control-socket name one character short
I have installed version 2.1.1 on FreeBSD 7.0 from source obtained at the download link on www.freeradius.org. The server just works! Thank you Mr. DeKok et al.

I wanted to try radmin, so I copied control-socket from sites-available to sites-enabled. When I started the server I received

    # radiusd -X
    snip
    radiusd: Opening IP addresses and Ports
    listen {
        type = auth
        ipaddr = *
        port = 0
    }
    listen {
        type = acct
        ipaddr = *
        port = 0
    }
    listen {
        type = control
    listen {
        socket = /usr/local/var/run/radiusd/radiusd.sock
    }
    Failed setting permissions on /usr/local/var/run/radiusd/radiusd.sock: No such file or directory
    #
    # ls /usr/local/var/run/radiusd
    radiusd.soc

The socket was created but the name was missing a character. I tried on a FreeBSD 6.2 box with the same results. Other than not being able to enable control-socket, everything else works fine.

I did try building from the github sources, but received an error:

    . . .
    gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS -I/usr/home/tester/Work/RADIUS/radius-2.1.1z/src -c valuepair.c -fPIC -DPIC -o .libs/valuepair.o
    valuepair.c: In function `pairread':
    valuepair.c:1737: error: `pair' undeclared (first use in this function)
    valuepair.c:1737: error: (Each undeclared identifier is reported only once
    valuepair.c:1737: error: for each function it appears in.)
    valuepair.c:1742: error: break statement not within loop or switch
    valuepair.c:1747: error: case label not within a switch statement
    valuepair.c:1762: error: break statement not within loop or switch
    valuepair.c: At top level:
    valuepair.c:1768: error: syntax error before if
    gmake[4]: *** [valuepair.lo] Error 1
    gmake[4]: Leaving directory `/usr/home/tester/Work/RADIUS/radius-2.1.1z/src/lib'
    gmake[3]: *** [common] Error 2
    gmake[3]: Leaving directory `/usr/home/tester/Work/RADIUS/radius-2.1.1z/src'
    gmake[2]: *** [all] Error 2
    gmake[2]: Leaving directory `/usr/home/tester/Work/RADIUS/radius-2.1.1z/src'
    gmake[1]: *** [common] Error 2
    gmake[1]: Leaving directory `/usr/home/tester/Work/RADIUS/radius-2.1.1z'
    gmake: *** [all] Error 2

Judging from the commit times, I believe valuepair.c was in the process of being changed and may already be fixed. When do you sleep Mr. DeKok?

--
Zoltan Ori

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: help with ldap/checkitem
On Friday 09 November 2007 14:26, Joe Vieira wrote:
> DEFAULT VPNGroupName == testing
>     CVPN3000-IPSec-Split-Tunneling-Policy = 1,
>     Filter-Id=itsadmin-filter,
>     CVPN3000-DHCP-Network-Scope = 140.232.2.1,
>     CVPN3000-IPSec-Split-Tunnel-List =itsadmin-routes
>
> i STILL don't get the attribute...

I do this successfully with

    DEFAULT my-check-item == my-value

Zoltan Ori
Morehead State University
Re: RADIUS will no longer start!
On Wednesday 24 January 2007 10:02, Michelle Gates wrote:
> read_config_files: reading clients
> /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name

You should not have anything in the clients file; all clients should be in clients.conf.

Zoltan Ori
Re: Limit access to internet by mac using freeradius
On Thursday 02 November 2006 05:43, Ali Jawad wrote:
> I need something like the mac address filtering used in squid ...where only registered mac addresses are allowed through the proxy..any hints, suggestions and/or tutorials are welcome.

Use your DHCP server for that.

Zoltan Ori
Re: huntgroups - doku?
On Tuesday 19 September 2006 04:19, Michael Messner wrote:
> hello mailinglist,
>
> /etc/raddb/huntgroups:
>
> enterasys NAS-IP-Address == 141.201.43.115
> enterasys NAS-IP-Address == 141.201.43.116
> enterasys NAS-IP-Address == 141.201.43.117
> cisco NAS-IP-Address == 141.201.43.118
> cisco NAS-IP-Address == 141.201.43.119
> cisco NAS-IP-Address == 141.201.43.120
>
> is this the correct way?

That is correct and is as the notes in huntgroups tell you. If you don't want to have to list all your IP addresses, you can also differentiate by NAS-Port-Type as a check item in the users file.

    DEFAULT NAS-Port-Type == Ethernet, ...
        Filter-Id = Enterasys:version , ...

    DEFAULT NAS-Port-Type == Wireless-802.11, ...
        Tunnel-Type = VLAN, ...

Zoltan Ori
Re: Problems getting eap-mschapv2 working.
On Friday 01 September 2006 08:36, Ian Walker wrote:
> Been trying to get eap working with peap/mschapv2 but it doesn't seem to work. This is my radiusd.conf file:
>
>     }
>     peap {
>         default_eap_type = mschapv2
>         mschapv2 {
>             authtype = mschapv2
>             use_mppe = yes
>             require_encryption = yes
>             require_strong = yes
>         }
>     }

You have some items misplaced. Check against the default configuration that came with the server. In particular, mschapv2 and the contents of that stanza.

Zoltan Ori
Re: an infamous LDAP-FreeRadius question
On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldapserver2:389, authentication 0
> rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/20060206_ldap2_xxx_xxx.crt
> rlm_ldap: setting TLS Require Cert to demand
> rlm_ldap: starting TLS
> rlm_ldap: ldap_start_tls_s()
> rlm_ldap: could not start TLS Connect error
> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns fail for request 0

Apparently your LDAP server is not accepting TLS/SSL connections on port 389. You'll need to fix that. See the docs on rlm_ldap for specifying the correct port for your ldaps connection. I think it is as simple as 'port = 636'.

Zoltan Ori
Re: an infamous LDAP-FreeRadius question
On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
> When I try to connect via 802.1x from a wireless client my Radius server debugging looks like below. Obviously the TLS session is not being set up correctly. I'm wondering about the private_key_password attribute. I just set it to whatever but that needs to correspond to a user on the LDAP server doesn't it? I'm not sure that's been set up.

You might try not using an ldaps connection if your LDAP server allows it. Comment out all the TLS in the ldap section. This TLS/SSL connection to your LDAP server is a separate issue from 802.1x. That's just between the RADIUS server and LDAP. Once you've got everything else going, go back and work with the ldaps. The main thing is to change only one thing at a time. Then you'll know exactly what broke it and what didn't. I believe you had LDAP working before, didn't you?

Zoltan Ori
Re: problem in configuring PEAP on freeRADIUS1.1.2
On Wednesday 05 July 2006 08:48, Pradeep Sengar wrote:
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: SSL error error:0200100E:system library:fopen:Bad address
> rlm_eap_tls: Error reading certificate file
> rlm_eap: Failed to initialize type tls

Did you create any certificates? Are they stored where you indicate in eap.conf? Do they have the proper permissions?

Zoltan Ori
Re: Fwd: Regular expression - Trying to rewrite User-Name
On Thursday 11 May 2006 16:30, Dennis Skinner wrote:
> Damian Porter wrote:
>> the user-name is coming to the radius process without any dashes and i want to add dashes to separate the octets. I have looked at that document and it does not offer a solution for the problem.
>
> Are you responding to me? 0e35-353afe-3afe19-fe19 has dashes. Either it came that way or your

Yes, he is. Mr Porter has 0e353afe19xx coming in. He wants 0e-35-3a-f3-19-xx. His replacement is not working as he wishes. He is wanting ([a-z0-9]{2}) ... to break up the 12 character string into 6 groups of 2 and then insert dashes between them. I don't have the answer, but that is the problem as I see it.

Zoltan Ori
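The rewrite the thread is after (six groups of two hex characters with dashes inserted) as an added, stand-alone example, not code from the list or from FreeRADIUS. It shows the literal regex substitution the reply describes and, beyond the thread, a general normalizer that accepts any common MAC spelling and a check that a MAC-style User-Name agrees with Calling-Station-Id. The sample request and the attribute names used as dictionary keys are constructed for the example.

```python
import re
from typing import Optional

# Direct equivalent of the rewrite described in the thread: six groups of
# two hex characters, joined with dashes.  Input that does not match is
# returned unchanged, which is what a failed regex substitution does.
SIX_PAIRS = re.compile(r"^" + r"([0-9a-f]{2})" * 6 + r"$")


def dash_with_regex(user_name: str) -> str:
    return SIX_PAIRS.sub(r"\1-\2-\3-\4-\5-\6", user_name)


def normalize_mac(value: str, sep: str = "-") -> Optional[str]:
    """Canonical lower-case form of a MAC from any common spelling
    (aabbccddeeff, aa-bb-.., aa:bb:.., aabb.ccdd.eeff), or None if the
    value is not exactly twelve hex digits once separators are removed."""
    raw = re.sub(r"[-:.\s]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", raw):
        return None
    return sep.join(raw[i:i + 2] for i in range(0, 12, 2))


def rewrite_user_name(attrs: dict) -> dict:
    """Return a copy of the request attributes with User-Name normalized.
    A User-Name that is not a MAC is left alone so real usernames survive."""
    out = dict(attrs)
    mac = normalize_mac(attrs.get("User-Name", ""))
    if mac is not None:
        out["User-Name"] = mac
    return out


def user_name_matches_caller(attrs: dict) -> bool:
    """MAC-auth sanity check: the claimed User-Name should equal the MAC the
    NAS reports in Calling-Station-Id, whatever format either arrived in."""
    claimed = normalize_mac(attrs.get("User-Name", ""))
    seen = normalize_mac(attrs.get("Calling-Station-Id", ""))
    return claimed is not None and claimed == seen


# Constructed sample request (not from the thread); attribute names follow
# the radiusd -X output quoted elsewhere on this page.
SAMPLE_REQUEST = {
    "User-Name": "0e353afe1900",
    "Calling-Station-Id": "0E-35-3A-FE-19-00",
    "NAS-Port-Type": "Ethernet",
}

if __name__ == "__main__":
    print(dash_with_regex("0e353afe1900"))
    print(rewrite_user_name(SAMPLE_REQUEST)["User-Name"])
    print(user_name_matches_caller(SAMPLE_REQUEST))
```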
Re: Can Juniper router or firewall configured on Free radius
On Thursday 06 April 2006 09:37, Venu Gopal wrote:
> Thanks a lot for the reply, i got this link for configuring radius, but wonder is there any modification to be done apart from cisco devices.

I'm not sure what you mean. You have Cisco authenticating and want to have the same for Juniper? You probably need to define exactly what you are trying to accomplish and what you are working with.

On the assumption that you have Cisco working and want Juniper, too: Decide what reply attributes you need and how you will differentiate the sources of the access request. Read about huntgroups. Or, you might include both Juniper and Cisco replies in the same users entry since the devices should ignore attributes they don't understand. I won't guarantee that will work as I've not done it myself.

Zoltan Ori
Re: Radrelay and detail file permissions
On Friday 31 March 2006 14:17, Ben Plimpton wrote:
> But when I start radrelay the permissions change:
>
> [EMAIL PROTECTED] radacct]# radrelay -a /var/log/radius/radacct \
>     -d /etc/raddb -n ns2-new detail-combined
> [EMAIL PROTECTED] radacct]# ls -la
> total 44
> drwx--     9 radiusd radiusd 4096 Mar 31 12:08 .
> drwx--     3 radiusd radiusd 4096 Mar 31 12:02 ..
> drwxr-xr-x 2 radiusd radiusd 4096 Mar 31 11:42 127.0.0.1
> drwxr-xr-x 2 radiusd radiusd 4096 Mar 17 16:17 216.17.128.39
> drwxr-xr-x 2 radiusd radiusd 4096 Feb  7 00:30 216.237.65.2
> drwxr-xr-x 2 radiusd radiusd 4096 Mar 31 00:00 216.237.67.198
> drwxr-xr-x 2 radiusd radiusd 4096 Mar 31 09:34 216.237.67.217
> drwxr-xr-x 2 radiusd radiusd 4096 Feb 14 09:49 216.237.72.66
> drwxr-xr-x 2 radiusd radiusd 4096 Mar 31 10:39 216.237.77.3
> -rw---     1 root    root       0 Mar 31 12:08 detail-combined
> [EMAIL PROTECTED] radacct]#
>
> Am I missing something with the way I am starting up radrelay? Or are there permissions that I need to check somewhere else?

Don't start radrelay as root. Start it as the same user you use to start RADIUS. In this case, radiusd.

Zoltan Ori
Re: problem with EAP-TLS
On Thursday 26 January 2006 13:33, dark0s dark0s wrote:
> Can you tell me if there exists a PCMCIA card that doesn't require wpa_supplicant; i.e. a card that authenticates directly, after the configuration of freeradius 1.0.5 and openssl?

This is off topic and has nothing to do with EAP-TLS or really freeRADIUS. The card doesn't authenticate, but I think you mean a pcmcia for wireless on Windows XP; yes, there are many. I have grown to prefer ones that use Atheros or Intel chipsets but many others will work with XP's native supplicant. You must have SP2, the KB885453 hot-fix and, optionally, the WPA2 rollup. If you are using Linux, *BSD, or something else then you will need wpa_supplicant.

Zoltan Ori
Re: CIsco Pix and FreeRadius....
On Wednesday 18 January 2006 09:40, Sills, Tripp wrote:
> users: Matched entry DEFAULT at line 179
> users: Matched entry DEFAULT at line 191

From the users file you can read:

    # If you are not sure why a particular reply is being sent by the
    # server, then run the server in debugging mode (radiusd -X), and
    # you will see which entries in this file are matched.
    #
    # When an authentication request is received from the comm server,
    # these values are tested. Only the first match is used unless the
    # Fall-Through variable is set to Yes.
    #
    # A special user named DEFAULT matches on all usernames.
    # You can have several DEFAULT entries. All entries are processed
    # in the order they appear in this file. The first entry that
    # matches the login-request will stop processing unless you use
    # the Fall-Through variable.

You aren't matching tripp. Put your entries at the top or comment out all the DEFAULT entries you don't care about.

Zoltan Ori
Re: Roaming with WPA-Enterprise/Radius
On Wednesday 04 January 2006 07:07, DI PAOLA ., VIERI wrote:
> Is there a way of caching or pre-authenticating or propagating authentication between APs? Has anyone found a solution to this roaming problem in case one uses WPA-Enterprise/Radius?

IAPP - IEEE 802.11F

Zoltan Ori
Re: FreeRadius and Openldap authentication
On Monday 02 January 2006 10:11, Robert WAKIM wrote:
> Thanks for the answer, I've tried radeapclient but it keeps segfaulting. I've browsed google to find a windows eap-md5 test client without any success.

Sorry, I can't help with radeapclient.

> Do you have any advice on how to test the whole system?

If they are convenient for you to get at, use one of your Enterasys switches. Set the RADIUS servers, set up any ports that you are going to test on. Set all other ports to 'forced authenticated'. Take care with the host data port (system management) so that you don't lock yourself out. Procedure varies with type of switch and firmware revision.

Zoltan Ori
Re: Filter-Id denying access
On Monday 05 December 2005 13:37, Josh wrote:
> insert into radcheck (UserName,Attribute,op,Value) values ('josh','Filter-Id','=','myvpntest');

Filter-Id should be a reply item.

Zoltan Ori
Re: EAP/TLS Configuration - Addition
On Friday 02 December 2005 22:53, Madhuraka Godahewa wrote:
> After having some trouble with the Windows XP and freeRADIUS, I was able to connect to the AP. But, in the configuration (Windows XP), I removed the check mark at 'Validate Server Certificate'. Then, suddenly, it started working. Anybody knows the reason for this?

You don't have a copy of the root certificate on the supplicant or have not selected to use it?

> Further, after establishing the connection, I terminated the connection (by disabling the network connection). Then, I tried to connect again (by enabling). But, this time, the user machine connected to the AP automatically (without asking for the credentials.). It seems like something has cached these entries. Anybody knows how to clear this cache?

It's in the registry under HKEY_CURRENT_USER\Software\Microsoft\EAPOL.
Re: WLAN 802.1x FreeRadius with LDAP
On Thursday 01 December 2005 09:19, Christian Poessinger wrote:
> Fixed it myself. After removing
>
>     checkItem LM-Password userPassword
>     checkItem NT-Password userPassword
>
> from the ldap.attrmap file, and adding
>
>     checkItem userPasswordlmPassword
>
> instead, it worked. Now i can use RADIUS LDAP to auth my WLAN clients.

Good!
Re: WLAN 802.1x FreeRadius with LDAP
On Tuesday 29 November 2005 08:53, Christian Poessinger wrote:
> I requested and installed this fix, but I still get the same error message on the radius server.
>
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Received EAP-TLV response.
> rlm_eap_peap: Tunneled data is valid.
> rlm_eap_peap: Had sent TLV failure, rejecting.
> rlm_eap: Handler failed in EAP/peap
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module eap returns invalid for request 7
> modcall: group authenticate returns invalid for request 7
> auth: Failed to validate the user.

Are there any other errors in the log? The actual reason for rejection may come long before that.
Re: WLAN 802.1x FreeRadius with LDAP
On Tuesday 29 November 2005 11:07, Christian Poessinger wrote:
>> You didn't configure a password for the user.
>
> Yes, I did. I have a userPassword attribute in my LDAP backend, and it contains a clear text password. I can fully use this account in the backend for ftp/ssh/http but not with peap/mschapv2 over radius.

You have ntlm_auth in your mschap configuration. You don't want that for LDAP. You don't need anything NT in that module. The default configuration had everything commented out but authtype = MS-CHAP. Start with that and then add what you need.
Re: WLAN 802.1x FreeRadius with LDAP
On Tuesday 29 November 2005 13:56, Christian Poessinger wrote:
> Nope, everything is uncommented. I also tried to add this to the ldap.attrmap file:

That's the problem: everything is uncommented. Comment out ntlm_auth and with_ntdomain_hack. If you have plain text passwords, you aren't authenticating to a Windows domain controller, you don't have winbindd and nmbd running, and you don't need or want them in your mschap configuration.
Re: WLAN 802.1x FreeRadius with LDAP
On Monday 28 November 2005 04:31, Konne wrote:
> hi
>
> can somebody post a howto that describes the configuration:
> - peap/mschapv2 with ldap and freeradius
> - client configuration (M$ Windows XP, SecureW2)
>
> thx

There are many howtos available that can be found by searching the mail archives or googling. Before you spend a lot of time on them, read the documentation that comes with FreeRADIUS and study the .conf files so that you might understand what's really going on. Many want to do a quick configuration based on a howto that doesn't always fit their case. When things go wrong, they don't know what to do and the howto can't help.

See /doc in your FreeRADIUS sources for ldap documentation. The comments in eap.conf tell you how to do peap/mschapv2.

As far as I know, SecureW2 does not do PEAP. You will have to use XP's native supplicant. The configuration is straightforward but depends on what you are trying to do.

Zoltan Ori
Re: WLAN 802.1x FreeRadius with LDAP
On Monday 28 November 2005 12:32, Christian Poessinger wrote:
> rlm_eap_peap: Had sent TLV failure, rejecting.

Use the latest available drivers for your wireless adaptor. I've encountered many strange connectivity issues that are fixed with new drivers.

If the supplicant is XP SP2 you may need the Windows KB885453 hot fix.
http://support.microsoft.com/?kbid=885453

You would have to beg Microsoft for it, but fortunately, it is available from many other sources on the Web. KB890937 supposedly includes this fix as well, but I've not used it.

The KB893357 WPA2 roll up may also be applied. It doesn't address this problem but does seem to shorten the time taken to get the login prompt and connect.
http://support.microsoft.com/?kbid=893357
Re: Freeradius WPA issue
On Wednesday 23 November 2005 11:09, Patrice PAPOT wrote:
> Hi,
>
> I make tests on Windows Pocket PC and Windows Mobile 2003 in WPA and TKIP. The Mobile 2003 is not able to be authenticated and the Pocket PC needs 1070 requests to authenticate itself. Herewith the debug.
>
> Help me please

There are not 1070 requests shown, although the last exchange is 1070.

You have an Access-Accept on request 1060 ID 231 timestamp 43844cd7
You have an Access-Accept on request 1070 ID 241 timestamp 43844cda

Looks like only 3 seconds transpired between the two. I don't think FreeRADIUS is your problem. Check your Cisco AP and Windows Mobile configurations. At one point leap was used. Are you trying to use leap as well as peap? Set your AP only for what you intend to use on your supplicants. They don't work very well if you try to set them to use everything; it will confuse your supplicant.

Please don't post the same question to different threads.

Zoltan Ori.
Re: PEAP MS_CHAP V2: problem with tunnel attributes on enterasys V2 switch
On Friday 28 October 2005 10:40, [EMAIL PROTECTED] wrote:
> I am new to this list and would like to know if someone out there has been successful in implementing eap-PEAP user authentication and VLAN assignment with freeradius and Enterasys V2 switches?

The V2 switches (and all Enterasys switches) support EAP-MD5.

Zoltan Ori
Re: Radlast and radwho fails
> ...
> Module: Loaded radutmp
>  radutmp: filename = /usr/local/var/log/radius/radutmp
>  radutmp: username = %{User-Name}
>  radutmp: case_sensitive = no
>  radutmp: check_with_nas = yes
>  radutmp: perm = 384
>  radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.

You cut it short. Debug output will tell you why radutmp is not being written if you look at what happens when a user logs in.

Zoltan Ori
Re: urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?
On Tuesday 16 August 2005 10:28, Jamie Crawford wrote:
> Everything seems to work great until the certificate negotiation, then it blows chunks.

Bad or wrong certificates. Server and supplicant need a copy of the same trusted root certificate.

Zoltan
Re: XP supplicant and Secure Certificate acceptance
On Monday 01 August 2005 16:37, [EMAIL PROTECTED] wrote:
> I am running FreeRadius 1.0.4 and using XP supplicants. My problem is after authenticating against FreeRadius, XP asks me to OK the server certificate. I do not want to manually validate the server certificate. XP should be able to validate the certificate by itself, as long as the cert has been issued by a valid Certificate Authority. I have tried using certs from DigiCert and Verisign. Does anyone else see this same problem? How can this step be automated so that my users are not required this additional click?

On the XP machines you can either uncheck the Validate server certificate in the EAP properties (not recommended) or you can specify the trusted root certificate that you are using (check the box in the list) and the RADIUS server names. The validation is not a big deal and you only have to do it once unless you are wiping the eapinfo from the registry on shutdown.

Zoltan Ori
Re: EAP MD5 authentication
On Tuesday 21 June 2005 07:13, Sudha wrote:
> Hi List..
>
> I'm trying EAP MD5 authentication using free radius but since MD5 doesn't generate any keys, I'm getting an error message "Failed to generate key". Generally MD5 is used in phase 2 of TLS or PEAP and that is working fine. Is it possible to establish EAP MD5 authentication without using TLS or PEAP? The information in the supplicant.conf file is as:

If you have included MD5 in your eap.conf, it will work whether other EAP types, TLS or PEAP, are the default. The following has always worked for me. I'm assuming that you are doing this on a wired port and the NAS is configured properly. From the description of your problem, I am guessing it is not.

    eap {
        default_eap_type = peap
        ignore_unknown_eap_types = no
        md5 {
        }
        . . .
    }

Zoltan
Re: Apple Airport Extreme with EAP-TTLS...
On Thursday 12 May 2005 05:21, Achim Friedland wrote:
> Afterwards I enter my username and password and everything seems to be okay. The 802.1x apple-window is counting my online-minutes, but I can't get any signal strength information from the AP or send/receive packets via the AP. I think I'm not really connected. The airport syslog isn't very helpful, it's just telling me that I'm connected... nothing more... Could there be some problems with the wpa keys or any other reason why my packets disappear somewhere?
>
> In the users file I have nothing more than:
>
>     ahzf    Auth-Type := Local, User-Password == 1234

You haven't examined your debug output.

> The radiusd -A -X output:
>
> rad_recv: Access-Request packet from host 141.24.44.109:1024, id=44, length=192
>         Framed-MTU = 1466
>         NAS-IP-Address = 10.0.1.1
>         NAS-Identifier = ahzfnet AP1
>         User-Name = ahzf-intern
>         Service-Type = Framed-User
>         NAS-Port = 256
>         NAS-Port-Type = Ethernet
>         NAS-Port-Id = wl0
>         Called-Station-Id = 00-11-24-06-2d-e1
>         Calling-Station-Id = 00-0d-93-86-5f-aa
>         Connect-Info = CONNECT Ethernet 54Mbps Half duplex
>         EAP-Message = 0x022b00100161687a662d696e7465726e
>         Message-Authenticator = 0x217c1b8348128b645236df246a53c6b9
> Thu May 12 03:29:16 2005 : Debug:     users: Matched entry DEFAULT at line 227

Hmmm.. for some unknown reason User-Name is not matching your entry in the users file.
Re: radiusd.conf:23: invalid timeout
On Monday 25 April 2005 08:57, [EMAIL PROTECTED] wrote:
> Hallo,
>
> freeradius 1.0.2
>
> I'm using MPD VPN. Freeradius with mysql. When connecting from a vpn client I have this output:
>
> [pptp1] RADIUS: using /usr/local/etc/raddb/radiusd.conf
> [pptp1] RADIUS: rad_config: /usr/local/etc/raddb/radiusd.conf:23: invalid timeout
>
> I try to change every timeout parameter in radiusd.conf and nothing. What is wrong?

Changing things at random is a sure way to break it. What is on line 23 of radiusd.conf?

Zoltan Ori
Re: Re[2]: radiusd.conf:23: invalid timeout
On Monday 25 April 2005 09:29, [EMAIL PROTECTED] wrote:
> [pptp1] RADIUS: using /usr/local/etc/raddb/radiusd.conf
> [pptp1] RADIUS: rad_config: /usr/local/etc/raddb/radiusd.conf:23:invalid

Ok, I didn't know what I was talking about.. Is this the output when you start radius or debug output from radiusd -X? Is there more than this?
Re: TLS Alert read:fatal:bad certificate
> 2) I notice now that the certificate validation is working that I no longer am prompted to enter my username and password. Even after rebooting the WinXP computer, the connection to freeradius occurs automatically. I suppose this might be convenient in some circles but it's also a security risk in that if someone were to borrow my computer they would not be challenged before getting access to the network. Does anyone know where WinXP stores this info and if it can be configured to always prompt for user/pass?

[HKEY_CURRENT_USER\Software\Microsoft\EAPOL\userEapInfo\]

You can make an eapol.reg file that will delete this info:

    Windows Registry Editor version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\EAPOL]

    [-HKEY_CURRENT_USER\Software\Microsoft\EAPOL\userEapInfo\]

    [HKEY_CURRENT_USER\Software\Microsoft\EAPOL\userEapInfo\]

Then make an Xeapol.bat file to run

    regedit /u /s c:\windows\eapol.reg

Use gpedit.msc to add this batch file into the user configuration logoff scripts.
Re: CA.all Not Working? Can't Generate New Certs
On Friday 01 April 2005 11:45, Jim Seymour wrote:
> No certificate matches private key

That may be the problem.
Re: CA.all Not Working? Can't Generate New Certs
On Friday 01 April 2005 11:58, Jim Seymour wrote:
> Zoltan Ori [EMAIL PROTECTED] wrote:
>> On Friday 01 April 2005 11:45, Jim Seymour wrote:
>>> No certificate matches private key
>>
>> That may be the problem.
>
> Indeed, it may well be. But what does that *mean*? What certificate? What private key? I have no idea what it's looking for or why.

It might be that you are not a privileged user or that old keys and certs are stored on your system or openssl.cnf may be pointing to a different key than the script generates. Print the CA.all script and look it over. It will tell you each step that is taken. Also, check out the openssl docs.

Zoltan
Re: Problem with Windows XP Authentication
On Sunday 13 March 2005 13:47, chiam kuosiang wrote:
> When i tried to launch peap authentication with the windows xp client, the radius snippet keeps on showing Sending Access-Challenge. In D-Link DWL-900AP+, the log shows EAP-Failure.
>
> modcall[authenticate]: module eap returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 54 to 192.168.0.50:1206
>         EAP-Message = 0x010200061920
>         Message-Authenticator = 0x
>         State = 0x621660927c5033dae390af4ffc09dfc5
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---

Your supplicant is not responding to the challenge. The conversation between it and the NAS may not be taking place properly. Check config on supplicant and NAS to make sure they agree. Do you have the latest drivers and patches on XP?
Re: FreeRadius eap-peap problem
On Thursday 24 February 2005 10:53, Patrice PAPOT wrote:
> I use freeradius 1.0.2 in Eap-peap. My hardware configuration is: PDA -- AP Cisco --- Freeradius. No error on the log but I have a popup on the PDA saying the certificate of the server has been emitted by a not recognized authority.

The PDA should have a copy of the CA root certificate. I'm assuming that your PDA is Windows Mobile. Change the suffix of the root cert to .cer, copy it to the PDA and install it.
Re: Install: Make command.
On Tuesday 15 February 2005 08:47, [EMAIL PROTECTED] wrote:
> Hi, i read a post on how to install Free Radius with an XP supplicant (link shown below). I am a newbie to Linux and radius so hopefully you can be patient. I am running the latest version of FreeBSD, Openssl (openssl-0.9.7-stable-SNAP-20050209), and FreeRadius (freeradius-snapshot-20050209). I followed instructions from here:
> http://text.dslreports.com/forum/remark,9286052~mode=flat
>
> When i run the make command i get the following error.
>
> gmake[1]: Entering directory `/home/radius/freeradius-snapshot-20050209'
> Making all in libltdl...
> gmake[2]: Entering directory `/home/radius/freeradius-snapshot-20050209/libltdl'
> gmake[2]: *** No rule to make target `all'.  Stop.
> gmake[2]: Leaving directory `/home/radius/freeradius-snapshot-20050209/libltdl'
> gmake[1]: *** [common] Error 1
> gmake[1]: Leaving directory `/home/radius/freeradius-snapshot-20050209'
> make: *** [all] Error 2
>
> so then.

I haven't used the latest snapshot, but in recent installs on FreeBSD, I've had success by going to /libdtl, executing ./configure and then changing top_builddir to ./.. in the Makefile. Then go to the top directory and execute make, make install as usual. You will probably want to make clean before doing this or delete your freeRADIUS directories and untar a fresh version. I believe there is a thread on this in the archives because I'm not smart enough to come up with this on my own.

Zoltan Ori
Re: PEAP and fatal unknown_ca
On Thursday 10 February 2005 10:46, Dudley Atkinson wrote:
> Perhaps so, but I'm not sure what I can put into the certificates to alter that behavior. There is no explicit domain entry in a certificate? If your windows domain is OFFICE-LAN, how would you construct your certificate information to incorporate that?

You are thinking of the wrong type of domain. According to the e-mail header, jdatkinson.net is your domain. Mine is morehead-st.edu.
Re: AW: Allways 10 Times to authenticate
On Thursday 27 January 2005 07:59, Christian wrote:
> Alejandro,
>
> Yes, I'm sure, because radiusd -X counts the requests and the count of the last one is always 10 higher than the last ...

It's hard to tell what you are seeing without debug output. Take a closer look at the exchanges that are taking place. I don't think you have a problem.
Re: Windows XP SP2 WAP/TKIP
On Thursday 27 January 2005 17:24, freeradius-users wrote:
> The doc section on freeradius.org is quite poor and the docs about Windows integration are quite old (they don't consider SP1 or SP2).

The HOWTOs are quite helpful if you don't consider the OS and consider the concepts. Everything is there.

> So my first question is simple: Has anybody a configuration with freeradius and Windows XP SP2 (WPA/TKIP) running? (In my special case I don't want to deal with user certificates, but with machine-based certificates. It is just a registry hack and already done.)

Yes: WPA/TKIP with XP SP1 with WPA roll-up patches, XP SP2, OS X v10.3 and WM2003SE (Dell Axim). Avoid the use of individual certificates by using PEAP (msChapV2). What specifics do you need?

> If not, does anybody know HOWTOs or documentation about that?

I used as guides http://www.freeradius.org/doc/EAPTLS.pdf and the 05 October, 2004 802.1x port based Authentication HOWTO, both of which are referenced on the first page of the site.
Re: running external script in FreeRadius
On Friday 21 January 2005 10:18, Schoggins, George wrote:
> I am running version 2.23 FreeRadius on Windows XP Pro.

I'm not aware of any version 2.23 of freeRADIUS.

> The error I keep getting is "file or directory not found". I have run the script in the exec-program-wait mode, but the path is not working correctly. I have put the script in every directory and subdirectory in Radius and it still errors with "file or directory not found".

What is the command you are giving to run the script? What are the permissions on the script itself?
Re: Permission denied on certificate-files
On Thursday 13 January 2005 07:57, Hedenborg Thomas wrote:
> Hi, nope, didn't help...
>
> # ls -la certs/demoCA/cacert.pem
> -rw-r--r--  1 root  radiusd  1346 Oct  5 02:14 certs/demoCA/cacert.pem
>
> //Thomas

Since you have:

  main: user = radiusd
  main: group = radiusd

see what user 'radiusd' is allowed to do on your system and change accordingly.
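A small check for the permission question above, added here as an example and not part of the thread: it parses an ls -l line like the one Thomas posted, decides whether a daemon running as a given user and group can read the file, and flags private keys that are world-readable. The user and group names (radiusd) come from the reply above; the two key-file lines are constructed, and treating every file ending in .key as a private key is an assumption of this example.

```python
import grp
import os
import pwd
import stat

# Constructed sample lines. The first is the ls -la output quoted in the thread
# above; the other two are made up here to show a key the daemon cannot read and
# a key that everybody can read.
SAMPLE_LINES = [
    "-rw-r--r-- 1 root radiusd 1346 Oct 5 02:14 certs/demoCA/cacert.pem",
    "-rw------- 1 root radiusd 1675 Oct 5 02:14 certs/server.key",
    "-rw-r--r-- 1 root radiusd 1675 Oct 5 02:14 certs/other.key",
]


def parse_ls_mode(mode_str):
    """Turn an ls(1) permission string such as '-rw-r--r--' into mode bits (0o644).
    's' and 't' in an execute slot imply the execute bit; 'S' and 'T' do not."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character ls mode string: %r" % mode_str)
    bits = 0
    for ch in mode_str[1:]:
        bits = (bits << 1) | (1 if ch in "rwxst" else 0)
    return bits


def readable_by(mode, owner, group, user, groups):
    """Classic Unix read check by name: owner bits if the user owns the file, else
    group bits if the file's group is one of the user's groups, else other bits.
    root can read anything."""
    if user == "root":
        return True
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit(mode, owner, group, path, user, groups):
    """Findings for one file as seen by a daemon running as `user` with `groups`.
    Files ending in .key are assumed (in this example) to be private keys and must
    not be world-readable, even when the daemon itself can read them."""
    findings = []
    if not readable_by(mode, owner, group, user, groups):
        findings.append("%s: not readable by %s (owner %s, group %s, mode %04o)"
                        % (path, user, owner, group, mode))
    if path.endswith(".key") and mode & stat.S_IROTH:
        findings.append("%s: private key is world-readable (mode %04o)" % (path, mode))
    return findings


def audit_ls_line(line, user, groups):
    """Audit one 'ls -l' line: mode, link count, owner, group, size, date..., path."""
    fields = line.split()
    return audit(parse_ls_mode(fields[0]), fields[2], fields[3], fields[-1], user, groups)


def audit_path(path, user):
    """Audit a real file, resolving the daemon's primary and supplementary groups."""
    st = os.stat(path)
    pw = pwd.getpwnam(user)
    groups = {grp.getgrgid(pw.pw_gid).gr_name}
    groups.update(g.gr_name for g in grp.getgrall() if user in g.gr_mem)
    return audit(stat.S_IMODE(st.st_mode), pwd.getpwuid(st.st_uid).pw_name,
                 grp.getgrgid(st.st_gid).gr_name, path, user, groups)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sample.split()[-1], audit_ls_line(sample, "radiusd", {"radiusd"}) or "ok")
```

The cacert.pem line from the thread passes (group radiusd has read), so the "Permission denied" has to come from something else on that path or from a file the daemon opens next; audit_path runs the same check against real files once the daemon's user is known.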
Re: LDAp + GK (GNUGK) + FreeRadius
> I have a problem with the configuration of FreeRadius + LDAP + GnuGK. Now I have authentication, but my GnuGK doesn't receive the alias. My alias is the telephone number. My authentication uses username and password, but I need to receive the alias. What do I do to receive the alias?

That's mostly a GnuGK question. For the LDAP and RADIUS part, you need to map your end-point's E.164 alias from LDAP to RADIUS (examine the raddb/ldap.attrmap dictionary to see how). Then send it in the reply to GnuGK. Your 'users' file entry might look something like this:

DEFAULT  # whatever check items you deem appropriate
        Tunnel-Type=IP,
        Tunnel-Medium-Type=E.164,
        Tunnel-Client-Endpoint=%{myLdapE164Alias}

That's just a guess. Whatever attributes GnuGK is expecting (Tunnel-Connection-Id, Tunnel-Private-Group-Id?), I don't know. It may not even care about Tunnel-Type or Medium. You'll have to read up on that yourself.

Zoltan Ori
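An added example, not from the thread or from the FreeRADIUS project, that parses `users` file entries of the shape sketched above into check items and reply items and lists the %{...} expansions a reply depends on; those are the attributes the LDAP mapping has to supply before the reply can carry them. The sample file is constructed here: the DEFAULT entry follows the guess in the reply above (myLdapE164Alias is its placeholder name), and the `bob` entry is made up to exercise check items and quoted values.

```python
import re

# Constructed sample users file (not from the thread). The DEFAULT entry is
# modelled on the guess in the reply above; 'bob' is made up.
USERS_FILE = """\
# Reply items only; myLdapE164Alias is the attribute the LDAP mapping must supply.
DEFAULT  # whatever check items you deem appropriate
        Tunnel-Type = IP,
        Tunnel-Medium-Type = E.164,
        Tunnel-Client-Endpoint = "%{myLdapE164Alias}"

bob     Cleartext-Password := "hello, world", NAS-IP-Address == 192.0.2.1
        Framed-IP-Address = 192.0.2.10,
        Reply-Message = "Welcome, %{User-Name}"
"""

# Attribute, operator (longest alternatives first so '=' is tried last), value.
ITEM_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(:=|==|\+=|!=|=~|!~|=)\s*(.*?)\s*$")
XLAT_RE = re.compile(r"%\{([^}]+)\}")


def _strip_comment(line):
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip()


def _split_items(text):
    """Split on commas outside double quotes; a trailing comma is ignored."""
    items, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        items.append(tail)
    return items


def parse_item(text):
    """Split 'Attribute op value' into (attr, op, value), unquoting the value."""
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError("malformed item: %r" % text)
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_users(text):
    """Parse a FreeRADIUS 'users' file into entries of the form
    {'name': str, 'check': [(attr, op, value)], 'reply': [(attr, op, value)]}.
    An entry starts on an unindented line holding the name (or DEFAULT) and its
    check items; indented lines hold reply items, a trailing comma meaning that
    another reply line follows."""
    entries, current = [], None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if not raw[0].isspace():
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            current = {"name": parts[0],
                       "check": [parse_item(i) for i in _split_items(rest)],
                       "reply": []}
            entries.append(current)
        else:
            if current is None:
                raise ValueError("reply item before any entry: %r" % raw)
            current["reply"].extend(parse_item(i) for i in _split_items(line))
    return entries


def xlat_references(entry):
    """Attribute names referenced by %{...} expansions in the entry's reply items.
    Each must exist (here: mapped in from LDAP) when the reply is built."""
    refs = []
    for _attr, _op, value in entry["reply"]:
        refs.extend(XLAT_RE.findall(value))
    return refs


if __name__ == "__main__":
    for entry in parse_users(USERS_FILE):
        print(entry["name"], "check:", entry["check"])
        print("  reply:", entry["reply"], "needs:", xlat_references(entry))
```

Running it against a real `users` file and comparing the names returned by xlat_references with the RADIUS-side names in ldap.attrmap shows immediately whether the reply can ever be populated.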
Re: LDAp + GK (GNUGK) + FreeRadius
On Monday 03 January 2005 12:17, Anderson Alves de Albuquerque wrote:
> I'm thinking I would need to modify my filter in radius.conf. Now my radius.conf is:
>
> filter=((uid=%u)(objectclass=radiusprofile))
>
> I look at my LDAP server log and there is one search by h323-ivr-in. But when I look at GNUGK on port 7000, I don't receive the alias.

OK, your LDAP log shows the search. You still need to specify that the attribute be xlated and sent in the reply from RADIUS. What does RADIUS show it is doing? If you would include the debug output (radiusd -X) and what attribute needs to be in the reply, someone would be better equipped to tell you why it is not getting sent.

Zoltan Ori
Re: rlm_eap_tls not built because OpenSSL not found
On Monday 13 December 2004 08:07, Tim Winders wrote:
> On Sun, 12 Dec 2004, Alan DeKok wrote:
> > Tim Winders [EMAIL PROTECTED] wrote:
>
> Unfortunately, I can't seem to get PEAP working. The server is complaining about a client certificate, like I was using EAP/TLS rather than EAP/PEAP.
>
> Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
> Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
> Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message

That is not a show stopper. TLS is complaining about the client certificate you don't need for PEAP, but should process the request anyway. Examine the debug output to see if there is any other failure.

> I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication: Open, Data Encryption: WEP, EAP Type: Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2).

Why open and WEP? Why not WPA TKIP? The AP and supplicant should support this.

Zoltan Ori
Re: An Enterasys - Freeradius Question Again
> If you don't want to use radius auth for management access, how are you doing it??
>
> Thx

On the Cabletron/Enterasys 2nd gen. (6E2xxx / 2E2xxx) products, it is a matter of using the LM menu to step through Security | Radius Configuration and setting RADIUS Management to DISABLED. This reverts you to using the local password for remote and local management access. I know of no equivalent setting on the Matrix E1. My firmware needs to be updated; it may be in the more recent releases.

I had set up a user in the radius users file that sends the Filter-ID with mgmt=su. On the switch, set the radius last-resort-action for remote and local management to challenge, in the event of not being able to access the radius server.
Re: LDAP and EAP-MD5 setup.
On Tuesday 08 June 2004 01:14 pm, Alan DeKok wrote:
> Zoltan Ori [EMAIL PROTECTED] wrote:
> > Another Access-Request packet is received. LDAP and the users file are once again processed, but now EAP complains that User-Password is required for EAP-MD5 authentication.
>
> So run the server in debugging mode, to see which entries in LDAP it matches.

OK

> > The exchange of packets from radeapclient is enclosed below.
>
> But not the debug output from the server. sigh
>
> Is there a huge blinking sign somewhere which says to ignore all of the documentation and FAQ?

Some of us are pretty dense. Here is the debug output from the server.

rad_recv: Access-Request packet from host 127.0.0.1:51644, id=140, length=93
        User-Name = m099
        User-Password = test123
        NAS-IP-Address = 147.133.230.16
        Message-Authenticator = 0x820f1368d333bb1f3bab23e9b92325f7
        NAS-Port = 0
        EAP-Message = 0x02d2000d016d30393939393939
Tue Jun 8 11:16:03 2004 : Debug: Processing the authorize section of radiusd.conf
Tue Jun 8 11:16:03 2004 : Debug: modcall: entering group authorize for request 8
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 8
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 8
Tue Jun 8 11:16:03 2004 : Debug: modcall[authorize]: module preprocess returns ok for request 8
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 8
Tue Jun 8 11:16:03 2004 : Debug: radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040608'
Tue Jun 8 11:16:03 2004 : Debug: rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040608
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 8
Tue Jun 8 11:16:03 2004 : Debug: modcall[authorize]: module auth_log returns ok for request 8
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 8
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 8
Tue Jun 8 11:16:03 2004 : Debug: modcall[authorize]: module mschap returns noop for request 8
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 8
Tue Jun 8 11:16:03 2004 : Debug: rlm_ldap: - authorize
Tue Jun 8 11:16:03 2004 : Debug: rlm_ldap: performing user authorization for m099
Tue Jun 8 11:16:03 2004 : Debug: radius_xlat: '(uid=m099)'
Tue Jun 8 11:16:03 2004 : Debug: radius_xlat: 'dc=morehead-st,dc=edu'
Tue Jun 8 11:16:03 2004 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Jun 8 11:16:03 2004 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Jun 8 11:16:03 2004 : Debug: rlm_ldap: performing search in dc=morehead-st,dc=edu, with filter (uid=m099)
request 10 done
Tue Jun 8 11:16:03 2004 : Debug: rlm_ldap: looking for check items in directory...
Tue Jun 8 11:16:03 2004 : Debug: rlm_ldap: Adding class as MSU-Class, value facstaff op=21
Tue Jun 8 11:16:03 2004 : Debug: rlm_ldap: looking for reply items in directory...
Tue Jun 8 11:16:03 2004 : Debug: rlm_ldap: user m099 authorized to use remote access
Tue Jun 8 11:16:03 2004 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 8
Tue Jun 8 11:16:03 2004 : Debug: modcall[authorize]: module ldap returns ok for request 8
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 8
Tue Jun 8 11:16:03 2004 : Debug: rlm_eap: EAP packet type response id 210 length 13
Tue Jun 8 11:16:03 2004 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 8
Tue Jun 8 11:16:03 2004 : Debug: modcall[authorize]: module eap returns updated for request 8
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 8
Tue Jun 8 11:16:03 2004 : Debug: users: Matched DEFAULT at 10
Tue Jun 8 11:16:03 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 8
Tue Jun 8 11:16:03 2004 : Debug: modcall[authorize]: module files returns ok for request 8
Tue Jun 8 11:16:03 2004 : Debug: modcall: group authorize returns updated for request 8
Tue Jun 8 11:16:03 2004 : Debug: rad_check_password: Found Auth-Type LDAP
Tue Jun 8 11:16:03 2004 : Debug: rad_check_password: Found Auth-Type EAP
Tue Jun 8 11:16:03 2004 : Error: Warning: Found 2 auth-types on request for user 'm099'
Tue Jun 8 11:16:03 2004 : Debug: auth: type EAP
Tue Jun 8 11:16:03 2004 : Debug: Processing the authenticate section of radiusd.conf
Tue Jun
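As an added example, not part of the thread: a small analyzer for radiusd -X output that groups the rad_check_password "Found Auth-Type" lines by request (the request number appears only on the modcall lines, so it is carried forward to the lines that follow) and reports requests where more than one module set Auth-Type, which is what produces the "Found 2 auth-types" warning above. The sample is a constructed, trimmed copy of the debug output in this message, plus a second, made-up request that has a single Auth-Type for contrast.

```python
import re

# Constructed sample: a trimmed copy of the radiusd -X output quoted in the
# message above (request 8), followed by a made-up clean request 9.
SAMPLE_DEBUG = """\
Tue Jun 8 11:16:03 2004 : Debug: modcall: entering group authorize for request 8
Tue Jun 8 11:16:03 2004 : Debug: modcall[authorize]: module ldap returns ok for request 8
Tue Jun 8 11:16:03 2004 : Debug: modcall[authorize]: module eap returns updated for request 8
Tue Jun 8 11:16:03 2004 : Debug: users: Matched DEFAULT at 10
Tue Jun 8 11:16:03 2004 : Debug: modcall[authorize]: module files returns ok for request 8
Tue Jun 8 11:16:03 2004 : Debug: modcall: group authorize returns updated for request 8
Tue Jun 8 11:16:03 2004 : Debug: rad_check_password: Found Auth-Type LDAP
Tue Jun 8 11:16:03 2004 : Debug: rad_check_password: Found Auth-Type EAP
Tue Jun 8 11:16:03 2004 : Error: Warning: Found 2 auth-types on request for user 'm099'
Tue Jun 8 11:16:03 2004 : Debug: auth: type EAP
Tue Jun 8 11:16:04 2004 : Debug: modcall: entering group authorize for request 9
Tue Jun 8 11:16:04 2004 : Debug: modcall: group authorize returns updated for request 9
Tue Jun 8 11:16:04 2004 : Debug: rad_check_password: Found Auth-Type EAP
Tue Jun 8 11:16:04 2004 : Debug: auth: type EAP
"""

REQUEST_RE = re.compile(r"\bfor request (\d+)\b")
FOUND_RE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")
WARN_RE = re.compile(r"Warning: Found (\d+) auth-types on request for user '([^']*)'")
CHOSEN_RE = re.compile(r"\bauth: type (\S+)")


def analyze_auth_types(text):
    """Group the Auth-Type decisions in radiusd -X output by request.

    Returns {request_number: {'auth_types': [names in order found],
                              'chosen': name or None,
                              'warning': (count, user) or None}}.
    The rad_check_password and auth lines carry no request number, so the
    number from the most recent modcall line is attributed to them."""
    results = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            current = int(m.group(1))
            results.setdefault(current, {"auth_types": [], "chosen": None, "warning": None})
            continue
        if current is None:
            continue  # lines before the first request are not attributable
        rec = results[current]
        m = FOUND_RE.search(line)
        if m:
            rec["auth_types"].append(m.group(1))
            continue
        m = WARN_RE.search(line)
        if m:
            rec["warning"] = (int(m.group(1)), m.group(2))
            continue
        m = CHOSEN_RE.search(line)
        if m:
            rec["chosen"] = m.group(1)
    return results


def conflicting_requests(results):
    """Requests in which more than one authorize module set Auth-Type. Only one
    should; the server warns and proceeds with one of them (EAP in the output
    above), so the other module's check items are silently left out."""
    return sorted(r for r, rec in results.items() if len(rec["auth_types"]) > 1)


if __name__ == "__main__":
    found = analyze_auth_types(SAMPLE_DEBUG)
    for req in conflicting_requests(found):
        rec = found[req]
        print("request %d: Auth-Type set by %s, server used %s, warning %s"
              % (req, ", ".join(rec["auth_types"]), rec["chosen"], rec["warning"]))
```

Feeding a full radiusd -X capture through analyze_auth_types turns a wall of modcall lines into one row per request, which makes it easy to see that here both rlm_ldap and rlm_eap claim the request in authorize, and that the EAP path then runs without the User-Password that rlm_ldap's Auth-Type would have handled.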