan

On Fri, Apr 18, 2008 at 4:44 PM,
[EMAIL PROTECTED] wrote:
  Date: Fri, 18 Apr 2008 07:55:42 +0200
  From: Alan DeKok [EMAIL PROTECTED]
  Subject: Re: Possible to limit user access to different types   of
 authentication?
  To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org

  Ryan wrote:
   Did some further searching on the listing and noticed that it is
   possible to do a string compared in the authorize and authenticate
   sections.

  $ man unlang

   However running radius in debug mode will return the following error.
  
   (Attribute Cisco-AVPair was not found)

   Because the attribute isn't in the request.  Go look at the packet
  that the server received.  There is no such attribute in it.

   I know that it is possible to match the Cisco-AVPair in the users
   file. Can we do the same in the authorize/authenticate sections as
   well?

   Yes.  This is documented in the unlang man page.  But if the
  attribute isn't in the request, you can't compare it to anything.

   Alan DeKok.


Re: Possible to limit user access to different types of authentication?

2008-04-17 Thread Ryan
Did some further searching on the listing and noticed that it is
possible to do a string comparison in the authorize and authenticate
sections.

As users using PAP are connecting via one SSID and users using
802.1x(PEAP) are connecting using another SSID, I figured out that I
can have a configuration with two different ldap settings, one
checking just userPassword and another checking userPassword as well
as an additional attribute via the parameter 'access_attr =
EAPaccess'.

Added the configuration as follows under authorize and authenticate
sections in the site-enabled/default file.

if (Cisco-AVPair == "ssid=mynetwork") {
	ldap1
}

else {
	ldap
}

However running radius in debug mode will return the following error.

(Attribute Cisco-AVPair was not found)

I know that it is possible to match the Cisco-AVPair in the users
file. Can we do the same in the authorize/authenticate sections as
well?

Thanks/Regards,
Ryan

On Wed, Apr 16, 2008 at 10:04 PM, Ryan [EMAIL PROTECTED] wrote:
 Hi All,

  I'm currently using 2.0.3 with authentication via LDAP. Currently I
  have situation whereby there is a requirement to explore on limiting
  access to the various types of authentication available.

  Is it possible to configure to do so? That is some users can
  authenticate using just PAP and some other users can connect using
  EAP-PEAP?

  Thanks/Regards,
  Ryan



Possible to limit user access to different types of authentication?

2008-04-16 Thread Ryan
Hi All,

I'm currently using 2.0.3 with authentication via LDAP. Currently I
have a situation whereby there is a requirement to explore limiting
access to the various types of authentication available.

Is it possible to configure to do so? That is some users can
authenticate using just PAP and some other users can connect using
EAP-PEAP?

Thanks/Regards,
Ryan


Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP

2008-03-24 Thread Ryan
I enabled MS-CHAP on the radius to which the request is to be proxied.
Using the configuration mentioned in
http://lists.freeradius.org/pipermail/freeradius-users/2008-February/069292.html
as a guide, I was able to configure the radius to proxy the request as
plain MS-CHAP, but encountered some problems when the response is
returned.

Will address this in a separate message as the subject is no longer appropriate.

Regards,
Ryan

On Mon, Mar 24, 2008 at 10:30 AM, Ryan [EMAIL PROTECTED] wrote:
 Ok, thanks for pointing this out.

  I suppose I will have to either enable EAP on the radius for the EAP
  request to be proxied or have MSCHAP configured on it. Though using
  EAP will mean I need to recompile the radius, as I'm using the source
  packages. The radius that I need to proxy to runs 1.1.7 with LDAP.

  Do you have any advice on which will be a better approach?

  Thanks/Regards,
  Ryan

You can't do that. Inner tunnel for PEAP is EAP-MSCHAPv2 and you can
proxy that. You can't transform that into PAP. If you have a look at
the thread you have quoted you will see that his users were using
EAP-TTLS PAP not PEAP.
  
Ivan Kalik
Kalik Informatika ISP
  
  
On 22/3/2008, Ryan [EMAIL PROTECTED] wrote:
  
Sorry for being not specific enough. Was thinking of understanding how
it works and then figure out the configuration myself.

Basically I need to terminate a request that uses EAP/PEAP on the main
radius and proxy the request to an inner radius server for
authentication using PAP. What will I need to configure in order to
get it forwarded correctly?

Thanks/Regards,
Ryan

Ryan wrote:
 Just read through some of the messages available on proxy tunneling.
 I'm currently using 2.0.2 and read through the examples on inner
 tunnel which seems to be able to do what I need. Can someone help by
 providing more details on how it actually works?

 PEAP authentication is really SSL + authentication inside of the SSL
tunnel.  So... the server handles authentication outside of the
tunnel, and authentication inside of the tunnel as independent
authentications.

 Do you have *specific* questions?  Asking how does it work is rather
open-ended.

 Alan DeKok.





Terminate EAP-PEAP client connection at FreeRadius and proxy(forward) request as MS-CHAP

2008-03-24 Thread Ryan
 the State variable.
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  rlm_eap: Failed in handler
++[eap] returns invalid
  PEAP: Can't handle the return code 4
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
--

Thanks/Regards,
Ryan


Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP

2008-03-23 Thread Ryan
Ok, thanks for pointing this out.

I suppose I will have to either enable EAP on the radius for the EAP
request to be proxied or have MSCHAP configured on it. Though using
EAP will mean I need to recompile the radius, as I'm using the source
packages. The radius that I need to proxy to runs 1.1.7 with LDAP.

Do you have any advice on which will be a better approach?

Thanks/Regards,
Ryan

  You can't do that. Inner tunnel for PEAP is EAP-MSCHAPv2 and you can
  proxy that. You can't transform that into PAP. If you have a look at
  the thread you have quoted you will see that his users were using
  EAP-TTLS PAP not PEAP.

  Ivan Kalik
  Kalik Informatika ISP


  On 22/3/2008, Ryan [EMAIL PROTECTED] wrote:

  Sorry for being not specific enough. Was thinking of understanding how
  it works and then figure out the configuration myself.
  
  Basically I need to terminate a request that uses EAP/PEAP on the main
  radius and proxy the request to an inner radius server for
  authentication using PAP. What will I need to configure in order to
  get it forwarded correctly?
  
  Thanks/Regards,
  Ryan
  
  Ryan wrote:
   Just read through some of the messages available on proxy tunneling.
   I'm currently using 2.0.2 and read through the examples on inner
   tunnel which seems to be able to do what I need. Can someone help by
   providing more details on how it actually works?
  
   PEAP authentication is really SSL + authentication inside of the SSL
  tunnel.  So... the server handles authentication outside of the
  tunnel, and authentication inside of the tunnel as independent
  authentications.
  
   Do you have *specific* questions?  Asking how does it work is rather
  open-ended.
  
   Alan DeKok.
  
  


Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP

2008-03-22 Thread Ryan
Sorry for being not specific enough. Was thinking of understanding how
it works and then figure out the configuration myself.

Basically I need to terminate a request that uses EAP/PEAP on the main
radius and proxy the request to an inner radius server for
authentication using PAP. What will I need to configure in order to
get it forwarded correctly?

Thanks/Regards,
Ryan

Ryan wrote:
 Just read through some of the messages available on proxy tunneling.
 I'm currently using 2.0.2 and read through the examples on inner
 tunnel which seems to be able to do what I need. Can someone help by
 providing more details on how it actually works?

 PEAP authentication is really SSL + authentication inside of the SSL
tunnel.  So... the server handles authentication outside of the
tunnel, and authentication inside of the tunnel as independent
authentications.

 Do you have *specific* questions?  Asking how does it work is rather
open-ended.

 Alan DeKok.


Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP

2008-03-21 Thread Ryan
Just read through some of the messages available on proxy tunneling.
I'm currently using 2.0.2 and read through the examples on inner
tunnel which seems to be able to do what I need. Can someone help by
providing more details on how it actually works?

Thanks/Regards
Ryan

On Thu, Mar 20, 2008 at 9:12 PM, Ryan [EMAIL PROTECTED] wrote:
 Hi All,

  I'm having a problem trying to configure proxy from one radius to
  another. Users are connecting using 802.1x with EAP/PEAP. There are
  two groups of users, one group are authenticated on the main radius
  using local LDAP. However for the second group of users, they have to
  be authenticated via the radius proxy. The problem is the radius proxy
  does not have EAP configured and its not an option to reconfigure it
  with EAP.

  From the threads, I found that something similar in
  http://lists.freeradius.org/pipermail/freeradius-users/2008-February/069230.html
  applies as well; will this apply to my situation as well?

  Thanks/Regards,
  Ryan



Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP

2008-03-20 Thread Ryan
Hi All,

I'm having a problem trying to configure proxy from one radius to
another. Users are connecting using 802.1x with EAP/PEAP. There are
two groups of users, one group are authenticated on the main radius
using local LDAP. However for the second group of users, they have to
be authenticated via the radius proxy. The problem is the radius proxy
does not have EAP configured and its not an option to reconfigure it
with EAP.

From the threads, I found that something similar in
http://lists.freeradius.org/pipermail/freeradius-users/2008-February/069230.html
applies as well; will this apply to my situation as well?

Thanks/Regards,
Ryan


RE: EAP-PEAP with LDAP for 802.1x authentication

2008-02-28 Thread Ryan
I have installed smbldap-tools and tried to modify existing LDAP
records using smbldap-usermod after updating the smbldap.conf and
smbldap_bind.conf to connect to the LDAP but I keep getting an error
that user cannot be found.

Using ldapsearch, syslog shows

Feb 28 17:54:42 advert slapd[5679]: connection_get(10)
Feb 28 17:54:42 advert slapd[5679]: == bdb_bind: dn: cn=admin,o=com
Feb 28 17:54:42 advert slapd[5679]: send_ldap_result: err=0 matched= text=
Feb 28 17:54:42 advert slapd[5679]: connection_get(10)
Feb 28 17:54:42 advert slapd[5679]: SRCH o=com 2 0
Feb 28 17:54:42 advert slapd[5679]: 0 0 0
Feb 28 17:54:42 advert slapd[5679]: filter:
((objectClass=advert-account)(uid=samba_servers))
Feb 28 17:54:42 advert slapd[5679]: attrs:

But using smbldap-usermod, syslog shows

Feb 28 17:57:25 advert slapd[5679]: connection_get(10)
Feb 28 17:57:25 advert slapd[5679]: == bdb_bind: dn: cn=admin,o=com
Feb 28 17:57:25 advert slapd[5679]: send_ldap_result: err=0 matched= text=
Feb 28 17:57:25 advert slapd[5679]: connection_get(10)
Feb 28 17:57:25 advert slapd[5679]: SRCH o=com 2 2
Feb 28 17:57:25 advert slapd[5679]: 0 0 0
Feb 28 17:57:25 advert slapd[5679]: filter:
((?=undefined)(uid=samba_servers))
Feb 28 17:57:25 advert slapd[5679]: attrs:
Feb 28 17:57:25 advert slapd[5679]:
Feb 28 17:57:25 advert slapd[5679]: bdb_idl_fetch_key: [b49d1940]
Feb 28 17:57:25 advert slapd[5679]: send_ldap_result: err=0 matched= text=
Feb 28 17:57:25 advert slapd[5679]: connection_get(10)

This is not a freeradius issue but can someone advise what could be the problem?

Regards,
Ryan


RE: EAP-PEAP with LDAP for 802.1x authentication

2008-02-25 Thread Ryan
Passwords are currently encrypted in LDAP. In this case, am I correct
to say that I will need to add both nt hash and NT-Password to LDAP
using smb-ldap related tools for it to work with PEAP? Will samba be
required to be configured on my LDAP server?

Thanks/Regards,
Ryan
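The NT hash asked about above is the value an NT-Password check item (or the sambaNTPassword attribute that the default ldap.attrmap maps onto NT-Password, as the radiusd -X output later in this archive shows) has to hold for MS-CHAPv2 inside PEAP to work. As an added example, not code from this thread or from FreeRADIUS or smbldap-tools, the block below derives that hash: MD4 over the password encoded as UTF-16LE, with no salt and no iteration. MD4 is written out in full because Python builds on OpenSSL 3 frequently lack hashlib's MD4; the sample password is constructed for the example.

```python
# Added example, not code from the list post or FreeRADIUS itself: derive the NT hash
# that an NT-Password check item (or the sambaNTPassword LDAP attribute) holds, which
# is what smbencrypt prints in its "NT Hash" column. The NT hash is MD4 over the
# password encoded as UTF-16LE, with no salt and no iteration.
# MD4 is implemented here because Python builds on OpenSSL 3 often lack hashlib MD4.
import struct


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _f(x: int, y: int, z: int) -> int:
    return (x & y) | (~x & z)


def _g(x: int, y: int, z: int) -> int:
    return (x & y) | (x & z) | (y & z)


def _h(x: int, y: int, z: int) -> int:
    return x ^ y ^ z


# (round function, additive constant, message-word order, shift amounts) from RFC 1320
_ROUNDS = (
    (_f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (_g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(message: bytes) -> bytes:
    """RFC 1320 MD4 digest of message."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    # Pad with 0x80, zeros up to 56 mod 64, then the bit length as a 64-bit little-endian word.
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for offset in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[offset:offset + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, order, shifts in _ROUNDS:
            for i, idx in enumerate(order):
                t = (a + func(b, c, d) + x[idx] + k) & 0xFFFFFFFF
                # Each step updates one word and rotates the roles: ABCD, DABC, CDAB, BCDA.
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        a = (a + aa) & 0xFFFFFFFF
        b = (b + bb) & 0xFFFFFFFF
        c = (c + cc) & 0xFFFFFFFF
        d = (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Uppercase hex NT hash, the value an NT-Password check item or radcheck row stores."""
    return md4(password.encode("utf-16-le")).hex().upper()


if __name__ == "__main__":
    # Constructed sample password; the result matches smbencrypt's NT Hash column.
    print(nt_hash("password"))  # 8846F7EAEE8FB117AD06BDD830B7586C
```

Because the hash is unsalted and is all MS-CHAPv2 needs to answer a challenge, the LDAP attribute that stores it is password-equivalent: give it the same read ACLs as the cleartext password itself, and restrict it to the bind DN FreeRADIUS uses.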


Machine auth without cert - EAP-PEAP/MSCHAPV2

2008-02-25 Thread Ryan Kramer
I've been experimenting with machine auth without using a cert, but I seem
to be stuck on the fact that FreeRadius will not authenticate a local user.

I see the request come across through debugging with a username of
host/mymachine.mydomain.com, and no password, and in my users file I have

host/mymachine.mydomain.com Cleartext-Password = "", Auth-Type := Local,
MS-CHAP-Use-NTLM-Auth := 0
	Filter-ID = "WIRELESS-USER",
	Fall-Through = 0

but for some reason it never authenticates...  I've tried it both with and without
the MS-CHAP option; that doesn't seem to change it.  Also tried
User-Password instead of Cleartext-Password, no change.  Any suggestions?

Ryan

Configuring radrelay using proxy.conf in v2.0.1

2008-02-24 Thread Ryan
Upgraded to 2.0.2 and got the radrelay working using proxy.conf

Ryan


EAP-PEAP with LDAP for 802.1x authentication

2008-02-24 Thread Ryan
Hi All,

I understand that it is not possible to authenticate using EAP-PEAP
against OpenLDAP due to encrypted passwords. Can someone advise on how
exactly OpenLDAP needs to be configured so that it can be used with
EAP-PEAP?

I found out from http://vuksan.com/linux/dot1x/802-1x-LDAP.html that
to do so, additional attributes need to be added to LDAP. Is this the
only way?

Thanks/Regards,
Ryan


Configuring radrelay using proxy.conf in v2.0.1

2008-02-05 Thread Ryan
Dear Everyone,

I need some advice/help on configuring proxy.conf to replicate the
radrelay function that was available in v1.1.3. However, I was not able
to find any information so far, as radrelay has been deprecated in
v2.0.1.

Previously I used /usr/local/bin/radrelay -n name_of_radius_server
detail-combined -f to relay the details to another radius server. How
will the configuration be done in proxy.conf in v2.0.1?

Thanks/Regards,
Ryan


Re: rlm_ldap: Attribute User-Name is required for authentication.

2007-11-07 Thread Ryan Pugatch




Ryan Pugatch wrote:

Alan DeKok wrote:

  That isn't the full output of radiusd -X.  There's a lot missing.

Full output below.

  You are editing the User-Name in one of the modules.  Why?

To my knowledge, I'm not, or not on purpose anyway.

I redid my configuration file, as I believe there was a mistake 
somewhere.  However, it seems to be that now preprocess is causing 
radiusd to segfault.  I ran radiusd under gdb to get more information.. 
so if anyone has a clue as to why preprocess is making radiusd segfault, 
let me know!  Thanks.


(gdb) run
Starting program: /usr/local/sbin/radiusd -X -f
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1208002880 (LWP 5404)]
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = @libdir@
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is @libdir@
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/openldap/homer.key
 tls: certificate_file = /etc/openldap/homer.crt
 tls: CA_file = /etc/openldap/cacert
 tls: private_key_password = suppressed
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded LDAP
 ldap: server = suppressed
 ldap: port = 389
 ldap: net_timeout = 1

Re: rlm_ldap: Attribute User-Name is required for authentication.

2007-11-07 Thread Ryan Pugatch


Alan DeKok wrote:

  That isn't the full output of radiusd -X.  There's a lot missing.

Full output below.

  You are editing the User-Name in one of the modules.  Why?

To my knowledge, I'm not, or not on purpose anyway.

radiusd -X -f output:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = @libdir@
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is @libdir@
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded LDAP
 ldap: server = suppressed
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = cn=Manager,dc=tripadvisor,dc=com
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = suppressed
 ldap: basedn = ou=People,dc=tripadvisor,dc=com
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = (null)
 ldap: password_attribute = userPassword
 ldap: access_attr = uid
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter = 
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort 

segfault when router attempts to authenticate against radiusd - modcall: entering group authorize for request 0

2007-11-06 Thread Ryan Pugatch

Greetings,

I'm attempting to have my Linksys WRT54GL (running DD-WRT v23 SP2) use 
WPA RADIUS against a FreeRADIUS server (FreeRADIUS Version 1.1.7, for 
host i686-pc-linux-gnu) and subsequently have the FreeRADIUS server use 
our existing LDAP directory (OpenLDAP v2.2.13-4).  It appears when a 
user tries to connect to the router and enters their credentials, 
freeradius segfaults:



Ready to process requests.
rad_recv: Access-Request packet from host 192.168.42.23:2055, id=0, 
length=129

User-Name = rpugatch
NAS-IP-Address = 192.168.42.23
Called-Station-Id = 0018f8c16a5a
Calling-Station-Id = 0017f2e7032a
NAS-Identifier = 0018f8c16a5a
NAS-Port = 14
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020d017270756761746368
Message-Authenticator = 0x229f552c4b2805f9bd66bce70bdecd54
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Segmentation fault


I'm guessing that the radius server may be having trouble getting the 
user data from the LDAP directory, however I'd like to get more 
information as to what is causing radiusd to die.


I would appreciate any help I could get.



Thanks,

Ryan Pugatch


Re: [resolved] segfault when router attempts to authenticate against radiusd - modcall: entering group authorize for request 0

2007-11-06 Thread Ryan Pugatch



Ryan Pugatch wrote:

Greetings,

I'm attempting to have my Linksys WRT54GL (running DD-WRT v23 SP2) use 
WPA RADIUS against a FreeRADIUS server (FreeRADIUS Version 1.1.7, for 
host i686-pc-linux-gnu) and subsequently have the FreeRADIUS server use 
our existing LDAP directory (OpenLDAP v2.2.13-4).  It appears when a 
user tries to connect to the router and enters their credentials, 
freeradius segfaults:



Ready to process requests.
rad_recv: Access-Request packet from host 192.168.42.23:2055, id=0, 
length=129

User-Name = rpugatch
NAS-IP-Address = 192.168.42.23
Called-Station-Id = 0018f8c16a5a
Calling-Station-Id = 0017f2e7032a
NAS-Identifier = 0018f8c16a5a
NAS-Port = 14
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020d017270756761746368
Message-Authenticator = 0x229f552c4b2805f9bd66bce70bdecd54
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Segmentation fault


I'm guessing that the radius server may be having trouble getting the 
user data from the LDAP directory, however I'd like to get more 
information as to what is causing radiusd to die.


I would appreciate any help I could get.



Thanks,

Ryan Pugatch





Nevermind, cleaned up my radiusd.conf and seemed to have solved this issue.


rlm_ldap: Attribute User-Name is required for authentication.

2007-11-06 Thread Ryan Pugatch

Hello,

While I resolved my previous issue with radiusd segfaulting, I'm now 
running in to a new issue.



I'm attempting to have my Linksys WRT54GL (running DD-WRT v23 SP2) use 
WPA RADIUS against a FreeRADIUS server (FreeRADIUS Version 1.1.7, for 
host i686-pc-linux-gnu) and subsequently have the FreeRADIUS server use 
our existing LDAP directory (OpenLDAP v2.2.13-4).


When a user tries to connect to the access point and the access point 
contacts the radius server, the following happens:



Ready to process requests.
rad_recv: Access-Request packet from host 192.168.42.23:2050, id=0, 
length=129

User-Name = rpugatch
NAS-IP-Address = 192.168.42.23
Called-Station-Id = 0018f8c16a5a
Calling-Station-Id = 0017f2e7032a
NAS-Identifier = 0018f8c16a5a
NAS-Port = 14
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020d017270756761746368
Message-Authenticator = 0xe1b0b05b118ebe49d6b79b7569de75b1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_ldap: - authorize
rlm_ldap: Attribute User-Name is required for authentication.
  modcall[authorize]: module ldap returns invalid for request 0
modcall: leaving group authorize (returns invalid) for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---



This is most likely an issue with my configuration, however, I'm not 
sure what the issue is.  I'd appreciate any help I can get.



Thanks,

Ryan


Re: radiusd deadlock on recvfrom on port 1814

2007-11-06 Thread Ryan Melendez

  I haven't figured out what port 1814 is actually used for.  Is there
  anything I could do to disable the proxy port on one or both of the
  servers?  What would I lose?
 
   The ability to send packets to other servers.  1814 is used when
 FreeRADIUS is acting as a RADIUS client (i.e. proxy).

Am I right to assume the only time data should be read on port 1814 is
when there is a reply to a proxied request?  Specifically freeradius
proxied an auth/acct packet on port 1814 and the home server replied on
port 1814.  The only data that should show up on 1814 is that reply from
the home server?

Thanks,
Ryan


Re: radiusd deadlock on recvfrom on port 1814

2007-11-02 Thread Ryan Melendez

On Fri, 2007-11-02 at 14:33 +0100, Alan DeKok wrote:
 Ryan Melendez wrote:
  I'm not positive that select is lying about data being available. It
  could be that there is data when select is called, but _something_ out
  of line grabs it before recvfrom() can get to it.
 
   Like what?  There is nothing else listening on that IP address/port.
 The socket API makes sure of that.

I wish I knew.  One thing I specifically mention is that the two radius
servers are bound to two different virtual interfaces with unique IPs.
So both servers are running on the same physical interface.  My only
guess at this point is that something is going on with how virtual
interfaces work under the hood.  So something lower than the socket
API...

So I'm now wondering if there is something fundamentally wrong with how
the kernel treats two udp sockets:

1)listening on the same port
2)bound to two different IPs, one of which is a VIF on the same physical
interface
3)in two entirely different processes 

I'm inclined to say hell no, but stranger things have happened.

  Again, this only started happening when I began running two radiusd
  processes on different interfaces on a multihomed system.  I also have
  radrelay binding to one interface and replicating acct packets to the
  other process.
 
   Hmm... even 1.1.x can have one process listen on multiple interfaces.
  Why not try that?
I need to replicate acct data. I have radrelay replicating the data from
the detail file of one server to the other server bound to a virtual
interface.  This is the only way I found I could replicate the data
while still getting the failover/unique proxy/timeout requirements.  The
second radius server only gets acct packets via radrelay originally sent
to the first radius server.


I haven't figured out what port 1814 is actually used for.  Is there
anything I could do to disable the proxy port on one or both of the
servers?  What would I lose?


Thanks,
Ryan


Re: radiusd deadlock on recvfrom on port 1814

2007-10-31 Thread Ryan Melendez

On Wed, 2007-10-31 at 08:13 +0100, Alan DeKok wrote:
 Ryan Melendez wrote:
  recvfrom() blocks on datagram sockets just like any other type of socket
  unless it gets a SO_RCVTIMEO or the O_NONBLOCK is set (in which case you
  would receive an error). 
 
   Hmm... I guess I hadn't run into that before, because select() never
 lied about data being available.
 
   The simplest solution on your system is to set O_NONBLOCK on the
 sockets.  But that is just a work-around for the kernel bug (i.e. race
 condition).  If data is ready on a socket, it means that data is
 ready... blocking on the recvfrom() after telling the application that
 data is ready is not very nice.

I'm not positive that select is lying about data being available. It
could be that there is data when select is called, but _something_ out
of line grabs it before recvfrom() can get to it.  The only time I've
run into this in the past (not freeradius) is when some flavor of read is
called on the socket outside the select loop (bad programming).  I can't
see anywhere this is happening in freeradius.

Again, this only started happening when I began running two radiusd
processes on different interfaces on a multihomed system.  I also have
radrelay binding to one interface and replicating acct packets to the
other process.

I suspect you are correct that there is some race condition in the kernel,
possibly regarding pthread.  I'm going to continue investigating; I'll
make the socket non-blocking as a last resort.

If anyone has experienced this problem before, or has any suggestions
please let me know.

Thanks,
Ryan

 
   Alan DeKok.


Re: radiusd deadlock on recvfrom on port 1814

2007-10-30 Thread Ryan Melendez

On Thu, 2007-10-18 at 01:10 +0200, Alan DeKok wrote:
 Ryan Melendez wrote:
  I've had FreeRADIUS Version 1.1.0 hang twice recently.  The core dumps
  are very similar in that it appears that main is waiting on some stuff
  from port 1814.  Honestly I don't know what 1814 is really for (proxy
  port?) but it seems as if fd_isset says so we should expect some data on
  that socket.  Unless something _else_ had already received that data.
 
   1814 is for proxying, yes.  And it shouldn't hang... it should do
 *something* at least.
 
  I hadn't noticed this before I added radrelay and another radiusd
  process on the same box.  Both radiusd processes are bound to different
  virtual interfaces and radrelay is duplicating acct packets from one to
  the other.  It's not obvious why there would be a race condition on that
  socket, but my guess is something is going on there.  It seems as though
  both radiusd processes are using the same descriptors for each of their
  three sockets.  I've included some debug info from the core files.
 
   The descriptors are local to the process, and don't mean anything.
 
  Is this a known bug or can it be fixed with a configuration change?
 
   It sounds like a kernel bug to me.  recvfrom() on a UDP socket
 *always* returns quickly.  If there's no data, it returns immediately
 with an error.  If there is data it returns the data.
 
   If recvfrom() hangs, then it's not the fault of the application.  And
 there's nothing the application can do to fix it.
recvfrom() blocks on datagram sockets just like any other type of socket
unless it gets a SO_RCVTIMEO or the O_NONBLOCK is set (in which case you
would receive an error). 

http://www.opengroup.org/onlinepubs/95399/functions/recvfrom.html

If no messages are available at the socket and O_NONBLOCK is not set on
the socket's file descriptor, recvfrom() shall block until a message
arrives. If no messages are available at the socket and O_NONBLOCK is
set on the socket's file descriptor, recvfrom() shall fail and set errno
to [EAGAIN] or [EWOULDBLOCK].

 
   Alan DeKok.
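The POSIX semantics quoted above are easy to check directly. The program below is an added example, not code from the list thread or from FreeRADIUS: it binds a UDP socket on the loopback address to a kernel-chosen port (so it never touches 1812-1814), sets O_NONBLOCK, and shows that recvfrom() on an empty queue returns EAGAIN/EWOULDBLOCK instead of blocking, that select() reports the socket readable once a constructed datagram has been sent to it, and that a second read after the queue is drained again returns EAGAIN. The function names (make_udp_socket, set_nonblocking, try_recv, demo_nonblocking_udp) and the return codes are this example's own. The try_recv() pattern is the work-around Alan mentions: if select() reports readiness that something else has already consumed, the reader gets an error code back rather than a process stuck inside recvfrom().

```c
/* Added example (not from the list thread or FreeRADIUS): recvfrom() on a
 * UDP socket with O_NONBLOCK, as the POSIX text quoted above specifies.
 * Assumes a POSIX host with a loopback interface; the port is chosen by the
 * kernel (bind to port 0), so nothing here touches the RADIUS ports. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Create a UDP socket bound to 127.0.0.1 on a kernel-chosen port and fill
 * in *addr with the address actually bound. Returns the fd, or -1 on error. */
static int make_udp_socket(struct sockaddr_in *addr)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr->sin_port = 0;                       /* let the kernel pick a port */
    if (bind(fd, (struct sockaddr *)addr, sizeof(*addr)) < 0) { close(fd); return -1; }
    socklen_t len = sizeof(*addr);
    if (getsockname(fd, (struct sockaddr *)addr, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Set O_NONBLOCK on the descriptor; returns -1 on failure. */
static int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Outcome codes returned by try_recv() so a caller can branch on them. */
enum recv_outcome { RECV_DATA = 0, RECV_WOULDBLOCK = 1, RECV_ERROR = 2 };

/* One non-blocking receive attempt: the pattern a select() loop should use
 * after FD_ISSET() says the fd is readable. If the datagram has already been
 * consumed or dropped, the kernel returns EAGAIN instead of blocking. */
static enum recv_outcome try_recv(int fd, char *buf, size_t buflen, ssize_t *got)
{
    struct sockaddr_in from;
    socklen_t fromlen = sizeof(from);
    ssize_t n = recvfrom(fd, buf, buflen, 0, (struct sockaddr *)&from, &fromlen);
    if (n >= 0) { *got = n; return RECV_DATA; }
    if (errno == EAGAIN || errno == EWOULDBLOCK) { *got = 0; return RECV_WOULDBLOCK; }
    *got = -1;
    return RECV_ERROR;
}

/* Demonstration: an empty non-blocking socket yields RECV_WOULDBLOCK; after a
 * constructed datagram is sent to it, select() reports it readable and
 * recvfrom() returns the data; a further read yields RECV_WOULDBLOCK again.
 * Returns 0 on success, or a small positive code naming the step that failed. */
int demo_nonblocking_udp(void)
{
    struct sockaddr_in addr;
    int fd = make_udp_socket(&addr);
    if (fd < 0) return 1;
    if (set_nonblocking(fd) < 0) { close(fd); return 2; }

    char buf[64];
    ssize_t got;
    /* Step 1: nothing queued, so the call must return at once with EAGAIN. */
    if (try_recv(fd, buf, sizeof buf, &got) != RECV_WOULDBLOCK) { close(fd); return 3; }

    /* Step 2: send a constructed datagram to our own bound address. */
    const char msg[] = "constructed-test-datagram";
    if (sendto(fd, msg, sizeof msg - 1, 0, (struct sockaddr *)&addr, sizeof addr) < 0) { close(fd); return 4; }

    /* Step 3: wait (bounded) until select() says readable, then read it. */
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    struct timeval tv = { 2, 0 };
    if (select(fd + 1, &rfds, NULL, NULL, &tv) <= 0 || !FD_ISSET(fd, &rfds)) { close(fd); return 5; }
    if (try_recv(fd, buf, sizeof buf, &got) != RECV_DATA || got != (ssize_t)(sizeof msg - 1)) { close(fd); return 6; }

    /* Step 4: queue drained, so reading again must not block either. */
    if (try_recv(fd, buf, sizeof buf, &got) != RECV_WOULDBLOCK) { close(fd); return 7; }
    close(fd);
    return 0;
}

int main(void)
{
    int rc = demo_nonblocking_udp();
    printf("demo_nonblocking_udp: %s (code %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

Build with `cc -o udp_demo udp_demo.c` and run it; exit status 0 means all four steps behaved as the standard says. Without set_nonblocking(), step 1 would sit in recvfrom() indefinitely, which is exactly the stack the core dumps in this thread show.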


radiusd deadlock on recvfrom on port 1814

2007-10-17 Thread Ryan Melendez
Hey,

I've had FreeRADIUS Version 1.1.0 hang twice recently.  The core dumps
are very similar in that it appears that main is waiting on some stuff
from port 1814.  Honestly I don't know what 1814 is really for (proxy
port?) but it seems as if fd_isset says so we should expect some data on
that socket.  Unless something _else_ had already received that data.

I hadn't noticed this before I added radrelay and another radiusd
process on the same box.  Both radiusd processes are bound to different
virtual interfaces and radrelay is duplicating acct packets from one to
the other.  It's not obvious why there would be a race condition on that
socket, but my guess is something is going on there.  It seems as though
both radiusd processes are using the same descriptors for each of their
three sockets.  I've included some debug info from the core files.

Is this a known bug or can it be fixed with a configuration change?



Thanks,
Ryan
--
Process One:
(gdb) print *(rad_listen_t *) mainconfig.listen
$1 = {next = 0x458023e8, ipaddr = 486477016, type = RAD_LISTEN_AUTH,
port = 1812, fd = 3}
(gdb) print *(rad_listen_t *) mainconfig.listen-next
$2 = {next = 0x4580eef8, ipaddr = 486477016, type = RAD_LISTEN_ACCT,
port = 1813, fd = 4}
(gdb) print *(rad_listen_t *) mainconfig.listen-next-next
$3 = {next = 0x0, ipaddr = 486477016, type = RAD_LISTEN_PROXY, port =
1814, fd = 5}

Process Two:
gdb) print *(rad_listen_t *) mainconfig.listen
$2 = {next = 0x8117fe0, ipaddr = 145944, type = RAD_LISTEN_AUTH,
port = 1812, fd = 3}
(gdb) print *(rad_listen_t *) mainconfig.listen-next
$3 = {next = 0x8117ff8, ipaddr = 145944, type = RAD_LISTEN_ACCT,
port = 1813, fd = 4}
(gdb) print *(rad_listen_t *) mainconfig.listen-next-next
$4 = {next = 0x0, ipaddr = 145944, type = RAD_LISTEN_PROXY, port =
1814, fd = 5}

Process One:
(gdb) info threads
* 6 process 11191  0x0804d145 in main (argc=1166077688, argv=0xbfffd0c0)
at radiusd.c:1323
  5 process 19865  0x401c8d0b in [EMAIL PROTECTED] ()
from /lib/tls/libpthread.so.0
  4 process 19864  0x401c8d0b in [EMAIL PROTECTED] ()
from /lib/tls/libpthread.so.0
  3 process 19863  0x401c8d0b in [EMAIL PROTECTED] ()
from /lib/tls/libpthread.so.0
  2 process 19862  0x401c8d0b in [EMAIL PROTECTED] ()
from /lib/tls/libpthread.so.0
  1 process 19861  0x401c8d0b in [EMAIL PROTECTED] ()
from /lib/tls/libpthread.so.0
(gdb) bt
#0  0x401c99fe in recvfrom () from /lib/tls/libpthread.so.0
#1  0x4004e6d1 in rad_recv (fd=5) at radius.c:1044
#2  0x0804d145 in main (argc=1166077688, argv=0xbfffd0c0) at
radiusd.c:1323
(gdb) print *(rad_listen_t *) listener
$22 = {next = 0x0, ipaddr = 486477016, type = RAD_LISTEN_PROXY, port =
1814, fd = 5}
(gdb) frame 1
#1  0x4004e6d1 in rad_recv (fd=5) at radius.c:1044
1044radius.c: No such file or directory.
in radius.c
(gdb) info locals
packet = (RADIUS_PACKET *) 0x4780dc38
saremote = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0},
sin_zero = \000\000\000\000\000\000\000}
totallen = 263
salen = 16
attr = (uint8_t *) 0x0
count = -1073758352
host_ipaddr = \000\000\000\000۾\005\b
seen_eap = 0
data = stuff...

Re: MSCHAP test client?

2007-07-12 Thread Ryan Kramer

JRadius simulator will do MSCHAPv2 very well...


http://jradius.org/wiki/index.php/JRadiusSimulator




On 7/12/07, Hugh Messenger [EMAIL PROTECTED] wrote:


Phil Mayers said:
 On Thu, 2007-07-12 at 11:46 -0500, Hugh Messenger wrote:
  Has anyone ever come across a RADIUS test client which supports
  MSCHAP?

 If you mean plain MS-CHAP, you can do it with radclient. Since, with
 plain MS-CHAP, the NAS generates the challenge and sends it to the
 radius server with the response. Since the response for any given
 challenge is the same, you can just capture a chal/resp pair (e.g. in
 debug mode) and replay it an arbitrary number of times.

Ah HAH!  That is exactly what I needed, thank you.

 If you mean EAP/MS-CHAP (or EAP/PEAP/MS-CHAP) you can use eapol_test
 from wpa_supplicant.

That's next month, as part of our baby-steps migration to FR.  For now
it's
just our PPPOE clients.  Then dialup.  Then funky stuff.

   -- hugh



Re: [meta] admin tools and utilities

2007-06-28 Thread Ryan Kramer

Haven't tried ntradping, but jradiussimulator does a great job of being a
simulated radius client.

http://jradius.org/wiki/index.php/JRadiusSimulator



On 6/28/07, Hugh Messenger [EMAIL PROTECTED] wrote:


 Forgive me if meta-discussions are frowned upon.



I was just wondering what tools and utilities (not shipped with
freeradius) people find useful in day to day admin and testing.



My vote goes to NTRadPing, a fully featured Windows take on the standard
UN*X radping.  Freebie, from http://www.dialways.com/download/.  Very
intuitive UI for creating, saving, loading and executing auth and accounting
queries.  Configurable dictionary file.  I'd be lost without it.



Something I'd really like to find is an 'unsolicited' test service,
simulating a NAS listening on 1700, to help diagnose disconnect request
issues.



   -- hugh




Re: mschapv2 and users file

2007-06-20 Thread Ryan Kramer

I'm having the same problem on 1.1.6, but when I try the cobb
Cleartext-Password := secret as below, I get this when starting...

/etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
attribute Cleartext-password
Errors reading /etc/raddb-test/users
radiusd.conf[1052]: files: Module instantiation failed.
radiusd.conf[1654] Unknown module files.
radiusd.conf[1589] Failed to parse authorize section.



On 6/20/07, Alan DeKok [EMAIL PROTECTED] wrote:


Matt Cobb wrote:
 Tried:

   cobb Cleartext-Password:=secret

 same result:

  Please post the ENTIRE debug output.  Trust me, MS-CHAP works in the
server.  Put that entry at the TOP of the users file, and it should
work.  Odds are you put it in the middle of the users file, and
there's an earlier entry which means that the cobb entry is never used.

  Alan DeKok.

Re: mschapv2 and users file

2007-06-20 Thread Ryan Kramer

Alan DeKok already hit it head on: I had an old version of the radius
dictionary hanging around.  -v doesn't list the version of the modules or
dictionary file unfortunately.  Swapped in the new one and it works.

Ryan



On 6/20/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


Hi,
 I'm having the same problem on 1.1.6, but when I try the cobb
 Cleartext-Password := secret as below, I get this when starting...

 /etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
 attribute Cleartext-password
 Errors reading /etc/raddb-test/users
 radiusd.conf[1052]: files: Module instantiation failed.
 radiusd.conf[1654] Unknown module files.
 radiusd.conf[1589] Failed to parse authorize section.


output of  `radiusd -v` please

alan

Re: Frreradius PAP and CHAP

2007-06-19 Thread Ryan Kramer

Instead of using radclient/radtest, this program BY FAR is the best way to
debug a radius box...

http://jradius.org/wiki/index.php/JRadiusSimulator




On 6/19/07, hao chen [EMAIL PROTECTED] wrote:


Hi,Ivan

   I want to know how to test CHAP with radclient (I have no NAS).
Could you give me an example of the radclient configure file?
Thank you.
-chenhao








2007/6/20, [EMAIL PROTECTED] [EMAIL PROTECTED]:

 No, not with radtest. You can use radclient, which has much more
 ability,
 but is also more complicated.

 Use, for instance, XP dialup connection. In connection properties click
 on Security tab, Advanced radio button and then Settings button. By
 default all protocols are ticked. Leave only CHAP ticked and exit with
 OK. Once you are done with testing remember to go back and add protocols
 back.

 WARNING: This will work only if the NAS you are connecting through also
 supports CHAP authentication. If it doesn't, XP client with only CHAP
 enabled won't be able to connect.

 Ivan Kalik
 Kalik Informatika ISP


 Dana 19/6/2007, lisa laam [EMAIL PROTECTED] piše:

 thanks,
 
 Is there  a way to test CHAP?
 
 could we test that with radtest?
 
 
 
 
 2007/6/19, [EMAIL PROTECTED]  [EMAIL PROTECTED]:
 
  Have a look at dictionary.freeradius.internal. You will find several
  xxx-Password attributes where xxx are supported encryption types.
 
  To test CHAP you don't need to tell Freeradius anything. Chap
 module
  is enabled by default, so it will work if you haven't disabled it. What
  you need to do is to get the client to use CHAP - radius server will
  follow.
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  Dana 19/6/2007, lisa laam [EMAIL PROTECTED] pi e:
 
  Hi,
  
   I configured Freeradius to use the PAP method with the users file.
   The password is stored in clear text in the user file and it works well.
   
   Now I want to use another mode of user storage with the PAP method
   (example: MD5, with the user file located in /freeradius-1.1.6
   /src/tests/digest-auth-MD5)
   
   1- How to tell freeradius that the user password is stored in clear
   text, or digest, or MD5 hashed, etc ??
   I tried to copy the content of digest-auth-MD5 in the users file and
   I got this error :
  
  Errors reading /opt/freeradius/etc/raddb/users
  radiusd.conf[1067]: files: Module instantiation failed.
  radiusd.conf [1852] Unknown module files.
  radiusd.conf[1788] Failed to parse authorize section.
  
  
   I want to test also the CHAP method, how to tell radius to use this
   method instead of PAP?
  
  
  thanks
  
  
 
 
 
 





Help with Multiple AD/LDAP

2007-06-11 Thread Ryan Kramer

Hello,

I'm working on a new config to allow multiple AD servers to be hit, and am
running into a problem.  Just a quick background, I have one server that has
multiple root level OU's with users under it.  It may not be the recommended
design, but for our needs it is suitable.  I've set up freeradius with three
unique ldap entries, all connecting to the same AD server but under
different OU's.

Anyway, in users.conf I've got this:

DEFAULT Ldap-Group == WIFIUSER
   Filter-ID = WIFIUSER,
   Fall-Through=1


radiusd.conf

authorize {
...
LDAP1
LDAP2
LDAP3
}


which will return group=WIFIUSER in the Access-Accept if the user is in the
WIFIUSER AD group.  The problem is it only works if the user exists in the
last LDAP entry that is listed.  It will still return an Access-Accept, but
no group, if they aren't in the last OU.  (In the example above, a user in
the LDAP1 OU would not get the WIFIUSER group Access-Accept, even though they
are in it.  Moving LDAP1 to the bottom would make it work.)

Any suggestions?

Ryan Kramer

Re: Help with Multiple AD/LDAP

2007-06-11 Thread Ryan Kramer

it works!  Just a quick followup for anyone else that might run into it...
You need to define the DEFAULT users.conf entry differently as it can apply
to different servers individually.

DEFAULT LDAP1-Ldap-Group == WIFIUSER
   Filter-ID = WIFIUSER,
   Fall-Through=0

DEFAULT LDAP2-Ldap-Group == WIFIUSER
   Filter-ID = WIFIUSER,
   Fall-Through=0

DEFAULT LDAP3-Ldap-Group == WIFIUSER
   Filter-ID = WIFIUSER,
   Fall-Through=0


works perfectly...

Ryan Kramer




On 6/11/07, Ryan Kramer [EMAIL PROTECTED] wrote:


Hello,

I'm working on a new config to allow multiple AD servers to be hit, and am
running into a problem.  Just a quick background, I have one server that has
multiple root level OU's with users under it.  It may not be the recommended
design, but for our needs it is suitable.  I've set up freeradius with three
unique ldap entries, all connecting to the same AD server but under
different OU's.

Anyway, in users.conf I've got this:

DEFAULT Ldap-Group == WIFIUSER
Filter-ID = WIFIUSER,
Fall-Through=1


radiusd.conf

authorize {
...
LDAP1
LDAP2
LDAP3
}


which will return group=WIFIUSER in the Access-Accept if the user is in
the WIFIUSER AD group.  The problem is it only works if the user exists in
the last LDAP entry that is listed.  It will still return an Access-Accept,
but no group, if they aren't in the last OU.  (In the example above, a user
in the LDAP1 OU would not get the WIFIUSER group Access-Accept, even though
they are in it.  Moving LDAP1 to the bottom would make it work.)

Any suggestions?

Ryan Kramer





Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-06-05 Thread Ryan Kramer

Were you ever able to solve the issue of multiple OU's?   I have about 100
OU's that have users under them, running without a specified OU doesn't
work, and obviously once I drop into an OU it hits the users that live
there, and no others.

Ryan



On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:


OK tried with 1.1.4 and yerp works great.

radiusd -X output: http://pastebin.ca/464153
radiusd.conf: http://pastebin.ca/464156

I also realised a mistake I have been making, see I want to search the
whole active directory, hence I kept setting my basedn without an ou.
After seeing your excellent example and auth'ing had failed I stuck in
an OU and tried a user from the OU and worked fine.

So my question is this, to auth people from multiple OU's do I create
a new ldap module for each OU or is there a simpler way.

Thanks very much for your help Phil, it's been a very productive
weekend thanks to the info you provided.

My challenge for Monday will be setting up the cisco and wireless clients
now :)

On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
 radiusd.conf: http://pastebin.ca/464133
 radius -X output: http://pastebin.ca/464138

 Tried with 1.1.6 and fails with this error:

 rlm_ldap: reading ldap-radius mappings from file
/etc/raddb/ldap.attrmap
 rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
 rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap
failed
 radiusd.conf[540]: ldap: Module instantiation failed.
 radiusd.conf[586] Unknown module ldap.
 radiusd.conf[586] Failed to parse ldap entry.
 -
 /etc/raddb/ldap.attrmap does exist as provided by the rpm.

 [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
 -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap

 I assume the permissions are correct, as it was installed by rpm. I'm
 building the 1.1.4 rpm now, will report back once done.

 On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
  Thanks for the very detailed instructions.
 
  I will attempt this shortly (bought rad  ad servers home for weekend
study).
 
  Quite possible the biggest learning curve for me is the ldap fields
  but I am finally starting to get familiar with them.
 
  Cheers again, will post back once I've run the radtest.
 
  On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
   I haven't been following your (quite extensive) queries, so
apologies if
   I've missed something fundamental.
  
   I honestly don't know why this is proving so difficult. I've just
tested
   this against our own 2k3 AD service, and although I'm pretty
familiar
   with FR it took under 5 minutes. Try following the instructions
below.
   These were tested with FreeRadius 1.1.4
  
   1. First, create or locate an existing account which FreeRadius can
bind
   and do its searches as. Record the following variables:
  
   SEARCHDN=the DN of the account
   SEARCHPW=the password
   BASEDN=the DN below which all your accounts live in AD
   ADHOST=hostname of the AD controller you'll search against
  
   For example, these might be:
  
   SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
   SEARCHPW=blahblah
   BASEDN=OU=My Site,DC=mysite,DC=com
  
   2. Next, take the default radiusd.conf
  
   3. Find the start of the modules section:
  
   modules {
 ...
  
   Delete this line and all the following lines
  
   4. Insert the following config:
  
   modules {
  ldap {
server = $ADHOST
identity = $SEARCHDN
password = $SEARCHPW
  
basedn = $BASEDN
filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
  
dictionary_mapping = ${raddbdir}/ldap.attrmap
  
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
  }
  
  preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
  
with_ascend_hack = no
ascend_channels_per_line = 23
  
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
  }
  
  detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0644
  }
  
   }
  
   instantiate {
   }
  
   authorize {
  preprocess
  
  ldap
   }
  
   authenticate {
  Auth-Type LDAP {
ldap
  }
   }
  
  
   preacct {
  preprocess
   }
  
   accounting {
  detail
   }
  
  
   session {
   }
  
   post-auth {
   }
  
   pre-proxy {
   }
  
   post-proxy {
   }
  
   5. Start the server with -X
  
   6. Run radtest to send a checking PAP request
  
   It should work.
  
   The above config is the ABSOLUTE BARE MINIMUM server config which
will
   check PAP requests ONLY against an AD LDAP server. I do NOT
recommend
   you go into service with this config. Try to look at it, understand
how
   it's doing what it's doing, *then* start again with the default
   FreeRadius config and make the absolute minimum changes to get back
to
   that point.

Re: Freeradius and MS ActiveDirectory

2007-05-24 Thread Ryan Kramer

It is already built into FreeRadius in a number of ways...  either NTLM or
Ldap to AD.

Ryan Kramer



On 5/24/07, Ouahiba MACHANI [EMAIL PROTECTED] wrote:


Hi,

Is there any plug-in for Freeradius that allows it to interface with an
Active Directory and authenticate users??

If not, is it possible to develop such a plug-in? And what are the
requirements?

could this plug-in be a PAM module ?

thanks.


Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-05-01 Thread Ryan Kramer

You can take care of #1 by still doing LDAP to AD for the groups, but using
ntlm for the password authentication.  This seems counterproductive, unless
you are using a backside encryption where you need to do it that way, which
is what I ended up having to do.





On 4/30/07, Jacob Jarick [EMAIL PROTECTED] wrote:


Thanks for the tip Ryan, but I have been down that road and 2 reasons
stopped me:

1 - no way of retrieving ldap groups
2 - Been requested not to have samba on the machine.

ntlm_auth was very straight forward for me because it supports all the
encryption methods.

On 5/1/07, Ryan Kramer [EMAIL PROTECTED] wrote:
 depending on the wifi auth method, you may want to also investigate a
 NTLM_AUTH method instead of straight ldap.  This requires the freeradius
 machine to be a member of the domain, but once you do that it works
great.




 On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
  OK tried with 1.1.4 and yerp works great.
 
  radiusd -X output: http://pastebin.ca/464153
  radiusd.conf: http://pastebin.ca/464156
 
  I also realised a mistake I have been making, see I want to search the
  whole active directory, hence I kept setting my basedn without an ou.
  After seeing your excellent example and auth'ing had failed I stuck in
  an OU and tried a user from the OU and worked fine.
 
  So my question is this, to auth people from multiple OU's do I create
  a new ldap module for each OU or is there a simpler way.
 
  Thanks very much for your help Phil, it's been a very productive
  weekend thanks to the info you provided.
 
  My challenge for Monday will be setting up the cisco and wireless
clients
 now :)
 
  On 4/29/07, Jacob Jarick [EMAIL PROTECTED]  wrote:
   radiusd.conf: http://pastebin.ca/464133
   radius -X output: http://pastebin.ca/464138
  
   Tried with 1.1.6 and fails with this error:
  
   rlm_ldap: reading ldap-radius mappings from file
 /etc/raddb/ldap.attrmap
   rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
   rlm_ldap: Reading dictionary mappings from file
/etc/raddb/ldap.attrmap
 failed
   radiusd.conf[540]: ldap: Module instantiation failed.
   radiusd.conf[586] Unknown module ldap.
   radiusd.conf[586] Failed to parse ldap entry.
   -
   /etc/raddb/ldap.attrmap does exist as provided by the rpm.
  
   [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
   -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
  
   I assume the permissions are correct, as it was installed by rpm. I'm
   building the 1.1.4 rpm now, will report back once done.
  
   On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
Thanks for the very detailed instructions.
   
    I will attempt this shortly (brought rad & ad servers home for weekend
    study).
   
    Quite possibly the biggest learning curve for me is the ldap fields
    but I am finally starting to get familiar with them.
   
    Cheers again, will post back once I've run the radtest.
   
On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
 I haven't been following your (quite extensive) queries, so
 apologies if I've missed something fundamental.

 I honestly don't know why this is proving so difficult. I've just
 tested this against our own 2k3 AD service, and although I'm pretty
 familiar with FR it took under 5 minutes. Try following the
 instructions below. These were tested with FreeRadius 1.1.4

 1. First, create or locate an existing account which FreeRadius can
 bind and do its searches as. Record the following variables:

 SEARCHDN=the DN of the account
 SEARCHPW=the password
 BASEDN=the DN below which all your accounts live in AD
 ADHOST=hostname of the AD controller you'll search against

 For example, these might be:

 SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
 SEARCHPW=blahblah
 BASEDN=OU=My Site,DC=mysite,DC=com

 2. Next, take the default radiusd.conf

 3. Find the start of the modules section:

 modules {
   ...

 Delete this line and all the following lines

 4. Insert the following config:

 modules {
ldap {
  server = $ADHOST
  identity = $SEARCHDN
  password = $SEARCHPW

  basedn = $BASEDN
  filter =
 (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})

  dictionary_mapping = ${raddbdir}/ldap.attrmap

  ldap_connections_number = 5
  timeout = 4
  timelimit = 3
  net_timeout = 1
}

preprocess {
  huntgroups = ${confdir}/huntgroups
  hints = ${confdir}/hints

  with_ascend_hack = no
  ascend_channels_per_line = 23

  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
}

detail {
  detailfile =
 ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
  detailperm = 0644

Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-04-30 Thread Ryan Kramer

depending on the wifi auth method, you may want to also investigate a
NTLM_AUTH method instead of straight ldap.  This requires the freeradius
machine to be a member of the domain, but once you do that it works great.



On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:


OK tried with 1.1.4 and yerp works great.

radiusd -X output: http://pastebin.ca/464153
radiusd.conf: http://pastebin.ca/464156

I also realised a mistake I have been making, see I want to search the
whole active directory, hence I kept setting my basedn without an ou.
After seeing your excellent example and auth'ing had failed I stuck in
an OU and tried a user from the OU and worked fine.

So my question is this: to auth people from multiple OUs, do I create
a new ldap module for each OU or is there a simpler way?

Thanks very much for your help Phil, it's been a very productive
weekend thanks to the info you provided.

My challenge for monday will be setting up the cisco and wireless clients
now :)

On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
 radiusd.conf: http://pastebin.ca/464133
 radius -X output: http://pastebin.ca/464138

 Tried with 1.1.6 and fails with this error:

 rlm_ldap: reading ldap-radius mappings from file
/etc/raddb/ldap.attrmap
 rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
 rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap
failed
 radiusd.conf[540]: ldap: Module instantiation failed.
 radiusd.conf[586] Unknown module ldap.
 radiusd.conf[586] Failed to parse ldap entry.
 -
 /etc/raddb/ldap.attrmap does exist as provided by the rpm.

 [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
 -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap

 I assume the permissions are correct, as it was installed by rpm. I'm
 building the 1.1.4 rpm now, will report back once done.

 On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
  Thanks for the very detailed instructions.
 
  I will attempt this shortly (brought rad & ad servers home for weekend
  study).
 
  Quite possibly the biggest learning curve for me is the ldap fields
  but I am finally starting to get familiar with them.
 
  Cheers again, will post back once I've run the radtest.
 
  On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
   I haven't been following your (quite extensive) queries, so
   apologies if I've missed something fundamental.
  
   I honestly don't know why this is proving so difficult. I've just
   tested this against our own 2k3 AD service, and although I'm pretty
   familiar with FR it took under 5 minutes. Try following the
   instructions below. These were tested with FreeRadius 1.1.4
  
   1. First, create or locate an existing account which FreeRadius can
   bind and do its searches as. Record the following variables:
  
   SEARCHDN=the DN of the account
   SEARCHPW=the password
   BASEDN=the DN below which all your accounts live in AD
   ADHOST=hostname of the AD controller you'll search against
  
   For example, these might be:
  
   SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
   SEARCHPW=blahblah
   BASEDN=OU=My Site,DC=mysite,DC=com
  
   2. Next, take the default radiusd.conf
  
   3. Find the start of the modules section:
  
   modules {
 ...
  
   Delete this line and all the following lines
  
   4. Insert the following config:
  
   modules {
  ldap {
server = $ADHOST
identity = $SEARCHDN
password = $SEARCHPW
  
basedn = $BASEDN
filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
  
dictionary_mapping = ${raddbdir}/ldap.attrmap
  
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
  }
  
  preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
  
with_ascend_hack = no
ascend_channels_per_line = 23
  
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
  }
  
  detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0644
  }
  
   }
  
   instantiate {
   }
  
   authorize {
  preprocess
  
  ldap
   }
  
   authenticate {
  Auth-Type LDAP {
ldap
  }
   }
  
  
   preacct {
  preprocess
   }
  
   accounting {
  detail
   }
  
  
   session {
   }
  
   post-auth {
   }
  
   pre-proxy {
   }
  
   post-proxy {
   }
  
   5. Start the server with -X
  
   6. Run radtest to send a checking PAP request
  
   It should work.
  
   The above config is the ABSOLUTE BARE MINIMUM server config which
   will check PAP requests ONLY against an AD LDAP server. I do NOT
   recommend you go into service with this config. Try to look at it,
   understand how it's doing what it's doing, *then* start again with
   the default FreeRadius config and make the absolute minimum changes
   to get back to that point.

LDAP changes between 1.01 and 1.1.5

2007-04-12 Thread Ryan Kramer

I've recently moved to 1.1.5, and went from a system that worked perfectly
with MS LDAP to one that will no longer find the user groups, using the
identical config.  Anyone have any ideas?  The obvious one is that 1.1.5
throws in all kinds of escape characters, but I'm assuming that is output
only.

Ryan Kramer




1.0.1 output
rlm_ldap: performing search in ou=DIVISION,dc=state,dc=company, with filter
(&(cn=DIVISION-WIFI)(|(&(objectClass=group)(member=CN=Kramer\\, Ryan M.,OU=USERS,OU=DIVISION,DC=state,DC=company))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Kramer\\, Ryan M.,OU=USERS,OU=DIVISION,DC=state,DC=company
rlm_ldap::ldap_groupcmp: User found in group DIVISION-WIFI


1.1.5 output
rlm_ldap: performing search in ou=DIVISION,dc=state,dc=company, with filter
(&(cn=DIVISION-WIFI)(|(&(objectClass=group)(member=CN\3dKramer\5c\5c\2c Ryan M.\2cOU\3dUSERS\2cOU\3dDIVISION\2cDC\3dstate\2cDC\3dcompany))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dKramer\5c\5c\2c Ryan M.\2cOU\3dUSERS\2cOU\3dDIVISION\2cDC\3dstate\2cDC\3dcompany
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: Group DIVISION-WIFI not found or user is not a
member.

Re: LDAP changes between 1.01 and 1.1.5

2007-04-12 Thread Ryan Kramer


  No.  It's part of the LDAP query.

  In order to avoid external users logging in with names that are valid
LDAP queries, the untrusted user input is escaped before it is passed to
the LDAP module.





Apparently something in the ldap_escape_func is broken when talking to
Microsoft AD.  I replaced the code of that function with the much more
lenient code of the 1.0.1 ldap_escape_func, and it works great with MS LDAP
now!

Re: LDAP changes between 1.01 and 1.1.5

2007-04-12 Thread Ryan Kramer

On 4/12/07, Alan DeKok [EMAIL PROTECTED] wrote:


Ryan Kramer wrote:
 Apparently something in the ldap_escape_func is broken when talking to
 Microsoft AD.

  The code does not distinguish between Microsoft AD and other LDAP
servers.



Correct, it is very simple code and doesn't care.  My guess is that it is
Microsoft AD not acting like any other reasonable AD on the planet, I
suspect.

I'll post my exact queries tomorrow, but as I mentioned, the only change was
to revert that section of code back to the 1.0.1 version, recompile, and it
works great.  I hacked away at the configs for about 3 hours without any
success using pretty much every trick I could think of to get it working.

I SUSPECT something might not be escaped in a manner the MS AD server likes,
or maybe just the fact it has any escape sequences built in at all is what
is causing it to toss it.  Hopefully tomorrow I'll be able to get some logs
from our server admins to see exactly what the queries they receive look
like.
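The escaping Alan describes above is the defence against LDAP filter injection, and the two debug outputs in this thread show what it costs when a value that is already DN-escaped gets escaped a second time. What follows is an added example in Python; it is not FreeRADIUS code and not code from anyone on the thread. It builds the `(sAMAccountName=%{User-Name})` lookup from the minimal AD config earlier on the page with and without RFC 4515 escaping, decodes a filter value the way an LDAP server does before comparing it, and applies that decoder to the `member=` value from the 1.1.5 output. The hostile User-Name and the DN fragments are constructed for the demonstration.

```python
"""LDAP filter escaping (RFC 4515): added example, not FreeRADIUS code.

Exercises the (sAMAccountName=%{User-Name}) lookup from the minimal AD
config on this page and the member=<DN> value from the 1.1.5 debug output.
"""

# RFC 4515 requires exactly these characters to be escaped in an assertion value.
_MUST_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX = "0123456789abcdefABCDEF"


def escape_filter_value(value: str) -> str:
    """Make an untrusted string safe to substitute into a search filter."""
    return "".join(_MUST_ESCAPE.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Decode \\XX hex escapes: this is the value a server actually compares."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value) and all(c in _HEX for c in value[i + 1:i + 3]):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def sam_account_filter(user_name: str, escape: bool = True) -> str:
    """The lookup filter from the config above; escape=False is the injectable form."""
    value = escape_filter_value(user_name) if escape else user_name
    return f"(sAMAccountName={value})"


def filter_node_count(ldap_filter: str) -> int:
    """Count filter nodes. After escaping, '(' can only be structural, so an
    escaped value can never change this number; injected text can."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    hostile = "*)(objectClass=*"          # constructed sample User-Name
    for escaped in (False, True):
        f = sam_account_filter(hostile, escape=escaped)
        print(f"escaped={escaped}: {f}  nodes={filter_node_count(f)}")
    # member= value copied from the 1.1.5 debug output above, decoded as the server sees it
    print(unescape_filter_value(r"CN\3dKramer\5c\5c\2c Ryan M.\2cOU\3dUSERS"))
    # a DN containing a DN-escaped comma needs exactly one \5c when placed in a filter
    print(escape_filter_value(r"CN=Kramer\, Ryan M.,OU=USERS"))
```

Running it shows that `*` and `)(` from an unescaped User-Name become filter structure (two nodes, and `*` alone matches every account), while the escaped form stays a single node that matches only a literal `*)(objectClass=*`; rlm_ldap's "ambiguous search result" rejection is therefore the last line of defence, not the first. The decoder also shows that `\5c\5c\2c` is two backslashes followed by a comma: in a filter value a DN-escaped comma (`\,`) needs exactly one `\5c`, so a DN string whose backslashes are doubled before it is filter-escaped names a different object than the original DN does.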

Re: question about freeradius, 802.1x with peap, auth via LDAP

2007-04-04 Thread Ryan Kramer

1)  Microsoft LDAP isn't like normal ldap, you don't get access to the
password.  To have freeradius touch the password at any point, it needs to
be on the domain and do a ntlm_auth instead of ldap.



On 4/4/07, wenny wang [EMAIL PROTECTED] wrote:


Hi,

I need help/advice with the following scenario:

1. I have a freeradius server, this server is not part of an Active Directory
Domain, server is able to perform ldapsearch for user accounts.

2. the workstation is a windows 2000 pc, it needs to be authenticated through
a Cisco catalyst switch to the freeradius server with the user's LAN username and
password transparently (peap)

my question is:

what is the requirement for the radius server, does the server need to be
part of the Active Directory Domain? Can you direct me to a how-to link? I
have made several configurations but none were successful, please help,
thanks.


Re: Radius Packet Simulator

2007-04-02 Thread Ryan Kramer

jradius is about the best I've found.


On 4/2/07, khursheed Ahmed [EMAIL PROTECTED] wrote:




Hi All

   I need a RADIUS packet simulator which could simulate RADIUS packets
for me. If there is any, please tell me, as I need it because I am
developing a Translation Agent which could translate (convert) RADIUS
packets into Diameter packets.

Is there any idea? Please help me.


Khursheed Ahmed QAU




802.1x-radius VLAN assignment

2007-03-08 Thread Ryan Kramer

Hello!

I am working on implementing freeradius with an aruba Wifi controller
connected to freeradius, which then talks to AD.  (The linux box is on the
AD domain)  Anyway, we need to pull the vlan identifier through from an AD
group, but it appears FreeRadius does not pull that through the request
field.

Anyone have any thoughts?  We know this is possible through the Microsoft
radius solution, but are having a tough time of it without using that
instead.  Thanks!

Ryan Kramer

identify dial-up test session

2006-11-15 Thread Ryan Melendez

Hello,

I would like to identify a ppp session as a test session by somehow
marking the accounting records.  I've considered overloading the
username sent by pppd to include a .test and alter the 'Service-Type'
based on the suffix.  I'd like to be able to somehow pass an Attribute
from LCP-IPIP-RADIUS to identify a session as unique, but I'm not sure
if that is even possible.  Note, I do not need any special service that
might be associated with say a Service-Type = Administrative, just an
Attribute I can load to the db to later filter out.  Has anyone tried
anything similar in the past?  If anyone can point me in the right
direction I would really appreciate it.

-- 
Thanks,
Ryan


modcall[authorize] after Access-Accept

2006-06-07 Thread Ryan Melendez
Hello,

I have both the realm and sql modules in my authorize section.  After
freeradius receives an Access-Accept it processes the authorize section.
It is not clear to me why, but I assume this is intentional based on
debug messages:

  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module realmslash returns noop for request 0
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module realmat returns noop for request 0


My problem is that the sql module is called after the realm modules and
queries the db.  I don't know why this would ever be necessary, but it is
undesirable for my configuration.  I cannot simply group 'realmslash'
and 'realmat' and return if 'noop'.  This would cause a 'LOCAL' realm to
skip the sql.  I appreciate any help.

Thanks,
Ryan



rlm_eap_mschapv2: out of memory

2006-06-02 Thread Ryan Melendez

Can someone please tell me how I might fix this?

 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 20
 rlm_eap: EAP Identity
 rlm_eap: processing type mschapv2
rlm_eap_mschapv2: out of memory
rlm_eap: Default EAP type mschapv2 failed in initiate
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module eap returns invalid for request 20
modcall: leaving group authenticate (returns invalid) for request 20
auth: Failed to validate the user.


2.6.15-wpnmd.3.1 #1 SMP Wed Apr 12 04:50:31 GMT 2006 i686 GNU/Linux

Thanks,
Ryan






RE: rlm_eap_mschapv2: out of memory

2006-06-02 Thread Ryan Melendez
Thank You Alan,

The microsoft dictionary was commented out in
/usr/local/share/freeradius/dictionary.

Ryan

 -Original Message-
 From:
[EMAIL PROTECTED]
 [mailto:freeradius-users-
 [EMAIL PROTECTED] On Behalf Of Alan
 DeKok
 Sent: Friday, June 02, 2006 10:16 AM
 To: FreeRadius users mailing list
 Subject: Re: rlm_eap_mschapv2: out of memory
 
 Ryan Melendez [EMAIL PROTECTED] wrote:
  Can someone please tell me how I might fix this?
 
 ...
  rlm_eap_mschapv2: out of memory
   rlm_eap: Default EAP type mschapv2 failed in initiate
 
   From looking at the source, it happens when a call to pairmake()
 fails.  I'd guess that the MS-CHAP-Challenge attribute it's in your
 dictionaries.
 
   Alan DeKok.


no sql log for proxied Accounting

2006-03-30 Thread Ryan Melendez
Hello,

I'm trying to configure freeradius to only sql log Accounting packets
that are not proxied.  I see the note in the config file that reads
accounting requests which are proxied are also logged in the detail
file.  That is fine, but I can't have it log to sql.  In general I
would only like to sql log Accounting records associated with realms
configured for accthost = LOCAL.  Has anyone else had success with this?

radiusd: FreeRADIUS Version 1.1.0, for host , built on Mar  6 2006 at
20:41:50
Copyright (C) 2000-2003 The FreeRADIUS server project.

Thanks,
Ryan



Accounting-Response packet with invalid signature!

2006-03-21 Thread Ryan Melendez
Hello,

I am getting Accounting-Response packets from one particular NAS with an
invalid signature.  I verified the shared secret is correct.  Radiusd is
configured to proxy Accounting-Request packets the following way.

proxy server {
synchronous = no
retry_delay = 10
retry_count = 30
dead_time = 300
}


This particular NAS takes about 25 seconds to send the
Accounting-Response.  By the time it has sent its response, freeradius has
moved on to the second or third retry.  The authenticator calculated by
the NAS is for the initial accounting packet and is invalid for the
second request due to a change in the Acct-Delay-Time (and possibly
proxy-state).  Freeradius then bails out:

Received Accounting-Response packet from with invalid signature!
Server rejecting request 1.
Finished request 1
Going to the next request
rl_next:  returning NULL
Cleaning up request 1 ID 11 with timestamp 44206de3


If I change the config to:

retry_delay = 30
retry_count = 1

then freeradius sleeps for 30 seconds and does not send a second packet.

Waking up in 31 seconds...
rad_recv: Accounting-Response packet from host :1813, id=1, length=25
Proxy-State = 0x323233
Sending Accounting-Response of id 223 to :51818
Finished request 0


What is the correct way to do this according to the RFC?  25 seconds is
an extremely long delay but it seems there should be a way to handle
this.  I tried playing with cleanup_delay, but I'm not getting anywhere.
Do I have to set the retry_delay very high to have a better chance?  25
seconds is a long time to wait if the host is actually down.

Thanks,
Ryan

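The question at the end of the post ("according to the RFC") comes down to how RFC 2866 binds an Accounting-Response to one specific transmission of an Accounting-Request, and the earlier "Radius Packet Simulator" request asks for a tool to build such packets. The following is an added example in Python, not FreeRADIUS, jradius or the poster's code: a minimal packet builder that encodes attributes, computes both authenticators exactly as RFC 2866 specifies (MD5 over Code, Identifier, Length, a 16-byte field, the attributes and the shared secret, where the 16 bytes are zeros for an Accounting-Request and the Request Authenticator for the response), and then replays the situation in the post offline. The shared secret, user name, NAS address and session id are constructed; the retransmit delay of 10 seconds matches the `retry_delay = 10` in the config above, and the Proxy-State value is the `0x323233` from the debug output.

```python
"""RADIUS accounting packets and authenticators (RFC 2866).

Added example, not FreeRADIUS, jradius or the poster's code: a minimal
packet builder that reproduces the late-Accounting-Response case above.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, PROXY_STATE = 1, 4, 33
ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_SESSION_ID = 40, 41, 44


def attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def int_attr(attr_type: int, value: int) -> bytes:
    return attr(attr_type, struct.pack("!I", value))


def iter_attrs(payload: bytes):
    """Walk the attribute area, yielding each raw TLV."""
    i = 0
    while i < len(payload):
        length = payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute")
        yield payload[i:i + length]
        i += length


def _authenticator(code, ident, length, prev_auth, attrs, secret):
    """MD5(Code + ID + Length + <16 bytes> + Attributes + Secret). For an
    Accounting-Request the 16 bytes are zeros; for a response they are the
    Request Authenticator of the packet being answered."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + prev_auth + attrs + secret).digest()


def build_packet(code, ident, attrs, secret, prev_auth=bytes(16)):
    length = 20 + len(attrs)
    auth = _authenticator(code, ident, length, prev_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def accounting_request(ident: int, delay_seconds: int, secret: bytes) -> bytes:
    """Accounting-Request as a proxy forwards it. Acct-Delay-Time is what
    changes on each retransmission, so the Request Authenticator changes too.
    User, NAS address and session id are constructed; the Proxy-State value
    is the 0x323233 ('223') seen in the debug output above."""
    attrs = (attr(USER_NAME, b"ryan")
             + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))
             + int_attr(ACCT_STATUS_TYPE, 1)            # Start
             + attr(ACCT_SESSION_ID, b"0000002A")
             + int_attr(ACCT_DELAY_TIME, delay_seconds)
             + attr(PROXY_STATE, b"223"))
    return build_packet(ACCOUNTING_REQUEST, ident, attrs, secret)


def accounting_response(request: bytes, secret: bytes) -> bytes:
    """What the home server sends back: same ID, Proxy-State echoed
    unmodified, authenticator bound to the request's own authenticator."""
    echoed = b"".join(a for a in iter_attrs(request[20:]) if a[0] == PROXY_STATE)
    return build_packet(ACCOUNTING_RESPONSE, request[1], echoed, secret, prev_auth=request[4:20])


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The proxy's check: recompute the Response Authenticator using the
    request it is currently waiting on, and compare in constant time."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or ident != request[1] or length != len(response):
        return False
    expected = _authenticator(code, ident, length, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def simulate_late_response(secret: bytes = b"s3cret") -> dict:
    """The failure from the thread: the home server answers the first
    transmission, but the proxy has already retransmitted under the same ID
    with Acct-Delay-Time=10, and checks the late answer against that retry."""
    first = accounting_request(11, 0, secret)
    retry = accounting_request(11, 10, secret)
    late = accounting_response(first, secret)
    return {
        "authenticators_differ": first[4:20] != retry[4:20],
        "valid_against_first": verify_response(late, first, secret),
        "valid_against_retry": verify_response(late, retry, secret),
    }


if __name__ == "__main__":
    print(simulate_late_response())
```

The response built here is 25 bytes with a single echoed Proxy-State, the same shape as the `length=25` Accounting-Response in the second debug excerpt. Because the retransmission carries a new Acct-Delay-Time, its Request Authenticator differs from the first transmission's, and a response computed over the first authenticator can only verify against the first request; a proxy that has discarded that request (or overwritten it with the retry under the same ID) has nothing valid to compare against, which is the "invalid signature" outcome in the post.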


RE: dictionary.cablelabs[168]: dict_addvalue: value name too long

2006-02-20 Thread Ryan Melendez
Hey Alan,

I don't have more than one version of freeradius running.  This was my
problem.

./configure
LDFLAGS=/path/to/openssl/
export LDFLAGS
make

I needed to set LDFLAGS _before_ ./configure.  This works well:

LDFLAGS=/path/to/openssl/
export LDFLAGS
./configure
make

Thanks,
Ryan

-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
org] On Behalf Of Alan DeKok
Sent: Thursday, February 16, 2006 4:24 PM
To: FreeRadius users mailing list
Subject: Re: dictionary.cablelabs[168]: dict_addvalue: value name too
long 

Ryan Melendez [EMAIL PROTECTED] wrote:
 I am using 1.1.0.  Sorry I left that out.

  That message isn't produced when running the stock 1.1.0.  What else
is going on in your machine?  Do you have multiple versions of
FreeRADIUS installed?

  Alan DeKok.



dictionary.cablelabs[168]: dict_addvalue: value name too long

2006-02-16 Thread Ryan Melendez

Hello,

In order to correctly link to libssl.so.0.9.7 and libcrypto.so.0.9.7 at run time. I set LDFLAGS=-R/usr/local/openssl-0.9.7/lib at compile time. When I execute the bin I get the following error:

Thu Feb 16 18:39:40 2006 : Debug: read_config_files: reading dictionary
Thu Feb 16 18:39:40 2006 : Error: Errors reading dictionary: dict_init: //usr/local/share/freeradius/dictionary.cablelabs[168]: dict_addvalue: value name too long
Thu Feb 16 18:39:40 2006 : Error: Errors reading radiusd.conf


If I remove line 168 in the cablelabs dictionary file everything loads fine:

Thu Feb 16 18:43:14 2006 : Debug: security: reject_delay = 1
Thu Feb 16 18:43:14 2006 : Debug: security: status_server = no
Thu Feb 16 18:43:14 2006 : Debug: main: debug_level = 0
Thu Feb 16 18:43:14 2006 : Debug: read_config_files: reading dictionary
Thu Feb 16 18:43:14 2006 : Debug: read_config_files: reading naslist
Thu Feb 16 18:43:14 2006 : Debug: read_config_files: reading clients

This is the line I removed.

dictionary.cablelabs[168]
VALUE CableLabs-QoS-Release-Reason Inactivity-Resource-Recovery-Timer-Expiration 2


Alternatively, if I do not set LDFLAGS when I compile and set LD_LIBRARY_PATH at runtime (which I don't want to do) I do not get an error. Am I doing something wrong or is the dictionary file malformed? Please let me know if I can provide any other information.


Thanks,
Ryan






RE: dictionary.cablelabs[168]: dict_addvalue: value name too long

2006-02-16 Thread Ryan Melendez
Hey Alan,

I am using 1.1.0.  Sorry I left that out.

read_config_files:  reading dictionary
Errors reading dictionary: dict_init: 
//usr/local/share/freeradius/dictionary.cablelabs[168]: dict_addvalue: value 
name too long
Errors reading radiusd.conf
[andreadoria:520 ~] /usr/local/sbin/radiusd -v
radiusd: FreeRADIUS Version 1.1.0, for host , built on Feb 16 2006 at 18:27:38
Copyright (C) 2000-2003 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

Thanks,
Ryan



-Original Message-
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Thu 2/16/2006 1:11 PM
To: FreeRadius users mailing list
Subject: Re: dictionary.cablelabs[168]: dict_addvalue: value name too long 
 
Ryan Melendez [EMAIL PROTECTED] wrote:
 Thu Feb 16 18:39:40 2006 : Error: Errors reading dictionary: dict_init:
 //usr/local/share/freeradius/dictionary.cablelabs[168]: dict_addvalue:
 value name too long

  The only way you get that error is if you're running an old version
of FreeRADIUS against newer dictionaries.

  Don't do that.

  Alan DeKok.
