dialupadmin and php5
Hi folks,

I'd like to know if anyone is using dialupadmin along with php5.

Thanks in advance!

--
Sergio Belkin
http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about radwho/radutmp dates
Hi folks,

How long does radwho/radutmp store accounting information?

Thanks in advance

--
Sergio Belkin
About mismatching shared secret
radiusPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x6cb0ac0
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
server inner-tunnel-peap { # from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: Opening IP addresses and Ports
listen {
	type = auth
	ipaddr = 192.168.1.5
	port = 0
}
listen {
	type = acct
	ipaddr = 192.168.1.5
	port = 0
}
listen {
	type = control
 listen {
	socket = /usr/local-test/var/run/radiusd/radiusd.sock
 }
}
listen {
	type = status
	ipaddr = 127.0.0.1
	port = 18120
 client admin {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = YellowSubmarine
 }
}
listen {
	type = auth
	ipaddr = 127.0.0.1
	port = 18121
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock
Listening on status address 127.0.0.1 port 18120 as server status
Listening on authentication address 127.0.0.1 port 18121 as server inner-tunnel
Ready to process requests.

any ideas?

--
Sergio Belkin
Re: radlast output
2012/7/12 Fajar A. Nugraha l...@fajar.net:
> On Thu, Jul 12, 2012 at 3:17 AM, Sergio Belkin seb...@gmail.com wrote:
>> Alan, thanks for your advice; in this mailing list I have always been willing to learn and to admit when I have to fix something. Tamás's mail looked somewhat sarcastic and had nothing to do with the main subject.
>
> If you're still interested in getting the full NAS-Identifier, you should store accounting data in an sql table. Even if you don't want to manage a separate sql server (e.g. mysql), you can use something like sqlite to store the data. Needs some effort (e.g. the module is not built by default), but should be doable.
>
> --
> Fajar

Thanks Fajar, I wanted to get the last access of users. I was getting that information by parsing log files, but I found that radlast is a simple but useful thing, except for the NAS-Identifier character limit.

Storing data in an sql db looks interesting. I've never configured it. If I use sql only for logging, is /etc/raddb/sql.conf the main file that I have to look at? Does storing in sql exclude using plain log files?

Thanks in advance

--
Sergio Belkin
Re: radlast output
2012/7/11 Tamás Becz tamas.b...@ericsson.com:
>> -----Original Message-----
>> From: freeradius-users-bounces+tamas.becz=ericsson.com@lists.freeradius.org [mailto:freeradius-users-bounces+tamas.becz=ericsson@lists.freeradius.org] On Behalf Of Sergio Belkin
>> Sent: Tuesday, July 10, 2012 5:41 PM
>> To: FreeRadius users mailing list
>> Subject: radlast output
>>
>> Hi,
>>
>> radlast shows NAS-Identifier truncated
>>
>> lbazch 009:AP-PV-PB Tue Jul 10 12:10 still logged in
>> mfembe 004:AP-PI-PB Tue Jul 10 12:10 still logged in
>> msabad 005:oficina- Tue Jul 10 12:10 still logged in
>>
>> Why? Is it a bug? A misconfiguration?
>>
>> You want the debug output, ok you have it :)
>
> Uhm, you might want to spend the next couple of hours changing those secrets :)

Hehehe, I read some time ago something like "the stupid one thinks that everyone is stupid" :)

What a pity, I thought you had something interesting to teach us! Oh, I see you are trying to teach us something about social engineering on an open source mailing list! Wow...

--
Sergio Belkin
Re: radlast output
2012/7/11 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> What a pity, I thought you had something interesting to teach us! Oh, I see you are trying to teach us something about social engineering on an open source mailing list! Wow...
>
> You're getting upset at people who are trying to help you. Be nice, or you can be unsubscribed and banned from the list.
>
> Alan DeKok.

Alan, thanks for your advice; in this mailing list I have always been willing to learn and to admit when I have to fix something. Tamás's mail looked somewhat sarcastic and had nothing to do with the main subject. In fact, such a message could have been sent privately. It's not my habit to be sarcastic. But ok, perhaps it was my mistake; it was not my intention to offend Tamás, so my apologies.

Thanks as always.

--
Sergio Belkin
Re: radwho with nas-ip-address behind NAT
2012/6/25 Fajar A. Nugraha l...@fajar.net:
> NAS-IP-Address should be whatever the NAS sends, which can be its loopback/admin address, or its private IP address in case of NAT.

Well, I don't think that. The NAS is sending its public IP, I mean the NAT device IP, not its actual IP. Unless I am doing something wrong...

> Packet-Src-IP-Address, on the other hand, is whatever the radius sees the packet coming from, which should be the NAS/firewall's public IP address in your case.
>
> --
> Fajar
>
> On Mon, Jun 25, 2012 at 11:13 PM, Sergio Belkin seb...@gmail.com wrote:
>> Hi,
>>
>> I wonder whether radwho can show the actual NAS-IP-Address and not the NAT device IP. Another interesting option would be NAS-Identifier. Is that feasible?

--
Sergio Belkin
radwho with nas-ip-address behind NAT
Hi,

I wonder whether radwho can show the actual NAS-IP-Address and not the NAT device IP. Another interesting option would be NAS-Identifier. Is that feasible?

Thanks in advance!

--
Sergio Belkin
Re: Problems with Huntgroup
2012/6/6 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> Good idea, I've tried appending %{EAP-Type} to detail.log
>
> What does that mean?
>
>> but it sends nothing, eg: auth-detail-AP-XXX-DEFAULT--20120606
>> Between - and - there is nothing (neither TTLS nor PEAP appears)
>
> As *ALWAYS*, read the debug output.
>
> You're very dedicated to giving as little information as possible. Why?

OK, you're right; in my next message I will include it :)

> Alan DeKok.

--
Sergio Belkin
Re: Problems with Huntgroup
2012/6/6 Matthew Newton m...@leicester.ac.uk:
> On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
>> Good idea, I've tried appending %{EAP-Type} to detail.log but it sends nothing, eg: auth-detail-AP-XXX-DEFAULT--20120606
>> Between - and - there is nothing (neither TTLS nor PEAP appears)
>
> You've not really explained what you've done. However, I *guess* that you have added %{EAP-Type} to the filename (detailfile) in the detail config.

Yes, you guess well

> Look, though, where detail is getting called, and where eap is called, in the authorize section. It goes in order. The eap module sets EAP-Type, detail is called before. So you need to call the log after eap. But the gotcha is that eap will short circuit the return in the challenges, so you won't call the detail module if you put it after eap.

Nice to know :)

> I'd suggest you let all the incoming logs go to a single location where they are, then you add a new detail (or linelog) module to post-auth. That can use %{EAP-Type}, as it's *after* EAP has happened.

I've tested it and it works, nice! But please keep on reading:

> Alternatively, you can use my other suggestion anywhere you like. If you pick data out of EAP-Message yourself, you get to do what you want with it (and keep the shards when it shatters). Totally untested unlang.
>
>   if (%{EAP-Message} =~ /^0x19/) {
>     detail_log_peap
>   }
>   elsif (%{EAP-Message} =~ /^0x15/) {
>     detail_log_ttls
>   }
>   else {
>     detail_log_other
>   }
>
> Note that things *will* hit detail_log_other. EAP Identity, for instance, before the eap type has been agreed. If you do this in the inner server, be prepared for unexpectedness. In short, understand EAP first.

Good, but it sounds somewhat complex :)

> I just chuck the raw data out with detail and leave it be. The useful stuff is pristinely formatted with gentle loving care by the linelog module, where it sits in a nice greppable format for me. One log entry, in post-auth, after the useful stuff happened. Any more detail needed? Just go to the dirty detail log and dig it out. Happens so rarely it wouldn't matter if it was in binary format and had to be read with a hex editor in Windows...

Wow, linelog seems interesting. I've tried it, but it is only logging Access-Request, why?

I add my debug (I plan to get rid of the inner-tunnel-peap file):

FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on Jan 3 2012 at 16:18:16
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb-testing/radiusd.conf
including configuration file /etc/raddb-testing/proxy.conf
including configuration file /etc/raddb-testing/clients.conf
including files in directory /etc/raddb-testing/modules/
including configuration file /etc/raddb-testing/modules/chap
including configuration file /etc/raddb-testing/modules/mschap
including configuration file /etc/raddb-testing/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb-testing/modules/exec
including configuration file /etc/raddb-testing/modules/realm
including configuration file /etc/raddb-testing/modules/checkval
including configuration file /etc/raddb-testing/modules/rediswho
including configuration file /etc/raddb-testing/modules/passwd
including configuration file /etc/raddb-testing/modules/attr_filter
including configuration file /etc/raddb-testing/modules/linelog
including configuration file /etc/raddb-testing/modules/wimax
including configuration file /etc/raddb-testing/modules/pam
including configuration file /etc/raddb-testing/modules/inner-eap
including configuration file /etc/raddb-testing/modules/echo
including configuration file /etc/raddb-testing/modules/soh
including configuration file /etc/raddb-testing/modules/replicate
including configuration file /etc/raddb-testing/modules/acct_unique
including configuration file /etc/raddb-testing/modules/etc_group
including configuration file /etc/raddb-testing/modules/pap
including configuration file /etc/raddb-testing/modules/expr
including configuration file /etc/raddb-testing/modules/smbpasswd
including configuration file /etc/raddb-testing/modules/attr_rewrite
including configuration file /etc/raddb-testing/modules/radutmp
including configuration file /etc/raddb-testing/modules/mac2ip
including configuration file /etc/raddb-testing/modules/logintime
including configuration file /etc/raddb-testing/modules/sql_log
including configuration file /etc/raddb-testing/modules/smsotp
including configuration file /etc/raddb-testing/modules/preprocess
including configuration file /etc/raddb-testing/modules/policy
including configuration file /etc/raddb-testing/modules/cui
including configuration file /etc/raddb-testing/modules/perl
Re: Problems with Huntgroup
2012/6/5 Matthew Newton m...@leicester.ac.uk:
> On Mon, Jun 04, 2012 at 11:43:07AM -0300, Sergio Belkin wrote:
>> 2012/6/4 Alan DeKok al...@deployingradius.com:
>>> The debug for the inner-tunnel *clearly* shows NOT using the files module.
>>
>> So, sorry for the stupid questions, but how can I do that? It's true what you say about the debug output, but files is in the inner-tunnel configuration; I tried putting files above chap, but it doesn't change anything.
>
> Look at /etc/raddb-testing/sites-enabled/inner-tunnel-peap
>
> You've changed the config, added this file, and not added the files module to it.

How is a module added?

>> My current file is:
>
> That's probably /etc/raddb-testing/sites-enabled/inner-tunnel instead.

Yes it is

> Using different inner-tunnel configs for TTLS and PEAP is just going to cause you pain, unless you REALLY know what you're letting yourself in for. Go back to the default config and use the same for both.

I've added these files because I like to separate the logs when supplicants are using PEAP or TTLS. Is there a better way of doing that?

> The debug output doesn't lie. If it says the module isn't being called when you've just added it, then the module is not being called and you're configuring things in the wrong place.

I don't blame debug :) I want to learn. Sorry, but I repeat the question: how is a module added? Because the files statement is present in both files, /etc/raddb-testing/sites-enabled/inner-tunnel-peap and /etc/raddb-testing/sites-enabled/inner-tunnel

Thanks again

> Cheers,
>
> Matthew
>
> --
> Matthew Newton, Ph.D. m...@le.ac.uk
>
> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, ith...@le.ac.uk

--
Sergio Belkin
Re: Problems with Huntgroup
2012/6/6 Matthew Newton m...@leicester.ac.uk:
> On Wed, Jun 06, 2012 at 10:28:27AM -0300, Sergio Belkin wrote:
>> I've added these files because I like to separate the logs when supplicants are using PEAP or TTLS
>
> I'd still use just one file, and filter the logs instead.
>
>> Is there a better way of doing that?
>
> There may be several ways. The first one that comes to mind is just pulling the EAP type out of the EAP-Message attributes. PEAP connections will have an EAP-Message attribute that matches the regexp /^0x19/, whereas TTLS connections will match /^0x15/.
>
> Alternatively, and probably easier in the long run, add %{EAP-Type} to linelog, so you get the name directly in your logs. Add it in the outer, and you'll see TTLS or PEAP. Add it in the inner, and you'll see the inner EAP type, such as MS-CHAP-V2.

Good idea, I've tried appending %{EAP-Type} to detail.log but it sends nothing, eg: auth-detail-AP-XXX-DEFAULT--20120606

Between - and - there is nothing (neither TTLS nor PEAP appears)

>> I want to learn. Sorry, but I repeat the question: how is a module added? Because the files statement is present in both files, /etc/raddb-testing/sites-enabled/inner-tunnel-peap and /etc/raddb-testing/sites-enabled/inner-tunnel
>
> Apologies - you're right, it is being called. ++[files] returns noop :-)
>
> Add 'preprocess' to the top of the authorize{} section in your inner-tunnel-peap / inner-tunnel files. That's the module that checks huntgroups.

Thanks guys, it did it! I just realized that modules must be appended in the inner-tunnel files to load them :)

TIA

> Cheers,
>
> Matthew
>
> --
> Matthew Newton, Ph.D. m...@le.ac.uk
>
> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, ith...@le.ac.uk

--
Sergio Belkin
Re: Problems with Huntgroup
2012/6/4 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> I've appended something like this to the huntgroups file
>>
>> mb NAS-IP-Address == 10.129.189.1
>> mb NAS-IP-Address == 10.129.84.1
>> mb Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
>>
>> And in the users file:
>>
>> pruebita Huntgroup-Name == mb,Cleartext-Password := pruebon
>>
>> But it is not working; user pruebita does not get an Access-Accept. Please could you help me to solve it?
>
> You edited the default configuration and broke it. Don't do that.
>
> You've set copy_request_to_tunnel, which is good. It means that the huntgroup check will work.
>
> You've deleted files from raddb/sites-available/inner-tunnel. That's why it doesn't work. Add it back, and it will work.
>
> In 2.1.12, read the comments at the top of raddb/sites-available/inner-tunnel. It tells you how to test the inner-tunnel configuration. It tells you what NOT to do. i.e. tested PEAP before testing that the inner-tunnel config works.
>
> Alan DeKok.

Thanks Alan for your answer. I haven't deleted anything with respect to the default configuration files:

32,36c32,36
listen {
       ipaddr = 127.0.0.1
       port = 18120
       type = auth
}
---
#listen {
#       ipaddr = 127.0.0.1
#       port = 18120
#       type = auth
#}
142c142
#       ldap
---
       ldap
230,232c230,232
#       Auth-Type LDAP {
#               ldap
#       }
---
       Auth-Type LDAP {
               ldap
       }
271a272,274
# Sergio
       reply_log
376a380,382
# Sergio
       post_proxy_log

Did I miss something?

Thanks in advance

--
Sergio Belkin
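Review bot: the 32,36c32,36 hunk shows the inner tunnel's loopback listener (127.0.0.1, port 18120) commented out in the edited file, yet the reply being answered points at the comments at the top of raddb/sites-available/inner-tunnel for how to test the inner configuration, and that test sends radtest requests to exactly this listener. Keep a loopback `listen` block for the inner server (on a port that does not collide with the status server, which the debug output elsewhere on this page has on 18120) so the inner configuration can be tested by itself before any PEAP attempt.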
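Review bot: the 230,232c230,232 hunk enables `Auth-Type LDAP { ldap }` in the inner tunnel's authenticate section, and 142c142 enables `ldap` in authorize. Auth-Type LDAP authenticates by binding to the directory as the user, which needs the user's cleartext password from the inner method, so it cannot work for the MS-CHAPv2 exchange PEAP carries inside the tunnel; with `ldap` in authorize the module already supplies the NT-Password / LM-Password attributes the mschap module checks (the rlm_ldap attribute mappings in the debug output on this page show ntPassword and sambaNtPassword being mapped), so leave the `Auth-Type LDAP` block commented as in the default file unless the inner method is PAP.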
Re: Problems with Huntgroup
2012/6/4 Alan DeKok al...@deployingradius.com:
> The debug for the inner-tunnel *clearly* shows NOT using the files module.

So, sorry for the stupid questions, but how can I do that? It's true what you say about the debug output, but files is in the inner-tunnel configuration; I tried putting files above chap, but it doesn't change anything. Please could you help me? I've read the file and the output, and also run radtest, but I can't figure out what I should do.

My current file is:

listen {
       ipaddr = 127.0.0.1
       port = 18121
       type = auth
}
authorize {
       chap
       mschap
       suffix
       update control {
               Proxy-To-Realm := LOCAL
       }
       eap {
               ok = return
       }
       files
       ldap
       expiration
       logintime
       pap
}
authenticate {
       Auth-Type PAP {
               pap
       }
       Auth-Type CHAP {
               chap
       }
       Auth-Type MS-CHAP {
               mschap
       }
       unix
       Auth-Type LDAP {
               ldap
       }
       eap
}
session {
       radutmp
}
post-auth {
       reply_log
       Post-Auth-Type REJECT {
               attr_filter.access_reject
       }
}
pre-proxy {
}
post-proxy {
       post_proxy_log
       eap
}
EOF

Thanks in advance!

--
Sergio Belkin
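The huntgroups and users entries quoted earlier in this thread only work once the module that evaluates huntgroups (preprocess) runs in the same virtual server as the files module. What that evaluation actually does is small enough to show in full. The following is an added example written for this page, not FreeRADIUS code: a re-implementation of the huntgroup matching rule (every check item on a huntgroups line must match; a request belongs to a huntgroup if any line with that name matches), plus the way a users-file check item `Huntgroup-Name == mb` is resolved through it. The three `mb` lines are the ones from the thread; the `lab` line with two check items, the request dictionaries and the attribute names used in them are constructed for the example, and the handling of absent attributes (never matches) is a simplifying assumption.

```python
"""Huntgroup matching as evaluated for a users-file check item.

Added example for this thread, not FreeRADIUS code. A huntgroups line is
"<name> <check-item>[, <check-item>...]": all check items on the line must
match the request, and the request belongs to <name> if any line with that
name matches. "Huntgroup-Name == mb" in the users file is satisfied exactly
when the request belongs to "mb".
"""
import re

# Constructed huntgroups file: the three "mb" lines from the thread plus a
# two-item "lab" line to show that items on one line are ANDed together.
HUNTGROUPS = """
mb   NAS-IP-Address == 10.129.189.1
mb   NAS-IP-Address == 10.129.84.1
mb   Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
lab  NAS-IP-Address == 192.168.1.5, NAS-Port-Type == Wireless-802.11
"""

# attribute, operator, value (quoted or bare); only ==, != and =~ are handled
CHECK_ITEM = re.compile(r'\s*([\w-]+)\s*(==|!=|=~)\s*("[^"]*"|\S+)\s*')


def parse_huntgroups(text):
    """Return [(name, [(attr, op, value), ...]), ...] in file order."""
    groups = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"huntgroups line without check items: {raw!r}")
        name, rest = parts
        items = []
        for piece in rest.split(","):  # assumes no commas inside quoted values
            m = CHECK_ITEM.fullmatch(piece)
            if m is None:
                raise ValueError(f"bad check item {piece!r} in {raw!r}")
            attr, op, value = m.groups()
            items.append((attr, op, value.strip('"')))
        groups.append((name, items))
    return groups


def item_matches(request, attr, op, value):
    """Compare one request attribute (string form) against a check item."""
    actual = request.get(attr)
    if actual is None:
        return False  # simplifying assumption: an absent attribute never matches
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.search(value, actual) is not None
    raise ValueError(f"unsupported operator {op}")


def in_huntgroup(request, name, groups):
    """True if the request satisfies every item of at least one line named `name`."""
    return any(
        all(item_matches(request, *item) for item in items)
        for group_name, items in groups
        if group_name == name
    )


def users_entry_applies(request, groups, check_items):
    """Evaluate the check items of a users-file entry. Huntgroup-Name is not
    an attribute in the packet: it is resolved through the huntgroups."""
    for attr, op, value in check_items:
        if attr == "Huntgroup-Name":
            member = in_huntgroup(request, value, groups)
            ok = member if op == "==" else (not member if op == "!=" else False)
        else:
            ok = item_matches(request, attr, op, value)
        if not ok:
            return False
    return True


if __name__ == "__main__":
    groups = parse_huntgroups(HUNTGROUPS)
    # constructed request as the second "mb" NAS would send it
    req = {"NAS-IP-Address": "10.129.84.1", "User-Name": "pruebita"}
    print("pruebita entry applies:",
          users_entry_applies(req, groups, [("Huntgroup-Name", "==", "mb")]))
```

One caveat worth keeping in mind when huntgroups drive policy: NAS-IP-Address and Called-Station-Id are whatever the NAS puts in the request, so a huntgroup narrows policy among clients that already share a valid secret with the server; it does not authenticate the NAS.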
Re: Only Out-of-tunnel
2012/1/16 Alan Buxey a.l.m.bu...@lboro.ac.uk
> Where's the log for when this happens? As MAC auth wouldn't go through EAP tunnel it would suggest that some entry in eg users file is coming into play...
>
> alan

Alan, I have three logs; I have the following parameter in radiusd.conf:

requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log

For example, for today I have

/var/log/radius/radiusd-inner-tunnel-20120117.log (using ttls)
/var/log/radius/radiusd-inner-tunnel-peap-20120117.log (using peap)
/var/log/radius/radiusd-DEFAULT-20120117.log

The weird thing is that I've found one user that has entries *only* in /var/log/radius/radiusd-DEFAULT-20120117.log, which AFAIK is out-of-tunnel. For example:

Mon Jan 16 11:22:57 2012 : Auth: Login OK: [wterra] (from client AP-PVIII-VI port 2 cli 00-11-00-E4-67-EE)

But neither wterra nor 00-11-00-E4-67-EE have entries in the /var/log/radius/radiusd-inner-tunnel-* log files.

Please could you explain it to me? I don't use MAC based authentication...

Thanks in advance!

--
Sergio Belkin
Re: Only Out-of-tunnel
2012/1/17 Sergio Belkin seb...@gmail.com
> 2012/1/16 Alan Buxey a.l.m.bu...@lboro.ac.uk
>> Where's the log for when this happens? As MAC auth wouldn't go through EAP tunnel it would suggest that some entry in eg users file is coming into play...
>>
>> alan
>
> Alan, I have three logs; I have the following parameter in radiusd.conf:
>
> requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
>
> For example, for today I have
>
> /var/log/radius/radiusd-inner-tunnel-20120117.log (using ttls)
> /var/log/radius/radiusd-inner-tunnel-peap-20120117.log (using peap)
> /var/log/radius/radiusd-DEFAULT-20120117.log
>
> The weird thing is that I've found one user that has entries *only* in /var/log/radius/radiusd-DEFAULT-20120117.log, which AFAIK is out-of-tunnel. For example:
>
> Mon Jan 16 11:22:57 2012 : Auth: Login OK: [wterra] (from client AP-PVIII-VI port 2 cli 00-11-00-E4-67-EE)
>
> But neither wterra nor 00-11-00-E4-67-EE have entries in the /var/log/radius/radiusd-inner-tunnel-* log files.
>
> Please could you explain it to me? I don't use MAC based authentication...
>
> Thanks in advance!

Note: I've copied the entry from yesterday's log, that's why you see Mon Jan 16, but the question is the same: why is there an entry in the DEFAULT log but not in the inner-tunnel logs?

Thanks again

--
Sergio Belkin
Only Out-of-tunnel
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
 }
 Module: Instantiating attr_filter.accounting_response
 attr_filter attr_filter.accounting_response {
	attrsfile = /usr/local/etc/raddb/attrs.accounting_response
	key = %{User-Name}
 }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
}
radiusd: Opening IP addresses and Ports
listen {
	type = auth
	ipaddr = 192.168.1.5
	port = 0
}
listen {
	type = acct
	ipaddr = 192.168.1.5
	port = 0
}
listen {
	type = status
	ipaddr = 127.0.0.1
	port = 18120
 client admin {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = YellowSubmarine
 }
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on status address 127.0.0.1 port 18120 as server status
Ready to process requests.

--
Sergio Belkin
Always Login incorrect: Could not extract EAP-Message from RADIUS message
/detail-20111216
[detail] expand: %t -> Fri Dec 16 09:50:00 2011
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> kiki333
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> kiki333
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 160 to 192.168.2.53 port 49603
Finished request 13.
Cleaning up request 13 ID 160 with timestamp +12
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.4 port 39611, id=2, length=253
	User-Name = SOYKADORNA
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = 02-00-00-00-00-01
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 11Mbps 802.11b
	EAP-Message = 0x0202007a19800070160301006b016703014eeb3ec87be73aa918030263d5e73f349398bd48e8176a62ce944dcf0c6b95cf3a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff01040023
	State = 0x869e7309879c6a16768684a64fbb490b
	Message-Authenticator = 0x0786010bb78d36cc0a93b73a3a9b7a0f
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] expand: /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local/var/log/radius/radacct/requests/192.168.4/auth-detail--DEFAULT-20111216
[auth_log] /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local/var/log/radius/radacct/requests/192.168.4/auth-detail--DEFAULT-20111216
[auth_log] expand: %t -> Fri Dec 16 09:50:01 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = SOYKADORNA, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [SOYKADORNA] (from client AP-sarlanga7 port 0 cli 02-00-00-00-00-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> SOYKADORNA
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 14 for 1 seconds
Going to the next request

--
Sergio Belkin
Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message
2011/12/17 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> I have a really weird problem. We have a lot of NASes and none of them had this problem, except only one! It always gets login incorrect.
>
> Throw the NAS in the garbage.
>
>> If I run eapol_test it complains saying. I've tried replacing the NAS a few times
>
> What does that mean?

Ooops, sorry, it says "could not extract EAP-Message from RADIUS message"

>> and it makes no difference. And it doesn't matter what user tries to connect. Please take a look at user interup with outer identity SOYKADORNA. Am I doing something wrong?
>
> No. The problems are *not* RADIUS problems. The NAS is broken, or there's something else wrong in the network.

Hmmm, so it should be something wrong in the network, because I've tried from 2 different Access Points, with different firmware, and even with eapol_test...

thanks Alan

> Alan DeKok.

--
Sergio Belkin
Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message
2011/12/17 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> Ooops, sorry, it says "could not extract EAP-Message from RADIUS message"
>
> That's a message on the NAS. Ask the NAS manufacturer what it means.
>
>> Hmmm, so it should be something wrong in the network, because I've tried from 2 different Access Points, with different firmware, and even with eapol_test... thanks Alan
>
> It's not a RADIUS problem.

OK, I believe you :)

> The debug output you posted shows the server receiving duplicate packets *many* seconds apart. They're not detected as duplicates, because the retransmissions are too late.
>
> Find the one thing you *didn't* change in the network, and blame it for the problems.
>
> And no, it's still not a RADIUS problem.

It's a remote site that has only an Access Point; from other sites we have no problem. It's a weird thing that it started to happen suddenly. Perhaps the firewall is doing some rude thing with the packets...

> Alan DeKok.

--
Sergio Belkin
Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message
2011/12/16 Sergio Belkin seb...@gmail.com:
> Hi, I have a really weird problem. We have a lot of NASes and none of them had this problem. It always gets "login incorrect". If I run eapol_test it complains saying. I've tried replacing the NAS a few times and it makes no difference. And it doesn't matter what user tries to connect.
>
> could not extract EAP-Message from RADIUS message
> EAPOL: EAP key not available
>
> This is the debug output of freeradius. Please could you help me to solve this issue? The problem happens with client 192.168.3.201. Sorry, but don't pay attention to the IP address (the file has had the sensitive data edited). Please take a look at user interup with outer identity SOYKADORNA
> Thanks again

-- Sergio Belkin http://www.sergiobelkin.com
Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message
2011/12/16 Sergio Belkin seb...@gmail.com:
> 2011/12/16 Sergio Belkin seb...@gmail.com:
>> Hi, I have a really weird problem. We have a lot of NASes and none of them had this problem. It always gets "login incorrect". If I run eapol_test it complains saying. I've tried replacing the NAS a few times and it makes no difference. And it doesn't matter what user tries to connect.
>>
>> could not extract EAP-Message from RADIUS message
>> EAPOL: EAP key not available
>>
>> This is the debug output of freeradius. Please could you help me to solve this issue? The problem happens with client 192.168.3.201. Sorry, but don't pay attention to the IP address (the file has had the sensitive data edited). Please take a look at user interup with outer identity SOYKADORNA
>> Thanks again

I think I've found something about it: http://www.ietf.org/rfc/rfc3579.txt 2.6.3 (Conflicting message). Could that be the problem? Thanks in advance

-- Sergio Belkin http://www.sergiobelkin.com
Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message
-Address = 192.168.2.53,Acct-Session-Id = 0025-000A,User-Name = kiki333' [acct_unique] Acct-Unique-Session-ID = a10966e1e5dda57e. ++[acct_unique] returns ok [suffix] No '@' in User-Name = kiki333, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop ++[files] returns noop +- entering group accounting {...} [detail]expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - /usr/local/var/log/radius/radacct/192.168.2.53/detail-20111216 [detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.53/detail-20111216 [detail]expand: %t - Fri Dec 16 09:50:00 2011 ++[detail] returns ok ++[unix] returns noop [radutmp] expand: /usr/local/var/log/radius/radutmp - /usr/local/var/log/radius/radutmp [radutmp] expand: %{User-Name} - kiki333 ++[radutmp] returns ok [attr_filter.accounting_response] expand: %{User-Name} - kiki333 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 160 to 192.168.2.53 port 49603 Finished request 13. Cleaning up request 13 ID 160 with timestamp +12 Going to the next request Ready to process requests. 
rad_recv: Access-Request packet from host 192.168.4 port 39611, id=2, length=253 User-Name = SOYKADORNA NAS-IP-Address = 127.0.0.1 Calling-Station-Id = 02-00-00-00-00-01 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 11Mbps 802.11b EAP-Message = 0x0202007a19800070160301006b016703014eeb3ec87be73aa918030263d5e73f349398bd48e8176a62ce944dcf0c6b95cf3a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff01040023 State = 0x869e7309879c6a16768684a64fbb490b Message-Authenticator = 0x0786010bb78d36cc0a93b73a3a9b7a0f +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} - [auth_log] expand: /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d - /usr/local/var/log/radius/radacct/requests/192.168.4/auth-detail--DEFAULT-20111216 [auth_log] /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local/var/log/radius/radacct/requests/192.168.4/auth-detail--DEFAULT-20111216 [auth_log] expand: %t - Fri Dec 16 09:50:01 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = SOYKADORNA, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] EAP packet type response id 2 length 122 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} rlm_eap: No EAP session matching the State variable. [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. 
Login incorrect: [SOYKADORNA] (from client AP-sarlanga7 port 0 cli 02-00-00-00-00-01) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} - SOYKADORNA attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 14 for 1 seconds Going to the next request - -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Broken Pipe with ssh
2011/10/12 Alan Buxey a.l.m.bu...@lboro.ac.uk:
> Hi,
>> SSH users are suffering from broken pipe when NASes use the WPA Enterprise schema. I wonder if I have something misconfigured that is causing nonsense reconnections or things alike. Please could you help me and take a look at my config and tell me if I should fix something? Thanks in advance!
>
> not really a RADIUS issue - unless your authentications are taking too long and therefore timing out - causing the clients to lose actual connectivity. you need to see what is happening on the client when these events are taking place - eg look at system messages or wireless stuff to see if something's not right there ...what is the session-timeout? do you change their VLAN - are different APs delivering different VLANs - do you see the clients being mobile at all? lots of things - it's the wireless medium that is causing the issue I believe... and FR 2.1.1 is very very old, I'd recommend that you upgrade
>
> alan

Yup. It seems that it is not a RADIUS issue. Sorry, of course it is not that the problem arose and I thought "Oh, it is a freeradius issue indeed". It happens that it is some problem that we have had for a long time, and it's somewhat difficult to find the cause, so I thought for a moment that I was doing something wrong (I was not blaming the radius developers, it's not my way of doing things). But finally we've found that it seems the firewall device at the edge of the network is causing such issues. Thanks

-- Sergio Belkin http://www.sergiobelkin.com
Broken Pipe with ssh
/attrs.accounting_response key = %{User-Name} } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: Opening IP addresses and Ports listen { type = auth ipaddr = 192.168.1.5 port = 0 } listen { type = acct ipaddr = 192.168.1.5 port = 0 } listen { type = status ipaddr = 127.0.0.1 port = 18120 client admin { ipaddr = 127.0.0.1 require_message_authenticator = no secret = YellowSubmarine } } Listening on authentication address 192.168.1.5 port 1812 Listening on accounting address 192.168.1.5 port 1813 Listening on status address 127.0.0.1 port 18120 as server status Ready to process requests. -- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius + xmpp server
Hi, I'd want to know if anyone there is using freeradius along with an XMPP server. I'd like to read experiences about it. Thanks in advance!

-- Sergio Belkin http://www.sergiobelkin.com
Re: Freeradius + xmpp server
2011/5/27 Phil Mayers p.may...@imperial.ac.uk:
> On 27/05/11 16:31, Sergio Belkin wrote:
>> Hi, I'd want to know if anyone there is using freeradius along with an XMPP server.

I mean using an XMPP server as a NAS. I think that it provides more flexibility to choose on which attributes the authentication is performed.

-- Sergio Belkin http://www.sergiobelkin.com
Re: Freeradius + xmpp server
2011/5/27 Phil Mayers p.may...@imperial.ac.uk:
> On 27/05/11 16:58, Sergio Belkin wrote:
>> I mean using an XMPP server as a NAS. I think that it provides more flexibility to choose on which attributes the authentication is performed.
>
> So, would the idea be that:
>
> * client connects to XMPP server
> * client sends username/password
> * XMPP server sends PAP request
> * radius server replies with yes/no
>
> The easiest way is probably PAM and pam_radius, but it only does authentication. But I assume you want to do something more complex?

The idea is:

* client connects to XMPP server
* client sends uid/radiusPassword (see below)
* XMPP server sends MSCHAPv2 request
* radius server replies with yes/no

radiusPassword is an alternative attribute that we created instead of userPassword. We use it instead of userPassword, which is used for mail and intranet access. I was testing Openfire but it can't choose the attribute, it only uses userPassword, and its radius plugin is a bit outdated...

-- Sergio Belkin http://www.sergiobelkin.com
Re: Freeradius + xmpp server
2011/5/27 Phil Mayers p.may...@imperial.ac.uk:
>> The idea is:
>> * client connects to XMPP server
>> * client sends uid/radiusPassword (see below)
>> * XMPP server sends MSCHAPv2 request
>> * radius server replies with yes/no
>
> Interesting. Since the client is sending user/password, why do you want to translate that to an MSCHAP request?

Well, I don't really know, but there was a plugin from jradius that could do that; as I said, it is somewhat dated.

>> radiusPassword is an alternative attribute that we created instead of userPassword. We use it instead of userPassword, which is used for mail and intranet access.
>
> This is an attribute where? In a radius packet?

It is an LDAP attribute and AFAIK it is a checkItem. I have the following in ldap.attrmap:

    checkItem    Cleartext-Password    radiusPassword

>> I was testing Openfire but it can't choose the attribute, it only uses userPassword, and its radius plugin is a bit outdated...
>
> Have you tried PAM and pam_radius?

Not yet :)

-- Sergio Belkin http://www.sergiobelkin.com
Invalid signature
Hi, I am receiving this error from some NAS:

rad_recv: Accounting-Request packet from host 201.216.227.201 port 58999, id=0, length=86
Received Accounting-Request packet from 201.216.227.201 with invalid signature! (Shared secret is incorrect.) Dropping packet without response.

It's a weird thing, because the secret on both the radius server and the NASes is the same! I don't understand the problem! Thanks in advance!

-- Sergio Belkin http://www.sergiobelkin.com
Re: Invalid signature
2011/5/11 Alan Buxey a.l.m.bu...@lboro.ac.uk:
> Hi,
>> rad_recv: Accounting-Request packet from host 201.216.227.201 port 58999, id=0, length=86
>> Received Accounting-Request packet from 201.216.227.201 with invalid signature! (Shared secret is incorrect.) Dropping packet without response.
>
> server doesnt lie. check the shared secret for the ACCOUNTING part of the NAS
>
> alan

Oops, sorry, it's my fault. I forgot to append

    $var acct_server_shared_secret=$secret $N

to the OpenWrt NAS. It resulted in an OT but I hope that helps someone using OpenWrt. Thanks again

-- Sergio Belkin http://www.sergiobelkin.com
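Why the server "doesn't lie" here: an Accounting-Request carries no password, so its only integrity check is the 16-byte Request Authenticator, which RFC 2866 defines as MD5 over Code, Identifier, Length, sixteen zero octets, the attributes, and the shared secret. If the NAS signed the accounting packet with no secret or a different one (as happened above, where only the authentication secret was configured), the MD5 cannot match and the server drops the packet. The following is an added example, not FreeRADIUS or OpenWrt code; the packet, usernames and both secrets are constructed for illustration.

```python
"""Build and verify the Request Authenticator of a RADIUS Accounting-Request
(RFC 2866 section 3). Added example; packet contents and secrets are made up.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44


def attr(type_code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_acct_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request with Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """True iff the packet's Request Authenticator was computed with `secret`.

    A False here is exactly what FreeRADIUS logs as
    "invalid signature! (Shared secret is incorrect.)".
    """
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    received = packet[4:20]
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)  # constant-time comparison


# Constructed sample: an accounting Start for user "kiki333" from the thread.
SAMPLE_ATTRS = (
    attr(ATTR_USER_NAME, b"kiki333")
    + attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))  # 1 = Start
    + attr(ATTR_ACCT_SESSION_ID, b"0025-000A")
)
SERVER_SECRET = b"testing123"   # made up: what the server's clients.conf holds
OTHER_SECRET = b"changeme"      # made up: what a NAS with a wrong acct secret would use


def demo() -> dict:
    """Same secret verifies; a different secret or a flipped byte does not."""
    good = build_acct_request(0, SAMPLE_ATTRS, SERVER_SECRET)
    wrong_secret = build_acct_request(0, SAMPLE_ATTRS, OTHER_SECRET)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    return {
        "same_secret": verify_acct_request(good, SERVER_SECRET),
        "different_secret": verify_acct_request(wrong_secret, SERVER_SECRET),
        "tampered": verify_acct_request(tampered, SERVER_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the check only proves the sender knew the secret; it does not protect the attributes from a reader on the path, and MD5 with a short, guessable secret is weak against offline guessing, so accounting traffic still belongs on a trusted network or inside IPsec.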
Authentication based on users and NAS
Hi, It was easier than I thought, I simply had to add to /etc/raddb/users something like:

    steve    Called-Station-Id == "00259c14066e", Cleartext-Password := "password"

Still I have 2 issues to solve. The first one is that if I want steve to log in through more than one NAS I have to add one line like the above per NAS. Is there a nicer way to do it? The second one is that I don't know how to do it for LDAP users. Thanks in advance!

-- Sergio Belkin http://www.sergiobelkin.com
Restrict access per NAS
Hi, Is there a way to restrict an LDAP user to be authorized only from a specific NAS (Access Point)? I'm using FreeRADIUS Version 2.1.1. Thanks in advance!

-- Sergio Belkin http://www.sergiobelkin.com
Half OT: Windows XP won't connect
Hi, I have a freeradius with LDAP, supplicants use either EAP-PEAP or EAP-TTLS. Sometimes, Windows (mainly XP) systems won't connect, packages arrive only to Access Point but no to radius server. Generally, solution is rebooting the AP but I wonder if I need to tweak something on AP, this the result from tcpdump: 12:45:07.808808 00:22:5f:43:f4:31 (oui Unknown) Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00 12:45:07.815594 02:25:9c:14:06:6e (oui Unknown) 00:25:9c:14:06:6e (oui Unknown), ethertype Unknown (0x886c), length 94: 0x: 8001 007a 1018 0001 0001 ...z 0x0010: 0008 0x0020: 0016 0022 5f43 f431 776c 3000 ..._C.1wl0. 0x0030: 3014 0100 000f ac02 0... 0x0040: 0100 000f ac04 0100 000 ac01 12:45:07.819711 EAPOL start (1) v1, len 0 12:45:07.825580 02:25:9c:14:06:6e (oui Unknown) 00:25:9c:14:06:6e (oui Unknown), ethertype Unknown (0x886c), length 77: 0x: 8001 0069 1018 0001 0001 ...i 0x0010: 0019 0x0020: 0005 0022 5f43 f431 776d 3000 ..._C.1wl0. 0x0030: 0101 00... 12:45:18.821489 IP 192.168.188.131.17500 192.168.188.255.17500: UDP, length 127 12:45:20.417512 ARP, Request who-has 192.168.188.1 (00:25:9c:14:06:6c (oui Unknown)) tell 192.168.188.187, length 28 12:45:20.417682 ARP, Reply 192.168.188.1 is-at 00:25:9c:14:06:6c (oui Unknown), length 28 12:45:28.095608 ARP, Request who-has 192.168.188.131 tell 192.168.188.1, length 28 12:45:28.098097 ARP, Reply 192.168.188.131 is-at 00:1f:5b:bb:77:f2 (oui Unknown), length 28 12:45:31.165528 ARP, Request who-has 192.168.188.187 tell 192.168.188.1, length 28 12:45:31.169815 ARP, Reply 192.168.188.187 is-at 00:25:d3:74:49:ac (oui Unknown), length 28 12:45:48.919456 ARP, Request who-has 192.168.188.1 (00:25:9c:14:06:6c (oui Unknown)) tell 192.168.188.187, length 28 12:45:48.919612 ARP, Reply 192.168.188.1 is-at 00:25:9c:14:06:6c (oui Unknown), length 28 12:46:04.655521 ARP, Request who-has 192.168.188.187 tell 192.168.188.1, length 28 12:46:04.656464 ARP, Reply 192.168.188.187 is-at 00:25:d3:74:49:ac (oui 
Unknown), length 28 12:46:09.114950 EAPOL start (1) v1, len 0 12:46:09.115553 02:25:9c:14:06:6e (oui Unknown) 00:25:9c:14:06:6e (oui Unknown), ethertype Unknown (0x886c), length 77: 0x: 8001 0069 1018 0001 0001 ...i 0x0010: 0019 0x0020: 0005 0022 5f43 f431 776d 3000 ..._.1wl0. 0x0030: 0101 00... 12:46:14.920025 ARP, Request who-has 192.168.188.1 (00:25:9c:14:06:6c (oui Unknown)) tell 192.168.188.187, length 28 12:46:14.920228 ARP, Reply 192.168.188.1 is-at 00:25:9c:14:06:6c (oui Unknown), length 28 Thanks in advance! -- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP: Causes of Failed binding
Hi, How does freeradius decide that a "Bind as user" has failed? Thanks in advance!!

-- Sergio Belkin http://www.sergiobelkin.com
Fwd: SSL issues
: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = suffix delimiter = @ ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = /usr/local/etc/raddb/users acctusersfile = /usr/local/etc/raddb/acct_users preproxy_usersfile = /usr/local/etc/raddb/preproxy_users compat = no } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = /usr/local/var/log/radius/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating post_proxy_log detail post_proxy_log { detailfile = /usr/local/var/log/radius/radacct/postproxy/%{Client-IP-Address}/post-proxy-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-auth {...} for more modules to load Module: Instantiating reply_log detail reply_log { detailfile = /usr/local/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = /usr/local/etc/raddb/attrs.access_reject key = %{User-Name} } } } server inner-tunnel-peap { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load 
Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = /usr/local/etc/raddb/huntgroups hints = /usr/local/etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Instantiating auth_log detail auth_log { detailfile = /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port } Module: Checking accounting {...} for more modules to load Module: Instantiating detail detail { detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = /usr/local/etc/raddb/attrs.accounting_response key = %{User-Name} } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: Opening IP addresses and Ports listen { type = auth ipaddr = 192.168.1.5 port = 0 } listen { type = acct ipaddr = 192.168.1.5 port = 0 } listen { type = status ipaddr = 127.0.0.1 port = 18120 client admin { ipaddr = 127.0.0.1 require_message_authenticator = no secret = YellowSubmarine } } Listening on authentication address 192.168.1.5 port 1812 Listening on accounting address 192.168.1.5 port 1813 Listening on status address 127.0.0.1 port 18120 as server status Ready to process requests. 
You can read the wireshark dump on: http://pastebin.com/ZH2SfTFq Thanks in advance

-- Sergio Belkin http://www.sergiobelkin.com
Somewhat OT: Empty SubjectAltName on server certificate (EAP-PEAP)
Hi, I have a certificate with xpextensions but its SubjectAltName is empty. Is it mandatory, or is it only wrong when its content doesn't match the FQDN? Thanks in advance!

-- Sergio Belkin http://www.sergiobelkin.com
Re: User enabled for one only NAS
2010/4/5 Sergio Belkin seb...@gmail.com:
> Hi, I've enabled in the users file something like this:
>
>     guest    Cleartext-Password := "guest"
>
> How can I limit that user to only one NAS IP Address? Thanks in advance!

Hmmm.. I wonder whether the question is somewhat stupid or freeradius can't do that... Greets.

-- Open Kairos http://www.sergiobelkin.com / Sergio Belkin
User enabled for one only NAS
Hi, I've enabled in the users file something like this:

    guest    Cleartext-Password := "guest"

How can I limit that user to only one NAS IP Address? Thanks in advance!

-- Open Kairos http://www.sergiobelkin.com / Sergio Belkin
Re: Somewhat OT: Windows Vista annoyance: sends local login credentials
2010/3/30 Julien Savoie julien.sav...@usainteanne.ca:
> Check if you have this enabled in radiusd.conf
>
>     mschap {
>         with_ntdomain_hack = yes
>     }
>
>     realm ntdomain {
>         format = prefix
>         delimiter = "\\"
>         ignore_default = no
>         ignore_null = no
>     }
>
> and proxy.conf
>
>     realm DEFAULT {
>         strip
>     }
>
> If you only have one domain this will work. If you have different domains you'll need to setup the individual realms. Sounds like in your case you don't though.

Hi Julien, file /etc/raddb/modules/mschap is as the original one. I use no domain, only user+password. Sorry, but I forgot the subject before. Thanks in advance!

> Sergio Belkin wrote:
>> There are a few log entries like as follows
>>
>> Auth: Login incorrect (rlm_ldap: User not found): [QSARGENTINA\\amumenthaler] (from client UP-PVIII-VIII-Bis port 0 via TLS tunnel)
>>
>> Please could you help me to find a fix?

-- Open Kairos http://www.sergiobelkin.com / Sergio Belkin
Re: Somewhat OT: Windows Vista annoyance: sends local login credentials
2010/3/31 Julien Savoie julien.sav...@usainteanne.ca:
> Sergio Belkin wrote:
>>> and proxy.conf
>>>
>>>     realm DEFAULT {
>>>         strip
>>>     }
>>>
>>> If you only have one domain this will work. If you have different domains you'll need to setup the individual realms. Sounds like in your case you don't though.
>>
>> Hi Julien, file /etc/raddb/modules/mschap is as the original one. I use no domain, only user+password. Sorry, but I forgot the subject before.
>
> Then you want to by default strip any realm/domain information off the request. Information provided should be sufficient.

Really thanks, but the problem is that users use their personal notebooks; they are students, not employees, so their Windows login usernames are not the same as the LDAP ones. It seems that Vista wants to use SSO and sends those credentials first. Because of that the subject is somewhat OT, but I guess that someone here has run into that problem... thanks in advance!

-- Open Kairos http://www.sergiobelkin.com / Sergio Belkin
Somewhat OT: Windows Vista annoyance: sends local login credentials
Hi, I am using FR 2.1.1, for host x86_64, with LDAP 802.1x/WPA + OpenLDAP for wireless network access. I've found that some clients using EAP-PEAP, mainly Windows Vista, send the notebook's credentials despite automatic use of credentials being disabled... There are a few log entries like as follows:

Auth: Login incorrect (rlm_ldap: User not found): [QSARGENTINA\\amumenthaler] (from client UP-PVIII-VIII-Bis port 0 via TLS tunnel)

Please could you help me to find a fix? Thanks in advance!

-- Open Kairos http://www.sergiobelkin.com / Sergio Belkin
dict_addattr: attribute name too long error when running raclient by cron
Hi, I have a simple script as follows:

#! /bin/bash
echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 16" | radclient localhost:18120 status YellowSubmarine | tee /var/log/radius/status-$(date -d yesterday +%Y%m%d).log
#echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1" | radclient localhost:18120 status YellowSubmarine | tee -a /var/log/radius/status-$(date -d yesterday +%Y%m%d).log

When I run it on the shell it does fine, but when it is launched by root it fails, resulting in:

radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long
radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long

The crontab line is as follows:

58 9 * * * root /scripts/getRadiusStatus > /tmp/whatsup 2>&1

Please could you help to solve it? Thanks in advance

-- Sergio Belkin http://www.sergiobelkin.com
Re: dict_addattr: attribute name too long error when running raclient by cron
2010/3/17 Sergio Belkin seb...@gmail.com:
> Hi, I have a simple script as follows:
>
> #! /bin/bash
> echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 16" | radclient localhost:18120 status YellowSubmarine | tee /var/log/radius/status-$(date -d yesterday +%Y%m%d).log
> #echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1" | radclient localhost:18120 status YellowSubmarine | tee -a /var/log/radius/status-$(date -d yesterday +%Y%m%d).log
>
> When I run it on the shell it does fine, but when it is launched by root it fails, resulting in:
>
> radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long
> radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long
>
> The crontab line is as follows:
>
> 58 9 * * * root /scripts/getRadiusStatus > /tmp/whatsup 2>&1
>
> Please could you help to solve it? Thanks in advance

Sorry, I correct myself: I meant "radclient" in the subject and "launched by cron"...

-- Sergio Belkin http://www.sergiobelkin.com
Re: dict_addattr: attribute name too long error when running raclient by cron
2010/3/17 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> When I run it on the shell it does fine, but when it is launched by root it fails, resulting in:
>>
>> radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long
>
> You have multiple versions of FreeRADIUS installed. Fix that.
>
> Alan DeKok.

Oh yeah, my fault, there was a really stupid mistake: the current binaries are not on cron's path; as you say there were unused and older binaries in /usr/bin, and cron was picking radclient from there. Thanks!

-- Open Kairos http://www.sergiobelkin.com / Sergio Belkin
About FreeRADIUS-Stats-Client-IP-Address
Hi, When I issue the following command on the shell:

echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 35, FreeRADIUS-Stats-Client-IP-Address = 10.128.255.80" | radclient localhost:18120 status MySecret

It gets global statistics and *not only* those of the client. Is there a way to get *only* the stats for that client? Thanks in advance!

-- SB http://www.sergiobelkin.com / Sergio Belkin
Question About rlm_sql_log (it was Re: Time connected)
2009/10/29 Ivan Kalik t...@kalik.net:
> Sergio Belkin wrote:
>> 2009/10/29 Ivan Kalik t...@kalik.net:
>>> Sergio Belkin wrote:
>>>> Hi, Sorry for the stupid question, but I'd want to get how much time every user is connected, please could you provide some kind of guidelines? Using Version 2.1.1.
>>>
>>> SELECT Count(*) FROM radacct WHERE UserName='some_username'
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>
>> I guess that you're using the database module, aren't you?
>
> You should too. Much simpler than parsing detail file.
>
> Ivan Kalik
> Kalik Informatika ISP

Hi, I was reading about rlm_sql_log. I mean I don't want to rely on SQL for authorization and authentication. Can I use that module *only* for easier log handling? Thanks in advance!

-- Open Kairos http://www.openkairos.com / Sergio Belkin
Re: Question About rlm_sql_log (it was Re: Time connected)
2009/11/3 Ivan Kalik t...@kalik.net:
>>>> Sorry for the stupid question, but I'd want to get how much time every user is connected, please could you provide some kind of guidelines? Using Version 2.1.1.
>>>
>>> SELECT Count(*) FROM radacct WHERE UserName='some_username'
>>
>> I guess that you're using the database module, aren't you?
>
> You should too. Much simpler than parsing detail file.
>
>> I was reading about rlm_sql_log.
>
> Why? That has nothing to do with anything you would want.
>
>> I mean I don't want to rely on sql for authorization and authentication.
>
> So don't. Use it just for accounting.
>
>> Can I use that module *only* for easier log handling?
>
> What does that mean?
>
> Ivan Kalik
> Kalik Informatika ISP

I want to find some way to analyze logs, so that I can get e.g. the last user status or how long a user has been connected. Thanks in advance!

-- Open Kairos http://www.openkairos.com / Sergio Belkin
Time connected
Hi,

Sorry for the stupid question, but I'd want to get how much time every user
is connected. Please could you provide some kind of guidelines?

Using Version 2.1.1.

Thanks in advance!

--
Sergio Belkin
Re: Time connected
2009/10/29 Ivan Kalik t...@kalik.net:
> Sergio Belkin wrote:
>> Hi,
>> Sorry for the stupid question, but I'd want to get how much time every
>> user is connected. Please could you provide some kind of guidelines?
>> Using Version 2.1.1.
>
> SELECT Count(*) FROM radacct WHERE UserName='some_username'
>
> Ivan Kalik
> Kalik Informatika ISP

I guess that you're using database module, aren't you?

--
Sergio Belkin
Status X User
Hi,

Is there a way to get the last time that a user got an Access-Accept and an
Access-Reject? Of course I can parse log files, but I wonder if there is a
RADIUS tool that can do it.

Thanks in advance

--
Sergio Belkin
Re: Status X User
2009/10/23 Alexander Clouter a...@digriz.org.uk:
> Sergio Belkin seb...@gmail.com wrote:
>> Is there a way to get the last time that a user got an Access-Accept and
>> an Access-Reject? Of course I can parse log files, but I wonder if there
>> is a RADIUS tool that can do it.
>
> your data - SQL
>
> SELECT * FROM postauth WHERE user_name = 'blar' AND packet_type = 'Access-Reject' ORDER BY timestamp DESC LIMIT 1
>
> Then for the latter replace 'Access-Accept' with 'Access-Reject'?
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Zeus gave Leda the bird.

Ooops, I have no MySQL... except if there is a way to dump log files to a
MySQL database :)

Sorry if the question sounds stupid :)

--
Sergio Belkin
Re: wpa/wpa2 on logs
2009/10/14 Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk:
> On 13/10/2009 18:53, Sergio Belkin wrote:
>> Hi,
>> Is there a way to log if a supplicant is using either WPA or WPA2?
>> Thanks in advance!
>
> No. Information about the security association is not contained in EAP
> authentication attempts.

Thanks Arran! At least it's good to know that.

--
Sergio Belkin
wpa/wpa2 on logs
Hi,

Is there a way to log if a supplicant is using either WPA or WPA2?

Thanks in advance!

--
Sergio Belkin
Weekly and daily logs
Sorry for the stupid question.

Is it possible on FreeRADIUS Version 2.1.1 to create log files on both a daily
and a weekly basis?

Thanks in advance!

--
Sergio Belkin
Re: Out and into tunnel log files
2009/9/1 Ivan Kalik t...@kalik.net:
>> I have configured three virtual servers: default, inner (uses eap-ttls),
>> inner-peap (uses eap-peap). I guess that out of tunnel attempts go to
>> default server log files. cron performs a daily task that more or less
>> performs something like that:
>>
>> Please, I beg you, give me an idea of what I am failing at. I clarify a
>> bit: I've found that some OK are sent to the default server log file
>> *only*, and nothing to the inner tunnel log files.
>
> PEAP and TTLS will have OKs for both inner and outer identities. PAP,
> MSCHAP etc will have only single OK.
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks Ivan,

But in my case PAP and MSCHAP are never used without TTLS or PEAP. So I don't
understand why some OKs were sent to the default server log. Because of that
now I use

    requests = ${logdir}/radiusd-%{%{Virtual-Server}-%Y%m%d.log

and now there are no entries in the default server log. I wonder if what I am
doing is right, I mean if I am omitting some OK by doing that...

Thanks in advance!

--
Sergio Belkin
Re: Out and into tunnel log files
2009/9/3 Sergio Belkin seb...@gmail.com:
> 2009/9/1 Ivan Kalik t...@kalik.net:
>>> I have configured three virtual servers: default, inner (uses eap-ttls),
>>> inner-peap (uses eap-peap). I guess that out of tunnel attempts go to
>>> default server log files. cron performs a daily task that more or less
>>> performs something like that:
>>>
>>> Please, I beg you, give me an idea of what I am failing at. I clarify a
>>> bit: I've found that some OK are sent to the default server log file
>>> *only*, and nothing to the inner tunnel log files.
>>
>> PEAP and TTLS will have OKs for both inner and outer identities. PAP,
>> MSCHAP etc will have only single OK.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> Thanks Ivan,
>
> But in my case PAP and MSCHAP are never used without TTLS or PEAP. So I
> don't understand why some OKs were sent to the default server log. Because
> of that now I use
>
>     requests = ${logdir}/radiusd-%{%{Virtual-Server}-%Y%m%d.log
>
> and now there are no entries in the default server log. I wonder if what I
> am doing is right, I mean if I am omitting some OK by doing that...
>
> Thanks in advance!
>
> Sergio Belkin

Sorry to be repeating myself, but I meant: I don't understand why some OKs
were sent to the default server log *only*.

--
Sergio Belkin
Re: Out and into tunnel log files
2009/8/31 Sergio Belkin seb...@gmail.com:
> Hi,
> I have configured three virtual servers: default, inner (uses eap-ttls),
> inner-peap (uses eap-peap). I guess that out of tunnel attempts go to
> default server log files. cron performs a daily task that more or less
> performs something like that:
>
>     grep OK /var/log/radius/radiusd-*-$date.log | awk '{print $10}' | sort -fu | wc -l
>
> That way I get how many users could get an Access-Accept. Well, I've found
> that that is not right, because some supplicants can send different
> identities inside and outside the tunnel. So I'd like to use:
>
>     grep OK /var/log/radius/radiusd-inner*-$date.log | awk '{print $10}' | sort -fu | wc -l
>
> But I've found that some OK are sent to the default server log file. So I
> can't get the right statistic. Please could you help me to do it?
>
> Below is debug info:

Please, I beg you, give me an idea of what I am failing at. I clarify a bit:
I've found that some OK are sent to the default server log file *only*, and
nothing to the inner tunnel log files. I don't understand why, if I have in
radiusd.conf

    log {
        destination = files
        file = ${logdir}/radius.log
        requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
        syslog_facility = daemon
        stripped_names = yes
        auth = yes
        auth_badpass = no
        auth_goodpass = no
    }

in the debug messages *only* this appears:

    log {
        stripped_names = yes
        auth = yes
        auth_badpass = no
        auth_goodpass = no
    }

Now I am using

    requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log

but I don't know if it is right, because the ${logdir}/radiusd-%DEFAULT}-%Y%m%d.log
files from the DEFAULT server (out of tunnel) are not generated at all, and
they were useful because they showed the MAC address of the supplicant.

If you want to see more of my config you can do it on:
http://pastebin.com/m65441172

--
Sergio Belkin
Radius Logs in database (It was Re: rlm_ldap logs)
2009/8/28 Sergio Belkin seb...@gmail.com:
> Hi
> I am using Version 2.1.1 with openldap on Centos 5.
> I wonder if it is feasible to dump to logs when a user gets "login
> incorrect" due to non-existence of that uid in LDAP.
> Thanks in advance!

Shame on me! That is something that the logs already do:

Fri Aug 28 18:48:08 2009 : Auth: Login incorrect (rlm_ldap: User not found): [zz...@zz.zzz] (from client port 0 via TLS tunnel)

Thanks and sorry.

Even so, I'd like to find a way to store RADIUS logs in a database. Does such
a tool exist? I need to perform some queries on them, for example, which users
had an incorrect login (e.g. bad password or certificate) and after some time
could get an OK. Perhaps some of you have an idea about how I can do that.

Thanks in advance

--
Sergio Belkin
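The questions in this thread and in "Status X User" (last Access-Accept and Access-Reject per user, users who failed and later got an OK) and the distinct-accepted-users count the grep|awk|sort pipeline in "Out and into tunnel log files" was after can all be answered without a database by parsing the "Auth:" lines of radius.log. The script below is an added example written for this page, not code from the thread or from FreeRADIUS. The log lines are constructed in the 2.1.x format quoted above (user names, client names and MACs are made up), and the "via TLS tunnel" marker that FreeRADIUS puts on inner-tunnel requests is what separates inner identities from outer ones such as anonymous.

```python
"""Answer last-status / recovered-user questions from radius.log without SQL."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of FreeRADIUS 2.1.x radius.log "Auth:" lines (not from the
# thread; users, client names and MACs are made up). Last line is a non-Auth
# line to show that other log levels are skipped.
SAMPLE_LOG = """\
Fri Aug 28 18:48:08 2009 : Auth: Login incorrect (rlm_ldap: User not found): [zzz@zz.zzz] (from client ap1 port 0 via TLS tunnel)
Fri Aug 28 18:48:08 2009 : Auth: Login OK: [anonymous] (from client ap1 port 0 cli 00-11-22-33-44-55)
Fri Aug 28 18:48:09 2009 : Auth: Login OK: [jdoe] (from client ap1 port 0 via TLS tunnel)
Fri Aug 28 18:50:12 2009 : Auth: Login incorrect (rlm_mschap: MS-CHAP2-Response is incorrect): [jsmith] (from client ap2 port 0 via TLS tunnel)
Fri Aug 28 18:51:40 2009 : Auth: Login OK: [jsmith] (from client ap2 port 0 via TLS tunnel)
Fri Aug 28 18:51:40 2009 : Auth: Login OK: [anonymous] (from client ap2 port 0 cli 00-aa-bb-cc-dd-ee)
Fri Aug 28 19:02:00 2009 : Auth: Login incorrect (rlm_ldap: User not found): [ghost] (from client ap1 port 0 via TLS tunnel)
Fri Aug 28 19:02:01 2009 : Info: rlm_ldap: Attempting reconnect
"""

# "<date> : Auth: Login OK|incorrect (<reason>): [<user>] (from client <c> port <n> <rest>)"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port \d+(?P<rest>[^)]*)\)$"
)


def parse_auth_log(text):
    """One dict per recognised 'Auth:' line; Info/Error lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "ok": m["result"] == "OK",
            "reason": m["reason"],
            "user": m["user"],
            "client": m["client"],
            # inner-tunnel requests are logged "via TLS tunnel"; outer ones carry the caller MAC
            "inner": "via TLS tunnel" in m["rest"],
        })
    return events


def last_status(events):
    """Per user, time of the most recent Login OK and Login incorrect (None if never)."""
    status = defaultdict(lambda: {"last_ok": None, "last_incorrect": None})
    for ev in events:
        key = "last_ok" if ev["ok"] else "last_incorrect"
        seen = status[ev["user"]][key]
        if seen is None or ev["time"] > seen:
            status[ev["user"]][key] = ev["time"]
    return dict(status)


def accepted_users(events, inner_only=True):
    """Distinct users with a Login OK. With inner_only, outer identities such as
    'anonymous' are excluded, which is what restricting grep to the inner*
    log files was meant to achieve."""
    return sorted({ev["user"] for ev in events
                   if ev["ok"] and (ev["inner"] or not inner_only)})


def recovered_users(events):
    """Users who had at least one Login incorrect and a later Login OK."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    out = []
    for user, evs in by_user.items():
        bad = [e["time"] for e in evs if not e["ok"]]
        good = [e["time"] for e in evs if e["ok"]]
        if bad and good and min(bad) < max(good):
            out.append(user)
    return sorted(out)


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for user, st in sorted(last_status(evs).items()):
        print(f"{user:12} last OK: {st['last_ok']}  last incorrect: {st['last_incorrect']}")
    print("accepted (inner identities):", accepted_users(evs))
    print("failed, then later OK:", recovered_users(evs))
```

Run it against a real file with `parse_auth_log(open("/var/log/radius/radius.log").read())`; with `auth_goodpass = yes` the bracketed field would also contain the password, so keep that setting off if the log is going to be kept or copied anywhere.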
Out and into tunnel log files
: Instantiating files
  files {
    usersfile = /usr/local/etc/raddb/users
    acctusersfile = /usr/local/etc/raddb/acct_users
    preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
    compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
    filename = /usr/local/var/log/radius/radutmp
    username = %{User-Name}
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating post_proxy_log
  detail post_proxy_log {
    detailfile = /usr/local/var/log/radius/radacct/postproxy/%{Client-IP-Address}/post-proxy-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
    header = %t
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating reply_log
  detail reply_log {
    detailfile = /usr/local/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
    header = %t
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
    attrsfile = /usr/local/etc/raddb/attrs.access_reject
    key = %{User-Name}
  }
 }
}
server inner-tunnel-peap {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
    huntgroups = /usr/local/etc/raddb/huntgroups
    hints = /usr/local/etc/raddb/hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
 Module: Instantiating auth_log
  detail auth_log {
    detailfile = /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
    header = %t
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
    key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating detail
  detail {
    detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
    header = %t
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
    attrsfile = /usr/local/etc/raddb/attrs.accounting_response
    key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd: Opening IP addresses and Ports
listen {
    type = auth
    ipaddr = 192.168.1.5
    port = 0
}
listen {
    type = acct
    ipaddr = 192.168.1.5
    port = 0
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Ready to process requests.

--
Sergio Belkin
rlm_ldap logs
Hi

I am using Version 2.1.1 with openldap on Centos 5.

I wonder if it is feasible to dump to logs when a user gets "login incorrect"
due to non-existence of that uid in LDAP.

Thanks in advance!

--
Sergio Belkin
Prevent uid sharing or hot to allow use uid only once
Hi,

Let's suppose that John Doe comes and logs in with the jdoe uid; then Joe
comes and wants to use the wireless network, but he has no entry in either
LDAP or the RADIUS users file, so he asks jdoe, who passes him his uid and
password to log in.

Sorry if that sounds somewhat stupid, but can we prevent that from RADIUS?
(Please don't tell me to fire John Doe ;) )

Thanks in advance!

--
Sergio Belkin
Reply-message and supplicant
Hi,

Is it possible that Reply-Message can be seen from laptops running the
supplicant?

Thanks in advance!

--
Sergio Belkin
Re: Reply-message and supplicant
2009/6/5 a.l.m.bu...@lboro.ac.uk:
>> Hi,
>
> Hi Sergio,
>
>> Is it possible that Reply-Message can be seen from laptops running the
>> supplicant?
>
> Not with EAP no. You can use EAP-Notification packets, but very few
> supplicants display the contents to the user, and the server doesn't
> support their generation.
>
> which is why rather useful messages can be sent from RADIUS server to
> RADIUS server so that admins can see what is going on but the users dont
> get to see such information
>
> alan

Does the file attrs.access_reject have to do with what you are talking about?

--
Sergio Belkin
Re: Prevent uid sharing or hot to allow use uid only once
2009/6/5 John Dennis jden...@redhat.com:
> Sergio Belkin wrote:
>> Hi,
>> Let's suppose that John Doe comes and logs in with the jdoe uid; then Joe
>> comes and wants to use the wireless network, but he has no entry in either
>> LDAP or the RADIUS users file, so he asks jdoe, who passes him his uid and
>> password to log in.
>> Sorry if that sounds somewhat stupid, but can we prevent that from RADIUS?
>> (Please don't tell me to fire John Doe ;) )
>
> I don't understand the problem or what you're trying to solve. So what if
> Joe mistakenly tries to use John's username, it won't work as he won't know
> Joe's password. This is no different than an attempted network break in
> which should be prevented by locking your resources down and ensuring
> strong passwords. Never in any instance will resources authorized for one
> user be granted to another user unless you've configured something wrong.
>
> If the problem is that both John and Joe want the same username then one
> needs to explain to Joe that username is already in use and he'll have to
> use another one.
>
> --
> John Dennis jden...@redhat.com

What I meant is that employee John passes his coworker Joe his credentials,
both username and password; well, that might not be so terrible. Now, let's
suppose that your company organizes an event and 100 people come. They want
to use the wireless network, so John comes and has the great idea of passing
his credentials to the attendants, so you have more than 100 people using the
same uid and password at once...

--
Sergio Belkin
Re: Reply-message and supplicant
2009/6/5 a.l.m.bu...@lboro.ac.uk:
> Hi,
>
>> Does the file attrs.access_reject have to do with what you are talking
>> about?
>
> in a way - that file lists the attributes that are allowed to pass after
> an access reject - you still have to set eg the Reply-Message *or some
> other VSA* to let the remote site know
>
> alan

Sorry for the stupid question, what does "EAP-Message =* ANY" mean?

--
Sergio Belkin
Re: Prevent uid sharing or hot to allow use uid only once
2009/6/5 a.l.m.bu...@lboro.ac.uk:
> Hi,
>
>> What I meant is that employee John passes his coworker Joe his
>> credentials, both username and password; well, that might not be so
>> terrible. Now, let's suppose that your company organizes an event and 100
>> people come. They want to use the wireless network, so John comes and has
>> the great idea of passing his credentials to the attendants, so you have
>> more than 100 people using the same uid and password at once...
>
> simultaneous-use - only allow one instance of the user/pass to be online at
> a time.

Should I enable accounting for that?

> sure, another person might be on instead of John...but then John wont be
> able to get online...He'd very quickly be miffed that he'd lost his access
> due to someone else using his credentials
>
> alan

--
Sergio Belkin
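Alan's answer here (Simultaneous-Use, which needs accounting to know who is online) and Ivan's remark in the "Time connected" thread about parsing the detail file both come down to the same session state. As an added example, not code from the thread or from FreeRADIUS, the script below parses an rlm_detail accounting file in the layout the debug output above shows (header = %t, tab-indented attributes, a blank line between records; the records themselves are constructed), folds Start/Interim-Update/Stop records into sessions, and derives per-user connected time (the "how much time" counterpart of the count(*) query), the still-open sessions that radutmp would track, and the accept/refuse decision a Simultaneous-Use := 1 check makes from them.

```python
"""Rebuild per-user session state from a FreeRADIUS rlm_detail accounting file."""
from collections import defaultdict

# Constructed sample in the detail-file layout the debug output above shows
# (header = %t, tab-indented "Attr = value" lines, blank line between records).
# Users, MACs, addresses and session ids are made up, not data from the thread.
SAMPLE_DETAIL = """\
Fri Aug 28 18:48:08 2009
\tAcct-Session-Id = "0000001a"
\tAcct-Status-Type = Start
\tUser-Name = "jdoe"
\tNAS-IP-Address = 192.168.1.5
\tCalling-Station-Id = "00-11-22-33-44-55"
\tTimestamp = 1251485288

Fri Aug 28 19:48:08 2009
\tAcct-Session-Id = "0000001a"
\tAcct-Status-Type = Stop
\tUser-Name = "jdoe"
\tNAS-IP-Address = 192.168.1.5
\tAcct-Session-Time = 3600
\tTimestamp = 1251488888

Fri Aug 28 20:05:00 2009
\tAcct-Session-Id = "0000003c"
\tAcct-Status-Type = Start
\tUser-Name = "jdoe"
\tNAS-IP-Address = 192.168.1.6
\tTimestamp = 1251489900

Fri Aug 28 20:10:00 2009
\tAcct-Session-Id = "0000004d"
\tAcct-Status-Type = Start
\tUser-Name = "jsmith"
\tNAS-IP-Address = 192.168.1.5
\tTimestamp = 1251490200

Fri Aug 28 20:20:00 2009
\tAcct-Session-Id = "0000004d"
\tAcct-Status-Type = Interim-Update
\tUser-Name = "jsmith"
\tNAS-IP-Address = 192.168.1.5
\tAcct-Session-Time = 600
\tTimestamp = 1251490800
"""


def parse_detail(text):
    """Split a detail file into records: {"header": str, "attrs": {name: value}}."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a record
            if current is not None:
                records.append(current)
            current = None
        elif line[:1] in " \t":              # indented attribute line
            if current is None:
                continue                     # stray attribute with no header
            name, _, value = line.strip().partition(" = ")
            current["attrs"][name] = value.strip('"')
        else:                                # unindented header (%t timestamp)
            current = {"header": line, "attrs": {}}
    if current is not None:
        records.append(current)
    return records


def build_sessions(records):
    """Fold Start/Interim/Stop records into one entry per (NAS, Acct-Session-Id)."""
    sessions = {}
    for rec in records:
        a = rec["attrs"]
        key = (a.get("NAS-IP-Address"), a.get("Acct-Session-Id"))
        s = sessions.setdefault(key, {"user": a.get("User-Name"), "seconds": 0, "open": True})
        status = a.get("Acct-Status-Type")
        if status == "Stop":
            s["open"] = False
        if status in ("Stop", "Interim-Update", "Alive"):
            s["seconds"] = int(a.get("Acct-Session-Time", s["seconds"]))
    return sessions


def connected_time(sessions):
    """Accounted seconds per user: the 'how much time' counterpart of count(*) on radacct."""
    total = defaultdict(int)
    for s in sessions.values():
        total[s["user"]] += s["seconds"]
    return dict(total)


def open_sessions(sessions, user):
    """Sessions with a Start but no Stop yet, i.e. what radutmp would list for the user."""
    return [s for s in sessions.values() if s["user"] == user and s["open"]]


def simultaneous_use_allows(sessions, user, limit=1):
    """The decision Simultaneous-Use := limit makes: accept only while fewer than
    `limit` sessions are open. Without accounting no session is ever known to be
    open, so the check could never refuse anyone."""
    return len(open_sessions(sessions, user)) < limit


if __name__ == "__main__":
    sess = build_sessions(parse_detail(SAMPLE_DETAIL))
    for user, secs in sorted(connected_time(sess).items()):
        print(f"{user:8} {secs:6d} s accounted, {len(open_sessions(sess, user))} open,"
              f" new login allowed: {simultaneous_use_allows(sess, user)}")
```

A Stop that never arrives (NAS reboot, lost UDP packet) leaves the session open forever in this model, which is exactly why the radutmp module has `check_with_nas = yes`: before refusing a login it asks the NAS whether the recorded session really still exists.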
Still with ldap error
Hi,

Some months ago I mentioned a problem that seems to be non-fatal but is still
there:

Fri May 22 10:00:50 2009 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Fri May 22 10:00:50 2009 : Info: rlm_ldap: Attempting reconnect

This problem appears more or less every 90 seconds. In the LDAP logs you can
see things like this:

May 22 04:16:40 ldap-server slapd[27663]: conn=219 fd=14 ACCEPT from IP=127.0.0.1:56359 (IP=127.0.0.1:389)
May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 BIND dn=uid=jojo0l4,ou=people,dc=domain,dc=edu method=128
May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 BIND dn=uid=jojo0l4,ou=people,dc=domain,dc=edu mech=SIMPLE ssf=0
May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 RESULT tag=97 err=0 text=
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND anonymous mech=implicit ssf=0
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND dn=uid=jojoi1,ou=people,dc=domain,dc=edu method=128
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND dn=uid=jojoi1,ou=people,dc=domain,dc=edu mech=SIMPLE ssf=0
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 RESULT tag=97 err=0 text=
May 22 04:18:01 ldap-server slapd[27663]: conn=219 fd=14 closed (idletimeout)
May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 ACCEPT from IP=IPADDRESS:57845 (IP=0.0.0.0:636)
May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 TLS established tls_ssf=256 ssf=256
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 BIND dn=uid=jojo2,ou=people,dc=domain,dc=edu method=128
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 BIND dn=uid=jojo2,ou=people,dc=domain,dc=edu mech=SIMPLE ssf=0
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 RESULT tag=97 err=0 text=
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=1 UNBIND
May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 closed
May 22 10:07:45 ldap-server slapd[22236]: conn=219 fd=17 ACCEPT from IP=IPADDRESS:36313 (IP=0.0.0.0:636)
May 22 10:07:45 ldap-server slapd[22236]: conn=219 fd=17 TLS established tls_ssf=256 ssf=256

I've tried modifying idletimeout and timelimit in slapd.conf, and modifying
the limits for the LDAP radius user. I was playing with timeout and timelimit
and nothing changed. Raising and lowering

Using FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Oct 21 2008 at 15:14:37

I'd thank you for your help!

--
Sergio Belkin
somewhat ot: Check radius server name on linux supplicant
Hi,

I'm stuck with a problem to which I haven't found an easy solution. Let's say
we use either EAP-PEAP or EAP-TTLS. On Windows you have ways to check not only
the CA certificate but also the RADIUS server name. I've tried:

*NetworkManager: It can't check the RADIUS server name.
*wicd: You could use customized scripts, but that makes things harder and
replaces NetworkManager, which is the default network tool on modern distros.
*kwlan: It's like wicd and more KDE oriented.
*wpasupplicant: It can check the server name! But on Fedora 10 I haven't found
a way to make NetworkManager apply its config file. Most modern, end-user
distros don't pay attention to the wpasupplicant config file.

On Windows (and I am not precisely an MS fan) you can check the server name
either by itself or with SecureW2. On Mac it prompts you, showing the RADIUS
server name. Sadly, I haven't found a way on Linux to check the RADIUS server
name.

I fear this: let's say I have a RADIUS server which uses a certificate signed
by WhateverSign. You get a certificate signed by WhateverSign too. You use a
trustable CA certificate, don't you? Well, you configure a cheating Access
Point. Then a user comes and connects to that cheating Access Point.

Please tell me if that risk exists and if it is worth worrying about. If it
is, how can I check the RADIUS server name on a modern Linux distro?

Thanks in advance and happy new year

--
Sergio Belkin
IP per user
Hi,

I wonder if RADIUS can force a given user, e.g. jdoe, to always get the same IP
address from an Access Point?

Thanks in advance

--
Sergio Belkin
Re: IP per user
2008/12/17 t...@kalik.net:
> AP uses DHCP not radius to assign IPs. So - no. You can reserve IPs for
> devices but not users.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 17/12/2008, Sergio Belkin seb...@gmail.com wrote:
>> Hi,
>> I wonder if RADIUS can force a given user, e.g. jdoe, to always get the
>> same IP address from an Access Point?
>> Thanks in advance
>> --
>> Sergio Belkin

Thanks Ivan, I guess that

--
Sergio Belkin
Re: Somewhat OT: Captive portal on acess points instead complex supplicant at level end user?
2008/12/15 a.l.m.bu...@lboro.ac.uk:
> hi,
>
> why go backwards when you have the right wireless technology in place? you
> need to look at the windows client end of things. I'd suggest looking at
> automating the setup..the best thing would be to have another wireless SSID
> (eg 'setup for XYZ' - where XYZ is your current SSID) - and have that as an
> open wifi that can only (ONLY!) access one single IP on which lives a web
> server with auto setup tools - eg .NET or VBS for MS windows, XML for MAC
> and even a setup file for iPhone/iPod touch etc. (this would have to be a
> webredirect so as soon as they associate, any DNS or port 80/8080/3128 etc
> get sent to the index page.) - another web delivery option is to prepackage
> eg open1x (open1x.sf.net) or SecureW2 (another supplicant) and get them to
> use that
>
> as you did note, the problem is with the client setup.. thats the current
> difficulty with 802.1X.
>
> alan

Thanks for the ideas. In fact, some of the things you suggest I am using right
now :) for example:

*Automated SecureW2 installer (TTLS)
*Web page with a secondary password for PEAP

But even so, some users find it somewhat hard to use. I've tried, with no
success at this moment, to use more than one SSID on OpenWRT on a Linksys
WRT54GL...

All in all, you and Paul have provided me with interesting info...

--
Sergio Belkin
Re: Somewhat OT: Captive portal on acess points instead complex?supplicant at level end user?
2008/12/15 Alexander Clouter a...@digriz.org.uk:
> Sergio Belkin seb...@gmail.com wrote:
>> Thanks for the ideas. In fact, some of the things you suggest I am using
>> right now :) for example:
>> *Automated SecureW2 installer (TTLS)
>> *Web page with a secondary password for PEAP
>> But even so, some users find it somewhat hard to use.
>
> We seem to have no real problems with SecureW2 and our userbase. Mac OS X
> users 'import' the configuration (if they are 10.3 or 10.4) and WinXP users
> get a light time of it would my SecureW2 preconfiguration script with some
> NSIS wrapper action to spoonfeed them during problematic bits.
>
> Of course SecureW2 + WinXP + SP3 + wired 802.1X is fruity at the moment
> which is our current problem, however that's a grumble for another thread.
>
> The only problems we have is that we are 'awkward' and force WPA2 only and
> do not give into those WPA (version 1) TKIP weenies.
>
>> I've tried, with no success at this moment, to use more than one SSID on
>> OpenWRT on a Linksys WRT54GL...
>
> Do not ever go down this route[1]. It completely negates the point of
> having a WPA Enterprise network when someone comes along with an evil twin
> network and gets the user to install a 'springboard' application to get
> onto the better network. It's as counterproductive as using PEAP/TTLS
> without full certificate validation :-/
>
> If you want my NSIS and/or SecureW2 INF file do drop me an email.
>
> The springboard'ing issue we resolved by dumping everything onto a CD and
> distributed them to the masses that way. Even if this is not an option for
> you (like us in education with 'student welcome packs') if you make the
> CD's readily available near hotspots and what not in public areas people
> will find what they need.
>
> Cheers
>
> Alex
>
> [1] I have convinced myself it's safe for a wired network, getting
> non-802.1X clients 802.1X'ified, but just not worth the risk for wireless
> clients
>
> --
> Alexander Clouter
> .sigmonster says: Succumb to natural tendencies. Be hateful and boring.

Recently we upgraded from OpenWrt White Russian to Kamikaze. By now, the
problem with discarding packets is gone. Most of the issues were that at
random times it took a long time to get an Access-Accept, or the AP didn't get
any frames from the supplicants at all...

--
Sergio Belkin
Re: Slightly OT: Problem with Vista
2008/12/11 a.l.m.bu...@lboro.ac.uk:
> hi,
>
> which version of FreeRADIUS are you using?
>
> alan

Release 2.1.2, but it seems a supplicant issue...

--
Sergio Belkin
Somewhat OT: Captive portal on acess points instead complex supplicant at level end user?
Hi,

Currently I'm using:

*OpenWRT Kamikaze in the APs
*FreeRADIUS 2.1.2
*LDAP

End users use either TTLS or PEAP on their notebooks; as I have an LDAP
server, each uses his username and password. The problem with this approach is
that it is somewhat complex for end users: they must either install software
or do a complicated configuration (think in end-user terms, please).

I'd want to have an open wireless network where each user accesses a captive
portal and enters his username and password; that captive portal redirects the
request to FreeRADIUS, and FreeRADIUS in turn queries the LDAP server.

I'd want to know if CoovaAP (or something similar, what?) can perform such a
task as a captive portal installed on the APs.

I'd be glad to read suggestions.

Thanks in advance!!

--
Sergio Belkin
Slightly OT: Problem with Vista
0x0020:  0005 001f 3a1b 4e8b 776c 3000 1000       :.N.wl0.
0x0030:  5000 fc59 fb00 0101 00                   PY.
00:10:40.337119 EAP code=1 id=1 length=0

Please, what could be the problem?

Thanks in advance

--
Sergio Belkin
Re: radius user queries for uid anonymous in ldap
2008/12/5 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
>> That solved it. Now it remains a little problem on radiusd.log:
>>
>> Thu Dec 4 09:07:51 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
>
> Your LDAP server is likely timing out the connections.
>
> Alan DeKok.

My LDAP server has:

    idletimeout 30
    timelimit 300

Is 30 not enough?

--
Sergio Belkin
Re: radius user queries for uid anonymous in ldap
2008/12/3 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
>> Hi,
>> I use FreeRADIUS with EAP-TTLS and EAP-PEAP. Below there is the LDAP log;
>> I wonder why RADIUS bothers to query for the anonymous uid and not only
>> for the uid inside the tunnel.
>
> Because you configured the ldap module *outside* of the tunnel, too. If
> you don't list it in sites-enabled/default, it will only do queries for
> inside of the TLS tunnel.

Thanks Alan! That solved it. Now it remains a little problem on radiusd.log:

Thu Dec 4 09:07:51 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Dec 4 09:07:51 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec 4 09:10:41 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Dec 4 09:10:41 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec 4 09:12:14 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Dec 4 09:12:14 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec 4 09:14:30 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Dec 4 09:14:30 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec 4 09:18:09 2008 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Dec 4 09:18:09 2008 : Info: rlm_ldap: Attempting reconnect

Where does this problem come from? RADIUS or LDAP? The ldap module config is as
follows:

    ldap {
        server = ldap.palermo.edu
        identity = cn=freeradius,ou=applications,dc=palermo,dc=edu
        password = somepass
        basedn = ou=people,dc=palermo,dc=edu
        filter = (uid=%u)
        ldap_connections_number = 1
        timeout = 60
        timelimit = 120
        net_timeout = 10
        tls {
            cacertfile = /etc/raddb/cacert.pem
            randfile = /dev/urandom
        }
        access_attr = radiusAllowed
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
    }

Thanks in advance!

--
Sergio Belkin
radius user queries for uid anonymous in ldap
Hi, I use freeradius with EAP-TTLS and EAP-PEAP. Below there is the ldap log; I wonder why radius bothers to query for the anonymous uid and not only for the uid inside the tunnel.

Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 fd=15 ACCEPT from IP=123.45.67.89:56075 (IP=0.0.0.0:636)
Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 fd=15 TLS established tls_ssf=256 ssf=256
Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 BIND dn=cn=freeradius,ou=applications,dc=cadorna,dc=edu method=128
Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 BIND dn=cn=freeradius,ou=applications,dc=cadorna,dc=edu mech=SIMPLE ssf=0
Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 RESULT tag=97 err=0 text=
Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SRCH base=ou=people,dc=cadorna,dc=edu scope=2 deref=0 filter=(uid=anonymous)
Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SRCH attr=radiusPassword radiusAllowed
Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SRCH base=ou=people,dc=cadorna,dc=edu scope=2 deref=0 filter=(uid=anonymous)
Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SRCH attr=radiusPassword radiusAllowed
Dec 3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SRCH base=ou=people,dc=cadorna,dc=edu scope=2 deref=0 filter=(uid=glinde)
Dec 3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SRCH attr=radiusPassword radiusAllowed
Dec 3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SRCH base=ou=people,dc=cadorna,dc=edu scope=2 deref=0 filter=(uid=jinfan)
Dec 3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SRCH attr=radiusPassword radiusAllowed
Dec 3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 3 08:55:05 sinclair slapd[11285]: conn=1264 fd=15 closed (idletimeout)

Does it make sense to query for anonymous?

Thanks in advance!
Re: Freeradius error: Discarding conflicting packet
I've upgraded to OpenWRT Kamikaze and the problem seems to go away...

2008/11/6 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
> > Alan, thanks, that's really a quite convincing answer :)
>
> Yup. I'm not just a random loudmouth on this list.
>
> > Of course I believe you, but please understand me, it's hard for me to realize that either Linksys makes non-standard products or the OpenWRT (White Russian) developers had made such a mistake.
>
> <shrug> There are many, many, RADIUS client implementations that are nearly as bad.
>
> > So, I'd be glad to know which APs are standards compliant. Is there a list?
>
> Nope. I don't think very many are fully standards compliant. I suggest updating the Wiki with any issues you find.
>
> Alan DeKok.
Somewhat OT: Mac OS self-assigned IP issues
Hi, I am using OpenWRT Kamikaze and sometimes there is a problem with Mac OS clients. Clients get an Access-Accept, but Mac OS says that it only gets a self-assigned IP and then it can't surf the web. The problem happens using either TTLS or PAP. Is it a Mac OS problem or an OpenWRT one? I'd be glad to read suggestions and comments...

Thanks in advance
Framed-User?
Sorry for the stupid question, but what does Framed-User stand for? I hope not to be stoned to death for such a question :)
User found on DEFAULT server log but not in tunneled virtual server log
        = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = inner-tunnel-peap
   }
  Module: Linked to sub-module rlm_eap_mschapv2
  Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
        format = suffix
        delimiter = @
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
        usersfile = /usr/local/etc/raddb/users
        acctusersfile = /usr/local/etc/raddb/acct_users
        preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
        compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
        filename = /usr/local/var/log/radius/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
        attrsfile = /usr/local/etc/raddb/attrs.access_reject
        key = %{User-Name}
  }
 }
}
server inner-tunnel-peap {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
        huntgroups = /usr/local/etc/raddb/huntgroups
        hints = /usr/local/etc/raddb/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_detail
 Module: Instantiating auth_log
  detail auth_log {
        detailfile = /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
        header = %t
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating detail
  detail {
        detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
        header = %t
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
        attrsfile = /usr/local/etc/raddb/attrs.accounting_response
        key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
}
radiusd: Opening IP addresses and Ports
listen {
        type = auth
        ipaddr = 111.222.333.5
        port = 0
}
listen {
        type = acct
        ipaddr = 111.222.333.5
        port = 0
}
Listening on authentication address 111.222.333.5 port 1812
Listening on accounting address 111.222.333.5 port 1813
Ready to process requests.

Thanks in advance!
Re: Freeradius error: Discarding conflicting packet
2008/11/5 aland [EMAIL PROTECTED]:
> On Wed, Nov 05, 2008 at 12:43:07AM -0200, Sergio Belkin wrote:
> > OK, APs are broken. Now, with best regards, how do I convince my boss that he should buy more than 30 new APs? Should I tell him... read the freeradius mailing list?
>
> Tell him that I co-wrote RFC 5080, which says that these APs are broken:
>
>   When sending requests, RADIUS clients MUST NOT reuse Identifiers for a source IP address and source UDP port until either a valid response has been received, or the request has timed out.
>
> These APs violate the standards, and are broken. I know, because my name is on the standards. My name is also on the RADIUS guidelines document, which says how people should use RADIUS in the future. And my name is going on 3-4 other RADIUS standards.
>
> So it's not "people on the FreeRADIUS list told me", but instead "the people who wrote the standards say that the AP is broken".
>
> Alan DeKok.

Alan, thanks, that's really a quite convincing answer :)

Of course I believe you, but please understand me, it's hard for me to realize that either Linksys makes non-standard products or the OpenWRT (White Russian) developers had made such a mistake.

So, I'd be glad to know which APs are standards compliant. Is there a list?
Re: Freeradius error: Discarding conflicting packet
2008/11/4 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
> > I think it is worthwhile to remark that the problem exists even using OpenWRT on Linksys WRT54GL and not using the original firmware...
>
> Which may be based on similar code to the original firmware.
>
> > Is there a way to at least minimize those errors? I've heard some people complain that sometimes they try to reconnect and sometimes the only solution is to reboot the AP.
>
> Fix the NAS. As you noted earlier, this doesn't happen with another NAS. The conclusion is that the NAS is broken.

But what do you mean by "fix the NAS"? Should I use another brand/model of AP?

> Alan DeKok.
Re: Freeradius error: Discarding conflicting packet
2008/11/4 Sergio Belkin [EMAIL PROTECTED]:
> 2008/11/4 Alan DeKok [EMAIL PROTECTED]:
> > Sergio Belkin wrote:
> > > I think it is worthwhile to remark that the problem exists even using OpenWRT on Linksys WRT54GL and not using the original firmware...
> >
> > Which may be based on similar code to the original firmware.
> >
> > > Is there a way to at least minimize those errors? I've heard some people complain that sometimes they try to reconnect and sometimes the only solution is to reboot the AP.
> >
> > Fix the NAS. As you noted earlier, this doesn't happen with another NAS. The conclusion is that the NAS is broken.
>
> But what do you mean by "fix the NAS"? Should I use another brand/model of AP?

What I am trying to tell you is: are the about 30 APs that I am using broken?

> > Alan DeKok.
Re: Freeradius error: Discarding conflicting packet
2008/11/4 [EMAIL PROTECTED]:
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg45635.html
>
> There is nothing to see in server debug for the packet that's discarded.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 4/11/2008, Marinko Tarlac [EMAIL PROTECTED] writes:
> > Sorry for bothering, but does anyone know what's wrong with these NASes? Is there any way to go a little deeper than #radiusd -x ?
> >
> > Jelle wrote:
> > > Jep, in my case I use about 30 APs from Linksys (WAP54G). They all appear to be broken. Too bad, but then again a reason to integrate the N standard with other APs... :)
> > >
> > > 2008/11/4 Stephen Bowman [EMAIL PROTECTED]:
> > > > > But what do you mean by "fix the NAS"? Should I use another brand/model of AP?
> > > > > What I am trying to tell you is: are the about 30 APs that I am using broken?
> > > >
> > > > Yes.

OK, APs are broken. Now, with best regards, how do I convince my boss that he should buy more than 30 new APs? Should I tell him... read the freeradius mailing list?
Re: Freeradius error: Discarding conflicting packet
2008/10/5 Alan DeKok [EMAIL PROTECTED]:
> Jelle Langbroek wrote:
> > I can tell you that with my tests, I figured out that it's happening with all sorts of clients (MacOSX, XP, Vista).
>
> The supplicants aren't involved here. It's the NAS that retransmits the RADIUS packets.
>
> > It appears only to be happening with the WAP54G (and now the WRT54GL you say). When I replaced the WAP54G with a WAP200, the errors disappeared with the same clients.
>
> i.e. the WAP54G is broken. It doesn't do RADIUS properly.
>
> > I tested this on many locations with many different clients and everywhere the same results. It must be the WAP54G then.
>
> Yes.
>
> > I'm still using those APs and I keep getting the error in the logs. It's indeed quite random. The error seems not harmful (although the source code of FreeRADIUS says the AP is broken). :)
>
> It's a common complaint on this list. Some issues are FreeRADIUS bugs. Others are broken NASes. I'm in the process of putting together a RADIUS validation test suite, so that manufacturers can see if their products are compliant *before* shipping them.
>
> Alan DeKok.

I think it is worthwhile to remark that the problem exists even using OpenWRT on Linksys WRT54GL and not using the original firmware...

Is there a way to at least minimize those errors? I've heard some people complain that sometimes they try to reconnect and sometimes the only solution is to reboot the AP.

Thanks in advance!
Re: Log partially solved
2008/10/27 Sergio Belkin [EMAIL PROTECTED]:
> 2008/10/27 [EMAIL PROTECTED]:
> > > detail auth_log {
> > >         detailfile = ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
> > >         # detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
> > > ..
> > > But still, it says nothing about whether the supplicant is using TTLS or PAP, which is what I'd like to see as filename suffixes. Am I missing something?
> >
> > Try EAP-Type-TTLS and EAP-Type-PEAP instead of EAP-Type.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
>
> Sorry, but I don't understand. If I set
>
> ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_EAP-Type-TTLS
>
> it will always be appended with _EAP-Type-TTLS, and if I set
>
> ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type-TTLS}
>
> it won't work either. Am I doing something wrong?
>
> Thanks in advance!

Well, I came back to my earlier configuration:

---snip---
detail auth_log {
        detailfile = ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
        # detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        #
        # This MUST be 0600, otherwise anyone can read
        # the users passwords!
        #
        detailperm = 0600
        # You may also strip out passwords completely
        suppress {
                User-Password
        }
}
---snip---

So far it is the best I could do, I guess:

auth-detail-20081029_MS-CHAP-V2 means PEAP try (?)
auth-detail-20081029_NAK means unacceptable type
auth-detail-20081029_Identity means TTLS (??)
auth-detail-20081029_ means Access Accept (??)

I'd like to read more about it...
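The suffixes listed above are the Type octet of the EAP packet carried in the EAP-Message attribute of whichever Access-Request is being logged; that octet is what the EAP module exposes as EAP-Type, so the suffix changes from one packet of a session to the next. The following decoder is an added example for this thread, not FreeRADIUS code and not anything posted in it. The sample packets are constructed, and the type names are the RFC 3748/IANA ones, spelled as in the file names above (Identity, NAK, MS-CHAP-V2) where those appear.

```python
"""Decode the EAP packet carried in RADIUS EAP-Message attributes.

Added example for this thread, not FreeRADIUS code.  The Type octet this
pulls out is the value the EAP module exposes as EAP-Type, which is why a
detail file named with %{EAP-Type} changes its suffix from one packet of a
session to the next.  All sample packets are constructed.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Type numbers from RFC 3748 / IANA, spelled as the thread's file names
# spell them (NAK, MS-CHAP-V2) where those appear.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "NAK", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP",
             26: "MS-CHAP-V2", 43: "EAP-FAST"}
TLS_BASED = (13, 21, 25)


def join_eap_message(values):
    """One RADIUS attribute holds at most 253 octets, so a large EAP packet
    arrives as several EAP-Message attributes that must be concatenated in
    order before decoding (RFC 3579 section 3.1)."""
    return b"".join(values)


def decode_eap(packet):
    """Return a dict describing the EAP packet; raise ValueError if malformed."""
    if len(packet) < 4:
        raise ValueError("EAP header needs 4 octets")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length %d does not match %d octets" % (length, len(packet)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length, "type": None}
    if code in (3, 4):           # Success and Failure carry no Type octet
        return info
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    type_num = packet[4]
    data = packet[5:]
    info["type_num"] = type_num
    info["type"] = EAP_TYPES.get(type_num, "Type-%d" % type_num)
    if type_num == 1:            # Identity: Type-Data is the (outer) identity
        info["identity"] = data.decode("utf-8", "replace")
    elif type_num == 3:          # NAK: the Types the peer would accept instead
        info["desired_types"] = [EAP_TYPES.get(t, "Type-%d" % t) for t in data]
    elif type_num in TLS_BASED:  # EAP-TLS/TTLS/PEAP: Flags [TLS length] TLS data
        if not data:
            raise ValueError("TLS-based EAP packet without a Flags octet")
        flags = data[0]
        # L = length included, M = more fragments, S = start;
        # low three bits are the TTLS/PEAP version (reserved for EAP-TLS).
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                         "S": bool(flags & 0x20), "version": flags & 0x07}
        offset = 1
        if flags & 0x80:         # a 4-octet total TLS message length follows
            if len(data) < 5:
                raise ValueError("L flag set but no TLS Message Length")
            info["tls_total_length"] = struct.unpack("!I", data[1:5])[0]
            offset = 5
        info["tls_data"] = data[offset:]
    return info


def eap_packet(code, ident, type_num=None, data=b""):
    """Assemble a packet for the constructed samples below."""
    body = b"" if type_num is None else bytes([type_num]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed samples: one outer identity, a NAK asking for TTLS, a TTLS
# fragment with the L flag, a PEAP start request and a bare EAP-Success.
SAMPLES = {
    "identity": eap_packet(2, 14, 1, b"anonymous"),
    "nak_wants_ttls": eap_packet(2, 15, 3, bytes([21])),
    "ttls_fragment": eap_packet(2, 7, 21, bytes([0x80]) + struct.pack("!I", 5)
                                + bytes.fromhex("1703010000")),
    "peap_start": eap_packet(1, 8, 25, bytes([0x20])),
    "success": eap_packet(3, 9),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, pkt.hex(), decode_eap(pkt))
```

Decoded this way, one session yields several suffixes: the first Access-Request carries an Identity response, the next one carries a NAK if the supplicant rejects the type the server offered first, and the remaining outer packets carry EAP-TTLS or PEAP. MS-CHAP-V2 is only ever the Type of the inner EAP packet, the one that is decrypted and handled inside the TLS tunnel, so it can only appear where that inner packet is processed.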
Log partially solved
Hi, I am using freeradius 2.0.2. I have edited the config files, so radiusd.conf has:

---snip---
detail auth_log {
        detailfile = ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
        # detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        #
        # This MUST be 0600, otherwise anyone can read
        # the users passwords!
        #
        detailperm = 0600
        # You may also strip out passwords completely
        suppress {
                User-Password
        }
}
---snip---

and /etc/raddb/sites-available/default has:

eap {
        ok = return
}
authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        files
        ldap
        expiration
        logintime
        pap
        auth_log
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}

Now, I get log files as follows:

-rw------- 1 radiusd radiusd  928 Oct 27 11:01 auth-detail-20081027_NAK
-rw------- 1 radiusd radiusd  411 Oct 27 11:01 auth-detail-20081027_MS-CHAP-V2
-rw------- 1 radiusd radiusd 6757 Oct 27 11:10 auth-detail-20081027_Identity
-rw------- 1 radiusd radiusd 1195 Oct 27 11:10 auth-detail-20081027_

But still, it says nothing about whether the supplicant is using TTLS or PAP, which is what I'd like to see as filename suffixes. Am I missing something?

Thanks in advance!
Re: Log partially solved
2008/10/27 [EMAIL PROTECTED]:
> > detail auth_log {
> >         detailfile = ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
> >         # detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
> > ..
> > But still, it says nothing about whether the supplicant is using TTLS or PAP, which is what I'd like to see as filename suffixes. Am I missing something?
>
> Try EAP-Type-TTLS and EAP-Type-PEAP instead of EAP-Type.
>
> Ivan Kalik
> Kalik Informatika ISP

Sorry, but I don't understand. If I set

${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_EAP-Type-TTLS

it will always be appended with _EAP-Type-TTLS, and if I set

${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type-TTLS}

it won't work either. Am I doing something wrong?

Thanks in advance!
Status Access from detail authentication log
        = anonymous
        NAS-IP-Address = 192.168.134.204
        Called-Station-Id = 001d7edc22f4
        Calling-Station-Id = 0016447e5a79
        NAS-Identifier = 001d7edc22f4
        NAS-Port = 29
        Framed-MTU = 1400
        State = 0x188848171d8f5dcb0bc882eaac65b2e0
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0207004f158000451703010040bb5dbf55827b2cf722b2ac8309afa04e839f6cc432524a60e4130a25fca5246f1644df960e7e5109e4d728cd1a0e16f53c9741917a95497c068e8cbace5d2ea6
        Message-Authenticator = 0xb254f4b7fa9e4b6a8010d27210310955

Fri Aug 22 10:58:03 2008
        Packet-Type = Access-Request
        User-Name = ngalan
        FreeRADIUS-Proxied-To = 127.0.0.1
        NAS-IP-Address = 111.111.111.111
Re: Freeradius error: Discarding conflicting packet
2008/6/13 Jelle Langbroek [EMAIL PROTECTED]:
> Hi,
>
> Thanks for your reply. I began testing different setups immediately. I located 1 AP which didn't generate the error (AP1) and swapped it with one which did generate the error (AP2). I then saw that AP1 (which now was located in the place of AP2) began generating the same errors. The clients are fixed, so I tested with the same clients on that location.
>
> My conclusion:
> 1) The error probably has something to do with the WAP54G, but;
> 2) The error is only produced in combination with some clients (don't know if it's a hardware issue, because it seems to have nothing to do with the OS. OSX and Windows Vista/XP are all 'sometimes' producing the error).
> 3) It might have something to do with overlapping channels, but my tests are not yet conclusive about that.
>
> It's all so much trial and error... I decided to just buy another AP (WAP200) to test and see if the same error pops up. I'm also going to try an Asus WL-G330ge, just to be sure. More on that later...
>
> Jelle
>
> ps: The models I use are Linksys WAP54G, v3.1, with firmware version 3.05.
>
> 2008/6/11 Alan DeKok [EMAIL PROTECTED]:
> > jelle-e wrote:
> > > Everything seems to run smoothly but before every login attempt the logs say (something like):
> > >
> > > Error: Discarding conflicting packet from client NAS-NAME port 3072 - ID: 3 due to recent request 28.
> >
> > That's pretty definitive.
> >
> > > After that the user logs in correctly. I have no idea where to start searching for the answer. Since this error appears to occur on every AP, I don't think they're all 'broken'.
> >
> > It's possible. If they're all the same manufacturer and software version, they could all have the same bug.
> >
> > > Does anybody have an idea? Thanks in advance!
> >
> > Run tcpdump or wireshark to look at the packets. Odds are the APs *are* sending conflicting packets. Look for 2 packets from the same client IP port, with the same RADIUS code and ID, within a second of each other. If the packet contents are different, then the AP is broken.
> >
> > i.e. You can believe that FreeRADIUS is broken, but *only* on your system... and not on the other 10,000 systems with 100's of 1000's of APs. Or, you can believe that your APs are broken.
> >
> > Alan DeKok.

I use the EAP/TTLS and EAP/PAP scheme. I have the same error as you, but somewhat at random. In my case, the Linksys WRT54GL APs have OpenWRT White Russian installed. Could it be something bad in the clients? I've seen too many weird things in Mac OS X clients... I'd like to know if your problems have been fixed with the Asus WL-G330ge. Also, I think that overlapping channels can be causing the error, so I'll change that...

Greets
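Alan's test (two packets from the same client IP and UDP port with the same RADIUS code and Identifier within about a second of each other, differing in content) can be run over a capture instead of by eye. The script below is an added example for this thread, not FreeRADIUS code and not anything posted in it. It parses the 20-octet RADIUS header, tracks outstanding requests per (client IP, port, Identifier), treats any server response as closing the request and an unanswered request older than `window` seconds as timed out, and labels each reuse either a byte-identical retransmission (permitted by RFC 2865) or a conflict (the RFC 5080 violation Alan quotes later in the thread). The NAS 10.128.255.84:3072, the server 10.128.255.1, the user names and the timings are constructed sample data; on a real capture, feed it (timestamp, src ip, src port, dst ip, dst port, UDP payload) tuples taken from tcpdump or pyshark.

```python
"""Spot RADIUS Identifier reuse the way Alan describes: same client IP and
UDP port, same Identifier, close together in time, different contents.

Added example for this thread, not FreeRADIUS code.  All packets below are
constructed sample data.
"""
import struct

# RADIUS header (RFC 2865 section 3): Code, Identifier, Length, Authenticator
RADIUS_HEADER = struct.Struct("!BBH16s")
ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11


def parse_header(pkt):
    """Return (code, identifier, length, authenticator) or raise ValueError."""
    if len(pkt) < RADIUS_HEADER.size:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, ident, length, authenticator = RADIUS_HEADER.unpack_from(pkt)
    # RFC 2865: Length must be 20..4096; octets beyond it are padding and a
    # packet shorter than its Length field is silently discarded.
    if not 20 <= length <= 4096 or length > len(pkt):
        raise ValueError("bad RADIUS Length field %d" % length)
    return code, ident, length, authenticator


def build_access_request(ident, authenticator, attrs):
    """Build an Access-Request from (type, value) attribute pairs (test data)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def classify(packets, server_port=1812, window=1.0):
    """packets: iterable of (ts, src_ip, src_port, dst_ip, dst_port, udp_payload).

    Returns [(ts, "client_ip:port", identifier, verdict)] where verdict is
    "retransmit" (byte-identical repeat while the first is still outstanding,
    permitted by RFC 2865) or "conflict" (a different packet under an
    Identifier that is still outstanding, forbidden by RFC 5080 s.2.2.2).
    A request with no response after `window` seconds counts as timed out.
    """
    outstanding = {}  # (client_ip, client_port, identifier) -> (ts, bytes)
    findings = []
    for ts, src_ip, src_port, dst_ip, dst_port, raw in sorted(packets, key=lambda p: p[0]):
        code, ident, length, _ = parse_header(raw)
        if src_port == server_port:
            # Any response (Accept/Reject/Challenge) frees the Identifier.
            outstanding.pop((dst_ip, dst_port, ident), None)
            continue
        key = (src_ip, src_port, ident)
        body = raw[:length]
        prev = outstanding.get(key)
        if prev is not None and ts - prev[0] <= window:
            if body == prev[1]:
                findings.append((ts, "%s:%d" % (src_ip, src_port), ident, "retransmit"))
                continue  # the original request, with its timestamp, stays outstanding
            findings.append((ts, "%s:%d" % (src_ip, src_port), ident, "conflict"))
        outstanding[key] = (ts, body)
    return findings


# Constructed sample exchange between one AP and the server.
NAS = ("10.128.255.84", 3072)
SERVER = ("10.128.255.1", 1812)
AUTH_A, AUTH_B, AUTH_C = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
REQ_A = build_access_request(3, AUTH_A, [(1, b"glinde")])   # attribute 1 = User-Name
REQ_B = build_access_request(3, AUTH_B, [(1, b"jinfan")])
REQ_C = build_access_request(3, AUTH_C, [(1, b"ngalan")])
CHALLENGE = struct.pack("!BBH", ACCESS_CHALLENGE, 3, 20) + AUTH_A
SAMPLE = [
    (0.00, *NAS, *SERVER, REQ_A),
    (0.30, *NAS, *SERVER, REQ_A),      # identical bytes: ordinary retransmit
    (0.50, *SERVER, *NAS, CHALLENGE),  # server answers ID 3, so it may be reused
    (0.60, *NAS, *SERVER, REQ_B),      # reuse after a response: fine
    (0.70, *NAS, *SERVER, REQ_C),      # reuse while REQ_B is unanswered: broken NAS
    (3.00, *NAS, *SERVER, REQ_A),      # REQ_C timed out 2.3 s ago: fine
]

if __name__ == "__main__":
    for ts, client, ident, verdict in classify(SAMPLE):
        print("%.2fs %s ID %d: %s" % (ts, client, ident, verdict))
```

The one-second window is Alan's rule of thumb; match it to the NAS's retransmission timer if you know it. Retransmissions are only recognised when the repeated packet is byte-identical, which is exactly what a correct client sends, so anything reported as a conflict is the NAS, not the server.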
Problem compiling freeradius-2.1.0 on Centos 5 x86_64
Hi, I have freeradius 2.0.2 working fine with no problems on Centos 5 x86_64; I had no problem at compile time. I want to test version 2.1.0 from freeradius. But it failed as follows:

[snip]
Making all in main...
gmake[4]: Entering directory `/root/freeradius-server-2.1.0/src/main'
/root/freeradius-server-2.1.0/libtool --mode=link gcc -o radmin radmin.lo
gcc -o radmin .libs/radmin.o
.libs/radmin.o: In function `main':
/root/freeradius-server-2.1.0/src/main/radmin.c:117: undefined reference to `using_history'
/root/freeradius-server-2.1.0/src/main/radmin.c:118: undefined reference to `rl_insert'
/root/freeradius-server-2.1.0/src/main/radmin.c:118: undefined reference to `rl_bind_key'
/root/freeradius-server-2.1.0/src/main/radmin.c:176: undefined reference to `readline'
/root/freeradius-server-2.1.0/src/main/radmin.c:185: undefined reference to `add_history'
collect2: ld returned 1 exit status
gmake[4]: *** [radmin] Error 1
gmake[4]: Leaving directory `/root/freeradius-server-2.1.0/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/freeradius-server-2.1.0/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/freeradius-server-2.1.0/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/freeradius-server-2.1.0'
make: *** [all] Error 2
[snip]

What's wrong?
Re: Problem compiling freeradius-2.1.0 on Centos 5 x86_64
2008/9/12 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
> > I have freeradius 2.0.2 working fine with no problems on Centos 5 x86_64; I had no problem at compile time. I want to test version 2.1.0 from freeradius. But it failed as follows:
>
> This is a configure script issue that's fixed in git, and in 2.1.1.
>
> Alan DeKok.

Hi Alan, 2.1.1 is not released as stable, is it?
Re: EAP-TTLS / LDAP
2008/7/8 joris [EMAIL PROTECTED]:
> Hello,
>
> After reading the configuration file radiusd.conf, it explicitly says that one can't use LDAP as the authentication backend when you use EAP (in my case, I'm interested in EAP-TTLS). Nonetheless, I can read elsewhere on the web that some people seem to use both EAP and LDAP, so I wonder who is right?
>
> I would use LDAP for storing all my users/passwords and EAP to protect my users' credentials over insecure WiFi.
>
> Any advice?
>
> Cheers,
> Joris

What the documentation says is that you can't use encrypted passwords in LDAP with EAP/PEAP. But you can use EAP/TTLS + PAP with LDAP. The main problem with this approach is that the f**k Windows has no native support for TTLS, so you should install some software, e.g. SecureW2...
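The distinction Sergio draws (hashed LDAP passwords work with EAP-TTLS/PAP but not with PEAP/MS-CHAPv2) follows from what each inner method hands the server. PAP inside the TTLS tunnel delivers the cleartext password, so the server can apply whatever scheme the stored userPassword uses ({SSHA}, {SHA}, {MD5}, {SMD5} or cleartext; the ldap module maps userPassword to Password-With-Header for exactly this) and compare. MS-CHAPv2 delivers a challenge response computed from the NT hash of the password, so the server must already hold the cleartext or that NT hash, and a salted SHA-1 digest cannot be turned back into either. The code below is an added example of the PAP side, not rlm_pap or rlm_ldap code; the scheme prefixes are the RFC 2307 style ones OpenLDAP uses, and the sample passwords and salts are constructed.

```python
"""Check a cleartext password against an LDAP userPassword value with an
RFC 2307 style scheme prefix, the way a PAP check has to.

Added example for this thread, not rlm_pap code.  Sample passwords and
salts are constructed.
"""
import base64
import hashlib
import hmac
import os

# scheme prefix -> (hashlib name, salt appended to the password?)
SCHEMES = {"SHA": ("sha1", False), "SSHA": ("sha1", True),
           "MD5": ("md5", False), "SMD5": ("md5", True)}


def make_hashed(password, scheme="SSHA", salt=None):
    """Produce a userPassword value as an LDAP server would store it:
    '{SCHEME}' + base64(digest(password + salt) + salt)."""
    scheme = scheme.upper()
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_scheme(stored):
    """'{SSHA}abc' -> ('SSHA', 'abc'); a value with no prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return "CLEAR", stored


def check_password(stored, candidate):
    """True if the cleartext candidate matches the stored userPassword.

    Only possible because PAP (inside the TTLS tunnel) delivers the
    cleartext: the salt is read out of the stored value, the candidate is
    hashed with it, and the digests are compared in constant time.
    """
    scheme, payload = split_scheme(stored)
    if scheme in ("CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(payload.encode("utf-8"), candidate.encode("utf-8"))
    if scheme not in SCHEMES:
        raise ValueError("unsupported password scheme {%s}" % scheme)
    algo, salted = SCHEMES[scheme]
    try:
        blob = base64.b64decode(payload, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return False
    size = hashlib.new(algo).digest_size
    if salted:
        if len(blob) <= size:   # digest plus at least one salt octet
            return False
        digest, salt = blob[:size], blob[size:]
    else:
        if len(blob) != size:
            return False
        digest, salt = blob, b""
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def usable_with_mschapv2(stored):
    """MS-CHAPv2 verification needs the cleartext password or the NT hash
    (MD4 of the UTF-16LE password, stored by some directories as {NT}hex).
    A SHA-1 or MD5 digest, salted or not, yields neither."""
    return split_scheme(stored)[0] in ("CLEAR", "CLEARTEXT", "NT")


if __name__ == "__main__":
    stored = make_hashed("s3cret", "SSHA", b"abcd")   # constructed entry
    print(stored, check_password(stored, "s3cret"), check_password(stored, "wrong"))
    print("PEAP/MS-CHAPv2 could use it:", usable_with_mschapv2(stored))
```

`make_hashed` exists only to build realistic test input; in the thread's setup the stored value comes out of the directory and `check_password` is the part rlm_pap performs after the ldap module has copied userPassword into Password-With-Header.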
Re: EAP method in logs
Please, any idea? I still have log filenames such as auth-detail-20080630, which say nothing about the EAP method and contain something like:

Mon Jun 30 08:32:26 2008
        Packet-Type = Access-Request
        User-Name = anonymous
        NAS-IP-Address = 10.128.255.84
        Called-Station-Id = 001d7edc23a2
        Calling-Station-Id = 001b773a9ab2
        NAS-Identifier = 001d7edc23a2
        NAS-Port = 18
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020e01616e6f6e796d6f7573
        Message-Authenticator = 0x9919cd335c2d96b125469208dd722a9d

Thanks in advance

2008/6/26 Sergio Belkin [EMAIL PROTECTED]:
> 2008/6/26 Alan DeKok [EMAIL PROTECTED]:
> > Sergio Belkin wrote:
> > > > > What am I doing wrong?
> > > >
> > > > You are running auth_log BEFORE eap?
> > > >
> > > > Alan DeKok.
> > >
> > > I have the following in sites-enabled/default :
> >
> > Which has auth_log BEFORE eap, which is WRONG. How do you expect to log the EAP type when the EAP module hasn't been run yet?
> >
> > Alan DeKok.
>
> OK, but this is the *default* order in the file. I didn't know that order matters in this case. I've changed the order and this is the debug output:
>
> FreeRADIUS Version 2.0.2, for host x86_64-unknown-linux-gnu, built on Mar 5 2008 at 16:09:30
> Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including configuration file /etc/raddb/snmp.conf
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/sql.conf
> including configuration file /etc/raddb/sql/mysql/dialup.conf
> including configuration file /etc/raddb/sql/mysql/counter.conf
> including configuration file /etc/raddb/policy.conf
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/default
> including dictionary file /etc/raddb/dictionary
> main {
>         prefix = /usr
>         localstatedir = /var
>         logdir = /var/log/radius
>         libdir = /usr/lib
>         radacctdir = /var/log/radius/radacct
>         hostname_lookups = no
>         max_request_time = 30
>         cleanup_delay = 5
>         max_requests = 1024
>         allow_core_dumps = no
>         pidfile = /var/run/radiusd/radiusd.pid
>         user = radiusd
>         group = radiusd
>         checkrad = /usr/sbin/checkrad
>         debug_level = 0
>         proxy_requests = no
>  security {
>         max_attributes = 200
>         reject_delay = 1
>         status_server = yes
>  }
> }
> client localhost {
>         ipaddr = 127.0.0.1
>         require_message_authenticator = no
>         secret = testing123
>         nastype = other
> }
> client 10.30.0.101 {
>         require_message_authenticator = no
>         secret = stopnene-Green-22
>         shortname = oficina
> }
> client 10.128.255.100 {
>         require_message_authenticator = no
>         secret = stopnene-Red-3
>         shortname = DOWNI-PB
> }
> client 10.128.255.10 {
>         require_message_authenticator = no
>         secret = stopnene-Red-3
>         shortname = DOWNI-SS
> }
> client 10.128.255.11 {
>         require_message_authenticator = no
>         secret = stopnene-Red-3
>         shortname = DOWNI-1
> }
> client 10.128.255.12 {
>         require_message_authenticator = no
>         secret = stopnene-Red-3
>         shortname = DOWNI-2
> }
> client 10.128.255.13 {
>         require_message_authenticator = no
>         secret = stopnene-Red-3
>         shortname = DOWNI-3
> }
> client 10.128.255.14 {
>         require_message_authenticator = no
>         secret = stopnene-Red-3
>         shortname = DOWNI-4
> }
> client 10.128.255.15 {
>         require_message_authenticator = no
>         secret = stopnene-Red-3
>         shortname = DOWNI-5
> }
> client 10.128.255.16 {
>         require_message_authenticator = no
>         secret = stopnene-Red-3
>         shortname = DOWNI-6
> }
> client 10.128.255.17 {
>         require_message_authenticator = no
>         secret = stopnene-Red-3
>         shortname = DOWNI-7
> }
> client 10.128.255.80 {
>         require_message_authenticator = no
>         secret = stopnene-Red-398952
>         shortname = DOWNVIII-PB
> }
> client 10.128.255.81 {
>         require_message_authenticator = no
>         secret = stopnene-Red-398952
>         shortname = DOWNVIII-I
> }
> client 10.128.255.82 {
>         require_message_authenticator = no
>         secret = stopnene-Red-398952
>         shortname = DOWNVIII-II
> }
> client 10.128.255.83 {
>         require_message_authenticator = no
>         secret = stopnene-Red-398952
>         shortname = DOWNVIII-III
> }
> client 10.128.255.84 {
>         require_message_authenticator = no
>         secret = stopnene-Red-398952
>         shortname = DOWNVIII-IV
> }
> client
Re: EAP method in logs
2008/6/25 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
> > I use freeradius 2.0.2, and people can use either ttls or peap as they want (or can). I'd like to know if it's possible to see which EAP method users are using through the radius logs...
>
> The EAP type is available in the EAP-Type attribute. You can use it just like anything else:
>
>   %{EAP-Type}
>
> ...

Alan, do I need to use rlm_perl anyway?

> Alan DeKok.
Re: EAP method in logs
2008/6/26 Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
> > Alan, do I need to use rlm_perl anyway?
>
> No. The EAP-Type attribute is added by the EAP module. Once the attribute is there, it can be used, edited, updated, etc. just like User-Name, or NAS-IP-Address.
>
> Alan DeKok.

I edited radiusd.conf so that it has:

detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d%{EAP-Type}

and added

EAP-Message =* ANY

to the attrs file, but I see no difference (no file with a new name was created). What am I doing wrong?