dialupadmin and php5

2013-06-07 Thread Sergio Belkin
Hi folks,

I'd like to know if anyone is using dialupadmin along with php5.

Thanks in advance!

-- 
--
Sergio Belkin  http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Question about radwho/radutmp dates

2013-03-15 Thread Sergio Belkin
Hi folks,

How long does radwho/radutmp store accounting information?

Thanks in advance

About mismatching shared secret

2012-07-16 Thread Sergio Belkin
 radiusPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x6cb0ac0
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
server inner-tunnel-peap { # from file
/etc/raddb-testing/sites-enabled/inner-tunnel-peap
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = 192.168.1.5
port = 0
}
listen {
type = acct
ipaddr = 192.168.1.5
port = 0
}
listen {
type = control
 listen {
socket = /usr/local-test/var/run/radiusd/radiusd.sock
 }
}
listen {
type = status
ipaddr = 127.0.0.1
port = 18120
  client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = YellowSubmarine
  }
}
listen {
type = auth
ipaddr = 127.0.0.1
port = 18121
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock
Listening on status address 127.0.0.1 port 18120 as server status
Listening on authentication address 127.0.0.1 port 18121 as server inner-tunnel
Ready to process requests.

any ideas?
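The debug output above ends with the listeners and prints the status-server client's `secret = YellowSubmarine` together with `require_message_authenticator = no` (this is what Tamás's remark in the radlast thread further down is about: a secret that has been posted to a public list is no longer a secret). Since the subject of this post is a mismatching shared secret, here is an added example, not code from the list or from FreeRADIUS, of the two places the secret is used on the request side: the Message-Authenticator HMAC-MD5 of an Access-Request (RFC 2869) and the Request Authenticator of an Accounting-Request (RFC 2866). Both can be recomputed offline against a captured packet to confirm which side has the wrong secret. The packets, attribute values and the fixed Request Authenticator are constructed for the demo. Without a Message-Authenticator an Access-Request carries nothing derived from the secret at all (its Request Authenticator is a random nonce), which is why `require_message_authenticator = yes` is the setting to prefer for any client that sends the attribute.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value (RFC 2865 s5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs):
    """RADIUS header (Code, Identifier, Length, Authenticator) plus attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret, ident, request_authenticator, attrs):
    """Access-Request with a Message-Authenticator (RFC 2869 s5.14): HMAC-MD5,
    keyed with the shared secret, over the whole packet with the attribute's
    16 value bytes zeroed. request_authenticator must be 16 random bytes in
    real use; the demo below passes a fixed value so the output is reproducible."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = _packet(ACCESS_REQUEST, ident, request_authenticator, body)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Recompute the Message-Authenticator; False on mismatch or if it is absent.
    A client/server secret mismatch fails here before any EAP work is done."""
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            return False  # malformed or truncated attribute: stop walking
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += length
    return False


def build_accounting_request(secret, ident, attrs):
    """Accounting-Request (RFC 2866 s3): the Request Authenticator is
    MD5(Code + ID + Length + 16 zero bytes + attributes + shared secret)."""
    unsigned = _packet(ACCOUNTING_REQUEST, ident, bytes(16), b"".join(attrs))
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def verify_accounting_request(packet, secret):
    """With the wrong secret the Request Authenticator does not verify and the
    server drops the Accounting-Request instead of answering it."""
    zeroed = packet[:4] + bytes(16) + packet[20:]
    expected = hashlib.md5(zeroed + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


# Constructed sample packets. The secret is the one the debug output above
# printed, which is exactly why it should be rotated after posting.
SECRET = b"YellowSubmarine"
SAMPLE_ATTRS = [attr(ATTR_USER_NAME, b"pruebita"),
                attr(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 2, 53]))]


def demo_access():
    """(verifies with the right secret, verifies with a wrong secret)."""
    req = build_access_request(SECRET, 7, bytes(range(16)), SAMPLE_ATTRS)
    return (verify_message_authenticator(req, SECRET),
            verify_message_authenticator(req, b"wrong-secret"))


def demo_accounting():
    acct = build_accounting_request(SECRET, 8, SAMPLE_ATTRS)
    return (verify_accounting_request(acct, SECRET),
            verify_accounting_request(acct, b"wrong-secret"))


if __name__ == "__main__":
    print("Message-Authenticator, right/wrong secret:", demo_access())
    print("Accounting Request Authenticator, right/wrong secret:", demo_accounting())
```

Run it directly to see both checks pass with the right secret and fail with the wrong one; to diagnose a live mismatch, feed the `verify_*` functions the raw UDP payload of a captured packet. The User-Password hiding of RFC 2865 also uses the secret, but it cannot be checked without knowing the password, so these two attributes are the ones worth recomputing.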


Re: radlast output

2012-07-12 Thread Sergio Belkin
2012/7/12 Fajar A. Nugraha l...@fajar.net:
 On Thu, Jul 12, 2012 at 3:17 AM, Sergio Belkin seb...@gmail.com wrote:

 Alan, thanks for your advice; in this mailing list I have always been
 willing to learn and to admit when I have to fix something. The mail from
 Tamás looked somewhat sarcastic and had nothing to do with the main
 subject.


 If you're still interested in getting full NAS-Identifier, you should
 store accounting data in sql table. Even if you don't want to manage
 separate sql server (e.g. mysql), you can use something like sqlite to
 store the data. Needs some effort (e.g. the module is not built by
 default), but should be doable.

 --
 Fajar

Thanks Fajar, I wanted to get the last access of users. I was
getting that information by parsing log files, but I found
that radlast is a simple but useful thing, except for the NAS-Identifier
character limit.
Storing data in an SQL DB looks interesting. I've never configured it.
If I use SQL only for logging, is /etc/raddb/sql.conf the main file
that I have to look at? Does storing in SQL exclude using plain log
files?

Thanks in advance





Re: radlast output

2012-07-11 Thread Sergio Belkin
2012/7/11 Tamás Becz tamas.b...@ericsson.com:


 -Original Message-
 From: freeradius-users-bounces+tamas.becz=ericsson.com@lists.freeradius.org
 [mailto:freeradius-users-bounces+tamas.becz=ericsson@lists.freeradius.org]
 On Behalf Of Sergio Belkin
 Sent: Tuesday, July 10, 2012 5:41 PM
 To: FreeRadius users mailing list
 Subject: radlast output

 Hi,

 radlast shows NAS-Identifier truncated

 lbazch   009:AP-PV-PB  Tue Jul 10 12:10   still logged in
 mfembe   004:AP-PI-PB  Tue Jul 10 12:10   still logged in
 msabad   005:oficina-  Tue Jul 10 12:10   still logged in

 Why? Is it a bug? A misconfiguration?

 You want the debug output, ok you have it :)

 Uhm, you might want to spend the next couple of hours changing those secrets 
 :)

Hehehe, I read some time ago something like "the stupid think that
everyone is stupid" :)
What a pity, I thought you had something interesting to teach us!
Oh, I see you are trying to teach us something about social engineering on
an open source mailing list!
Wow...



Re: radlast output

2012-07-11 Thread Sergio Belkin
2012/7/11 Alan DeKok al...@deployingradius.com:
 Sergio Belkin wrote:
 What a pity,  I thought you had something interesting to teach us!
 Oh I see you are trying to teach us something of social engineering in
 a open source mailing list!
 Wow...

   You're getting upset at people who are trying to help you.

   Be nice, or you can be unsubscribed and banned from the list.

   Alan DeKok.

Alan, thanks for your advice; in this mailing list I have always been
willing to learn and to admit when I have to fix something. The mail from
Tamás looked somewhat sarcastic and had nothing to do with the main
subject. In fact, such a message could have been sent privately.
It's not my habit to be sarcastic. But OK, perhaps it was my mistake;
it was not my intention to offend Tamás, so my apologies.
Thanks as always.






Re: radwho with nas-ip-address behind NAT

2012-06-26 Thread Sergio Belkin
2012/6/25 Fajar A. Nugraha l...@fajar.net:
 NAS-IP-Address should be whatever the NAS sends, which can be its
 loopback/admin address, or it's private IP address in case of NAT.

Well, I don't think so. The NAS is sending its public IP, I mean the NAT
device IP, not its actual IP.

Unless I am doing something wrong...


 Packet-Src-IP-Address, on the other hand, is whatever the radius sees
 the packet coming from, which should be the NAS/firewal's public IP
 address in your case.



 --
 Fajar

 On Mon, Jun 25, 2012 at 11:13 PM, Sergio Belkin seb...@gmail.com wrote:
 Hi,

 I wonder whether radwho can show the actual NAS-IP-Address and not the
 NAT device IP. Another interesting option would be NAS-Identifier.
 Is that feasible?





radwho with nas-ip-address behind NAT

2012-06-25 Thread Sergio Belkin
Hi,

I wonder whether radwho can show the actual NAS-IP-Address and not the
NAT device IP. Another interesting option would be NAS-Identifier.
Is that feasible?

Thanks in advance!



Re: Problems with Huntgroup

2012-06-07 Thread Sergio Belkin
2012/6/6 Alan DeKok al...@deployingradius.com:
 Sergio Belkin wrote:
 Good idea, I've tried appending %{EAP-Type) to detail.log

  What does that mean?

 but
 it produces nothing,
 e.g.:

 auth-detail-AP-XXX-DEFAULT--20120606

 Between - and - is nothing (Neither TTLS nor PEAP appears)

  As *ALWAYS*, read the debug output.

  You're very dedicated to giving as little information as possible.  Why?

OK, you're right, in my next message I will include it :)



  Alan DeKok.





Re: Problems with Huntgroup

2012-06-07 Thread Sergio Belkin
2012/6/6 Matthew Newton m...@leicester.ac.uk:
 On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
 Good idea, I've tried appending %{EAP-Type) to detail.log, but it
 produces nothing,
 e.g.:

 auth-detail-AP-XXX-DEFAULT--20120606

 Between - and - is nothing (Neither TTLS nor PEAP appears)

 You've not really explained what you've done.

 However, I *guess* that you have added %{EAP-Type} to the filename
 (detailfile) in the detail config.

Yes, you guessed right



 Look, though, where detail is getting called, and where eap is
 called, in the authorize section. It goes in order. The eap module
 sets EAP-Type, detail is called before.

 So you need to call the log after eap. But the gotcha is that eap
 will short circuit the return in the challenges, so you won't call
 the detail module if you put it after eap.


Nice to know :)


 I'd suggest you let all the incoming logs go to a single location
 where they are, then you add a new detail (or linelog) module to
 post-auth. That can use %{EAP-Type}, as it's *after* EAP has
 happened.

I've tested it and works, nice! But please keep on reading:


 Alternatively, you can use my other suggestion anywhere you like.
 If you pick data out of EAP-Message yourself, you get to do what
 you want with it (and keep the shards when it shatters).

 Totally untested unlang.

 if (%{EAP-Message} =~ /^0x19/) {
  detail_log_peap
 }
 elsif (%{EAP-Message} =~ /^0x15/) {
  detail_log_ttls
 }
 else {
  detail_log_other
 }

 Note that things *will* hit detail_log_other. EAP Identity, for
 instance, before the eap type has been agreed. If you do this in
 the inner server, be prepared for unexpectedness. In short,
 understand EAP first.

Good, but it sounds somewhat complex :)


 I just chuck the raw data out with detail and leave it be. The
 useful stuff is pristinely formatted with gentle loving care by
 the linelog module, where it sits in a nice greppable format for
 me. One log entry, in post-auth, after the useful stuff happened.
 Any more detail needed? Just go to the dirty detail log and dig it
 out. Happens so rarely it wouldn't matter if it was in binary
 format and had to be read with a hex editor in Windows...


Wow, linelog seems interesting. I've tried it, but it only logs
Access-Request, why?

I add my debug output (I plan to get rid of the inner-tunnel-peap file):

FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on
Jan  3 2012 at 16:18:16
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb-testing/radiusd.conf
including configuration file /etc/raddb-testing/proxy.conf
including configuration file /etc/raddb-testing/clients.conf
including files in directory /etc/raddb-testing/modules/
including configuration file /etc/raddb-testing/modules/chap
including configuration file /etc/raddb-testing/modules/mschap
including configuration file
/etc/raddb-testing/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb-testing/modules/exec
including configuration file /etc/raddb-testing/modules/realm
including configuration file /etc/raddb-testing/modules/checkval
including configuration file /etc/raddb-testing/modules/rediswho
including configuration file /etc/raddb-testing/modules/passwd
including configuration file /etc/raddb-testing/modules/attr_filter
including configuration file /etc/raddb-testing/modules/linelog
including configuration file /etc/raddb-testing/modules/wimax
including configuration file /etc/raddb-testing/modules/pam
including configuration file /etc/raddb-testing/modules/inner-eap
including configuration file /etc/raddb-testing/modules/echo
including configuration file /etc/raddb-testing/modules/soh
including configuration file /etc/raddb-testing/modules/replicate
including configuration file /etc/raddb-testing/modules/acct_unique
including configuration file /etc/raddb-testing/modules/etc_group
including configuration file /etc/raddb-testing/modules/pap
including configuration file /etc/raddb-testing/modules/expr
including configuration file /etc/raddb-testing/modules/smbpasswd
including configuration file /etc/raddb-testing/modules/attr_rewrite
including configuration file /etc/raddb-testing/modules/radutmp
including configuration file /etc/raddb-testing/modules/mac2ip
including configuration file /etc/raddb-testing/modules/logintime
including configuration file /etc/raddb-testing/modules/sql_log
including configuration file /etc/raddb-testing/modules/smsotp
including configuration file /etc/raddb-testing/modules/preprocess
including configuration file /etc/raddb-testing/modules/policy
including configuration file /etc/raddb-testing/modules/cui
including configuration file /etc/raddb-testing/modules/perl

Re: Problems with Huntgroup

2012-06-06 Thread Sergio Belkin
2012/6/5 Matthew Newton m...@leicester.ac.uk:
 On Mon, Jun 04, 2012 at 11:43:07AM -0300, Sergio Belkin wrote:
 2012/6/4 Alan DeKok al...@deployingradius.com:
   The debug for the inner-tunnel *clearly* shows NOT using the files
  module.

 So, sorry for the stupid question, but how can I do that?

 It's true what you say about the debug output, but files is in the
 inner-tunnel configuration; I tried putting files above chap, but it
 doesn't change anything.

 Look at /etc/raddb-testing/sites-enabled/inner-tunnel-peap

 You've changed the config, added this file, and not added the
 files module to it.

How is a module added?



 My current file is:

 That's probably /etc/raddb-testing/sites-enabled/inner-tunnel
 instead.

Yes it is


 Using different inner-tunnel configs for TTLS and PEAP is just
 going to cause you pain, unless you REALLY know what you're
 letting yourself in for. Go back to the default config and use the
 same for both.

I've added these files because I'd like to separate the logs depending on
whether supplicants are using PEAP or TTLS.

Is there a better way of doing that?



 The debug output doesn't lie. If it says the module isn't being
 called when you've just added it, then the module is not being
 called and you're configuring things in the wrong place.

I don't blame debug :)

I want to learn. Sorry, but I repeat the question: how is a module
added? Because the files statement is present in both files,
/etc/raddb-testing/sites-enabled/inner-tunnel-peap and
/etc/raddb-testing/sites-enabled/inner-tunnel


Thanks again


 Cheers,

 Matthew


 --
 Matthew Newton, Ph.D. m...@le.ac.uk

 Systems Architect (UNIX and Networks), Network Services,
 I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

 For IT help contact helpdesk extn. 2253, ith...@le.ac.uk





Re: Problems with Huntgroup

2012-06-06 Thread Sergio Belkin
2012/6/6 Matthew Newton m...@leicester.ac.uk:
 On Wed, Jun 06, 2012 at 10:28:27AM -0300, Sergio Belkin wrote:
 I've added these files because I'd like to separate the logs depending on
 whether supplicants are using PEAP or TTLS.

 I'd still use just one file, and filter the logs instead.

 Is there a better way of doing that?

 There may be several ways. The first one that comes to mind is
 just pulling the EAP type out of the EAP-Message attributes.

 PEAP connections will have an EAP-Message attribute that matches
 the regexp /^0x19/, whereas TTLS connections will match
 /^0x15/.

 Alternatively, and probably easier in the long run, add
 %{EAP-Type} to linelog, so you get the name directly in your logs.
 Add it in the outer, and you'll see TTLS or PEAP. Add it in the
 inner, and you'll see the inner EAP type, such as MS-CHAP-V2.

Good idea, I've tried appending %{EAP-Type) to detail.log, but it
produces nothing,
e.g.:

auth-detail-AP-XXX-DEFAULT--20120606

Between - and - is nothing (Neither TTLS nor PEAP appears)





 I want to learn. Sorry, but I repeat the question: how is a module
 added? Because the files statement is present in both files,
 /etc/raddb-testing/sites-enabled/inner-tunnel-peap and
 /etc/raddb-testing/sites-enabled/inner-tunnel

 Apologies - you're right, it is being called.

 ++[files] returns noop

:-)


 Add 'preprocess' to the top of the authorize{} section in your
 inner-tunnel-peap / inner-tunnel files. That's the module that
 checks huntgroups.

Thanks guys, that did it! I just realized that modules must be added to the
inner-tunnel files to load them :)

TIA


 Cheers,

 Matthew



 --
 Matthew Newton, Ph.D. m...@le.ac.uk

 Systems Architect (UNIX and Networks), Network Services,
 I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

 For IT help contact helpdesk extn. 2253, ith...@le.ac.uk



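Matthew's two suggestions in this thread (log %{EAP-Type} from post-auth, or pick the method out of EAP-Message yourself) both come down to reading the Type byte of the EAP packet. Added example, not from Matthew or from FreeRADIUS: a small Python decoder for an EAP-Message value written the way the debug output prints it (`0x` plus hex, which the regexes above assume). One caveat a practitioner will want: the Type byte is the fifth byte of the packet, after Code, Identifier and the two-byte Length (RFC 3748 s4), so a pattern anchored at `^0x19` tests the Code byte, which is never 0x19 in a valid packet; the decoder and the second regex below look at the right offset. The samples are constructed, except that the PEAP one reuses the header values (Response, id 2, length 122, type 25, flags 0x80) of the EAP-Message in the eapol_test debug output further down this page, whose first six bytes are also parsed as a truncated attribute.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MS-CHAP-V2"}
TLS_BASED = {13, 21, 25}


def parse_eap_message(hexstr):
    """Decode the EAP header at the start of an EAP-Message value ('0x' + hex).
    Pass the first EAP-Message attribute of a request: a large EAP packet is
    split over several attributes (RFC 3579 s3.1) and only the first one
    starts with the header. The attribute may be shorter than the EAP Length
    field says, so every field beyond the 4-byte header is optional."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, "code-%d" % code), "id": ident,
            "declared_length": length, "bytes_present": len(raw),
            "type": None, "type_name": None, "tls_flags": None, "tls_length": None}
    if code in (1, 2) and len(raw) >= 5:        # only Request/Response carry a Type
        eap_type = raw[4]
        info["type"] = eap_type
        info["type_name"] = EAP_TYPES.get(eap_type, "type-%d" % eap_type)
        if eap_type in TLS_BASED and len(raw) >= 6:
            flags = raw[5]                        # L, M, S bits (RFC 5216 s3.1)
            info["tls_flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                                 "S": bool(flags & 0x20)}
            if flags & 0x80 and len(raw) >= 10:   # L set: 4-byte TLS Message Length
                info["tls_length"] = struct.unpack("!I", raw[6:10])[0]
    return info


def log_bucket(hexstr):
    """The three-way split from the thread, keyed on the real Type byte."""
    eap_type = parse_eap_message(hexstr)["type"]
    return {25: "detail_log_peap", 21: "detail_log_ttls"}.get(eap_type, "detail_log_other")


# The same test as regexes on the hex string. The first is anchored on the EAP
# Code byte and cannot match a valid packet; the second skips Code, Identifier
# and Length (4 bytes = 8 hex digits) before looking at the Type byte.
FIRST_BYTE_IS_PEAP = re.compile(r"^0x19", re.I)
TYPE_BYTE_IS_PEAP = re.compile(r"^0x(?:[0-9a-f]{2}){4}19", re.I)


def build_eap_response(ident, eap_type, payload):
    """Build a Response packet as the hex string the debug output would print."""
    body = bytes([eap_type]) + payload
    return "0x" + (struct.pack("!BBH", 2, ident, 4 + len(body)) + body).hex()


# Constructed samples (not captured traffic). The PEAP one carries the header
# values of the EAP-Message in the debug output further down this page.
SAMPLE_PEAP = build_eap_response(2, 25, b"\x80" + struct.pack("!I", 112)
                                 + b"\x16\x03\x01\x00\x6b" + bytes(107))
SAMPLE_TTLS = build_eap_response(3, 21, b"\x00" + b"\x16\x03\x01\x00\x10" + bytes(16))
SAMPLE_IDENTITY = build_eap_response(1, 1, b"SOYKADORNA")
PAGE_PREFIX = "0x0202007a1980"   # first six bytes as printed in that debug output

if __name__ == "__main__":
    for sample in (SAMPLE_PEAP, SAMPLE_TTLS, SAMPLE_IDENTITY, PAGE_PREFIX):
        print(log_bucket(sample), parse_eap_message(sample))
```

The unlang equivalent of the corrected pattern needs eight hex digits between `0x` and the type value; whichever form is used, the Identity response that starts every EAP conversation still lands in the "other" bucket, as Matthew notes, because no method has been negotiated yet.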


Re: Problems with Huntgroup

2012-06-04 Thread Sergio Belkin
2012/6/4 Alan DeKok al...@deployingradius.com:
 Sergio Belkin wrote:
 I've appended something like this to the huntgroups file:

 mb NAS-IP-Address == 10.129.189.1
 mb NAS-IP-Address == 10.129.84.1
 mb Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I

 And in the users file:

 pruebita  Huntgroup-Name == mb,Cleartext-Password := pruebon

 But it is not working; user pruebita does not get an Access-Accept.

 Please could you help me to solve it?

  You edited the default configuration and broke it.  Don't do that.

  You've set copy_request_to_tunnel, which is good.  It means that the
 huntgroup check will work.

  You've deleted files from raddb/sites-available/inner-tunnel.
 That's why it doesn't work.  Add it back, and it will work.

  In 2.1.12, read the comments at the top of
 raddb/sites-available/inner-tunnel.  It tells you how to test the
 inner-tunnel configuration.  It tells you what NOT to do.

  i.e. tested PEAP before testing that the inner-tunnel config works.


  Alan DeKok.

Thanks Alan for your answer.

I haven't deleted anything with respect to the default configuration files:

32,36c32,36
 listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
 }
---
 #listen {
 #   ipaddr = 127.0.0.1
 #   port = 18120
 #   type = auth
 #}
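Review bot: the uncommented `listen { ipaddr = 127.0.0.1 port = 18120 type = auth }` is the loopback test listener that the inner-tunnel file's header comments describe, and it is what lets you radtest the inner configuration directly as Alan suggests; keep it, but note that the inner-tunnel file posted in the other 2012-06-04 message binds it to port 18121 while the debug output elsewhere on this page shows the status server on 127.0.0.1:18120, so confirm which side of this hunk is the live file and that the two listeners are not competing for the same port.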
142c142
 # ldap
---
   ldap
230,232c230,232
 # Auth-Type LDAP {
 #   ldap
 # }
---
   Auth-Type LDAP {
 ldap
   }
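Review bot: enabling `Auth-Type LDAP { ldap }` switches authentication to an LDAP bind with the user's password, which needs the cleartext password and therefore only works for PAP; for MS-CHAPv2 inside PEAP the ldap module has to hand mschap an NT-Password during authorize instead, which is what the `ntPassword`/`sambaNtPassword mapped to RADIUS NT-Password` lines of the rlm_ldap output at the top of this page provide. Leaving the block commented out, as the shipped file does, avoids a bind that cannot succeed for those users.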
271a272,274
 # Sergio
   reply_log

376a380,382
 # Sergio
   post_proxy_log


Did I miss something?

Thanks in advance


Re: Problems with Huntgroup

2012-06-04 Thread Sergio Belkin
2012/6/4 Alan DeKok al...@deployingradius.com:
  The debug for the inner-tunnel *clearly* shows NOT using the files
 module.

So, sorry for the stupid question, but how can I do that?

It's true what you say about the debug output, but files is in the
inner-tunnel configuration; I tried putting files above chap, but it
doesn't change anything.

Please could you help me? I've read the file and the output, and also run
radtest, but I can't figure out what I should do.

My current file is:

listen {
    ipaddr = 127.0.0.1
    port = 18121
    type = auth
}
authorize {
    chap
    mschap
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    files
    ldap
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        ldap
    }
    eap
}
session {
    radutmp
}
post-auth {
    reply_log
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    post_proxy_log
    eap
}


EOF

Thanks in advance!

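Alan's answer to the first message in this thread (copy_request_to_tunnel, and the files module having to run in the inner tunnel) and the inner-tunnel authorize section posted just above, which has no preprocess in it, describe one evaluation order. Added example, not FreeRADIUS code: a Python model of that order using the huntgroups and users entries Sergio quoted (constructed copies). It parses the files format (AND within a line, OR across lines sharing a name, assignments applied only when every check item matches), computes Huntgroup-Name the way preprocess does, and shows that the `pruebita` entry only matches when the outer NAS attributes were copied into the tunnel and preprocess ran before files. The request attributes are constructed; the operator split (`==`, `=~` and the comparisons are check items, `:=`, `=`, `+=` are assignments) is the one the files module documents.

```python
import re

# Constructed copies of the entries Sergio quoted (huntgroups and users files).
HUNTGROUPS = """\
mb  NAS-IP-Address == 10.129.189.1
mb  NAS-IP-Address == 10.129.84.1
mb  Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
"""
USERS = """\
pruebita  Huntgroup-Name == mb,Cleartext-Password := pruebon
"""

ITEM = re.compile(r'\s*([A-Za-z][\w-]*)\s*(:=|\+=|==|!=|=~|!~|<=|>=|<|>|=)\s*"?([^",]*?)"?\s*$')
CHECK_OPS = {"==", "!=", "=~", "!~", "<", ">", "<=", ">="}


def parse_entries(text):
    """'name  item, item, ...' lines -> (name, check_items, assignments).
    Quoted values containing commas are not handled by this small parser."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        checks, sets = [], []
        for item in (i for i in rest.split(",") if i.strip()):
            m = ITEM.match(item)
            if not m:
                raise ValueError("cannot parse %r in line %r" % (item, raw))
            attr, op, value = m.groups()
            (checks if op in CHECK_OPS else sets).append((attr, op, value))
        entries.append((name, checks, sets))
    return entries


def check_matches(op, have, want):
    if op in ("==", "!="):
        return (have == want) == (op == "==")
    if op in ("=~", "!~"):
        return (re.search(want, have) is not None) == (op == "=~")
    try:
        a, b = int(have), int(want)            # ordering operators: numeric only
    except ValueError:
        return False
    return {"<": a < b, ">": a > b, "<=": a <= b, ">=": a >= b}[op]


def entry_matches(checks, request):
    """All check items on a line must match (AND); an attribute the request
    does not carry fails its check."""
    return all(attr in request and check_matches(op, request[attr], want)
               for attr, op, want in checks)


def huntgroup_name(huntgroups, request):
    """What preprocess adds as Huntgroup-Name: the first group with any matching
    line, so the three 'mb' lines are ORed together."""
    for name, checks, _sets in huntgroups:
        if entry_matches(checks, request):
            return name
    return None


def files_authorize(users, request):
    """First entry named like the User-Name (or DEFAULT) whose checks all match;
    returns its assignments, or None where files would return noop."""
    for name, checks, sets in users:
        if name in (request.get("User-Name"), "DEFAULT") and entry_matches(checks, request):
            return sets
    return None


HUNTGROUP_ENTRIES = parse_entries(HUNTGROUPS)
USER_ENTRIES = parse_entries(USERS)


def inner_authorize(outer, copy_request_to_tunnel, run_preprocess):
    """Model of the inner-tunnel authorize section: the tunnelled request starts
    with just the identity, the outer NAS attributes appear only with
    copy_request_to_tunnel = yes, and Huntgroup-Name exists only if preprocess
    ran before files. Either omission makes the users entry fail to match."""
    request = {"User-Name": outer["User-Name"]}
    if copy_request_to_tunnel:
        request.update(outer)
    if run_preprocess:
        group = huntgroup_name(HUNTGROUP_ENTRIES, request)
        if group is not None:
            request["Huntgroup-Name"] = group
    return files_authorize(USER_ENTRIES, request)


# Constructed outer request from one of the APs listed in the huntgroup.
OUTER = {"User-Name": "pruebita", "NAS-IP-Address": "10.129.189.1",
         "Called-Station-Id": "00-1B-7E-DC-AB-1A:UP-PVIII-I"}

if __name__ == "__main__":
    for copy, pre in ((True, True), (True, False), (False, True)):
        print("copy_request_to_tunnel=%s preprocess=%s ->" % (copy, pre),
              inner_authorize(OUTER, copy, pre))
```

Only the first combination returns the `Cleartext-Password := pruebon` assignment; the other two give the `++[files] returns noop` seen in the debug output, which is why Matthew's final advice was to put preprocess at the top of the inner authorize section.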


Re: Only Out-of-tunnel

2012-01-24 Thread Sergio Belkin
2012/1/16 Alan Buxey a.l.m.bu...@lboro.ac.uk

 Where's the log for when this happens?  As MAC auth wouldn't go through EAP 
 tunnel it would suggest that some entry in eg users file is coming into 
 play...

 alan


Alan, I have three logs.

I have the following parameter in radiusd.conf:

requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log


For example, for today I have

/var/log/radius/radiusd-inner-tunnel-20120117.log (using ttls)
/var/log/radius/radiusd-inner-tunnel-peap-20120117.log (using peap)
/var/log/radius/radiusd-DEFAULT-20120117.log

The weird thing is that I've found one user that has entries *only* in
/var/log/radius/radiusd-DEFAULT-20120117.log, which AFAIK is out-of-tunnel.

For example:

Mon Jan 16 11:22:57 2012 : Auth: Login OK: [wterra] (from client
AP-PVIII-VI port 2 cli 00-11-00-E4-67-EE)

But neither wterra nor 00-11-00-E4-67-EE have entries in the
/var/log/radius/radiusd-inner-tunnel-* log files.

Please could you explain it to me?

I don't use MAC based authentication...

Thanks in advance!





Re: Only Out-of-tunnel

2012-01-24 Thread Sergio Belkin
2012/1/17 Sergio Belkin seb...@gmail.com



 2012/1/16 Alan Buxey a.l.m.bu...@lboro.ac.uk

 Where's the log for when this happens?  As MAC auth wouldn't go through EAP 
 tunnel it would suggest that some entry in eg users file is coming into 
 play...

 alan


 Alan, I have three logs.

 I have the following parameter in radiusd.conf:

 requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log


 For example, for today I have

 /var/log/radius/radiusd-inner-tunnel-20120117.log (using ttls)
 /var/log/radius/radiusd-inner-tunnel-peap-20120117.log (using peap)
 /var/log/radius/radiusd-DEFAULT-20120117.log

 The weird thing is that I've found one user that has entries *only* in
 /var/log/radius/radiusd-DEFAULT-20120117.log, which AFAIK is out-of-tunnel.

 For example:

 Mon Jan 16 11:22:57 2012 : Auth: Login OK: [wterra] (from client AP-PVIII-VI
 port 2 cli 00-11-00-E4-67-EE)

 But neither wterra nor 00-11-00-E4-67-EE have entries in the
 /var/log/radius/radiusd-inner-tunnel-* log files.

 Please could you explain it to me?

 I don't use MAC based authentication...

 Thanks in advance!



Note: I've copied the entry from yesterday's log, that's why you see
Mon Jan 16, but the question is the same: why is there an entry in the
DEFAULT log but not in the inner-tunnel logs?

Thanks again



Only Out-of-tunnel

2012-01-16 Thread Sergio Belkin
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
attrsfile = /usr/local/etc/raddb/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = 192.168.1.5
port = 0
}
listen {
type = acct
ipaddr = 192.168.1.5
port = 0
}
listen {
type = status
ipaddr = 127.0.0.1
port = 18120
  client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = YellowSubmarine
  }
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on status address 127.0.0.1 port 18120 as server status
Ready to process requests.



Always Login incorrect: Could not extract EAP-Message from RADIUS message

2011-12-17 Thread Sergio Belkin
/detail-20111216
[detail]        expand: %t - Fri Dec 16 09:50:00 2011
++[detail] returns ok
++[unix] returns noop
[radutmp]       expand: /usr/local/var/log/radius/radutmp -
/usr/local/var/log/radius/radutmp
[radutmp]       expand: %{User-Name} - kiki333
++[radutmp] returns ok
[attr_filter.accounting_response]       expand: %{User-Name} - kiki333
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 160 to 192.168.2.53 port 49603
Finished request 13.
Cleaning up request 13 ID 160 with timestamp +12
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.4 port 39611, id=2, length=253
       User-Name = SOYKADORNA
       NAS-IP-Address = 127.0.0.1
       Calling-Station-Id = 02-00-00-00-00-01
       Framed-MTU = 1400
       NAS-Port-Type = Wireless-802.11
       Connect-Info = CONNECT 11Mbps 802.11b
       EAP-Message =
0x0202007a19800070160301006b016703014eeb3ec87be73aa918030263d5e73f349398bd48e8176a62ce944dcf0c6b95cf3a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff01040023
       State = 0x869e7309879c6a16768684a64fbb490b
       Message-Authenticator = 0x0786010bb78d36cc0a93b73a3a9b7a0f
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: %{Virtual-Server} -
[auth_log]      expand:
/usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
- 
/usr/local/var/log/radius/radacct/requests/192.168.4/auth-detail--DEFAULT-20111216
[auth_log] 
/usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to 
/usr/local/var/log/radius/radacct/requests/192.168.4/auth-detail--DEFAULT-20111216
[auth_log]      expand: %t - Fri Dec 16 09:50:01 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = SOYKADORNA, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [SOYKADORNA] (from client AP-sarlanga7 port 0 cli
02-00-00-00-00-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} - SOYKADORNA
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 14 for 1 seconds
Going to the next request


Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message

2011-12-17 Thread Sergio Belkin
2011/12/17 Alan DeKok al...@deployingradius.com:
 Sergio Belkin wrote:
 I have a really weird problem. We have a lot of NASes and none of
 them had this problem, except one! It always gets login
 incorrect.

  Throw the NAS in the garbage.

 If I run
 eapol_test it complains saying. I've tried replacing the nas a few

 times

  What does that mean?


Oops, sorry, it says "could not extract EAP-Message from
RADIUS message"



 and it makes no difference. And it doesn't matter which user tries
 to connect.

 Please take a look at user interup with outer identity SOYKADORNA.

 Am I doing something wrong?

  No.  The problems are *not* RADIUS problems.  The NAS is broken, or
 there's something else wrong in the network.


Hmmm, so it should be something wrong in the network, because I've tried
from 2 different Access Points, with different firmware and even
with eapol_test... thanks Alan


  Alan DeKok.





Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message

2011-12-17 Thread Sergio Belkin
2011/12/17 Alan DeKok al...@deployingradius.com:
 Sergio Belkin wrote:
 Ooops, sorry it says could not extract EAP-Message from
 RADIUS message

  That's a message on the NAS.  Ask the NAS manufacturer what it means.

 Hmmm, so it should be something wrong in the network, because I've tried
 from 2 different Access Points, with different firmware and even
 with eapol_test... thanks Alan

  It's not a RADIUS problem.

OK, I believe you :)


  The debug output you posted shows the server receiving duplicate
 packets *many* seconds apart.  They're not detected as duplicates,
 because the retransmissions are too late.

  Find the one thing you *didn't* change in the network, and blame it
 for the problems.  And no, it's still not a RADIUS problem.

It's a remote site that has only an Access Point; from other sites we
have no problem. It's a weird thing that it started to happen
suddenly. Perhaps the firewall is doing some rude thing with
packets...


  Alan DeKok.



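The diagnosis above (the same Access-Request arriving again many seconds later, too late to be recognised as a duplicate) can be checked mechanically against the debug output posted further down this page. The script below is an added example, not code from this thread or from FreeRADIUS. It assumes the debug lines carry an ISO-8601 timestamp prefix (for instance from `radiusd -X | ts '%Y-%m-%dT%H:%M:%S'` with moreutils ts) and that the server keeps a finished request for the stock cleanup_delay of 5 seconds; the sample log is constructed, modelled on the posted trace, with a documentation address in place of the real NAS.

```python
"""Flag late RADIUS retransmissions in timestamped FreeRADIUS debug output.

Added example for this thread; not part of the original posts or of FreeRADIUS.
FreeRADIUS 2.x remembers a request (client address, source port, packet ID)
for cleanup_delay seconds so that a retransmission inside that window gets the
cached reply. A copy arriving later is processed as a brand new request; its
State no longer matches a live EAP session, which is the
"No EAP session matching the State variable" reject seen in the trace.
"""
import re
from datetime import datetime

CLEANUP_DELAY = 5.0  # stock FreeRADIUS 2.x default, seconds (assumption: not changed)

RECV_RE = re.compile(
    r"^(?P<ts>\S+) rad_recv: (?P<code>[\w-]+) packet from host (?P<host>\S+) "
    r"port (?P<port>\d+), id=(?P<id>\d+), length=\d+"
)
STATE_RE = re.compile(r"^\S+\s+State = (?P<state>0x[0-9a-fA-F]+)")

# Constructed sample: one EAP round trip, a normal fast duplicate of id=3,
# then id=2 with its old State showing up again 8 seconds after the first copy.
SAMPLE_LOG = """\
2011-12-16T09:50:01 rad_recv: Access-Request packet from host 192.0.2.10 port 39611, id=2, length=253
2011-12-16T09:50:01 \tUser-Name = "SOYKADORNA"
2011-12-16T09:50:01 \tState = 0x869e7309879c6a16768684a64fbb490b
2011-12-16T09:50:01 Sending Access-Challenge of id 2 to 192.0.2.10 port 39611
2011-12-16T09:50:02 rad_recv: Access-Request packet from host 192.0.2.10 port 39611, id=3, length=180
2011-12-16T09:50:02 \tState = 0x5d1c0a4b91e2f7035d1c0a4b91e2f703
2011-12-16T09:50:03 rad_recv: Access-Request packet from host 192.0.2.10 port 39611, id=3, length=180
2011-12-16T09:50:03 \tState = 0x5d1c0a4b91e2f7035d1c0a4b91e2f703
2011-12-16T09:50:09 rad_recv: Access-Request packet from host 192.0.2.10 port 39611, id=2, length=253
2011-12-16T09:50:09 \tState = 0x869e7309879c6a16768684a64fbb490b
"""


def parse_packets(lines):
    """One dict per received packet: timestamp, code, client, ID and State."""
    packets, current = [], None
    for line in lines:
        m = RECV_RE.match(line)
        if m:
            current = {"ts": datetime.fromisoformat(m.group("ts")), "code": m.group("code"),
                       "host": m.group("host"), "port": int(m.group("port")),
                       "id": int(m.group("id")), "state": None}
            packets.append(current)
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            current["state"] = m.group("state").lower()
    return packets


def find_late_retransmissions(lines, cleanup_delay=CLEANUP_DELAY):
    """Access-Requests that repeat an earlier (client, port, ID) tuple or an
    earlier State value more than cleanup_delay seconds after it was last seen.
    Repeats inside the window are ordinary duplicates and are not reported."""
    last_key, last_state, findings = {}, {}, []
    for p in parse_packets(lines):
        if p["code"] != "Access-Request":
            continue
        key, reasons = (p["host"], p["port"], p["id"]), []
        if key in last_key:
            gap = (p["ts"] - last_key[key]).total_seconds()
            if gap > cleanup_delay:
                reasons.append("same client/port/ID %.0fs after the previous copy" % gap)
        if p["state"] is not None and p["state"] in last_state:
            gap = (p["ts"] - last_state[p["state"]]).total_seconds()
            if gap > cleanup_delay:
                reasons.append("State replayed %.0fs after it was last seen" % gap)
        if reasons:
            findings.append({"ts": p["ts"], "host": p["host"], "id": p["id"], "reasons": reasons})
        last_key[key] = p["ts"]
        if p["state"] is not None:
            last_state[p["state"]] = p["ts"]
    return findings


if __name__ == "__main__":
    for f in find_late_retransmissions(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["host"], "id=%d" % f["id"], "; ".join(f["reasons"]))
```

Run it over a real capture with `python3 late_dups.py < radiusd.log` after replacing SAMPLE_LOG with `sys.stdin`; a hit with both reasons on the same packet is the signature of a NAS or a middlebox replaying the request long after the server has moved on, which is a network problem, not a RADIUS one.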


Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message

2011-12-16 Thread Sergio Belkin
2011/12/16 Sergio Belkin seb...@gmail.com:
 Hi,

 I have a really weird problem. We have a lot of NAS'es and none of
 them had this problem. It always gets login incorrect. If I run
 eapol_test it complains saying. I've tried replacing the nas a few
 times and it makes no difference. And it doesn't matter what user tries
 to connect.


 could not extract EAP-Message from RADIUS message
 EAPOL: EAP key not available

 This the debug output of freeradius. Please could you help me to solve
 this issue? Problem happens with client  192.168.3.201

Sorry, but do not pay attention to the IP address (sensitive data in the
file has been edited). Please take a look at user interup with outer
identity SOYKADORNA

Thanks again



Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message

2011-12-16 Thread Sergio Belkin
2011/12/16 Sergio Belkin seb...@gmail.com:
 2011/12/16 Sergio Belkin seb...@gmail.com:
 Hi,

 I have a really weird problem. We have a lot of NAS'es and none of
 them had this problem. It always gets login incorrect. If I run
 eapol_test it complains saying. I've tried replacing the nas a few
 times and it makes no difference. And it doesn't matter what user tries
 to connect.


 could not extract EAP-Message from RADIUS message
 EAPOL: EAP key not available

 This the debug output of freeradius. Please could you help me to solve
 this issue? Problem happens with client  192.168.3.201

 Sorry, but do not pay attention to the IP address (sensitive data in the
 file has been edited). Please take a look at user interup with outer
 identity SOYKADORNA

 Thanks again


I think I've found something about it:

http://www.ietf.org/rfc/rfc3579.txt 2.6.3 (Conflicting message)

Could that be the problem?

Thanks in advance



Re: Always Login incorrect: Could not extract EAP-Message from RADIUS message

2011-12-16 Thread Sergio Belkin
-Address = 192.168.2.53,Acct-Session-Id =
0025-000A,User-Name = kiki333'
[acct_unique] Acct-Unique-Session-ID = a10966e1e5dda57e.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = kiki333, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]    expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.53/detail-20111216
[detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.53/detail-20111216
[detail]    expand: %t -> Fri Dec 16 09:50:00 2011
++[detail] returns ok
++[unix] returns noop
[radutmp]   expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp]   expand: %{User-Name} -> kiki333
++[radutmp] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} -> kiki333
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 160 to 192.168.2.53 port 49603
Finished request 13.
Cleaning up request 13 ID 160 with timestamp +12
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.4 port 39611, id=2, length=253
User-Name = SOYKADORNA
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 
0x0202007a19800070160301006b016703014eeb3ec87be73aa918030263d5e73f349398bd48e8176a62ce944dcf0c6b95cf3a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff01040023
State = 0x869e7309879c6a16768684a64fbb490b
Message-Authenticator = 0x0786010bb78d36cc0a93b73a3a9b7a0f
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: %{Virtual-Server} ->
[auth_log]  expand: /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local/var/log/radius/radacct/requests/192.168.4/auth-detail--DEFAULT-20111216
[auth_log] /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local/var/log/radius/radacct/requests/192.168.4/auth-detail--DEFAULT-20111216
[auth_log]  expand: %t -> Fri Dec 16 09:50:01 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = SOYKADORNA, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [SOYKADORNA] (from client AP-sarlanga7 port 0 cli 02-00-00-00-00-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> SOYKADORNA
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 14 for 1 seconds
Going to the next request


Re: Broken Pipe with ssh

2011-10-13 Thread Sergio Belkin
2011/10/12 Alan Buxey a.l.m.bu...@lboro.ac.uk:
 Hi,

 Ssh users are suffering  of broken pipe when NASes use the  WPA
 Enterprise schema. I wonder is I have something misconfigured that is
 causing nosense reconnection or thinks alike. Please could could you
 help me and take a look to my config and tell me if I should fix
 something? Thanks in advance!

 not really a RADIUS issue - unless your authentications are taking too
 long and therefore timing out - causing the clients to lose actual
 connectivity.

 you need to see what is happening on the client when these events are taking
 place - eg look at system messages or wireless stuff to see if something's
 not right there ...what is the session-timeout? do you change their VLAN -
 are different APs delivering different VLANs - do you see the clients
 being mobile at all?  lots of things - it's the wireless medium that
 is causing the issue I believe...   and FR 2.1.1 is very very old, I'd
 recommend that you upgrade


 alan

Yup. It seems that it is not a radius issue. Sorry, of course it's not that
the problem arose and I thought "Oh, it is a freeradius issue indeed". It
happens that it is some problem that we have had for a long time, and it's
somewhat difficult to find the cause, so I thought for a moment that I was
doing something wrong (I was not blaming the radius developers, it's not
my way of doing things). But finally we've found that it seems that the
firewall device at the edge of the network is causing such
issues.

Thanks




Broken Pipe with ssh

2011-10-12 Thread Sergio Belkin
/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = 192.168.1.5
port = 0
}
listen {
type = acct
ipaddr = 192.168.1.5
port = 0
}
listen {
type = status
ipaddr = 127.0.0.1
port = 18120
  client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = YellowSubmarine
  }
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on status address 127.0.0.1 port 18120 as server status
Ready to process requests.




Invitation to connect on LinkedIn

2011-07-03 Thread Sergio Belkin via LinkedIn
Sergio Belkin requested to add you as a connection on LinkedIn.

Freeradius + xmpp server

2011-05-27 Thread Sergio Belkin
Hi,

I'd want to know if anyone there is using freeradius along with an XMPP server.

I'd like to read experiences about it.

Thanks in advance!


Re: Freeradius + xmpp server

2011-05-27 Thread Sergio Belkin
2011/5/27 Phil Mayers p.may...@imperial.ac.uk:
 On 27/05/11 16:31, Sergio Belkin wrote:

 Hi,

 I'd want to know if anyone there is using freeradius along with a xmpp
 server.


I mean using an XMPP server as a NAS. I think that it provides more
flexibility to choose on which attributes the authentication is
performed.


Re: Freeradius + xmpp server

2011-05-27 Thread Sergio Belkin
2011/5/27 Phil Mayers p.may...@imperial.ac.uk:
 On 27/05/11 16:58, Sergio Belkin wrote:

 I mean use a xmppserver  as a NAS. I think that it provide more
 flexibility to choose based on what attributes is performed the
 authentication.

 So, would the idea be that:

  * client connects to XMPP server
  * client sends username/password
  * XMPP server sends PAP request
  * radius server replies with yes/no

 The easiest way is probably PAM and pam_radius, but it only does
 authentication.

 But I assume you want to do something more complex?
 -

The idea is:

 * client connects to XMPP server
 * client sends uid/radiusPassword (see below)
 * XMPP server sends MSChapv2 request
 * radius server replies with yes/no

radiusPassword is an alternative attribute that we created instead of
userPassword. We use it instead of userPassword, which is used for mail
and intranet access.

I was testing openfire but it can't choose the attribute, it only uses
userPassword, and it has a radius plugin that is a bit outdated...



Re: Freeradius + xmpp server

2011-05-27 Thread Sergio Belkin
2011/5/27 Phil Mayers p.may...@imperial.ac.uk:

 The Idea is:

  * client connects to XMPP server
  * client sends uid/radiusPassword (see below)
 * XMPP server sends MSChapv2 request
 * radius server replies with yes/no

 Interesting. Since the client is sending user/password, why do you want to
 translate that to an MSCHAP request?

Well, I don't know really, but there was a plugin from jradius that
could do that, but as I said it is somewhat dated



 radiusPassword is an attribute alternative that we created instead
 userPassword. We use it instead of userPassword which is used for mail
 and intranet access.

 This is an attribute where? In a radius packet?

It is an LDAP attribute and AFAIK it is a checkItem; I have the following in
ldap.attrmap:

checkItem Cleartext-Password radiusPassword

 I was testing openfire but it can't choose the attribute, only uses
 userPassword, and has a radius plugin a bit outdated...


 Have you tried PAM and pam_radius?

Not yet :)


Invalid signature

2011-05-11 Thread Sergio Belkin
Hi,

I am receiving error from some NAS:

rad_recv: Accounting-Request packet from host 201.216.227.201 port 58999, id=0, length=86
Received Accounting-Request packet from 201.216.227.201 with invalid signature!  (Shared secret is incorrect.) Dropping packet without response.

It's a weird thing, because the secret on both the radius server and the NASes
is the same!

I don't understand the problem!

Thanks in advance!



Re: Invalid signature

2011-05-11 Thread Sergio Belkin
2011/5/11 Alan Buxey a.l.m.bu...@lboro.ac.uk:
 Hi,

 rad_recv: Accounting-Request packet from host 201.216.227.201 port 58999, id=0, length=86
 Received Accounting-Request packet from 201.216.227.201 with invalid signature!  (Shared secret is incorrect.) Dropping packet without response.

 server doesn't lie. check the shared secret for the ACCOUNTING part of the
 NAS

 alan

Oops, sorry, it's my fault. I forgot to append
append $var acct_server_shared_secret=$secret $N

to the openwrt NAS. It turned out to be OT, but I hope that helps someone
using OpenWRT.

Thanks again


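Two threads on this page come down to the same few bytes of RFC 2865/2866 arithmetic: the "XMPP server sends PAP request, radius server replies with yes/no" exchange discussed with Phil Mayers above, and the "invalid signature! (Shared secret is incorrect.)" drop in this thread, which is the server recomputing the Accounting-Request's Request Authenticator with its own secret and finding a mismatch. The following is an added example, not code from FreeRADIUS, OpenWrt or any XMPP server; the shared secret, user name, password and NAS address are made up.

```python
"""RADIUS authenticators worked by hand (RFC 2865 and RFC 2866).

Added example for this thread; not code from FreeRADIUS, OpenWrt or any XMPP
server. Part (a) is what a NAS such as an XMPP server does to send a PAP
Access-Request and to check the reply. Part (b) is the check behind
"invalid signature! (Shared secret is incorrect.)": the Request Authenticator
of an Accounting-Request must equal MD5 over the packet (authenticator field
zeroed) followed by the shared secret. Secrets and sample values are made up.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 2, 4, 40
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

def attr(atype, value):
    """One attribute as Type, Length, Value (RFC 2865 section 5)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("BB", atype, len(value) + 2) + value

def parse_attrs(packet):
    """{type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body

def hide_pap_password(password, secret, request_auth):
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16, XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator.
    Obfuscation keyed by the shared secret, not encryption in any modern sense."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_pap_password(hidden, secret, request_auth):
    """Inverse of hide_pap_password: what the server does before comparing the
    result with Cleartext-Password (e.g. the LDAP radiusPassword attribute)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret,
                         nas_ip=b"\x7f\x00\x00\x01", request_auth=None):
    """Access-Request with a fresh random Request Authenticator (RFC 2865 section 3)."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = [attr(USER_NAME, username),
             attr(USER_PASSWORD, hide_pap_password(password, secret, request_auth)),
             attr(NAS_IP_ADDRESS, nas_ip)]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def verify_response(packet, request_auth, secret):
    """NAS side: trust a reply only if it was built with our secret and our
    Request Authenticator; otherwise anyone on the path could forge an Accept."""
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

def accounting_request_authenticator(ident, body, secret):
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(ACCOUNTING_REQUEST, ident, 20 + len(body))
                       + b"\x00" * 16 + body + secret).digest()

def build_accounting_request(ident, attrs, secret):
    body = b"".join(attrs)
    return build_packet(ACCOUNTING_REQUEST, ident,
                        accounting_request_authenticator(ident, body, secret), attrs)

def accounting_request_is_valid(packet, secret):
    """Server side: the check that fails when the NAS used a different
    accounting secret (the OpenWrt acct_server_shared_secret in this thread)."""
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = accounting_request_authenticator(ident, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

if __name__ == "__main__":
    secret = b"demo-shared-secret"  # constructed
    req, ra = build_access_request(7, b"kiki333", b"s3cret!", secret)
    hidden = parse_attrs(req)[USER_PASSWORD]
    print("hidden User-Password:", hidden.hex())
    print("recovered by the server:", reveal_pap_password(hidden, secret, ra))
    acct = build_accounting_request(0, [attr(ACCT_STATUS_TYPE, b"\x00\x00\x00\x01"),
                                        attr(USER_NAME, b"kiki333")], secret)
    print("acct valid with right secret:", accounting_request_is_valid(acct, secret))
    print("acct valid with wrong secret:", accounting_request_is_valid(acct, b"other"))
```

Two things worth noticing: the Access-Request itself carries no integrity check at all unless Message-Authenticator is added (which is why the password hiding matters and why EAP requires that attribute), and the accounting check is the only thing standing between a wrong secret and bogus accounting records, so the server is right to drop the packet silently rather than answer it.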


Authentication based on users and NAS

2011-04-12 Thread Sergio Belkin
Hi,

It was easier than I thought, I simply had to add to /etc/raddb/users
something like:

steve Called-Station-Id == 00259c14066e,Cleartext-Password := password

Still I had to solve 2 issues:

The first one is that if I want steve to log in through more than one NAS I
have to add one line like the above per NAS. Is there a nicer way to do it?

The second one is that I don't know how to do it for Ldap users.

Thanks in advance!


Restrict access per NAS

2011-04-08 Thread Sergio Belkin
Hi,

Is there a way to restrict an LDAP user to be authorized only from a
specific NAS (Access Point)?

I'm using FreeRADIUS Version 2.1.1

Thanks in advance!


Half OT: Windows XP won't connect

2010-10-05 Thread Sergio Belkin
Hi,
I have a freeradius with LDAP; supplicants use either EAP-PEAP or
EAP-TTLS. Sometimes, Windows (mainly XP) systems won't connect:
packets arrive only at the Access Point but not at the radius server.
Generally, the solution is rebooting the AP, but I wonder if I need to
tweak something on the AP. This is the result from tcpdump:

12:45:07.808808 00:22:5f:43:f4:31 (oui Unknown) > Broadcast Null
Unnumbered, xid, Flags [Response], length 6: 01 00
12:45:07.815594 02:25:9c:14:06:6e (oui Unknown) > 00:25:9c:14:06:6e
(oui Unknown), ethertype Unknown (0x886c), length 94:
0x:  8001 007a  1018 0001 0001    ...z
0x0010:  0008         
0x0020:  0016 0022 5f43 f431 776c 3000    ..._C.1wl0.
0x0030:      3014 0100 000f ac02  0...
0x0040:  0100 000f ac04 0100 000 ac01    
12:45:07.819711 EAPOL start (1) v1, len 0
12:45:07.825580 02:25:9c:14:06:6e (oui Unknown) > 00:25:9c:14:06:6e
(oui Unknown), ethertype Unknown (0x886c), length 77:
0x:  8001 0069  1018 0001 0001    ...i
0x0010:  0019         
0x0020:  0005 0022 5f43 f431 776d 3000    ..._C.1wl0.
0x0030:      0101   00...
12:45:18.821489 IP 192.168.188.131.17500 > 192.168.188.255.17500: UDP,
length 127
12:45:20.417512 ARP, Request who-has 192.168.188.1 (00:25:9c:14:06:6c
(oui Unknown)) tell 192.168.188.187, length 28
12:45:20.417682 ARP, Reply 192.168.188.1 is-at 00:25:9c:14:06:6c (oui
Unknown), length 28
12:45:28.095608 ARP, Request who-has 192.168.188.131 tell
192.168.188.1, length 28
12:45:28.098097 ARP, Reply 192.168.188.131 is-at 00:1f:5b:bb:77:f2
(oui Unknown), length 28
12:45:31.165528 ARP, Request who-has 192.168.188.187 tell
192.168.188.1, length 28
12:45:31.169815 ARP, Reply 192.168.188.187 is-at 00:25:d3:74:49:ac
(oui Unknown), length 28
12:45:48.919456 ARP, Request who-has 192.168.188.1 (00:25:9c:14:06:6c
(oui Unknown)) tell 192.168.188.187, length 28
12:45:48.919612 ARP, Reply 192.168.188.1 is-at 00:25:9c:14:06:6c (oui
Unknown), length 28
12:46:04.655521 ARP, Request who-has 192.168.188.187 tell
192.168.188.1, length 28
12:46:04.656464 ARP, Reply 192.168.188.187 is-at 00:25:d3:74:49:ac
(oui Unknown), length 28
12:46:09.114950 EAPOL start (1) v1, len 0
12:46:09.115553 02:25:9c:14:06:6e (oui Unknown) > 00:25:9c:14:06:6e
(oui Unknown), ethertype Unknown (0x886c), length 77:
0x:  8001 0069  1018 0001 0001    ...i
0x0010:  0019         
0x0020:  0005 0022 5f43 f431 776d 3000    ..._.1wl0.
0x0030:      0101   00...
12:46:14.920025 ARP, Request who-has 192.168.188.1 (00:25:9c:14:06:6c
(oui Unknown)) tell 192.168.188.187, length 28
12:46:14.920228 ARP, Reply 192.168.188.1 is-at 00:25:9c:14:06:6c (oui
Unknown), length 28

Thanks in advance!


LDAP: Causes of Failed binding

2010-07-08 Thread Sergio Belkin
Hi,

How does freeradius decide that "Bind as user" has failed?

Thanks in advance!!



Fwd: SSL issues

2010-05-13 Thread Sergio Belkin
: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
usersfile = /usr/local/etc/raddb/users
acctusersfile = /usr/local/etc/raddb/acct_users
preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
filename = /usr/local/var/log/radius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating post_proxy_log
  detail post_proxy_log {
detailfile = /usr/local/var/log/radius/radacct/postproxy/%{Client-IP-Address}/post-proxy-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating reply_log
  detail reply_log {
detailfile = /usr/local/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = /usr/local/etc/raddb/attrs.access_reject
key = %{User-Name}
  }
 }
}
server inner-tunnel-peap {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Instantiating auth_log
  detail auth_log {
detailfile = /usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating detail
  detail {
detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
attrsfile = /usr/local/etc/raddb/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = 192.168.1.5
port = 0
}
listen {
type = acct
ipaddr = 192.168.1.5
port = 0
}
listen {
type = status
ipaddr = 127.0.0.1
port = 18120
  client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = YellowSubmarine
  }
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on status address 127.0.0.1 port 18120 as server status
Ready to process requests.

You can read wireshark dump on:


http://pastebin.com/ZH2SfTFq


Thanks in advance


Somewhat OT: Empty SubjectAltName on server certificate (EAP-PEAP)

2010-04-12 Thread Sergio Belkin
Hi,

I have a certificate with xpextensions but its SubjectAltName is empty.

Is it mandatory, or is it only wrong when its content doesn't match the FQDN?

Thanks in advance!



Re: User enabled for one only NAS

2010-04-06 Thread Sergio Belkin
2010/4/5 Sergio Belkin seb...@gmail.com:
 Hi,

 I've enabled on users file  something like that:

 guest Cleartext-Password := guest


 How can I limit that user to one only NAS IP Address?

 Thanks in advance!

 --
 --

Hmmm... I wonder whether the question is somewhat stupid or freeradius
can't do that...

Greets.


User enabled for one only NAS

2010-04-05 Thread Sergio Belkin
Hi,

I've enabled on users file  something like that:

guest Cleartext-Password := guest


How can I limit that user to one only NAS IP Address?

Thanks in advance!

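Three threads on this page ask the same thing in different forms: tying a local user to a NAS by Called-Station-Id ("Authentication based on users and NAS"), doing it for LDAP users ("Restrict access per NAS"), and this one, limiting a users-file entry to one NAS-IP-Address. One way to answer all three with FreeRADIUS 2.x is the huntgroups file, which the preprocess module turns into a Huntgroup-Name check item. The fragment below is an added example, not configuration from the thread; the group name, addresses, MAC and LDAP group name are made up.

```text
# raddb/huntgroups (read by the preprocess module, which runs before files
# in authorize). A huntgroup may span several lines; a request that matches
# any of them gets the check item Huntgroup-Name = "lab-aps". Use whatever
# identifies the NAS reliably in "radiusd -X" output: NAS-IP-Address, or
# Called-Station-Id in the exact form the AP sends it (often MAC:SSID).
lab-aps    NAS-IP-Address == 192.168.2.53
lab-aps    NAS-IP-Address == 192.168.2.54
lab-aps    Called-Station-Id == "00259c14066e"

# raddb/users. One line now covers every NAS in the group; steve connecting
# through any other NAS matches nothing, has no known-good password, and is
# rejected.
steve      Huntgroup-Name == "lab-aps", Cleartext-Password := "password"

# LDAP users need no per-user line. Entries are tried top to bottom and the
# first match ends the search unless it sets Fall-Through, so members of the
# LDAP group stop at the first DEFAULT and authenticate as usual, while
# everyone else arriving through the group is rejected by the second.
# Requests from other NASes match neither entry and are not affected.
DEFAULT    Huntgroup-Name == "lab-aps", Ldap-Group == "lab-staff"

DEFAULT    Huntgroup-Name == "lab-aps", Auth-Type := Reject
           Reply-Message = "Not allowed from this access point"
```

With EAP-PEAP or EAP-TTLS the real user name is only visible in the inner tunnel, so these entries have to be consulted by the inner-tunnel virtual server's files module, and the NAS attributes have to be available there: set copy_request_to_tunnel = yes in the peap and ttls sections of eap.conf, or reference the outer request explicitly in unlang. Confirm the behaviour with radiusd -X for a user inside the group, a user outside it, and a request from an unrelated NAS before relying on it.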


Somewhat OT: Windows VIsta annoyance: sends local login credentials

2010-03-31 Thread Sergio Belkin
2010/3/30 Julien Savoie julien.sav...@usainteanne.ca:
 Check if you have this enabled in radiusd.conf

     mschap {
  with_ntdomain_hack = yes
     }

     realm ntdomain {
     format = prefix
     delimiter = \\
     ignore_default = no
     ignore_null = no
     }

 and proxy.conf

         realm DEFAULT {
             strip
         }

 If you only have one domain this will work.  If you have different domains
 you'll need to setup the individual realms.  Sounds like in your case you
 don't though.



Hi Julien, file /etc/raddb/modules/mschap is the original one.  I use
no domain, only user+password. Sorry, but I forgot the subject before.


Thanks in advance!

 Sergio Belkin wrote:

 There are a few log entries like as as follows
  Auth: Login incorrect (rlm_ldap: User not found):
 [QSARGENTINA\\amumenthaler] (from client UP-PVIII-VIII-Bis port 0 via
 TLS tunnel)

 Please could you help me to find a fix?



Re: Somewhat OT: Windows VIsta annoyance: sends local login credentials

2010-03-31 Thread Sergio Belkin
2010/3/31 Julien Savoie julien.sav...@usainteanne.ca:
 Sergio Belkin wrote:

 and proxy.conf

        realm DEFAULT {
                strip
        }

 If you only have one domain this will work.  If you have different
 domains
 you'll need to setup the individual realms.  Sounds like in your case you
 don't though.




 Hi Julien, file /etc/raddb/modules/mschap is as original one.  I use
 no domain, only user+password. Sorry, but I forget the subject before.


 Then you want to by default strip any realm/domain information off the
 request.  Information provided should be sufficient.

Really thanks, but the problem is that users use their personal
notebooks; they are students, not employees, so Windows login
usernames are not the same as the ldap ones. It seems that Vista wants
to use SSO and sends their credentials first. Because of that the subject
is somewhat OT, but I guess that someone here has run into that
problem... thanks in advance!



freeradius-users@lists.freeradius.org

2010-03-30 Thread Sergio Belkin
Hi,

I am using FR 2.1.1, for host x86_64, with LDAP 802.1x/WPA + OpenLDAP
for wireless network access. I've found that some clients using
EAP-PEAP, mainly Windows Vista, send the notebook credentials even though
automatic use of credentials is disabled...

There are a few log entries like as as follows
 Auth: Login incorrect (rlm_ldap: User not found):
[QSARGENTINA\\amumenthaler] (from client UP-PVIII-VIII-Bis port 0 via
TLS tunnel)

Please could you help me to find a fix?

Thanks in advance!


dict_addattr: attribute name too long error when running raclient by cron

2010-03-17 Thread Sergio Belkin
Hi, I have a simple script as follows:

#! /bin/bash
# radclient computes the real Message-Authenticator when it is given as 0x00.
echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 16" |
    radclient localhost:18120 status YellowSubmarine |
    tee /var/log/radius/status-$(date -d yesterday +%Y%m%d).log
#echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1" |
#    radclient localhost:18120 status YellowSubmarine |
#    tee -a /var/log/radius/status-$(date -d yesterday +%Y%m%d).log


When I run it from the shell it works fine, but when it is launched by root it
fails, resulting in:

radclient: dict_init:
/usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr:
attribute name too long
radclient: dict_init:
/usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr:
attribute name too long


crontab line is as follows:

58 9 * * * root /scripts/getRadiusStatus > /tmp/whatsup 2>&1

Please could you help to solve it?

Thanks in advance


Re: dict_addattr: attribute name too long error when running raclient by cron

2010-03-17 Thread Sergio Belkin
2010/3/17 Sergio Belkin seb...@gmail.com:
 Hi, I have a simple script as follows:

 #! /bin/bash
 # radclient computes the real Message-Authenticator when it is given as 0x00.
 echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 16" |
     radclient localhost:18120 status YellowSubmarine |
     tee /var/log/radius/status-$(date -d yesterday +%Y%m%d).log
 #echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1" |
 #    radclient localhost:18120 status YellowSubmarine |
 #    tee -a /var/log/radius/status-$(date -d yesterday +%Y%m%d).log


 When I run it from the shell it works fine, but when it is launched by root it
 fails, resulting in:

 radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long
 radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long


 crontab line is as follows:

 58 9 * * * root /scripts/getRadiusStatus > /tmp/whatsup 2>&1

 Please could you help to solve it?

 Thanks in advance
Sorry, correcting myself: I meant radclient in the subject, and launched
by cron...



Re: dict_addattr: attribute name too long error when running raclient by cron

2010-03-17 Thread Sergio Belkin
2010/3/17 Alan DeKok al...@deployingradius.com:
 Sergio Belkin wrote:
 When I run it from the shell it works fine, but when it is launched by root it
 fails, resulting in:

 radclient: dict_init: /usr/local/share/freeradius/dictionary.freeradius[47]: dict_addattr: attribute name too long

  You have multiple versions of FreeRADIUS installed.  Fix that.

  Alan DeKok.

Oh yeah, my fault, it was a really stupid mistake: the current binaries
are not on cron's PATH; as you say, there were unused, older binaries
in /usr/bin, and cron was picking up radclient from there.

Thanks!


About FreeRADIUS-Stats-Client-IP-Address

2010-03-16 Thread Sergio Belkin
Hi, When I issue the following command on the shell:

 echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 35, FreeRADIUS-Stats-Client-IP-Address = 10.128.255.80" | radclient localhost:18120 status MySecret

It gets global statistics and *not only* those of the client. Is there a
way to get *only* the stats for the client?

Thanks in advance!




Question About rlm_sql_log (it was Re: Time connected)

2009-11-03 Thread Sergio Belkin
2009/10/29 Ivan Kalik t...@kalik.net:
 Sergio Belkin wrote:

 2009/10/29 Ivan Kalik t...@kalik.net:


 Sergio Belkin wrote:


 Hi,

 Sorry for the stupid question, but I'd like to get how much time every
 user is connected; please could you provide some kind of guidelines?
 Using Version 2.1.1.



 SELECT Count(*) FROM radacct WHERE UserName='some_username'

 Ivan Kalik
 Kalik Informatika ISP



 I guess that you're using database module, aren't you?



 You should too. Much simpler than parsing detail file.

 Ivan Kalik
 Kalik Informatika ISP
 -

Hi,

I was reading about rlm_sql_log. I mean I don't want to rely on SQL
for authorization and authentication. Can I use that module for
easier log handling *only*?

Thanks in advance!


Re: Question About rlm_sql_log (it was Re: Time connected)

2009-11-03 Thread Sergio Belkin
2009/11/3 Ivan Kalik t...@kalik.net:
 Sorry for the stupid question, but I'd like to get how much time
 every
 user is connected; please could you provide some kind of guidelines?
 Using Version 2.1.1.



 SELECT Count(*) FROM radacct WHERE UserName='some_username'


 I guess that you're using database module, aren't you?



 You should too. Much simpler than parsing detail file.



 I was reading about rlm_sql_log.

 Why? That has nothing to do with anything you would want.

 I mean I don't want to rely on sql
 for authorization and authentication.

 So don't. Use it just for accounting.

 Can I use that module only for
 easiest log handling *only* ?

 What does that mean?

 Ivan Kalik
 Kalik Informatika ISP



I want to find some way to analyze logs, so that I can get, e.g., the last
user status or how long a user has been connected.

Thanks in advance!



Time connected

2009-10-29 Thread Sergio Belkin
Hi,

Sorry for the stupid question, but I'd like to get how much time every
user is connected; please could you provide some kind of guidelines?
Using Version 2.1.1.

Thanks in advance!



Re: Time connected

2009-10-29 Thread Sergio Belkin
2009/10/29 Ivan Kalik t...@kalik.net:
 Sergio Belkin wrote:

 Hi,

 Sorry for the stupid question, but I'd like to get how much time every
 user is connected; please could you provide some kind of guidelines?
 Using Version 2.1.1.


 SELECT Count(*) FROM radacct WHERE UserName='some_username'

 Ivan Kalik
 Kalik Informatika ISP


I guess that you're using database module, aren't you?



Status X User

2009-10-23 Thread Sergio Belkin
Hi,

Is there a way to get the last time that a user got an Access-Accept and
an Access-Reject? Of course I can parse log files, but I wonder if there is a
radius tool that can do it.

Thanks in advance



Re: Status X User

2009-10-23 Thread Sergio Belkin
2009/10/23 Alexander Clouter a...@digriz.org.uk:
 Sergio Belkin seb...@gmail.com wrote:

 Is there a way to get the last time that a user got an Access-Accept and
 an Access-Reject? Of course I can parse log files, but I wonder if there is a
 radius tool that can do it.

 your data - SQL

 SELECT * FROM postauth WHERE user_name = 'blar' AND packet_type = 'Access-Reject' ORDER BY timestamp DESC LIMIT 1

 Then for the latter replace 'Access-Accept' with 'Access-Reject'?

 Cheers

 --
 Alexander Clouter
 .sigmonster says: Zeus gave Leda the bird.



Oops, I have no MySQL, unless there is a way to dump log files
into a MySQL database :)

Sorry if the question sounds stupid :)


Re: wpa/wpa2 on logs

2009-10-14 Thread Sergio Belkin
2009/10/14 Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk:

 On 13/10/2009 18:53, Sergio Belkin wrote:
 Hi,

 Is there a way to log if a supplicant is using either wpa or wpa2?

 Thanks in advance!


 No. Information about the security association is not contained in EAP 
 authentication attempts.


Thanks Arran! At least it's good to know that.




wpa/wpa2 on logs

2009-10-13 Thread Sergio Belkin
Hi,

Is there a way to log if a supplicant is using either wpa or wpa2?

Thanks in advance!



Weekly and daily logs

2009-10-07 Thread Sergio Belkin
Sorry for the stupid question: is it possible on FreeRADIUS Version 2.1.1
to create log files on both a daily and a weekly basis?

Thanks in advance!



Re: Out and into tunnel log files

2009-09-03 Thread Sergio Belkin
2009/9/1 Ivan Kalik t...@kalik.net:
 I have configured three virtual servers: default, inner (uses
 eap-ttls), inner-peap (uses eap-peap). I guess that out of tunnel
 attempts go to default server log files.

 cron performs a daily task that more or less does something like
 this:


 Please, I beg you, give me an idea of where I am failing.

 To clarify a bit: I've found that some OKs are sent to the default
 server log file *only*, and nothing to the inner tunnel log files.

 PEAP and TTLS will have OKs for both inner and outer identities. PAP,
 MSCHAP etc will have only single OK.

 Ivan Kalik
 Kalik Informatika ISP


Thanks Ivan, but in my case PAP and MSCHAP are never used without TTLS
or PEAP, so I don't understand why some OKs were sent to the default
server log. Because of that I now use
requests = ${logdir}/radiusd-%{%{Virtual-Server}-%Y%m%d.log
and now there are no entries in the default server log; I wonder if what
I am doing is right, I mean whether I am omitting some OKs by doing that...

Thanks in advance!




Re: Out and into tunnel log files

2009-09-03 Thread Sergio Belkin
2009/9/3 Sergio Belkin seb...@gmail.com:
 2009/9/1 Ivan Kalik t...@kalik.net:
 I have configured three virtual servers: default, inner (uses
 eap-ttls), inner-peap (uses eap-peap). I guess that out of tunnel
 attempts go to default server log files.

 cron performs a daily task that more or less does something like
 this:


 Please, I beg you, give me an idea of where I am failing.

 To clarify a bit: I've found that some OKs are sent to the default
 server log file *only*, and nothing to the inner tunnel log files.

 PEAP and TTLS will have OKs for both inner and outer identities. PAP,
 MSCHAP etc will have only single OK.

 Ivan Kalik
 Kalik Informatika ISP


 Thanks Ivan, but in my case PAP and MSCHAP are never used without TTLS
 or PEAP, so I don't understand why some OKs were sent to the default
 server log. Because of that I now use
 requests = ${logdir}/radiusd-%{%{Virtual-Server}-%Y%m%d.log
 and now there are no entries in the default server log; I wonder if what
 I am doing is right, I mean whether I am omitting some OKs by doing that...

 Thanks in advance!




Sorry for repeating myself, but I meant: I don't understand why some OKs
were sent to the default server log *only*.



Re: Out and into tunnel log files

2009-09-01 Thread Sergio Belkin
2009/8/31 Sergio Belkin seb...@gmail.com:
 Hi,

 I have configured three virtual servers: default, inner (uses
 eap-ttls), inner-peap (uses eap-peap). I guess that out of tunnel
 attempts go to default server log files.

 cron performs a daily task that more or less does something like this:

 grep OK /var/log/radius/radiusd-*-$date.log | awk '{print $10}' | sort -fu | wc -l

 That way I get how many users could get an Access-Accept. Well, I've
 found that that is not right, because some supplicants can send
 different identities inside and outside the tunnel. So I'd like to use:

 grep OK /var/log/radius/radiusd-inner*-$date.log | awk '{print $10}' | sort -fu | wc -l

 But I've found that some OKs are sent to the default server log file, so
 I can't get the right statistic. Please could you help me do it? Below is
 the debug info:


Please, I beg you, give me an idea of where I am failing.

To clarify a bit: I've found that some OKs are sent to the default
server log file *only*, and nothing to the inner tunnel log files.

I don't understand why, if I have in radiusd.conf

log {
    destination = files
    file = ${logdir}/radius.log
    requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
    syslog_facility = daemon
    stripped_names = yes
    auth = yes
    auth_badpass = no
    auth_goodpass = no
}

in the debug messages *only* this appears:

log {
   stripped_names = yes
   auth = yes
   auth_badpass = no
   auth_goodpass = no
 }


Now I am using requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
but I don't know if it is right, because the ${logdir}/radiusd-%DEFAULT}-%Y%m%d.log
files from the DEFAULT server (out of tunnel) are not generated at all, and they
were useful because they showed the MAC address of the supplicant.


If you want to see more of my config, you can see it at:

http://pastebin.com/m65441172



Radius Logs in database (It was Re: rlm_ldap logs)

2009-08-31 Thread Sergio Belkin
2009/8/28 Sergio Belkin seb...@gmail.com:
 Hi, I am using Version 2.1.1 with OpenLDAP on CentOS 5.
 I wonder if it is feasible to log, when a user gets 'login incorrect',
 whether it is due to the non-existence of that uid in LDAP.

 Thanks in advance!

Shame on me! That is something the logs already do:

Fri Aug 28 18:48:08 2009 : Auth: Login incorrect (rlm_ldap: User not found): [zz...@zz.zzz] (from client  port 0 via TLS tunnel)

Thanks and sorry

Even so, I'd like to find a way to store RADIUS logs in a database.
Does such a tool exist? I need to perform some queries on them, for
example, which users that had an incorrect login (e.g. bad password or
certificate) could get an OK some time later.

Perhaps some of you have an idea about how I can do that.

Thanks in advance
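As an added example (not code from this thread or from FreeRADIUS), here is a small Python analyser for the 2.x radius.log 'Auth:' lines that answers, without a database, the questions raised in this post and in the 'Out and into tunnel log files' thread: the last Accept/Reject per user, the users who failed and later got an OK, and the count of distinct inner-tunnel identities (so PEAP/TTLS outer identities are not counted twice). The log lines it runs on are constructed samples in the format quoted above; the client names, usernames and the 'Bind as user failed' reason are made up.

```python
"""Analyse FreeRADIUS 2.x radius.log 'Auth:' lines without a database:
last result per user, users who failed and later succeeded, and the number
of distinct accepted inner-tunnel identities."""
import re
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Line layout produced by the 2.x 'log {}' section with 'auth = yes' and
# the password logging options off, as in the lines quoted in the thread.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S*) port (?P<port>\d+)"
    r"(?P<rest>[^)]*)\)"
)


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    ok: bool
    reason: str
    client: str
    inner: bool  # produced by the inner-tunnel request (PEAP/TTLS)


def parse_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for an 'Auth:' line, None for any other line."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    # The bracket may hold 'user/password' (auth_goodpass/auth_badpass on)
    # or 'user/<via Auth-Type = EAP>'; keep only the identity.
    user = m.group("user").split("/", 1)[0]
    return AuthEvent(
        ts=datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        user=user,
        ok=m.group("result") == "OK",
        reason=m.group("reason") or "",
        client=m.group("client"),
        # Inner-tunnel lines end in 'via TLS tunnel'; outer ones carry
        # the real NAS port and the calling station ('cli ...').
        inner="via TLS tunnel" in m.group("rest"),
    )


def parse_log(lines: Iterable[str]) -> List[AuthEvent]:
    """Keep only Auth lines, ordered by time (stable for equal stamps)."""
    events = (parse_line(line) for line in lines)
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)


def last_status(events: List[AuthEvent]) -> Dict[str, Tuple[bool, datetime]]:
    """Most recent result per user: the 'last Access-Accept/Reject' query."""
    status: Dict[str, Tuple[bool, datetime]] = {}
    for e in events:  # time-ordered, so the final assignment wins
        status[e.user] = (e.ok, e.ts)
    return status


def failed_then_ok(events: List[AuthEvent]) -> Dict[str, Tuple[datetime, datetime]]:
    """user -> (first 'Login incorrect', first 'Login OK' after it)."""
    first_fail: Dict[str, datetime] = {}
    recovered: Dict[str, Tuple[datetime, datetime]] = {}
    for e in events:
        if not e.ok:
            first_fail.setdefault(e.user, e.ts)
        elif e.user in first_fail and e.user not in recovered:
            recovered[e.user] = (first_fail[e.user], e.ts)
    return recovered


def distinct_ok_users(events: List[AuthEvent], inner_only: bool = True) -> int:
    """Distinct accepted identities, case-folded like the 'sort -fu' job."""
    # PEAP/TTLS outer identities (often 'anonymous') differ from the inner
    # ones, so by default only inner-tunnel accepts are counted.
    return len({e.user.lower() for e in events
                if e.ok and (e.inner or not inner_only)})


# Constructed sample in the radius.log format; not taken from a real server.
SAMPLE_LOG = r"""
Fri Aug 28 18:48:08 2009 : Auth: Login incorrect (rlm_ldap: User not found): [jdoe] (from client ap-lab port 0 via TLS tunnel)
Fri Aug 28 18:48:08 2009 : Info: rlm_ldap: Attempting reconnect
Fri Aug 28 18:49:12 2009 : Auth: Login OK: [anonymous] (from client ap-lab port 13 cli 00-11-22-33-44-55)
Fri Aug 28 18:49:12 2009 : Auth: Login OK: [jdoe] (from client ap-lab port 0 via TLS tunnel)
Fri Aug 28 18:50:30 2009 : Auth: Login incorrect (rlm_ldap: User not found): [QSARGENTINA\\amumenthaler] (from client UP-PVIII-VIII-Bis port 0 via TLS tunnel)
Fri Aug 28 18:52:01 2009 : Auth: Login OK: [asmith/<via Auth-Type = EAP>] (from client ap-lib port 0 via TLS tunnel)
Fri Aug 28 18:53:45 2009 : Auth: Login OK: [JDOE] (from client ap-lib port 0 via TLS tunnel)
Fri Aug 28 18:55:10 2009 : Auth: Login incorrect (rlm_ldap: Bind as user failed): [asmith] (from client ap-lib port 0 via TLS tunnel)
"""


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG.strip().splitlines())
    print("last status:", last_status(events))
    print("failed then OK:", failed_then_ok(events))
    print("distinct inner-tunnel accepts:", distinct_ok_users(events))
```

Feed it the radiusd-inner*-DATE.log files from the cron job instead of SAMPLE_LOG to get the per-day figures the grep/awk pipeline was meant to produce.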


Out and into tunnel log files

2009-08-31 Thread Sergio Belkin
: Instantiating files
  files {
usersfile = /usr/local/etc/raddb/users
acctusersfile = /usr/local/etc/raddb/acct_users
preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
filename = /usr/local/var/log/radius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating post_proxy_log
  detail post_proxy_log {
detailfile = 
/usr/local/var/log/radius/radacct/postproxy/%{Client-IP-Address}/post-proxy-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating reply_log
  detail reply_log {
detailfile = 
/usr/local/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = /usr/local/etc/raddb/attrs.access_reject
key = %{User-Name}
  }
 }
}
server inner-tunnel-peap {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Instantiating auth_log
  detail auth_log {
detailfile = 
/usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating detail
  detail {
detailfile = 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
attrsfile = /usr/local/etc/raddb/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = 192.168.1.5
port = 0
}
listen {
type = acct
ipaddr = 192.168.1.5
port = 0
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Ready to process requests.




rlm_ldap logs

2009-08-28 Thread Sergio Belkin
Hi, I am using Version 2.1.1 with OpenLDAP on CentOS 5.
I wonder if it is feasible to log, when a user gets 'login incorrect',
whether it is due to the non-existence of that uid in LDAP.

Thanks in advance!



Prevent uid sharing or how to allow use of a uid only once

2009-06-05 Thread Sergio Belkin
Hi,

Let's suppose that John Doe comes and logs in with the jdoe uid; then Joe
comes and wants to use the wireless network, but he has no entry in either
LDAP or the radius users file, so he asks jdoe to pass him his uid and
password to log in. Sorry if that sounds somewhat stupid, but can we
prevent that from radius? (please don't tell me to fire John Doe ;) ).


Thanks in advance!


Reply-message and supplicant

2009-06-05 Thread Sergio Belkin
Hi,

Is it possible for the Reply-Message to be seen from laptops running the supplicant?

Thanks in advance!


Re: Reply-message and supplicant

2009-06-05 Thread Sergio Belkin
2009/6/5  a.l.m.bu...@lboro.ac.uk:
 Hi,
 Hi Sergio,

 Is it possible for the Reply-Message to be seen from laptops running the
 supplicant?

 Not with EAP no. You can use EAP-Notification packets, but very few 
 supplicants display the contents to the user, and the server doesn't support 
 their generation.

 which is why rather useful messages can be sent from RADIUS server to RADIUS
 server so that admins can see what is going on but the users don't get to
 see such information

 alan


Does the file attrs.access_reject have to do with what you are talking about?



Re: Prevent uid sharing or how to allow use of a uid only once

2009-06-05 Thread Sergio Belkin
2009/6/5 John Dennis jden...@redhat.com:
 Sergio Belkin wrote:
 Hi,

 Let's suppose that John Doe comes and logs in with the jdoe uid; then Joe
 comes and wants to use the wireless network, but he has no entry in either
 LDAP or the radius users file, so he asks jdoe to pass him his uid and
 password to log in. Sorry if that sounds somewhat stupid, but can we
 prevent that from radius? (please don't tell me to fire John Doe ;) ).


 I don't understand the problem or what you're trying to solve. So what
 if Joe mistakenly tries to used John's username, it won't work as he
 won't know Joe's password. This is no different than an attempted
 network break in which should be prevented by locking your resources
 down and ensuring strong passwords. Never in any instance will resources
 authorized for one user be granted to another user unless you've
 configured something wrong. If the problem is that both John and Joe
 want the same username then one needs to explain to Joe that username is
 already in use and he'll have to use another one.

 --
 John Dennis jden...@redhat.com



What I meant is that employee John passes his coworker Joe his
credentials, both user and password; well, that might not be so
terrible. Now, let's suppose that your company organizes an event
and 100 people come; they want to use the wireless network, so John comes
along and has the great idea of passing his credentials to the attendants,
so you have more than 100 people using the same uid and password at
once...




Re: Reply-message and supplicant

2009-06-05 Thread Sergio Belkin
2009/6/5  a.l.m.bu...@lboro.ac.uk:
 Hi,

 Does the file attrs.access_reject have to do with what you are talking about?

 in a way - that file lists the attributes that are allowed
 to pass after an access reject - you still have to set eg the Reply-Message
 *or some other VSA* to let the remote site know

 alan


Sorry for the stupid question, what does EAP-Message =* ANY mean?




Re: Prevent uid sharing or how to allow use of a uid only once

2009-06-05 Thread Sergio Belkin
2009/6/5  a.l.m.bu...@lboro.ac.uk:
 Hi,

 What I meant is that employee John passes his coworker Joe his
 credentials, both user and password; well, that might not be so
 terrible. Now, let's suppose that your company organizes an event
 and 100 people come; they want to use the wireless network, so John comes
 along and has the great idea of passing his credentials to the attendants,
 so you have more than 100 people using the same uid and password at
 once...

 simultaneous-use - only allow one instance of the user/pass
 to be online at a time.

Should I enable accounting for that?


 sure, another person might be on instead of John...but then
 John won't be able to get online...He'd very quickly be miffed
 that he'd lost his access due to someone else using his credentials

 alan






Still with ldap error

2009-05-22 Thread Sergio Belkin
Hi,

Some months ago I mentioned a problem that seems to be non-fatal
but is still there:

Fri May 22 10:00:50 2009 : Error: rlm_ldap: ldap_search() failed: LDAP
connection lost.
Fri May 22 10:00:50 2009 : Info: rlm_ldap: Attempting reconnect


This problem appears more or less every 90 seconds.

In the LDAP logs you can see things like this:


May 22 04:16:40 ldap-server slapd[27663]: conn=219 fd=14 ACCEPT from IP=127.0.0.1:56359 (IP=127.0.0.1:389)
May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 BIND dn=uid=jojo0l4,ou=people,dc=domain,dc=edu method=128
May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 BIND dn=uid=jojo0l4,ou=people,dc=domain,dc=edu mech=SIMPLE ssf=0
May 22 04:16:40 ldap-server slapd[27663]: conn=219 op=0 RESULT tag=97 err=0 text=
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND anonymous mech=implicit ssf=0
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND dn=uid=jojoi1,ou=people,dc=domain,dc=edu method=128
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 BIND dn=uid=jojoi1,ou=people,dc=domain,dc=edu mech=SIMPLE ssf=0
May 22 04:17:19 ldap-server slapd[27663]: conn=219 op=1 RESULT tag=97 err=0 text=
May 22 04:18:01 ldap-server slapd[27663]: conn=219 fd=14 closed (idletimeout)
May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 ACCEPT from IP=IPADDRESS:57845 (IP=0.0.0.0:636)
May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 TLS established tls_ssf=256 ssf=256
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 BIND dn=uid=jojo2,ou=people,dc=domain,dc=edu method=128
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 BIND dn=uid=jojo2,ou=people,dc=domain,dc=edu mech=SIMPLE ssf=0
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=0 RESULT tag=97 err=0 text=
May 22 09:31:50 ldap-server slapd[17574]: conn=219 op=1 UNBIND
May 22 09:31:50 ldap-server slapd[17574]: conn=219 fd=23 closed
May 22 10:07:45 ldap-server slapd[22236]: conn=219 fd=17 ACCEPT from IP=IPADDRESS:36313 (IP=0.0.0.0:636)
May 22 10:07:45 ldap-server slapd[22236]: conn=219 fd=17 TLS established tls_ssf=256 ssf=256


I've tried modifying idletimeout and timelimit in slapd.conf, and
modifying the limits for the LDAP user that radius binds as.

I was playing with timeout and timelimit, raising and lowering them,
and nothing changed.


Using FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu,
built on Oct 21 2008 at 15:14:37


I'd appreciate your help!


somewhat ot: Check radius server name on linux supplicant

2009-01-04 Thread Sergio Belkin
Hi,

I'm stuck with a problem to which I haven't found an easy solution.
Let's say we use either EAP-PEAP or EAP-TTLS. On Windows you have
ways to check not only the CA certificate but also the RADIUS server name.

I've tried:
*NetworkManager: It can't check the RADIUS server name.
*wicd: You could use customized scripts, but that makes things harder and
replaces NetworkManager, which is the default network tool on modern
distros.
*kwlan: It's like wicd and more KDE oriented.

*wpasupplicant: It can check the server name! But on Fedora 10 I
haven't found a way to make NetworkManager apply its config file. Most
modern, end-user distros don't pay attention to the wpasupplicant
config file.

On Windows (and I am not precisely a MS fan) you can check the server name
either with Windows itself or with SecureW2. On Mac it prompts you, showing the
RADIUS server name. Sadly, I haven't found a way on Linux to check the RADIUS
server name.

I fear this: let's say I have a RADIUS server which uses a certificate
signed by WhateverSign. You get a certificate signed by WhateverSign
too. You use a trustable CA certificate, don't you? Well, you configure a
cheating Access Point. Then a user comes and connects to that cheating
Access Point. Please tell me if that risk exists and if it is worth
worrying about. If it is, how can I check the RADIUS server name on a
modern Linux distro?

Thanks in advance and happy new year


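As an added example (not from the post or from any distribution's NetworkManager), two wpa_supplicant network blocks for the PEAP case described above: the first pins only the CA and therefore accepts any server holding a certificate from that CA, which is exactly the cheating Access Point scenario; the second also checks the name in the RADIUS server's certificate. The SSID, identities, file paths and the server name radius.example.edu are assumed.

```conf
# Weak: only the CA is pinned.  Any RADIUS server presenting a certificate
# issued by WhateverSign is accepted, so a rogue AP with its own server
# and its own WhateverSign certificate gets the user's MSCHAPv2 exchange.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="jdoe@example.edu"
    password="secret"
    ca_cert="/etc/wpa_supplicant/WhateverSign-CA.pem"
    phase2="auth=MSCHAPV2"
}

# Hardened: the CA is pinned *and* the server certificate's name is checked.
# subject_match is a substring match against the subject DN, so keep it as
# specific as possible; altsubject_match is compared against the
# subjectAltName entries (DNS:..., EMAIL:...).  Newer wpa_supplicant
# releases also offer domain_match for an exact host-name comparison.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="jdoe@example.edu"
    password="secret"
    ca_cert="/etc/wpa_supplicant/WhateverSign-CA.pem"
    subject_match="/CN=radius.example.edu"
    altsubject_match="DNS:radius.example.edu"
    phase2="auth=MSCHAPV2"
}
```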


IP per user

2008-12-17 Thread Sergio Belkin
Hi,

I wonder if RADIUS can force a given user, e.g. jdoe, to always get the
same IP address from an Access Point?

Thanks in advance


Re: IP per user

2008-12-17 Thread Sergio Belkin
2008/12/17  t...@kalik.net:
 AP uses DHCP not radius to assign IPs. So - no. You can reserve IPs for
 devices but not users.

 Ivan Kalik
 Kalik Informatika ISP


 On 17/12/2008, Sergio Belkin seb...@gmail.com wrote:

Hi,

I wonder if RADIUS can force a given user, e.g. jdoe, to always get the
same IP address from an Access Point?

Thanks in advance



 -

Thanks Ivan, I guess that




Re: Somewhat OT: Captive portal on access points instead of complex supplicant at end user level?

2008-12-15 Thread Sergio Belkin
2008/12/15  a.l.m.bu...@lboro.ac.uk:
 hi,

 why go backwards when you have the right wireless
 technology in place?  you need to look at the windows
 client end of things.  I'd suggest looking at automating
 the setup..the best thing would be to have another
 wireless SSID (eg 'setup for XYZ' - where XYZ is your current
 SSID) - and have that as an open wifi that can only (ONLY!)
 access one single IP on which lives a web server with auto
 setup tools - eg .NET or VBS for MS windows, XML for MAC
 and even a setup file for iPhone/iPod touch etc.  (this
 would have to be a webredirect so as soon as they
 associate, any DNS or port 80/8080/3128 etc get sent to the
 index page.) - another web delivery option is to prepackage
 eg open1x (open1x.sf.net) or SecureW2 (another supplicant)
 and get them to use that

 as you did note, the problem is with the client setup..
 thats the current difficulty with 802.1X.

 alan


Thanks for ideas,

In fact, some of the things you suggest I am using right now :) for example:

*Automated SecureW2 installer (ttls)
*Web page with secondary password for peap

But even so, some users find it somewhat hard to use.

I've tried, with no success so far, to use more than one SSID on
OpenWRT on a Linksys WRT54GL...

All in all, you and Paul have provided me with interesting info...



Re: Somewhat OT: Captive portal on access points instead of complex supplicant at end user level?

2008-12-15 Thread Sergio Belkin
2008/12/15 Alexander Clouter a...@digriz.org.uk:
 Sergio Belkin seb...@gmail.com wrote:

 Thanks for ideas,

 In fact, some things you suggest I am using right now :) for example:

 *Automatized SecureW2 installer (ttls)
 *Web Page with secondary password for peap

 But even so, some users find somewhat hard to use.

 We seem to have no real problems with SecureW2 and our userbase.  Mac OS
 X users 'import' the configuration (if they are 10.3 or 10.4) and WinXP
 users get a light time of it with my SecureW2 preconfiguration script
 with some NSIS wrapper action to spoonfeed them during problematic bits.

 Of course SecureW2 + WinXP + SP3 + wired 802.1X is fruity at the moment,
 which is our current problem, however that's a grumble for another
 thread.

 The only problem we have is that we are 'awkward' and force WPA2 only
 and do not give in to those WPA (version 1) TKIP weenies.

 I've tried, with no success so far, to use more than one SSID on
 OpenWRT on a Linksys WRT54GL...

 Do not ever go down this route[1].  It completely negates the point of
 having a WPA Enterprise network when someone comes along with an evil
 twin network and gets the user to install a 'springboard' application to
 get onto the better network.  It's as counterproductive as using
 PEAP/TTLS without full certificate validation :-/

 If you want my NSIS and/or SecureW2 INF file do drop me an email.  The
 springboard'ing issue we resolved by dumping everything onto a CD and
 distributed them to the masses that way.  Even if this is not an option
 for you (like us in education with 'student welcome packs') if you make
 the CD's readily available near hotspots and what not in public areas
 people will find what they need.

 Cheers

 Alex

 [1] I have convinced myself it's safe for a wired network, getting
non-802.1X clients 802.1X'ified, but just not worth the risk for
wireless clients

 --
 Alexander Clouter
 .sigmonster says: Succumb to natural tendencies.  Be hateful and boring.

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Recently we upgraded from OpenWrt White Russian to Kamikaze.

As of now, the problem with discarded packets is gone.

Most of the issues were that at random times it took a long time to get
an Access-Accept, or the AP didn't even get any frames from the supplicants...

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Slightly OT: Problem with Vista

2008-12-14 Thread Sergio Belkin
2008/12/11  a.l.m.bu...@lboro.ac.uk:
 hi,

 which version of FreeRADIUS are you using?

 alan
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Release 2.1.2, but it seems a supplicant issue...

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Somewhat OT: Captive portal on access points instead of complex supplicant at end-user level?

2008-12-14 Thread Sergio Belkin
Hi,

Currently I'm using:

*OpenWRT Kamikaze in AP's
*Freeradius 2.1.2
*LDAP

End users use either TTLS or PEAP on their notebooks; as I have an LDAP
server, each uses his username and password.

The problem with this approach is that it is somewhat complex for end users:
they must either install software or do a complicated configuration
(think in end-user terms, please). I'd want to have an open wireless
network where each user accesses a captive portal and enters his
username and password; that captive portal redirects the request to
FreeRADIUS, and FreeRADIUS in turn queries the LDAP server.

I'd want to know if CoovaAP (or something similar, what?) can perform
such a task as a captive portal installed on the APs.

I'd be glad to read suggestions

Thanks in advance!!

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Slightly OT: Problem with Vista

2008-12-11 Thread Sergio Belkin
   
0x0020:  0005 001f 3a1b 4e8b 776c 3000 1000   :.N.wl0.
0x0030:  5000  fc59 fb00 0101   00PY.
00:10:40.337119 EAP code=1 id=1 length=0



Please, what could be the problem?

Thanks in advance

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius user queries for uid anonymous in ldap

2008-12-05 Thread Sergio Belkin
2008/12/5 Alan DeKok [EMAIL PROTECTED]:
 Sergio Belkin wrote:
 That solved it. Now it remains a little problem on radiusd.log:

 Thu Dec  4 09:07:51 2008 : Error: rlm_ldap: ldap_search() failed: LDAP
 connection lost.

  Your LDAP server is likely timing out the connections.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


My LDAP server has:

idletimeout 30

timelimit 300

Isn't 30 enough?
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius user queries for uid anonymous in ldap

2008-12-04 Thread Sergio Belkin
2008/12/3 Alan DeKok [EMAIL PROTECTED]:
 Sergio Belkin wrote:
 Hi, I use FreeRADIUS with EAP-TTLS and EAP-PEAP; below is the LDAP
 log. I wonder why RADIUS bothers to query for the anonymous uid and not
 only for the uid inside the tunnel.

  Because you configured the ldap module *outside* of the tunnel, too.
 If you don't list it in sites-enabled/default, it will only do queries
 for inside of the TLS tunnel.

Thanks Alan!

That solved it. Now it remains a little problem on radiusd.log:

Thu Dec  4 09:07:51 2008 : Error: rlm_ldap: ldap_search() failed: LDAP
connection lost.
Thu Dec  4 09:07:51 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec  4 09:10:41 2008 : Error: rlm_ldap: ldap_search() failed: LDAP
connection lost.
Thu Dec  4 09:10:41 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec  4 09:12:14 2008 : Error: rlm_ldap: ldap_search() failed: LDAP
connection lost.
Thu Dec  4 09:12:14 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec  4 09:14:30 2008 : Error: rlm_ldap: ldap_search() failed: LDAP
connection lost.
Thu Dec  4 09:14:30 2008 : Info: rlm_ldap: Attempting reconnect
Thu Dec  4 09:18:09 2008 : Error: rlm_ldap: ldap_search() failed: LDAP
connection lost.
Thu Dec  4 09:18:09 2008 : Info: rlm_ldap: Attempting reconnect

Where do these problems come from? RADIUS or LDAP?

ldap module config is as follows:


ldap {
	server = ldap.palermo.edu
	identity = cn=freeradius,ou=applications,dc=palermo,dc=edu
	password = somepass
	basedn = ou=people,dc=palermo,dc=edu
	filter = (uid=%u)
	ldap_connections_number = 1
	timeout = 60
	timelimit = 120
	net_timeout = 10
	tls {
		cacertfile = /etc/raddb/cacert.pem
		randfile = /dev/urandom
	}
	access_attr = radiusAllowed
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no
}

Thanks in advance!

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radius user queries for uid anonymous in ldap

2008-12-03 Thread Sergio Belkin
Hi, I use FreeRADIUS with EAP-TTLS and EAP-PEAP; below is the LDAP
log. I wonder why RADIUS bothers to query for the anonymous uid and not
only for the uid inside the tunnel.



Dec  3 08:54:26 sinclair slapd[11285]: conn=1264 fd=15 ACCEPT from
IP=123.45.67.89:56075 (IP=0.0.0.0:636)
Dec  3 08:54:26 sinclair slapd[11285]: conn=1264 fd=15 TLS established
tls_ssf=256 ssf=256
Dec  3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 BIND
dn=cn=freeradius,ou=applications,dc=cadorna,dc=edu method=128
Dec  3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 BIND
dn=cn=freeradius,ou=applications,dc=cadorna,dc=edu mech=SIMPLE ssf=0
Dec  3 08:54:26 sinclair slapd[11285]: conn=1264 op=0 RESULT tag=97 err=0 text=
Dec  3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SRCH
base=ou=people,dc=cadorna,dc=edu scope=2 deref=0
filter=(uid=anonymous)
Dec  3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SRCH
attr=radiusPassword radiusAllowed
Dec  3 08:54:26 sinclair slapd[11285]: conn=1264 op=1 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Dec  3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SRCH
base=ou=people,dc=cadorna,dc=edu scope=2 deref=0
filter=(uid=anonymous)
Dec  3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SRCH
attr=radiusPassword radiusAllowed
Dec  3 08:54:26 sinclair slapd[11285]: conn=1264 op=2 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Dec  3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SRCH
base=ou=people,dc=cadorna,dc=edu scope=2 deref=0
filter=(uid=glinde)
Dec  3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SRCH
attr=radiusPassword radiusAllowed
Dec  3 08:54:27 sinclair slapd[11285]: conn=1264 op=3 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Dec  3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SRCH
base=ou=people,dc=cadorna,dc=edu scope=2 deref=0
filter=(uid=jinfan)
Dec  3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SRCH
attr=radiusPassword radiusAllowed
Dec  3 08:54:28 sinclair slapd[11285]: conn=1264 op=4 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Dec  3 08:55:05 sinclair slapd[11285]: conn=1264 fd=15 closed (idletimeout)


Does it make sense to query for anonymous?

Thanks in advance!
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius error: Discarding conflicting packet

2008-11-26 Thread Sergio Belkin
I've upgraded to OpenWRT Kamikaze and the problem seems to go away...

2008/11/6 Alan DeKok [EMAIL PROTECTED]:
 Sergio Belkin wrote:
 Alan, thanks, That's really a quite convincing answer :)

  Yup.  I'm not just a random loudmouth on this list.

 Of course I believe you, but please understand me: it's hard for me to
 realize that either Linksys makes non-standard products or the OpenWRT
 (White Russian) developers made such a mistake.

  shrug  There are many, many, RADIUS client implementations that are
 nearly as bad.

 So, I'd be glad to know which APs are standards compliant; is there a list?

  Nope.  I don't think very many are fully standards compliant.

  I suggest updating the Wiki with any issues you find.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Somewhat OT: Mac OS self-assigned IP issues

2008-11-26 Thread Sergio Belkin
Hi,

I am using OpenWRT Kamikaze and sometimes there is a problem with Mac
OS clients. Clients get an Access-Accept, but Mac OS says that it only gets
a self-assigned IP and then it can't surf the web. The problem happens
using either TTLS or PAP.

Is it a Mac OS problem or an OpenWRT one?

I'd be glad to read suggestions and comments...

Thanks in advance
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Framed-User?

2008-11-16 Thread Sergio Belkin
Sorry for the stupid question, what does Framed-User stand for?

I hope not to be stoned to death because of such a question :)
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


User found on DEFAULT server log but not in tunneled virtual server log

2008-11-10 Thread Sergio Belkin
 = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = inner-tunnel-peap
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
usersfile = /usr/local/etc/raddb/users
acctusersfile = /usr/local/etc/raddb/acct_users
preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
filename = /usr/local/var/log/radius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = /usr/local/etc/raddb/attrs.access_reject
key = %{User-Name}
  }
 }
}
server inner-tunnel-peap {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_detail
 Module: Instantiating auth_log
  detail auth_log {
detailfile =
/usr/local/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{%
{Virtual-Server}:-DEFAULT}-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating detail
  detail {
detailfile =
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
attrsfile = /usr/local/etc/raddb/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = 111.222.333.5
port = 0
}
listen {
type = acct
ipaddr = 111.222.333.5
port = 0
}
Listening on authentication address 111.222.333.5 port 1812
Listening on accounting address 111.222.333.5 port 1813
Ready to process requests.


Thanks in advance!

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius error: Discarding conflicting packet

2008-11-06 Thread Sergio Belkin
2008/11/5 aland [EMAIL PROTECTED]:
 On Wed, Nov 05, 2008 at 12:43:07AM -0200, Sergio Belkin wrote:
 OK, the APs are broken; now, with best regards, how do I convince my boss
 that he should buy more than 30 new APs? Should I tell him... read
 the freeradius mailing list?

  Tell him that I co-wrote RFC 5080, which says that these AP's are
 broken:

   When sending requests, RADIUS clients MUST NOT reuse Identifiers for
   a source IP address and source UDP port until either a valid response
   has been received, or the request has timed out.

  These AP's violate the standards, and are broken.  I know, because my
 name is on the standards.

  My name is also on the RADIUS guidelines document, which says how
 people should use RADIUS in the future.  And my name is going on 3-4
 other RADIUS standards.

  So it's not people on the FreeRADIUS list told me, but instead the
 people who wrote the standards say that the AP is broken.

  Alan DeKok.

 -

Alan, thanks, That's really a quite convincing answer :)

Of course I believe you, but please understand me: it's hard for me to
realize that either Linksys makes non-standard products or the OpenWRT
(White Russian) developers made such a mistake.

So, I'd be glad to know which APs are standards compliant; is there a list?

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius error: Discarding conflicting packet

2008-11-04 Thread Sergio Belkin
2008/11/4 Alan DeKok [EMAIL PROTECTED]:
 Sergio Belkin wrote:

 I think it is worthwhile to remark that the problem exists even using
 OpenWRT on the Linksys WRT54GL and not the original firmware...

  Which may be based on similar code to the original firmware.

 Is there a way to at least minimize those errors? I've heard some
 people complain that sometimes they try to reconnect and sometimes the
 only solution is to reboot the AP.

  Fix the NAS.  As you noted earlier, this doesn't happen with another NAS.
  The conclusion is that the NAS is broken.

But what do you mean by "fix the NAS"? Should I use another brand/model of AP?




  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius error: Discarding conflicting packet

2008-11-04 Thread Sergio Belkin
2008/11/4 Sergio Belkin [EMAIL PROTECTED]:
 2008/11/4 Alan DeKok [EMAIL PROTECTED]:
 Sergio Belkin wrote:

 I think it is worthwhile to remark that the problem exists even using
 OpenWRT on the Linksys WRT54GL and not the original firmware...

  Which may be based on similar code to the original firmware.

 Is there a way to at least minimize those errors? I've heard some
 people complain that sometimes they try to reconnect and sometimes the
 only solution is to reboot the AP.

  Fix the NAS.  As you noted earlier, this doesn't happen with another NAS.
  The conclusion is that the NAS is broken.

 But what do you mean by "fix the NAS"? Should I use another brand/model of
 AP?

What I am trying to ask you is: are the roughly 30 APs that I am using broken?







  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 --
 Open Kairos http://www.openkairos.com
 Watch More TV http://sebelk.blogspot.com
 Sergio Belkin -




-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius error: Discarding conflicting packet

2008-11-04 Thread Sergio Belkin
2008/11/4  [EMAIL PROTECTED]:
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg45635.html

 There is nothing to see in server debug for the packet that's discarded.

 Ivan Kalik
 Kalik Informatika ISP


 Dana 4/11/2008, Marinko Tarlac [EMAIL PROTECTED] piše:

Sorry for bothering, but does anyone know what's wrong with these NASes?
Is there any way to go a little deeper than #radiusd -x ?


Jelle wrote:
 Jep, in my case I use about 30 AP's from Linksys (WAP54g). They all
 appear to be broken. Too bad, but then again a reason to integrate the
 N standard with other AP's... :)



 2008/11/4 Stephen Bowman [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]



  But what do you mean by "fix the NAS"? Should I use another
 brand/model of AP?

 What I am trying to ask you is: are the roughly 30 APs that
 I am using broken?


 Yes.


 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


 

 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


OK, the APs are broken; now, with best regards, how do I convince my boss
that he should buy more than 30 new APs? Should I tell him... read
the freeradius mailing list?

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius error: Discarding conflicting packet

2008-11-03 Thread Sergio Belkin
2008/10/5 Alan DeKok [EMAIL PROTECTED]:
 Jelle Langbroek wrote:
 I can tell you that with my tests, I figured out that it's happening
 with all sorts of clients (MacOSX, XP, Vista).

  The supplicant's aren't involved here.  It's the NAS that retransmits
 the RADIUS packets.

 It appears only to be
 happing with the WAP54G (and now the WRT54GL you say). When I replaced
 the WAP54G with a WAP200, the errors disappeared with the same clients.

  i.e. the WAP54G is broken.  It doesn't do RADIUS properly.

 I tested this on many locations with many different clients and
 everywhere the same results. It must be the WAP54G then.

  Yes.

 I'm still using those AP's and I keep getting the error in the logs.
 It's indeed quite random. The error seems not harmful (although the
 sourcecode of freeRadius says the AP is broken).

  :)  It's a common complaint on this list.  Some issues are FreeRADIUS
 bugs.  Others are broken NASes.

  I'm in the process of putting together a RADIUS validation test suite,
 so that manufacturers can see if their products are compliant *before*
 shipping them.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


I think it is worthwhile to remark that the problem exists even using
OpenWRT on the Linksys WRT54GL and not the original firmware...

Is there a way to at least minimize those errors? I've heard some
people complain that sometimes they try to reconnect and sometimes the
only solution is to reboot the AP.

Thanks in advance!
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Log partially solved

2008-10-30 Thread Sergio Belkin
2008/10/27 Sergio Belkin [EMAIL PROTECTED]:
 2008/10/27  [EMAIL PROTECTED]:
 detail auth_log {
   detailfile =
${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
#  detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

 ..

But still, it says nothing about whether the supplicant is using TTLS or PAP, which is
what I'd like to see as filename suffixes. Am I missing something?


 Try EAP-Type-TTLS and EAP-Type-PEAP instead of EAP-Type.

 Ivan Kalik
 Kalik Informatika ISP

 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html


 Sorry, but I don't understand: if I set
 ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_EAP-Type-TTLS
 the filename is always appended with _EAP-Type-TTLS, and if I set
 ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type-TTLS}
 it won't work either.

 Am I doing something wrong?

 Thanks in advance!

 --
 --
 Open Kairos http://www.openkairos.com
 Watch More TV http://sebelk.blogspot.com
 Sergio Belkin -


Well I came back to my earlier configuration:

---snip---
detail auth_log {
	detailfile = ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
#	detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

	#
	#  This MUST be 0600, otherwise anyone can read
	#  the users passwords!
	# detailperm = 0600

	# You may also strip out passwords completely
	suppress {
		User-Password
	}
}
---snip---

So far this is the best I could do, I guess:


auth-detail-20081029_MS-CHAP-V2  means PEAP try (?)
auth-detail-20081029_NAK means unacceptable type
auth-detail-20081029_Identity means TTLS (??)
auth-detail-20081029_ means Access Accept (??)

I'd like to read more about it...


-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Log partially solved

2008-10-27 Thread Sergio Belkin
Hi, I am using FreeRADIUS 2.0.2

I have edited the config files, so radiusd.conf has:


---snip---
detail auth_log {
	detailfile = ${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
#	detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

	#
	#  This MUST be 0600, otherwise anyone can read
	#  the users passwords!
	# detailperm = 0600

	# You may also strip out passwords completely
	suppress {
		User-Password
	}
}
---snip---

and /etc/raddb/sites-available/default has:

eap {
	ok = return
}
authorize {
	preprocess
	chap
	mschap
	suffix
	eap {
		ok = return
	}
	unix
	files
	ldap
	expiration
	logintime
	pap
	auth_log
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	Auth-Type LDAP {
		ldap
	}
	eap
}
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	detail
	unix
	radutmp
	attr_filter.accounting_response
}
session {
	radutmp
}
post-auth {
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
pre-proxy {
}
post-proxy {
	eap
}


Now, I get log files as follows:

-rw--- 1 radiusd radiusd928 Oct 27 11:01 auth-detail-20081027_NAK
-rw--- 1 radiusd radiusd411 Oct 27 11:01 auth-detail-20081027_MS-CHAP-V2
-rw--- 1 radiusd radiusd   6757 Oct 27 11:10 auth-detail-20081027_Identity
-rw--- 1 radiusd radiusd   1195 Oct 27 11:10 auth-detail-20081027_


But still, it says nothing about whether the supplicant is using TTLS or PAP, which is
what I'd like to see as filename suffixes. Am I missing something?

Thanks in advance!
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Log partially solved

2008-10-27 Thread Sergio Belkin
2008/10/27  [EMAIL PROTECTED]:
 detail auth_log {
   detailfile =
${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type}
#  detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

 ..

But still, it says nothing about whether the supplicant is using TTLS or PAP, which is
what I'd like to see as filename suffixes. Am I missing something?


 Try EAP-Type-TTLS and EAP-Type-PEAP instead of EAP-Type.

 Ivan Kalik
 Kalik Informatika ISP

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Sorry, but I don't understand: if I set
${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_EAP-Type-TTLS
the filename is always appended with _EAP-Type-TTLS, and if I set
${radacctdir}/requests/%{Client-IP-Address}/auth-detail-%Y%m%d_%{EAP-Type-TTLS}
it won't work either.

Am I doing something wrong?

Thanks in advance!

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Status Access from detail authentication log

2008-10-22 Thread Sergio Belkin
 = anonymous
NAS-IP-Address = 192.168.134.204
Called-Station-Id = 001d7edc22f4
Calling-Station-Id = 0016447e5a79
NAS-Identifier = 001d7edc22f4
NAS-Port = 29
Framed-MTU = 1400
State = 0x188848171d8f5dcb0bc882eaac65b2e0
NAS-Port-Type = Wireless-802.11
EAP-Message = 
0x0207004f158000451703010040bb5dbf55827b2cf722b2ac8309afa04e839f6cc432524a60e4130a25fca5246f1644df960e7e5109e4d728cd1a0e16f53c9741917a95497c068e8cbace5d2ea6
Message-Authenticator = 0xb254f4b7fa9e4b6a8010d27210310955

Fri Aug 22 10:58:03 2008
Packet-Type = Access-Request
User-Name = ngalan
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-IP-Address = 111.111.111.111


-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius error: Discarding conflicting packet

2008-10-04 Thread Sergio Belkin
2008/6/13 Jelle Langbroek [EMAIL PROTECTED]:
 Hi,

 Thanks for your reply. I began testing different setups immediately. I
 located 1 AP which didn't regenerate the error (AP1) and swapped it with one
 which did generate the error (AP2).
 I then saw that AP1 (which now was located on the place of AP2), began
 generating the same errors. The clients are fixed , so I tested with the
 same clients on that location.
 My conclusion:
 1) The error probably has something to do with the WAP54G, but;
 2) The error is only produced in combination with some clients (don't know
 if it's a hardware issue, because it seems to have nothing to do with the
 OS. OSX and Windows Vista/XP are all 'sometimes' producing the error.
 3) It might have something to do with overlapping channels, but my tests are
 not yet conclusive about that.

 It's all so much trial and error... I decided to just buy another AP
 (WAP200) to test and see if the same error pops up. I'm also going to try an
 Asus WL-G330ge, just to be sure. More on that later...

 Jelle

 ps: The models I use are Linksys WAP54G, v3.1, with firmware version 3.05.



 2008/6/11 Alan DeKok [EMAIL PROTECTED]:

 jelle-e wrote:
  Everything seems to run smoothly but before every login attempt the logs
  say
  (something like):
 
  Error: Discarding conflicting packet from client NAS-NAME port 3072 -
  ID: 3
  due to recent request 28.

  That's pretty definitive.

  After that the user logs in correctly.
 
  I have no idea where to start searching for the answer. Since this error
  appears to occur on every AP, I don't think they're all 'broken'.

  It's possible.  If they're all the same manufacturer and software
 version, they could all have the same bug.

  Does anybody have an idea? Thanks in advance!

  Run tcpdump or wireshark to look at the packets.  Odds are the
 AP's *are* sending conflicting packets.  Look for 2 packets from the
 same client IP  port, with the same RADIUS code and ID, within a
 second of each other.  If the packet contents are different, then the AP
 is broken.

  i.e. You can believe that FreeRADIUS is broken, but *only* on your
 system... and not on the other 10,000 systems with 100's of 1000's of
 AP's.  Or, you can believe that your AP's are broken.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


I use the EAP/TTLS and EAP/PAP scheme.
I have the same error as you, but it is somewhat random. In my case,
the Linksys WRT54GL APs have OpenWRT White Russian installed. Could it be
something bad in the clients? I've seen very weird things in Mac OS X clients...

I'd like to know if your problems have been fixed with the Asus WL-G330ge.
Also, I think that overlapping channels could be causing the error, so
I'll change that...

Greets-
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
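Alan's tcpdump heuristic above (two packets from the same client IP and port with the same RADIUS code and ID within a second, with different contents) and the RFC 5080 rule he quotes earlier in the thread both reduce to one check. The following Python script is an added example, not code from the thread or from FreeRADIUS: it parses RADIUS headers, flags Identifier reuse, and distinguishes a harmless byte-identical retransmission from a conflicting request. The capture it scans is constructed inline (NAS address 192.0.2.10 is a documentation-range placeholder; port 3072 and ID 3 are taken from the error line quoted in the thread); reading a real pcap is left to tcpdump/wireshark.

```python
import struct

# RADIUS packet layout (RFC 2865): code(1) id(1) length(2) authenticator(16) attributes...
ACCESS_REQUEST = 1
HEADER_LEN = 20
RETRANSMIT_WINDOW = 1.0   # seconds; the "within a second of each other" rule of thumb


def build_access_request(identifier, username, authenticator):
    """Build a minimal Access-Request carrying only a User-Name (type 1) attribute.

    `authenticator` is the 16-byte Request Authenticator. A real NAS picks it at
    random; the constructed samples below use fixed values for determinism.
    """
    name = username.encode()
    attrs = bytes([1, 2 + len(name)]) + name            # type, length, value
    length = HEADER_LEN + len(attrs)
    return struct.pack("!BBH16s", ACCESS_REQUEST, identifier, length, authenticator) + attrs


def parse_header(raw):
    """Return (code, identifier, length, authenticator); reject malformed datagrams."""
    if len(raw) < HEADER_LEN:
        raise ValueError("datagram shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length < HEADER_LEN or length > len(raw):
        raise ValueError("RADIUS length field inconsistent with datagram size")
    return code, identifier, length, raw[4:HEADER_LEN]


def classify_requests(packets, window=RETRANSMIT_WINDOW):
    """Scan (timestamp, src_ip, src_port, raw) tuples and flag Identifier reuse.

    Two datagrams from the same source IP/port with the same code and Identifier
    inside `window` seconds are a legitimate retransmission if their bytes are
    identical, and a conflict (what FreeRADIUS reports as a conflicting packet)
    if they differ. Reuse after the window is treated as a new request, which is
    what RFC 5080 allows once the earlier request has timed out.
    """
    last_seen = {}          # (src_ip, src_port, code, id) -> (timestamp, bytes)
    findings = []
    for ts, src_ip, src_port, raw in sorted(packets, key=lambda p: p[0]):
        code, identifier, length, _auth = parse_header(raw)
        body = raw[:length]                          # ignore any trailing padding
        key = (src_ip, src_port, code, identifier)
        prev = last_seen.get(key)
        if prev is not None and ts - prev[0] <= window:
            kind = "retransmit" if body == prev[1] else "conflict"
            findings.append({
                "kind": kind,
                "src": f"{src_ip}:{src_port}",
                "code": code,
                "id": identifier,
                "delta": round(ts - prev[0], 3),
            })
        last_seen[key] = (ts, body)
    return findings


def sample_capture():
    """Constructed capture, not real traffic: one NAS at 192.0.2.10, UDP port 3072."""
    nas = ("192.0.2.10", 3072)
    auth_a = bytes(range(16))
    auth_b = bytes(range(16, 32))
    return [
        (0.00, *nas, build_access_request(3, "alice", auth_a)),
        (0.40, *nas, build_access_request(3, "bob", auth_b)),    # ID 3 reused for a new request
        (2.00, *nas, build_access_request(7, "carol", auth_a)),
        (2.50, *nas, build_access_request(7, "carol", auth_a)),  # byte-identical retransmission
        (9.00, *nas, build_access_request(3, "dave", auth_b)),   # ID 3 again, well after timeout
    ]


if __name__ == "__main__":
    for finding in classify_requests(sample_capture()):
        print(finding)
```

The first finding is the broken-NAS pattern from the thread: same source, same code and ID, different contents, 0.4 s apart; the second is a benign retransmit that a compliant server simply answers again.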


Problem compiling freeradius-2.1.0 on Centos 5 x86_64

2008-09-12 Thread Sergio Belkin
Hi,

I have FreeRADIUS 2.0.2 working fine with no problems on CentOS 5
x86_64; I had no problems at compile time. I want to test version
2.1.0 of FreeRADIUS, but it failed as follows:

[snip]

Making all in main...
gmake[4]: Entering directory `/root/freeradius-server-2.1.0/src/main'
/root/freeradius-server-2.1.0/libtool --mode=link gcc   -o radmin radmin.lo
gcc -o radmin .libs/radmin.o
.libs/radmin.o: In function `main':
/root/freeradius-server-2.1.0/src/main/radmin.c:117: undefined
reference to `using_history'
/root/freeradius-server-2.1.0/src/main/radmin.c:118: undefined
reference to `rl_insert'
/root/freeradius-server-2.1.0/src/main/radmin.c:118: undefined
reference to `rl_bind_key'
/root/freeradius-server-2.1.0/src/main/radmin.c:176: undefined
reference to `readline'
/root/freeradius-server-2.1.0/src/main/radmin.c:185: undefined
reference to `add_history'
collect2: ld returned 1 exit status
gmake[4]: *** [radmin] Error 1
gmake[4]: Leaving directory `/root/freeradius-server-2.1.0/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/freeradius-server-2.1.0/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/freeradius-server-2.1.0/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/freeradius-server-2.1.0'
make: *** [all] Error 2

[snip]

What's wrong?

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem compiling freeradius-2.1.0 on Centos 5 x86_64

2008-09-12 Thread Sergio Belkin
2008/9/12 Alan DeKok [EMAIL PROTECTED]:
 Sergio Belkin wrote:
 I have a freeradius 2.0.2 working fine with no problems on Centos 5
 x86_64, I had no problem at compiling time. I want to test version
 2.1.0 from freeradius. But it failed as follows:

  This is a configure script issue that's fixed in git, and in 2.1.1.

  Alan DeKok.
 -

Hi Alan, 2.1.1 is not released as stable, is it?



-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TTLS / LDAP

2008-07-08 Thread Sergio Belkin
2008/7/8 joris [EMAIL PROTECTED]:
 Hello,

 After reading the configuration file radiusd.conf, it explicitly says
 that one can't use LDAP as the authentication backend when you use EAP
 (in my case, I'm interested in EAP-TTLS).

 Nonetheless, I can read elsewhere on the web that some people seem to
 use both EAP and LDAP, so I wonder who is right?

 I would use LDAP for storing all my users/passwords and EAP to protect
 my users' credentials over insecure Wifi.

 Any advice?


 Cheers,

 Joris
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


What the documentation says is that you can't use encrypted passwords in
LDAP with EAP/PEAP. But you can use EAP/TTLS + PAP with LDAP. The main
problem with this approach is that the f**k Windows has no native
support for TTLS, so you should install some software, e.g. SecureW2...

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP method in logs

2008-06-30 Thread Sergio Belkin
Please, any idea?

I still have log filenames such as:

auth-detail-20080630, which say nothing about the EAP method,

and they contain something like:

Mon Jun 30 08:32:26 2008
Packet-Type = Access-Request
User-Name = anonymous
NAS-IP-Address = 10.128.255.84
Called-Station-Id = 001d7edc23a2
Calling-Station-Id = 001b773a9ab2
NAS-Identifier = 001d7edc23a2
NAS-Port = 18
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020e01616e6f6e796d6f7573
Message-Authenticator = 0x9919cd335c2d96b125469208dd722a9d



Thanks in advance
2008/6/26 Sergio Belkin [EMAIL PROTECTED]:
 2008/6/26 Alan DeKok [EMAIL PROTECTED]:
 Sergio Belkin wrote:
 What am I doing wrong?
  You are running auth_log BEFORE eap?

  Alan DeKok.
 I have the following in sites-enabled/default :

  Which has auth_log BEFORE eap, which is WRONG.

  How do you expect to log the EAP type when the EAP module hasn't been
 run yet?

  Alan DeKok.
 -

 OK, but this is the *default* order in the file. I didn't know that order
 matters in this case.

 I've changed the order and this is the debug output:


 FreeRADIUS Version 2.0.2, for host x86_64-unknown-linux-gnu, built on
 Mar  5 2008 at 16:09:30
 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License.
 Starting - reading configuration files ...
 including configuration file /etc/raddb/radiusd.conf
 including configuration file /etc/raddb/proxy.conf
 including configuration file /etc/raddb/clients.conf
 including configuration file /etc/raddb/snmp.conf
 including configuration file /etc/raddb/eap.conf
 including configuration file /etc/raddb/sql.conf
 including configuration file /etc/raddb/sql/mysql/dialup.conf
 including configuration file /etc/raddb/sql/mysql/counter.conf
 including configuration file /etc/raddb/policy.conf
 including files in directory /etc/raddb/sites-enabled/
 including configuration file /etc/raddb/sites-enabled/default
 including dictionary file /etc/raddb/dictionary
 main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
user = radiusd
group = radiusd
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = no
  security {
max_attributes = 200
reject_delay = 1
status_server = yes
  }
 }
  client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
  }
  client 10.30.0.101 {
require_message_authenticator = no
secret = stopnene-Green-22
shortname = oficina
  }
  client 10.128.255.100 {
require_message_authenticator = no
secret = stopnene-Red-3
shortname = DOWNI-PB
  }
  client 10.128.255.10 {
require_message_authenticator = no
secret = stopnene-Red-3
shortname = DOWNI-SS
  }
  client 10.128.255.11 {
require_message_authenticator = no
secret = stopnene-Red-3
shortname = DOWNI-1
  }
  client 10.128.255.12 {
require_message_authenticator = no
secret = stopnene-Red-3
shortname = DOWNI-2
  }
  client 10.128.255.13 {
require_message_authenticator = no
secret = stopnene-Red-3
shortname = DOWNI-3
  }
  client 10.128.255.14 {
require_message_authenticator = no
secret = stopnene-Red-3
shortname = DOWNI-4
  }
  client 10.128.255.15 {
require_message_authenticator = no
secret = stopnene-Red-3
shortname = DOWNI-5
  }
  client 10.128.255.16 {
require_message_authenticator = no
secret = stopnene-Red-3
shortname = DOWNI-6
  }
  client 10.128.255.17 {
require_message_authenticator = no
secret = stopnene-Red-3
shortname = DOWNI-7
  }
  client 10.128.255.80 {
require_message_authenticator = no
secret = stopnene-Red-398952
shortname = DOWNVIII-PB
  }
  client 10.128.255.81 {
require_message_authenticator = no
secret = stopnene-Red-398952
shortname = DOWNVIII-I
  }
  client 10.128.255.82 {
require_message_authenticator = no
secret = stopnene-Red-398952
shortname = DOWNVIII-II
  }
  client 10.128.255.83 {
require_message_authenticator = no
secret = stopnene-Red-398952
shortname = DOWNVIII-III
  }
  client 10.128.255.84 {
require_message_authenticator = no
secret = stopnene-Red-398952
shortname = DOWNVIII-IV
  }
  client

Re: EAP method in logs

2008-06-26 Thread Sergio Belkin
2008/6/25 Alan DeKok [EMAIL PROTECTED]:
 Sergio Belkin wrote:
 I use freeradius 2.0.2, and people can use either ttls or peap as they
 want (or can). I'd want to know if it's possible to see which EAP
 method users are using through the radius logs...

  The EAP type is available in the EAP-Type attribute.  You can use it
 just like anything else: %{EAP-Type} ...


Alan, do I need to use rlm_perl anyway?

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP method in logs

2008-06-26 Thread Sergio Belkin
2008/6/26 Alan DeKok [EMAIL PROTECTED]:
 Sergio Belkin wrote:
 Alan, Do I need to use rlm_perl anyway?

  No.  The EAP-Type attribute is added by the EAP module.  Once the
 attribute is there, it can be used, edited, updated, etc.  just like
 User-Name, or NAS-IP-Address.

  Alan DeKok.

I edited so radiusd.conf:

detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d%{EAP-Type}

and added EAP-Message =* ANY to the attrs file, but I see no difference
(no file with a new name was created).

What am I doing wrong?





-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
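Both "EAP method in logs" messages above run into the same limit: the auth detail file is written before the eap module has run, so %{EAP-Type} expands to nothing, and the first Access-Request only carries the client's Identity response anyway. The method actually negotiated is still recoverable after the fact from the EAP-Message attribute of later requests, because the client's Response carries the EAP Type byte (21 for EAP-TTLS, 25 for PEAP). The following is an added example, not FreeRADIUS code: it parses detail records in the layout shown in the thread (the records themselves are constructed), joins fragmented EAP-Message chunks, decodes the EAP header and reports the method per Calling-Station-Id.

```python
"""Find out which EAP method each wireless client negotiated by decoding the
EAP-Message attribute in a FreeRADIUS auth detail log.  Added example, not
FreeRADIUS code.  The detail records below are constructed in the layout the
detail module writes: an unindented timestamp line, one tab-indented
'Attribute = value' line per attribute, and a blank line between records."""
import re

EAP_RESPONSE = 2                      # EAP Code for packets sent by the client
EAP_TYPE_NAMES = {                    # EAP Type numbers (IANA registry)
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST",
}
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*?)\s*$")


def parse_detail(text):
    """Yield one dict per record.  Every attribute maps to a list because a
    long EAP-Message is written as several 253-byte chunks, one line each."""
    record = None
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
            record = None
            continue
        m = ATTR_RE.match(line)
        if m is None:                       # unindented line: a new timestamp
            if record:
                yield record
            record = {"timestamp": [line.strip()]}
        elif record is not None:
            record.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    if record:
        yield record


def eap_type(record):
    """EAP Type of the client's Response in this record, or None if there is
    no EAP-Message, it is not a Response, or the header is malformed.  Chunks
    are joined first because a fragmented message spans several lines."""
    chunks = record.get("EAP-Message")
    if not chunks:
        return None
    raw = bytes.fromhex("".join(c[2:] if c.startswith("0x") else c for c in chunks))
    if len(raw) < 5:
        return None
    code, length = raw[0], int.from_bytes(raw[2:4], "big")
    if code != EAP_RESPONSE or length != len(raw):
        return None
    return raw[4]


def methods_by_station(text):
    """Map Calling-Station-Id (client MAC) -> sorted EAP method names.  Identity,
    Notification and Nak responses are skipped: they precede method selection
    and say nothing about the tunnel the client ends up using."""
    seen = {}
    for rec in parse_detail(text):
        t = eap_type(rec)
        if t is None or t in (1, 2, 3):
            continue
        station = rec.get("Calling-Station-Id", ["?"])[0]
        seen.setdefault(station, set()).add(EAP_TYPE_NAMES.get(t, "type-%d" % t))
    return {k: sorted(v) for k, v in seen.items()}


def eap_hex(code, ident, eap_t, data):
    """Hex-encode an EAP packet (Code, Identifier, Length, Type, data) the way
    the detail module prints octet strings; used only to build the sample."""
    body = bytes([eap_t]) + data
    pkt = bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body
    return "0x" + pkt.hex()


def _record(station, eap_lines):
    """One constructed Access-Request record for the sample log."""
    return ["Mon Jun 30 08:32:26 2008", "\tPacket-Type = Access-Request",
            '\tUser-Name = "anonymous"', "\tNAS-Port-Type = Wireless-802.11",
            "\tCalling-Station-Id = " + station] + eap_lines + [""]


TTLS_HEX = eap_hex(EAP_RESPONSE, 9, 21, bytes(13))      # 18-byte TTLS response
SAMPLE_DETAIL = "\n".join(
    _record("001b773a9ab2", ["\tEAP-Message = " + eap_hex(EAP_RESPONSE, 14, 1, b"anonymous")])
    + _record("001b773a9ab2", ["\tEAP-Message = " + eap_hex(EAP_RESPONSE, 15, 25,
                                                            b"\x80\x00\x00\x00\x03\x16\x03\x01")])
    + _record("001122334455", ["\tEAP-Message = " + eap_hex(EAP_RESPONSE, 8, 3, bytes([21]))])
    # the TTLS response is written as two EAP-Message chunks, like a long message
    + _record("001122334455", ["\tEAP-Message = " + TTLS_HEX[:22],
                               "\tEAP-Message = 0x" + TTLS_HEX[22:]])
)

if __name__ == "__main__":
    for mac, methods in methods_by_station(SAMPLE_DETAIL).items():
        print(mac, ", ".join(methods))
```

Pointing `parse_detail` at a real auth-detail file gives one line per client MAC with the methods seen; a station listed under both PEAP and EAP-TTLS is a supplicant that was reconfigured, which is exactly the kind of thing the original question wanted to spot from the logs.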

