Re: EAP-SIM Module Failed to Load
Thanks so much, I will try that. Much regards, ken.farring...@802.co.uk

Phil Mayers p.may...@imperial.ac.uk wrote:
> On 25/08/2013 12:03, ken.farrington wrote:
> > /usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No such file or directory
>
> Your version of FreeRADIUS wasn't compiled with rlm_eap_sim enabled, or it wasn't installed. I can't remember if you need to build with --experimental-modules or whatever the ./configure option is called. Also, upgrade to 2.2.0
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Recommendations for a GUI front end for FreeRadius
FreeRadius is a great product that works very well, but is difficult for novices to maintain. I don't have any problems using the Linux shell and vi to configure it, but I need something more user-friendly for others.

Can anyone recommend an open-source GUI for FreeRadius, preferably something that runs as an Apache web site under Linux?

Thanks for any suggestions!

Ken Morley
Re: compiling pam radius module
Hello,

So when do you want to get your goods?
RE: how to use groups within freeradius
Phil, your examples were straight on, and very helpful. I ended up using SQL-Group within /etc/freeradius/users + huntgroups and the groups that I've created; it worked the very first time, with no problems.

To answer your other question, this is with freeradius version:

root@TACACS:/etc/init.d# freeradius -v | grep Version
freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Mar 30 2007 at 22:44:34
root@TACACS:/etc/init.d#

Thanks

-----Original Message-----
From: freeradius-users-bounces+kfelix=jdltech@lists.freeradius.org on behalf of Phil Mayers
Sent: Tue 6/28/2011 3:55 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: how to use groups within freeradius

On 06/27/2011 09:29 PM, Ken Felix wrote:
> Can anybody post a simple howto with regards to using groups within freeradius? What we would like to do is restrict some users from logging into various firewalls. I've created usergroups and defined

Which version of FreeRADIUS are you using?

Anyway, the group config you've written doesn't do what you want. All it says is if you're this username and coming from these IPs, you're in the group. You're not actually acting on the group membership.

There are lots of ways to do this, but personally I prefer to keep SQL groups entirely user-based, and use huntgroups for NAS IPs, then compare the two. So:

raddb/huntgroups:

restricted	NAS-IP-Address == 192.0.2.1

raddb/sites-enabled/xxx:

authorize {
  if (Huntgroup-Name == restricted) {
    if (SQL-Group == restricted) {
      # ok to login
    }
    else {
      reject
    }
  }
}

...or if you prefer to use a users file, in raddb/users:

DEFAULT	Huntgroup-Name == restricted, SQL-Group == restricted
	Fall-Through = No

DEFAULT	Huntgroup-Name == restricted, Auth-Type := Reject
	Fall-Through = No

There are lots of other ways to accomplish this.

The point being, you need to actually check the group, and if you define the group so that it depends on the username, and the thing they're permitted to access, then you're essentially writing a whitelist and would need something like, in your example, raddb/users:

DEFAULT	SQL-Group == xxx
	Fall-Through = No

DEFAULT	SQL-Group == yyy
	Fall-Through = No

DEFAULT	Auth-Type := Reject
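The two users-file policies in Phil's reply, as an added Python model (not FreeRADIUS code and not from the thread): it replays the users-file matching rules, entries tried top to bottom, an entry applied when its name or DEFAULT and every check item match, Fall-Through = No stopping at the first applied entry, over constructed requests. Huntgroup-Name and SQL-Group are assumed to be on the request already (in the real server the preprocess module adds Huntgroup-Name from raddb/huntgroups and rlm_sql evaluates SQL-Group against the usergroup table), and SQL-Group is modelled as the set of groups the user belongs to.

```python
"""Model of the FreeRADIUS users-file semantics used in Phil's reply.

Added example, not FreeRADIUS code.  Entries are tried top to bottom, an entry
applies when its name (or DEFAULT) and every check item match, and
Fall-Through = No stops processing at the first applied entry.  Huntgroup-Name
and SQL-Group are assumed to be on the request already; a user may belong to
several SQL groups, so SQL-Group is modelled as a set.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    name: str                          # "DEFAULT" or an explicit User-Name
    checks: dict                       # check items, all compared with "=="
    control: dict = field(default_factory=dict)   # items set with ":=" (e.g. Auth-Type)
    fall_through: bool = False         # Fall-Through = No unless stated


def item_matches(request, attr, wanted):
    """'==' against a request value; a set (SQL-Group) matches if it contains the value."""
    have = request.get(attr)
    if isinstance(have, (set, frozenset)):
        return wanted in have
    return have == wanted


def entry_matches(entry, request):
    if entry.name != "DEFAULT" and request.get("User-Name") != entry.name:
        return False
    return all(item_matches(request, a, v) for a, v in entry.checks.items())


def evaluate(entries, request):
    """Return the control items collected from matching entries, in file order."""
    control = {}
    for entry in entries:
        if entry_matches(entry, request):
            control.update(entry.control)
            if not entry.fall_through:
                break
    return control


def is_rejected(entries, request):
    return evaluate(entries, request).get("Auth-Type") == "Reject"


# Phil's first variant: compare the NAS huntgroup with the user's SQL group.
HUNTGROUP_POLICY = [
    Entry("DEFAULT", {"Huntgroup-Name": "restricted", "SQL-Group": "restricted"}),
    Entry("DEFAULT", {"Huntgroup-Name": "restricted"}, {"Auth-Type": "Reject"}),
]

# Phil's whitelist variant: named groups pass, everything else is rejected.
WHITELIST_POLICY = [
    Entry("DEFAULT", {"SQL-Group": "xxx"}),
    Entry("DEFAULT", {"SQL-Group": "yyy"}),
    Entry("DEFAULT", {}, {"Auth-Type": "Reject"}),
]

# Constructed requests, loosely based on the usergroup table in the thread.
REQUESTS = {
    "admin on restricted firewall": {"User-Name": "asa1.test", "Huntgroup-Name": "restricted",
                                     "SQL-Group": {"adminasa", "restricted"}},
    "login user on restricted firewall": {"User-Name": "test.user", "Huntgroup-Name": "restricted",
                                          "SQL-Group": {"Login users"}},
    "login user elsewhere": {"User-Name": "test.user", "SQL-Group": {"Login users"}},
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        hg = "reject" if is_rejected(HUNTGROUP_POLICY, req) else "continue"
        wl = "reject" if is_rejected(WHITELIST_POLICY, req) else "continue"
        print(f"{label:36s} huntgroup policy: {hg:9s} whitelist policy: {wl}")
```

"continue" here means no entry forced Auth-Type := Reject, so authentication proceeds as the rest of the configuration dictates; note that the whitelist variant rejects the "login user elsewhere" request because that user is in neither xxx nor yyy, which is exactly the difference between the two variants Phil points out.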
how to use groups within freeradius
Can anybody post a simple howto with regards to using groups within freeradius? What we would like to do is restrict some users from logging into various firewalls. I've created usergroups and defined

mysql> select * from usergroup ;
+-----------+-------------+----------+
| UserName  | GroupName   | priority |
+-----------+-------------+----------+
|           | login users |        1 |
| asa1.test | adminasa    |        1 |
| test.user | Login users |        1 |
+-----------+-------------+----------+

and

mysql> select * from radgroupcheck ;
+----+-----------+----------------+----+----------------+
| id | GroupName | Attribute      | op | Value          |
+----+-----------+----------------+----+----------------+
|  1 | adminasa  | NAS-IP-Address | == | 10.252.128.11  |
|  2 | adminasa  | NAS-IP-Address | == | 10.252.253.199 |
|  3 | adminasa  | NAS-IP-Address | == | 10.250.32.68   |
|  4 | adminasa  | NAS-IP-Address | == | 10.250.32.69   |
|  5 | adminasa  | NAS-IP-Address | == | 10.254.32.68   |
|  6 | adminasa  | NAS-Identifier | == | 10.252.128.11  |
+----+-----------+----------------+----+----------------+
6 rows in set (0.00 sec)

debug shows the following;

Sending Access-Reject of id 10 to 10.159.103.154 port 1812
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.252.128.11:1025, id=40, length=67
        User-Name = asa1.test
        User-Password = 30
        NAS-IP-Address = 10.252.128.11
        NAS-Port = 43
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
  modcall[authorize]: module preprocess returns ok for request 18
  modcall[authorize]: module chap returns noop for request 18
  modcall[authorize]: module mschap returns noop for request 18
    rlm_realm: No '@' in User-Name = asa1.test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 18
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 18
  modcall[authorize]: module files returns notfound for request 18
radius_xlat: 'asa1.test'
rlm_sql (sql): sql_set_user escaped user -- 'asa1.test'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'asa1.test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'asa1.test' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'asa1.test' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'asa1.test' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns ok for request 18
modcall: leaving group authorize (returns ok) for request 18
auth: type Crypt
Login OK: [asa1.test] (from client SBBC port 43)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 18
rlm_sql (sql): Processing sql_postauth
radius_xlat: 'asa1.test'
rlm_sql (sql): sql_set_user escaped user -- 'asa1.test'
radius_xlat: 'INSERT into radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), NOW(), '0', 'Local', '', 'Access-Accept', '')'
radius_xlat: '/var/log/freeradius/sqltrace.sql'
rlm_sql (sql) in sql_postauth: query is INSERT into radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, AcctTerminateCause, NASIdentifier) values
Re: eappeap_postproxy() - set fake-proxy_reply
Hello,

Could I explain in more detail? I want to proxy PEAP to an old server which cannot deal with EAP. This worked on 2.0.4 but didn't work on 2.1.10. I can't understand what's wrong. Comparing the debug outputs, I noticed a difference: after "[eap] Passing reply back for EAP-MS-CHAP-V2", mschap_postproxy() was called in 2.0.4, but not in 2.0.10.

thanks.

configuration

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
checkrad = ${sbindir}/checkrad
proxy_requests = yes
listen {
	type = auth
	ipaddr = *
	port = 0
}
log {
	destination = files
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
}
security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
}
realm legacy {
	authhost = 192.168.1.5:1645
	secret = testing123
}
client 10.0.0.0/8 {
	secret = testing456
	shortname = priv10
	nastype = other
}
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	eap {
		default_eap_type = mschapv2
		timer_expire = 60
		ignore_unknown_eap_types = no
		cisco_accounting_username_bug = no
		max_sessions = 2048
		tls {
			certdir = ${confdir}/certs
			cadir = ${confdir}/certs
			private_key_password = tetest123
			private_key_file = ${certdir}/server.key
			certificate_file = ${certdir}/server.pem
			CA_file = ${cadir}/ca.pem
			dh_file = ${certdir}/dh
			random_file = ${certdir}/random
			cipher_list = DEFAULT
			cache {
				enable = no
				lifetime = 24 # hours
				max_entries = 255
			}
		}
		peap {
			default_eap_type = mschapv2
			copy_request_to_tunnel = no
			use_tunneled_reply = no
			proxy_tunneled_request_as_eap = no
			virtual_server = inner-tunnel
		}
		mschapv2 {
		}
	}
}
server inner-tunnel {
	authorize {
		update control {
			Proxy-To-Realm := legacy
		}
	}
	authenticate {
		eap
	}
	post-proxy {
		eap
	}
}
authorize {
	eap {
		ok = return
	}
}
authenticate {
	eap
}
post-proxy {
	eap
}

debug output

FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Feb 16 2011 at 10:52:08
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
main {
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/freeradius
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/freeradius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = /var/run/freeradius/freeradius.pid
	checkrad = /usr/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
	log {
		stripped_names = no
		auth = no
		auth_badpass = no
		auth_goodpass = no
	}
	security {
		max_attributes = 200
		reject_delay = 1
		status_server = yes
	}
}
radiusd: Loading Realms and Home Servers
realm legacy {
	authhost = 192.168.1.5:1645
	secret = testing123
}
radiusd: Loading Clients
client 10.0.0.0/8 {
	require_message_authenticator = no
	secret = testing456
	shortname = priv10
	nastype = other
}
radiusd: Instantiating modules
radiusd:
eappeap_postproxy() - set fake-proxy_reply
Hello, I can't think I understand what went wrong but it works. just escaping from first NULL check in eap_post_proxy() or commit: add0068afc3b732c27c9cc116d7ec331f9a32735 says I misconfigured PEAP proxy? --- src/modules/rlm_eap/types/rlm_eap_peap/peap.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c index 0d9a031..36c012b 100644 --- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c +++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c @@ -571,7 +571,7 @@ static int eappeap_postproxy(EAP_HANDLER *handler, void *data) request-proxy = NULL; rad_assert(fake-reply == NULL); - fake-reply = request-proxy_reply; + fake-reply = fake-proxy_reply = request-proxy_reply; request-proxy_reply = NULL; if ((debug_flag 0) fr_log_fp) { @@ -585,7 +585,7 @@ static int eappeap_postproxy(EAP_HANDLER *handler, void *data) fake-options = ~RAD_REQUEST_OPTION_PROXY_EAP; RDEBUG2(Passing reply back for EAP-MS-CHAP-V2); module_post_proxy(0, fake); + fake-proxy_reply = NULL; /* * FIXME: If rcode returns fail, do something -- 1.7.2.3 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
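Review bot: after the first peap.c hunk, `fake->reply` and `fake->proxy_reply` both point at the single packet taken from `request->proxy_reply`, and the second hunk clears `fake->proxy_reply` only on the straight-line path after `module_post_proxy(0, fake)`; the `FIXME: If rcode returns fail, do something` comment that follows marks the place where an error branch is likely to be added, and any branch that frees `fake` before that clearing line would free the same packet twice. Clear `fake->proxy_reply` in one spot that every path passes (immediately after the call, before any rcode handling), and put a comment on the aliasing assignment saying it exists only so that post-proxy modules such as mschap can find a `proxy_reply` on the fake request, since that is the 2.0.4 behaviour the earlier message in this thread says went missing in 2.1.10.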
fix freeing eap_handler as opaque (and typo)
Hello, I hope this would be hint for fixing segfault and better solution. Thanks. Subject: [PATCH 1/2] freeing EAP opaque with one arg --- src/modules/rlm_eap/eap.h |1 + src/modules/rlm_eap/mem.c |8 src/modules/rlm_eap/rlm_eap.c |6 -- src/modules/rlm_eap/rlm_eap.h |1 + 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/modules/rlm_eap/eap.h b/src/modules/rlm_eap/eap.h index 0150ef2..6d845ad 100644 --- a/src/modules/rlm_eap/eap.h +++ b/src/modules/rlm_eap/eap.h @@ -107,6 +107,7 @@ typedef struct _eap_handler { void*opaque; void(*free_opaque)(void *opaque); + void*inst_holder; int status; diff --git a/src/modules/rlm_eap/mem.c b/src/modules/rlm_eap/mem.c index c5a5973..e702b19 100644 --- a/src/modules/rlm_eap/mem.c +++ b/src/modules/rlm_eap/mem.c @@ -136,6 +136,14 @@ EAP_HANDLER *eap_handler_alloc(rlm_eap_t *inst) return handler; } +void eap_opaque_free(EAP_HANDLER *handler) +{ + if (!handler) + return; + + eap_handler_free(handler-inst_holder, handler); +} + void eap_handler_free(rlm_eap_t *inst, EAP_HANDLER *handler) { if (!handler) diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c index 5cc74bc..c91bd0e 100644 --- a/src/modules/rlm_eap/rlm_eap.c +++ b/src/modules/rlm_eap/rlm_eap.c @@ -347,10 +347,11 @@ static int eap_authenticate(void *instance, REQUEST *request) * can retrieve it in the post-proxy stage, and * send a response. */ + handler-inst_holder = inst; rcode = request_data_add(request, inst, REQUEST_DATA_EAP_HANDLER, handler, -(void *) eap_handler_free); +(void *) eap_opaque_free); rad_assert(rcode == 0); return RLM_MODULE_HANDLED; @@ -372,10 +373,11 @@ static int eap_authenticate(void *instance, REQUEST *request) * can retrieve it in the post-proxy stage, and * send a response. */ + handler-inst_holder = inst; rcode = request_data_add(request, inst, REQUEST_DATA_EAP_HANDLER, handler, -(void *) eap_handler_free); +(void *) eap_opaque_free); rad_assert(rcode == 0); /* 
diff --git a/src/modules/rlm_eap/rlm_eap.h b/src/modules/rlm_eap/rlm_eap.h index 84b4b50..0de2ae6 100644 --- a/src/modules/rlm_eap/rlm_eap.h +++ b/src/modules/rlm_eap/rlm_eap.h @@ -105,6 +105,7 @@ EAP_DS *eap_ds_alloc(void); EAP_HANDLER*eap_handler_alloc(rlm_eap_t *inst); void eap_packet_free(EAP_PACKET **eap_packet); void eap_ds_free(EAP_DS **eap_ds); +void eap_opaque_free(EAP_HANDLER *handler); void eap_handler_free(rlm_eap_t *inst, EAP_HANDLER *handler); inteaplist_add(rlm_eap_t *inst, EAP_HANDLER *handler); -- Subject: [PATCH 2/2] fix typo --- src/modules/rlm_eap/types/rlm_eap_peap/peap.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c index b77d647..0d9a031 100644 --- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c +++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c @@ -1133,8 +1133,8 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session) request-proxy = fake-packet; memset(request-proxy-src_ipaddr, 0, sizeof(request-proxy-src_ipaddr)); - memset(request-proxy-src_ipaddr, 0, - sizeof(request-proxy-src_ipaddr)); + memset(request-proxy-dst_ipaddr, 0, + sizeof(request-proxy-dst_ipaddr)); request-proxy-src_port = 0; request-proxy-dst_port = 0; fake-packet = NULL; -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
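Review bot: for PATCH 1/2, the defect the rlm_eap.c hunks work around is a callback signature mismatch: `request_data_add()` is handed a one-argument free function, while `eap_handler_free(rlm_eap_t *inst, EAP_HANDLER *handler)` takes two, so the old `(void *) eap_handler_free` cast had it called with the opaque pointer as `inst` and garbage as `handler`; the commit message should say that, rather than "freeing EAP opaque with one arg", because it is the explanation for the segfault. Two follow-ups: `handler->inst_holder = inst;` is repeated at both call sites just before `request_data_add`, yet `eap_handler_alloc(rlm_eap_t *inst)` (visible in the mem.c hunk header) already receives `inst`, so set it there once and no future caller can forget it; and declare the wrapper as `void eap_opaque_free(void *opaque)` with the cast inside, so the `(void *) eap_opaque_free` cast at the call sites can go and the compiler checks the callback type.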
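Review bot: for PATCH 2/2, the peap.c hunk fixes a copy-and-paste error in `eappeap_process()` where `request->proxy->src_ipaddr` was zeroed twice and `request->proxy->dst_ipaddr` never; the subject "fix typo" undersells it. State in the commit message that `dst_ipaddr` of the fake proxy packet was left un-initialised, since that is the phrase anyone bisecting proxy misbehaviour in this code path will search for.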
Help with Rewriting RAD_REQUEST in rlm_perl for proxy
Greetings!

I'm using freeradius installed from the freeradius.i386 1.1.3-1.2.el rpm on CentOS 5 (recompiled RedHat).

I'd like to use freeradius as an accounting proxy between two other machines, in order to rewrite some Attributes (User-Name and Acct-Session-Id) before they arrive at their final destination. I need to rewrite any reference to a username to a unique ID number (long story).

I embarked on using rlm_perl for this task. I have the proxy working, but when the data arrives at its destination the Attributes have not been changed. I'm hoping someone has changed attributes before they are sent along to their Accounting radius server in a similar manner, with rlm_perl.

I have tried changing many hashes, and to be honest I'm very new to freeradius and I'm not sure which one should be changed. That's where I seem to be stuck: how to change RAD_REQUEST{'User-Name'} so that when it is proxied it sends my rewrites.

Thank you for any help or pointers you can provide! Examples of what I have done are below.

-Ken

Here is one example of what I have tried in the perl module I wrote, from my_filter.pl:

...
# Function to handle pre_proxy
sub pre_proxy {
	# For debugging purposes only
	print "start pre_proxy ***\n";
	$RAD_REPLY{'User-Name'} = "12345678";
	$RAD_REQUEST{'User-Name'} = "12345678";
	$RAD_REPLY{'Acct-Session-Id'} = "12345678";
	$RAD_REQUEST{'Acct-Session-Id'} = "12345678";
	log_request_attributes;
	print "returning from pre_proxy ***\n";
	return RLM_MODULE_UPDATED;
}
...

In the modules section of radiusd.conf I have:

...
perl {
	module = /etc/raddb/modules/my_filter.pl
	func_pre_proxy = pre_proxy
	func_post_proxy = post_proxy
}
...

and also in radiusd.conf:

...
pre-proxy {
	perl
}
post-proxy {
	perl
}
...

Here is the output I get when I feed radiusd a faked (to protect the innocent) request:

# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded perl
 perl: module = /etc/raddb/modules/orange_filter.pl
 perl: func_authorize = authorize
 perl: func_authenticate = authenticate
Fwd: Help with Rewriting RAD_REQUEST in rlm_perl for proxy
Sorry, my bad, I upgraded to 2.0.5 and this all started to work fine :-)

-Ken

Begin forwarded message:
> Greetings! I'm using freeradius installed from the freeradius.i386 1.1.3-1.2.el rpm on CentOS 5 (recompiled RedHat).
Re: Shared secret is incorrect - but it is identical!
Alan DeKok wrote:
> (1) The shared secret is wrong
> (2) The code is buggy
>
> There are no alternatives. This is often due to broken MD5 libraries, or 32/64-bit issues. But FreeRADIUS hasn't had those kind of bugs for *years*.

Yep, you were right, there must be some corruption or crap on the Fedora system I was using as a test client. I installed 1.1.6 on a Suse box I have, copied exactly the same raddb onto it, and radtest worked first time.
Re: Shared secret is incorrect - but it is identical!
Alan DeKok wrote:
> (1) The shared secret is wrong
> (2) The code is buggy
>
> There are no alternatives. This is often due to broken MD5 libraries, or 32/64-bit issues. But FreeRADIUS hasn't had those kind of bugs for *years*.

I suspect you may well be right. Upgrading FC6 hasn't made a difference. Time to reformat and reinstall from scratch I suppose :-(
Re: Shared secret is incorrect - but it is identical!
Josh Howlett wrote:
> What happens if, using radtest, you specify the username *without* the realm from the remote machine?

It fails just the same way.
It fails whether the user is in /etc/passwd or /etc/raddb/users.
It fails whether Auth := local is in there or not.
It fails whether I check for User-password or Cleartext-password.

=
rad_recv: Access-Request packet from host nnn.nnn.nnn.nnn:32773, id=209, length=58
        User-Name = username
        User-Password = \356za\360V\202oljug\263\025M!)
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 212
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 35
  modcall[authorize]: module preprocess returns ok for request 35
radius_xlat: '/var/log/radius/radacct/nnn.nnn.nnn.nnn/auth-detail-20070704'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/nnn.nnn.nnn.nnn/auth-detail-20070704
  modcall[authorize]: module auth_log returns ok for request 35
  modcall[authorize]: module chap returns noop for request 35
  modcall[authorize]: module mschap returns noop for request 35
    rlm_realm: No '@' in User-Name = username, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = username
    rlm_realm: Proxying request from user username to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 35
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 35
    users: Matched entry DEFAULT at line 20
  modcall[authorize]: module files returns ok for request 35
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 35
modcall: leaving group authorize (returns ok) for request 35
rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 35
  modcall[authenticate]: module unix returns notfound for request 35
modcall: leaving group authenticate (returns notfound) for request 35
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
=

If I try another user with no Auth := local in the user definition, just the username and User-password, it is much the same until:

=
  modcall[authorize]: module suffix returns noop for request 37
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 37
    users: Matched entry username at line 6
  modcall[authorize]: module files returns ok for request 37
  modcall[authorize]: module pap returns updated for request 37
modcall: leaving group authorize (returns updated) for request 37
rad_check_password: Found Auth-Type pap
auth: type PAP
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 37
rlm_pap: login attempt with password pÌ?¶ákýÌ2p?c?¡MS
rlm_pap: Using clear text password NoAuthpwd1.
rlm_pap: Passwords don't match
  modcall[authenticate]: module pap returns reject for request 37
modcall: leaving group PAP (returns reject) for request 37
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
=
Re: Shared secret is incorrect - but it is identical!
Edvin Seferovic wrote:
> Does this have anything to do with the authentication method and AD ? I don't think so.

Neither do I! We're not looking at AD yet. A colleague of mine tried to set it up for JRS by roughly copying someone else's configuration. It failed. So I reinstalled FreeRadius and samba from scratch and started again, re-introducing changes one at a time. I can make ntlm_auth work from the command line but not from FreeRadius yet, so I dropped it and am trying to ensure I can run a minimal test.

> Ken, are you using a 64bit OS maybe? I had the same problem ( shared secret was incorrect ) due to a broken library on the 64bit version of SuSE 9.1.

Er, I don't think so! Well, I hope not! (wondering how to tell for sure...)

# uname -a
Linux ficus.ccs.bbk.ac.uk 2.6.20-1.2962.fc6 #1 SMP Tue Jun 19 18:24:12 EDT 2007 i686 i686 i386 GNU/Linux
#
# getconf LONG_BIT
32
#
# getconf WORD_BIT
32
#
# file /usr/local/bin/radclient
/usr/local/bin/radclient: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
#
#
# cat /proc/cpuinfo
processor       : 3
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Xeon(TM) CPU 3.00GHz
stepping        : 10
cpu MHz         : 3000.487
cache size      : 2048 KB
physical id     : 3
siblings        : 2
core id         : 0
cpu cores       : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm constant_tsc pni monitor ds_cpl cid cx16 xtpr lahf_lm
bogomips        : 5999.40
clflush size    : 64
Shared secret is incorrect - but it is identical!
I'm trying to get FreeRadius working on a Fedora Core 6 server with a view to eventually using it to authenticate against Windows Active Directory via ntlm_auth for the Janet Roaming Service.

The first attempts at configuring it failed rather drastically, so I went back to the beginning and I'm doing things one step at a time, making one-line changes to configs then using radtest and/or radclient to ensure it still works.

I can now authenticate users defined in the users file, or in the Unix passwd file, from radtest on the local machine (i.e. the same one the server is running on).

The next step is to check that I can use FreeRadius over the network by trying radclient on another machine. It doesn't work from the networked machine. I see the "invalid signature (err=2)! (Shared secret is incorrect.)" message. The debug log says to double-check the shared secret on the server. I have more than double-checked it. I'm using the same shared secret on both machines. I know the shared secret is correct because it works from the local machine. But obviously it isn't! Because the encrypted password can't be read on the server. What can I do to make sure the shared secret truly is correct?

The definitions for both hosts are identical in the clients.conf file. At one point I manually edited them to swap the names of the servers while leaving the secrets the same, just in case there was some hidden unprintable character, but the new local one still worked, proving that the two entries in the clients.conf file are in fact identical.

The shared secrets used in the radtest command are identical. I'm cutting and pasting the *same* radtest command in, not retyping it. To test for sure I put radclient commands in scripts on the remote machine, where they failed. Then I ftped them from the machine they failed on to the other one, where they worked! So it *has* to be the same! And if I alter it in any way there then radtest fails, so it's not getting a free passage just because it's local.

I have a horrid fear I've missed something totally obvious about how radclient works and that I'm doing something really, really stupid, but I can't see what. And I've been stuck here for over a week now. Any clues?

From the local machine I get:

===
[EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
Sending Access-Request of id 121 to server.IP.addr port 1812
        User-Name = [EMAIL PROTECTED]
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 122
rad_recv: Access-Accept packet from host server.IP.addr:1812, id=121, length=20
===

But when I try from the remote machine I get:

===
/usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
Sending Access-Request of id 184 to server.IP.addr port 1812
        User-Name = [EMAIL PROTECTED]
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 122
rad_recv: Access-Reject packet from host server.IP.addr:1812, id=184, length=20
rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)

[EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
Sending Access-Request of id 246 to server.IP.addr port 1812
        User-Name = [EMAIL PROTECTED]
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 122
rad_recv: Access-Reject packet from host server.IP.addr:1812, id=246, length=20
rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)

[EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
Sending Access-Request of id 7 to server.IP.addr port 1812
        User-Name = [EMAIL PROTECTED]
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 122
rad_recv: Access-Reject packet from host server.IP.addr:1812, id=7, length=20
rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
==

I strongly suspect that I am doing something stupid on the client side, because the same request works from the local server. But just in case it's relevant, on the server in debug mode the failed transaction looks like this:

==
rad_recv: Access-Request packet from host client.IP.addr:32772, id=61, length=68
        User-Name = [EMAIL PROTECTED]
        User-Password = V\303\245\321\364Fb\334\373\275\242\203\\o6\264
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 122
  Processing the authorize section of radiusd.conf
modcall:
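The two messages this thread keeps hitting, "Unprintable characters in the password" in the server debug output and "invalid signature (err=2)! (Shared secret is incorrect.)" from radtest, come from the two RFC 2865 MD5 constructions that are keyed with the shared secret: User-Password hiding (section 5.2) and the Response Authenticator (section 3). The Python below is an added example, not FreeRADIUS or radtest code: it implements both and replays one request with matching and with mismatching secrets so that each side's symptom can be reproduced offline. Secrets, password and Request Authenticator are constructed values; the Message-Authenticator attribute of RFC 2869 is not modelled.

```python
"""RFC 2865 User-Password hiding and Response Authenticator, reproduced offline.

Added example, not FreeRADIUS/radtest code.  All secrets, passwords and
Request Authenticators used here are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    16-byte Request Authenticator the client chose for this request."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password.  With a different secret the MD5 key stream
    differs, so the server recovers noise; that is what it reports as
    'Unprintable characters in the password'."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")   # strip RFC padding (passwords ending in NUL are ambiguous)


def has_unprintable(data: bytes) -> bool:
    """Server-side sanity warning: any byte outside printable ASCII."""
    return any(b < 0x20 or b > 0x7e for b in data)


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check radtest/radclient perform before trusting a reply; a mismatch is
    what they print as 'invalid signature (err=2)! (Shared secret is incorrect.)'."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def simulate_exchange(password: bytes, client_secret: bytes, server_secret: bytes,
                      request_auth: bytes) -> dict:
    """One radtest-style round trip; returns what each side observed."""
    hidden = hide_password(password, client_secret, request_auth)   # client hides
    seen = unhide_password(hidden, server_secret, request_auth)     # server unhides
    code = ACCESS_ACCEPT if seen == password else ACCESS_REJECT
    reply = build_response(code, 7, b"", request_auth, server_secret)
    return {
        "server_saw_password": seen,
        "server_warning": has_unprintable(seen),
        "reply_code": code,
        "client_signature_ok": verify_response(reply, request_auth, client_secret),
    }


if __name__ == "__main__":
    ra = os.urandom(16)   # a fresh Request Authenticator per request, as a real client does
    # Constructed mismatch: the server copy carries an invisible trailing space.
    for server_secret in (b"sharedsecret", b"sharedsecret "):
        print(repr(server_secret), simulate_exchange(b"password", b"sharedsecret", server_secret, ra))
```

With identical secrets the server recovers the password and the client accepts the reply's signature; with the trailing-space variant (a constructed illustration, the thread never found its own cause) the server logs the unprintable-password warning and answers Access-Reject, and the client additionally fails the signature check because the Reject was signed with the other secret. Both symptoms seen in the thread therefore point at the same single fact, that the two ends are not hashing the same secret bytes, whatever the configuration files appear to say.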
More on double free or corruption errors
I strongly suspect it's a Fedora problem, not a Freeradius problem. (Or else I made a boo-boo configuring the OS.)

Alan DeKok replied to matthew zeier:
> Let me be clear: I cannot reproduce this problem here. No one else has seen the same problem.

May or may not be relevant, but I've got two supposedly identical Fedora 6 machines: one gets a similar error, the other doesn't! Both upgraded with yum to current level, followed by manual install and configure of Freeradius 1.1.5 - I cut and pasted the commands from one machine to the other and I FTPed the files, including the ones I modified. (And the one it works on is the SECOND one I installed, so it's not a failure to copy correctly!)

I think there must be some difference in my /usr/local/lib/libltdl.so.3.1.4 - they are slightly different sizes. I have no idea why, I used the same commands to install both systems. I will compare them.

Just in case it means anything to anyone I attach the command output, but as I said my guess is it's a Fedora problem.

[EMAIL PROTECTED] raddb]# radiusd -v
radiusd: FreeRADIUS Version 1.1.5, for host i686-pc-linux-gnu, built on Mar 9 2007 at 13:16:16
Copyright (C) 2000-2006 The FreeRADIUS server project.

[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
--More--
*** glibc detected *** radiusd: double free or corruption (fasttop): 0x81029498 ***
=== Backtrace: =
/lib/libc.so.6[0x24b09d]
/lib/libc.so.6(cfree+0x90)[0x24e6f0]
/usr/local/lib/libltdl.so.3[0x14151b]
/usr/local/lib/libltdl.so.3(lt_dlopenext+0xbe)[0x141eae]
radiusd(find_module_instance+0x317)[0x8000cbb7]
radiusd(setup_modules+0x1d8)[0x8000d168]
radiusd(main+0x45c)[0x8001079c]
/lib/libc.so.6(__libc_start_main+0xdc)[0x1faf2c]
radiusd[0x80004771]
Compile error -- HELP
I am trying to install freeradius 1.1.4 on Solaris 10 using the following commands.

./configure --without-rlm-x99-token

configure creates the Makefile. I then run make and get the following error:

gcc -shared -Wl,-h -Wl,libradius-1.1.4.so -o .libs/libradius-1.1.4.so .libs/crypt.o .libs/dict.o .libs/filters.o .libs/hash.o .libs/hmac.o .libs/hmacsha1.o .libs/isaac.o .libs/log.o .libs/misc.o .libs/missing.o .libs/md4.o .libs/md5.o .libs/print.o .libs/radius.o .libs/rbtree.o .libs/sha1.o .libs/snprintf.o .libs/token.o .libs/udpfromto.o .libs/valuepair.o -lcrypt -lc
(cd .libs && rm -f libradius.so && ln -s libradius-1.1.4.so libradius.so)
false cru .libs/libradius.a crypt.o dict.o filters.o hash.o hmac.o hmacsha1.o isaac.o log.o misc.o missing.o md4.o md5.o print.o radius.o rbtree.o sha1.o snprintf.o token.o udpfromto.o valuepair.o
make[4]: *** [libradius.la] Error 1
make[4]: Leaving directory `/export/home/freeradius-1.1.4/src/lib'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/export/home/freeradius-1.1.4/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/export/home/freeradius-1.1.4/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/export/home/freeradius-1.1.4'
make: *** [all] Error 2

Thanks
Re: mod_auth_radius values
Try the environment variable REMOTE_USER:

#!/usr/bin/perl
# Dump every CGI environment variable; REMOTE_USER is the authenticated name
print "Content-type: text/html\n\n";
foreach $key (keys %ENV) {
    print "$key -- $ENV{$key}<br>";
}

Ken

Alan DeKok wrote:
> Ayres G.J. [EMAIL PROTECTED] wrote:
>> I am developing a web system that authenticates users to a web site through free radius using the mod_auth_radius module for apache. It all works fine, but I would like to get the username of the user that has authenticated for use on pages once they have authenticated.
>
> It's in the HTTP headers. The username & password are sent in every request.
>
>> I am not sure how to go about this. I guess that the values are set in a cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I could retrieve the values, either through HTML or PHP?
>
> Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the module source code for where the headers are, and the PHP docs for how to get at them.
>
> Alan DeKok.
Re: mod_auth_radius values
Or even easier, if apache is set up for SSI, you can just plunk this into your web page where you want the authenticated username:

<!--#echo var="REMOTE_USER" -->

Ken

Alan DeKok wrote:
> Ayres G.J. [EMAIL PROTECTED] wrote:
>> I am developing a web system that authenticates users to a web site through free radius using the mod_auth_radius module for apache. It all works fine, but I would like to get the username of the user that has authenticated for use on pages once they have authenticated.
>
> It's in the HTTP headers. The username & password are sent in every request.
>
>> I am not sure how to go about this. I guess that the values are set in a cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I could retrieve the values, either through HTML or PHP?
>
> Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the module source code for where the headers are, and the PHP docs for how to get at them.
>
> Alan DeKok.
Config problem: ntlm_auth works outside of freeradius, but not in
The ntlm_auth command works from the command line, but not within freeradius (1.0.1) on RHEL 3.0 update 4. Below is my ntlm_auth command from within radiusd.conf, the debug output, and the successful command line run of the ntlm_auth program. Where do I look for what I have misconfigured? I'm happy that I configured the client section correctly and my 3005 is now talking to freeradius, but I'll be happier when it can actually authorize.

        ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
}

Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
        User-Name = ken george
        User-Password = 262144
        Vendor-3076-Attr-32 = 0x0015
        NAS-IP-Address = 10.10.61.5
        NAS-Port-Type = Virtual
rad_lowerpair: User-Name now 'ken george'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
    rlm_realm: No '@' in User-Name = ken george, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
    rlm_realm: No '\' in User-Name = ken george, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module ntdomain returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 1
    users: Matched DEFAULT at 204
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password: Found Auth-Type win_domain
auth: type win_domain
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
radius_xlat: '/usr/bin/ntlm_auth --username=ken george --password=xx --domain=usmisgnet'
Exec-Program: /usr/bin/ntlm_auth --username=ken george --password= xx --domain=usmisgnet
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
rlm_exec (win_domain): External script failed
  modcall[authenticate]: module win_domain returns fail for request 1
modcall: group Auth-Type returns fail for request 1
auth: Failed to validate the user.
Login incorrect: [ken george] (from client VPN3005_Pri port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.10.61.5:1045, id=2, length=74
Sending Access-Reject of id 2 to 10.10.61.5:1045
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 2 with timestamp 42dd17f4
Nothing to do. Sleeping until we see a request.

[EMAIL PROTECTED] raddb]# /usr/bin/ntlm_auth --username=ken george --password= xx --domain=usmisgnet
NT_STATUS_OK: Success (0x0)

Thanks!

Ken George
Systems and Network Engineering
Mi Services Group, Inc.
+1 610-230-2500 x129
need help configuring ntlm_auth w/ freeradius 1.0.1
Alan, as you suggested (thanks) I have commented out LDAP and I am now attempting to authenticate via ntlm_auth. I've configured and started Samba and winbindd. I can authenticate via ntlm_auth outside of Freeradius, but not with it. I KNOW THE PROBLEM IS WITH MY CONFIGURATION AND NOT FREERADIUS! I'd appreciate help in locating / understanding what I have misconfigured. Also, my final goal is to authenticate clients to a Cisco Aironet 1200 via our Windows 2003 Active Directory usernames and passwords; is ntlm_auth the correct method to use?

[EMAIL PROTECTED] raddb]# ntlm_auth --username=test ops --password=xx --domain=usmisgnet --request-NT-key
NT_STATUS_OK: Success (0x0)

Below are the ntlm_auth section of radiusd.conf, the radtest string used, and the debug output from the other window.

        ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
}

radtest test ops xx localhost 0 testing123

radiusd -xxyz -l stdout
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
[NORMAL OUTPUT SUPPRESSED]
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32784, id=232, length=60
--- Walking the entire request list ---
Waking up in 31 seconds...
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
Threads: total/active/spare threads = 5/0/5
        User-Name = test ops
        User-Password = m1sg0ps
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_lowerpair: User-Name now 'test ops'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = test ops, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
    rlm_realm: No '\' in User-Name = test ops, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module ntdomain returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
  modcall[authorize]: module files returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [test ops] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:32784, id=232, length=60
Sending Access-Reject of id 232 to 127.0.0.1:32784
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 232 with timestamp 42d3e0ec
Nothing to do. Sleeping until we see a request.

Ken George
Systems and Network Engineering
Mi Services Group, Inc.
+1 610-230-2500 x129
Need help installing 1.0.4 on RHEL update 4
#include <snmp.h>
#include <snmp_impl.h>
int main() { int a = 1; ; return 0; }
configure:8649: checking gethostbyaddr_r() syntax
configure:8672: gcc -o conftest -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG conftest.c -lnsl -lresolv -lpthread -lcrypto -lssl 1>&5
configure:8754: checking gethostbyname_r() syntax
configure:8766: gcc -o conftest -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG conftest.c -lnsl -lresolv -lpthread -lcrypto -lssl 1>&5
configure:8847: checking ctime_r() syntax
configure:8858: gcc -o conftest -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG conftest.c -lnsl -lresolv -lpthread -lcrypto -lssl 1>&5
configure: In function `main':
configure:8854: too many arguments to function `ctime_r'
configure: failed program was:
#line 8849 "configure"
#include "confdefs.h"
#include <time.h>
int main() { ctime_r(NULL, NULL, 0) ; return 0; }
configure:8883: gcc -o conftest -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG conftest.c -lnsl -lresolv -lpthread -lcrypto -lssl 1>&5

Ken George
Systems and Network Engineering
Mi Services Group, Inc.
+1 610-230-2500 x129
Authenticating to a Windows 2003 active directory
Does anyone have a working radiusd.conf and users file I could see, as I have been unsuccessful configuring Freeradius 1.0.1 to talk to my Active Directory. When I try to test with radtest I get the following:

[EMAIL PROTECTED] freeradius-1.0.4]# radtest ken george xx localhost 1 testing123
Sending Access-Request of id 105 to 127.0.0.1:1812
        User-Name = ken george
        User-Password = xx
        NAS-IP-Address = phllnxsrv01
        NAS-Port = 1
Re-sending Access-Request of id 105 to 127.0.0.1:1812
        User-Name = ken george
        User-Password = \030\035`\222\375Q\267\301\357\270O\352\335Kj3
        NAS-IP-Address = phllnxsrv01
        NAS-Port = 1
Re-sending Access-Request of id 105 to 127.0.0.1:1812
        User-Name = ken george
        User-Password = \030\035`\222\375Q\267\301\357\270O\352\335Kj3
        NAS-IP-Address = phllnxsrv01
        NAS-Port = 1

Is my radtest string correct? Excerpts from radiusd.conf and users follow:

Radiusd.conf

        # Lightweight Directory Access Protocol (LDAP)
        #
        # This module definition allows you to use LDAP for
        # authorization and authentication (Auth-Type := LDAP)
        #
        # See doc/rlm_ldap for description of configuration options
        # and sample authorize{} and authenticate{} blocks
        ldap {
                server = phldcsrv01.us.mi-services.net
                identity = cn=ken george,o=US Users,c=us.mi-services.net
                password = 262144
                basedn = o=phldcsrv01,c=us.mi-services.net
                filter = (uid=%{Stripped-User-Name:-%{User-Name}})
                # base_filter = (objectclass=radiusprofile)

                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                # The StartTLS operation is supposed to be used with normal
                # ldap connections instead of using ldaps (port 689) connections
                start_tls = no
                # tls_cacertfile = /path/to/cacert.pem
                # tls_cacertdir = /path/to/ca/dir/
                # tls_certfile = /path/to/radius.crt
                # tls_keyfile = /path/to/radius.key
                # tls_randfile = /path/to/rnd
                # tls_require_cert = demand

                # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
                # profile_attribute = radiusProfileDn
                access_attr = dialupAccess

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                #
                # NOTICE: The password_header directive is NOT case insensitive
                #
                # password_header = {clear}
                #
                # The server can usually figure this out on its own, and pull
                # the correct User-Password or NT-Password from the database.
                #
                # Note that NT-Passwords MUST be stored as a 32-digit hex
                # string, and MUST start off with 0x, such as:
                #
                #       0x000102030405060708090a0b0c0d0e0f
                #
                # Without the leading 0x, NT-Passwords will not work.
                # This goes for NT-Passwords stored in SQL, too.
                #
                # password_attribute = userPassword
                # groupname_attribute = cn
                # groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
                # groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # do_xlat = yes
                # access_attr_used_for_allow = yes
        }

(output suppressed)

authorize {
        #
        # The preprocess module takes care of sanitizing some bizarre
        # attributes in the request, and turning them into attributes
        # which are more standard.
        #
        # It takes care of processing the 'raddb/hints' and the
        # 'raddb/huntgroups' files.
        #
        # It also adds the %{Client-IP-Address} attribute to the request.
        preprocess

        #
        # If you want to have a log of authentication requests,
        # un-comment the following line, and the 'detail auth_log'
        # section, above.
        # auth_log

        # attr_filter

        #
        # The chap module will set 'Auth-Type := CHAP' if we are
        # handling a CHAP request and Auth-Type has not already been set
        chap

        #
        # If the users are logging in with an MS-CHAP-Challenge
        # attribute
radiusd sending output to stdout without -X flag
Hi all,

I have downloaded, compiled and configured the latest CVS snapshot and it works fine. I have a question: the server is logging to stdout no matter what I do. I am not running with the -X flag. Any ideas? I have the config set up to log to syslog, tried file also, no luck.

Ken
Re: pppoe-server and Framed-Route
We've added framed routes with freeradius like so:

        Framed-IP-Address = x.x.x.1,
        Framed-Route += x.x.x.2/32 x.x.x.1 1,
        Framed-Route += x.x.x.2/32 x.x.x.1 2,
        Framed-Route += x.x.x.2/32 x.x.x.1 3,

or

        Framed-IP-Address = x.x.x.1,
        Framed-Route = x.x.x.x/30 x.x.x.1 1

This is using pppoe, but with redback as terminal server for dsl, so it's a bit different than what you are doing.

Ken

Alan DeKok wrote:
> George Chelidze [EMAIL PROTECTED] wrote:
>> I'd like to add a route to my ppp server box so I add Framed-Route to reply items. All attributes are passed back to pppd as it creates /var/run/radattr.pppX which contains all attributes but route is not added to the system. I understand it's not radius question but it's at least related and maybe someone has seen this before and solved it.
>
> It's a problem with PPPoE.
>
> Alan DeKok.
Re: Dynamic IP Allocation for multiple Radius Servers
Hi guys,

I've been playing with Ruslan's patched rlm_sqlippool module (http://www.onlinebilling.ru/freeradius/rlm_sqlippool.tar.gz), but I've been unable to get it to compile at all. I'm using Debian Sarge (testing), and the freeradius 1.0.1 source. It's been at least seven years since I've debugged any C at all and everything I've tried so far has led to a dead end. I'm pretty sure I'm missing something, but I can't figure out what's actually wrong. If anyone has compiled this on Debian or has any ideas, I'd be extremely grateful for any help.

If I can't get this module, or the older version of this module, working properly (I haven't yet been able to get multiple ip pools working for the default user with the unpatched rlm_sqlippool module), I'm going to have to abandon Freeradius.

Ken.

(Thanks to Alan and Ruslan for their time and help).

This is what happens:

Making static dynamic in rlm_sqlippool...
make[6]: Entering directory `/root/freeradius-1.0.1/src/modules/rlm_sqlippool'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../../include -c rlm_sqlippool.c -o rlm_sqlippool.o
In file included from rlm_sqlippool.c:24:
rlm_sql.h:46: error: parse error before SQL_CONFIG
rlm_sql.h:46: warning: function declaration isn't a prototype
rlm_sql.h:47: error: parse error before SQL_CONFIG
rlm_sql.h:47: warning: function declaration isn't a prototype
rlm_sql.h:48: error: parse error before SQL_CONFIG
rlm_sql.h:48: warning: function declaration isn't a prototype
rlm_sql.h:49: error: parse error before SQL_CONFIG
rlm_sql.h:49: warning: function declaration isn't a prototype
rlm_sql.h:50: error: parse error before SQL_CONFIG
rlm_sql.h:50: warning: function declaration isn't a prototype
rlm_sql.h:51: error: parse error before SQL_CONFIG
rlm_sql.h:51: warning: function declaration isn't a prototype
rlm_sql.h:52: error: parse error before SQL_CONFIG
rlm_sql.h:52: warning: function declaration isn't a prototype
rlm_sql.h:53: error: parse error before SQL_CONFIG
rlm_sql.h:53: warning: function declaration isn't a prototype
rlm_sql.h:54: error: parse error before SQL_CONFIG
rlm_sql.h:54: warning: function declaration isn't a prototype
rlm_sql.h:55: error: parse error before SQL_CONFIG
rlm_sql.h:55: warning: function declaration isn't a prototype
rlm_sql.h:56: error: parse error before SQL_CONFIG
rlm_sql.h:56: warning: function declaration isn't a prototype
rlm_sql.h:57: error: parse error before SQL_CONFIG
rlm_sql.h:57: warning: function declaration isn't a prototype
rlm_sql.h:58: error: parse error before SQL_CONFIG
rlm_sql.h:58: warning: function declaration isn't a prototype
rlm_sql.h:59: error: parse error before SQL_CONFIG
rlm_sql.h:59: warning: function declaration isn't a prototype
rlm_sql.h:66: error: parse error before SQL_CONFIG
rlm_sql.h:66: warning: no semicolon at end of struct or union
rlm_sql.h:70: error: parse error before '}' token

... etc, and then ends:

rlm_sqlippool.c:1038: error: `data' undeclared (first use in this function)
rlm_sqlippool.c:1038: error: parse error before ')' token
rlm_sqlippool.c: In function `sqlippool_detach':
rlm_sqlippool.c:1115: error: `data' undeclared (first use in this function)
rlm_sqlippool.c:1115: error: parse error before ')' token
rlm_sqlippool.c:1113: warning: unused parameter `instance'
make[6]: *** [rlm_sqlippool.o] Error 1
Dynamic IP Allocation for multiple Radius Servers
Hi,

I've been working on building and configuring a cluster which will, amongst other things, run Freeradius (I hope). Currently everything is okay, but now I appear to be stuck. At the moment I'm dynamically allocating IPs using the IPPool module, which is working fine on a single server. Unfortunately the rest of the cluster needs to know which IPs have been assigned.

The running system: Debian Sarge (up to date), Openldap (which is being used for authorisation and authentication), FreeRADIUS 1.0.1. Accounting is being handled by MySQL, which is not currently on the cluster. If the IPPool module could talk to MySQL I wouldn't have a problem. I'm thinking of nfs mounting the database files required for the various pools, but I don't think that's very practical.

Does anyone have any advice or ideas? At this point I'm basically burnt out, and any help would be greatly appreciated, even if it's just a link to something I've missed in google.

Thank you for your time,
Ken.
Re: Dynamic IP Allocation for multiple Radius Servers
Alan DeKok [EMAIL PROTECTED] wrote:
> Ken Doyle [EMAIL PROTECTED] wrote:
>> If the IPPool module could talk to MySQL I wouldn't have a problem. I'm thinking of nfs mounting the database files required for the various pools, but I don't think that's very practical.
>
> There was an rlm_sqlippool a while ago... ftp://rd.ranetka.ru/pub/sql-ip-pool/rlm_sqlippool.tar.gz
>
> That might work.
>
> Alan DeKok.

Thanks for the help Alan, however rd.ranetka.ru does not seem to resolve, and the one other link to this module that I could find (ftp://lopez.globe.net.nz/Linux/freeradius/rlm_sqlippool.tar.gz) does not resolve either. Given that I missed turning up this module in my initial searching, I'm hoping there is another link to this module somewhere. I'll keep looking, but this project needs to go into production soon, and any help would be appreciated, even if it's just a local copy you have lying around.

Thanks again for your help,
Ken.
Re: Dynamic IP Allocation for multiple Radius Servers
Alan DeKok [EMAIL PROTECTED] wrote:
> http://www.striker.ottawa.on.ca/~aland/rlm_sqlippool.tar.gz
>
> It may not be there for long, though.
>
> Alan DeKok.

Thanks Alan, greatly appreciated. It downloaded and extracted fine. I'll go off and tinker with it now. Hopefully that's the last hurdle out of the way.

Ken.
Cisco wireless access point 1231 w/ Freeradius
Hello.

I am trying to set up a freeradius server to authenticate MAC addresses for my cisco wireless access points. The access point I want it to work with is a Cisco 1231.

Now, I set up freeradius and I have an SMC access point (SMC 2552) that it works just fine with. Authenticates just like it's supposed to. I ran freeradius with the -X parameter and watched everything go by. No problems.

So then, I configured the Cisco device. It took a while, but I finally got the Cisco device to talk to freeradius. It queries freeradius and freeradius gives the EXACT same response that the SMC AP gets and uses, but the Cisco seems to completely ignore it. It makes multiple duplicate requests. I looked on the FAQ page and saw the entry about duplicate tries, so I tried starting with the -i option, but that made no difference.

I've been googling all over the net all day and can't figure out what I'm missing. I'm hoping it's something really silly and easy, like some special parameter you need to work with a Cisco device. Does anyone have any ideas? If you need more details on versions and things, I can post them up. I'm just hoping this is going to be one of those duh moments with an easy answer, though. :)

If anyone has any ideas, I'd love to hear them.

Thanks!
-Ken
Re: mysql accounting
Kostas Kalevras wrote:
> On Wed, 28 Jul 2004, Ken A wrote:
>> Edgars wrote:
>>> i am writing my own program to get them in human-readable form:)
>>> Edgars
>>
>> Yep. I made some changes that make it easier for me to start from scratch with a language I'm more familiar with (perl) than to modify dialupadmin to do what I want, especially since I'm not very good with php, and there are many things in dialupadmin I would want to change.
>
> What do you mean by that?

Sorry, that wasn't meant to suggest that there's anything wrong with dialupadmin. It's just overkill here. I don't do php, and my application is for support people who don't need much of the functionality of dialupadmin. I just need to look up radacct records by UserName or IP, display the accounting records for that user or ip, and be able to sort on any column quickly. ~150 lines of perl did it.

Ken A

>> I added a couple of columns to the radacct table, so my records include several Ascend attributes not in the standard table: (Ascend-Disconnect-Cause, Ascend-XmitRate, Ascend-DataRate). And, I was getting duplicate STOP records in the radacct table, so I also put a unique index on (sessionid,username,nasipaddress) and changed the INSERT STOP record in sql.conf to a REPLACE INTO instead of INSERT INTO and that seems to have resolved the problem.
>>
>> Ken A
>>
>> Ken A wrote:
>>> Those of you that use mysql with freeradius, can anyone recommend some software for linux to process mysql radacct table logs? Do you just roll your own scripts to query the logs and make reports? Seems simple enough, but "what are others doing?" is always a good question :-)
>>> Thanks,
>>> Ken A
>
> --
> Kostas Kalevras
> Network Operations Center
> [EMAIL PROTECTED]
> National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
Re: mysql accounting
Edgars wrote:
> i am writing my own program to get them in human-readable form:)
> Edgars

Yep. I made some changes that make it easier for me to start from scratch with a language I'm more familiar with (perl) than to modify dialupadmin to do what I want, especially since I'm not very good with php, and there are many things in dialupadmin I would want to change.

I added a couple of columns to the radacct table, so my records include several Ascend attributes not in the standard table: (Ascend-Disconnect-Cause, Ascend-XmitRate, Ascend-DataRate). And, I was getting duplicate STOP records in the radacct table, so I also put a unique index on (sessionid,username,nasipaddress) and changed the INSERT STOP record in sql.conf to a REPLACE INTO instead of INSERT INTO and that seems to have resolved the problem.

Ken A

> Ken A wrote:
>> Those of you that use mysql with freeradius, can anyone recommend some software for linux to process mysql radacct table logs? Do you just roll your own scripts to query the logs and make reports? Seems simple enough, but "what are others doing?" is always a good question :-)
>> Thanks,
>> Ken A
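Ken's fix for the duplicate STOP rows (a unique index on session id, user name and NAS address, plus REPLACE INTO instead of INSERT INTO for the Stop record), as it is described in this post and quoted in the reply above. Added example, not code from either post or from FreeRADIUS: a cut-down radacct table in SQLite, loaded three ways with constructed records, the first of which is a Stop that arrives twice.

```python
import sqlite3

# Cut-down radacct table (constructed here; the real FreeRADIUS 1.0 schema has many more columns)
SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid      TEXT NOT NULL,
    username           TEXT NOT NULL,
    nasipaddress       TEXT NOT NULL,
    acctstoptime       TEXT,
    acctsessiontime    INTEGER,
    acctterminatecause TEXT
)"""

# The unique key from the thread: at most one row per (session, user, NAS)
UNIQUE_INDEX = """
CREATE UNIQUE INDEX radacct_session
    ON radacct (acctsessionid, username, nasipaddress)"""

COLUMNS = "(acctsessionid, username, nasipaddress, acctstoptime, acctsessiontime, acctterminatecause)"
INSERT_STOP = "INSERT INTO radacct " + COLUMNS + " VALUES (?, ?, ?, ?, ?, ?)"
# MySQL's REPLACE INTO; SQLite accepts the same spelling as an alias for INSERT OR REPLACE
REPLACE_STOP = "REPLACE INTO radacct " + COLUMNS + " VALUES (?, ?, ?, ?, ?, ?)"

# Constructed Stop records: the first session's Stop is delivered twice (a NAS retransmit)
STOP_RECORDS = [
    ("5F4B0001", "kena", "192.0.2.10", "2004-07-28 10:42:11", 2531, "User-Request"),
    ("5F4B0001", "kena", "192.0.2.10", "2004-07-28 10:42:11", 2531, "User-Request"),
    ("5F4B0002", "kenb", "192.0.2.10", "2004-07-28 11:05:40", 310, "Lost-Carrier"),
]


def load_stops(records, statement, with_unique_index):
    """Load the Stop records with the given statement into a fresh in-memory radacct.
    Returns (rows per session, number of statements the unique index rejected)."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    if with_unique_index:
        con.execute(UNIQUE_INDEX)
    rejected = 0
    for rec in records:
        try:
            con.execute(statement, rec)
        except sqlite3.IntegrityError:  # duplicate key: a plain INSERT of a retransmitted Stop
            rejected += 1
    rows = con.execute(
        "SELECT acctsessionid, COUNT(*) FROM radacct GROUP BY acctsessionid ORDER BY acctsessionid"
    ).fetchall()
    con.close()
    return rows, rejected


def duplicated_sessions(rows):
    """Sessions that ended up with more than one accounting row."""
    return [session for session, count in rows if count > 1]
```

REPLACE is a delete followed by an insert, so any column the Stop statement does not supply comes back empty and the row gets a new radacctid; where the Start row must be preserved, an UPDATE keyed on the same three columns keeps it.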
dialup admin perl scripts clean_radacct and truncate_radacct
In dialup admin's perl goodies, 'clean_radacct' and 'truncate_radacct' subtract a $back_days value of 35 or 90 from the current day of the month (say 28). This results in negative values for the day of the month, so the date passed to mysql is not formatted correctly.

    use POSIX;
    $back_days = 90;
    ...
    ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
    $date = POSIX::strftime("%Y-%m-%d %T",$sec,$min,$hour,($mday - $back_days),$mon,$year,$wday,$yday,$isdst);
    print "$date\n";
    ...

To fix, use unix time or Date::Calc

    use POSIX;
    $back_days = 90;
    $secs = (time()-($back_days*86400));
    $date = POSIX::strftime("%Y-%m-%d %T",localtime($secs));
    print "Removing sessions with Stop Time $date\n";

Ken A

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: dialup admin perl scripts clean_radacct and truncate_radacct
Kostas Kalevras wrote:
> On Wed, 28 Jul 2004, Ken A wrote:
>> In dialup admin's perl goodies, 'clean_radacct' and 'truncate_radacct' subtract a $back_days value of 35 or 90 from the current day of the month (say 28). This results in negative values for the day of the month, so the date passed to mysql is not formatted correctly.
>>
>>     use POSIX;
>>     $back_days = 90;
>>     ...
>>     ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
>>     $date = POSIX::strftime("%Y-%m-%d %T",$sec,$min,$hour,($mday - $back_days),$mon,$year,$wday,$yday,$isdst);
>>     print "$date\n";
>>     ...
>
> Hmm, let's see:
>
> $back_days = 90;
>
> 1:33am /src/cvs/radiusd/dialup_admin/bin # date +%Y-%m-%d
> 2004-07-29
> 1:33am /src/cvs/radiusd/dialup_admin/bin # ./clean_radacct
> 2004-04-30 01:33:08
>
> So it works correctly, that's what strftime is supposed to do anyway and it seems to be handling it just fine.

Oh! A workaround then, for a posix issue on this old bsd system that doesn't like negative values passed to strftime().

Thanks,
Ken A

>> To fix, use unix time or Date::Calc
>>
>>     use POSIX;
>>     $back_days = 90;
>>     $secs = (time()-($back_days*86400));
>>     $date = POSIX::strftime("%Y-%m-%d %T",localtime($secs));
>>     print "Removing sessions with Stop Time $date\n";
>>
>> Ken A
>
> --
> Kostas Kalevras
> Network Operations Center
> [EMAIL PROTECTED]
> National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mysql accounting
Those of you that use mysql with freeradius, can anyone recommend some software for linux to process mysql radacct table logs? Do you just roll your own scripts to query the logs and make reports? Seems simple enough, but what are others doing? is always a good question :-)

Thanks,
Ken A

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mysql accounting
duh! I didn't know it was there. Thanks.

Ken A

Milver S. Nisay wrote:
>> Those of you that use mysql with freeradius, can anyone recommend some software for linux to process mysql radacct table logs? Do you just roll your own scripts to query the logs and make reports? Seems simple enough, but what are others doing? is always a good question :-)
>
> if dialup_admin is too technical for you, you can decide to create your own customized PHP/Perl scripts to do whatever output you like.
>
> //milver

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Removing attributes using an external program
Thanks Alan I'll give it a try.

Ken

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 21, 2004 5:08 PM
Subject: Re: Removing attributes using an external program

> Ken Wolstencroft [EMAIL PROTECTED] wrote:
>> I can add and rewrite attributes from an external program, but I can not figure out a way of removing them.
>
> It's not generally recommended, but try the -= operator. See the man page for the users file.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Removing attributes using an external program
Hi,

Is it possible to remove request and reply attributes using an external program? Basically I want to filter both request and reply attributes stored in an SQL database. I can add and rewrite attributes from an external program, but I can not figure out a way of removing them.

Any ideas will be much appreciated.

Thanks,
Ken

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius-Users digest, Vol 1 #3358 - 8 msgs
PATH = /usr/local/bin:/usr/bin:/usr/sbin:/usr/ucb:
Radiusd is in /usr/local/sbin
libradius-0.9.3.so is in /usr/local/lib/

What is crle ? (I'm a bit of a Linux/Unix newbie).

Ken Connell
Intermediate Network Engineer
Computer Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

----- Original Message -----
From: [EMAIL PROTECTED]
Date: Tuesday, June 15, 2004 0:26 am
Subject: Freeradius-Users digest, Vol 1 #3358 - 8 msgs

> Send Freeradius-Users mailing list submissions to
>     [EMAIL PROTECTED]
> To subscribe or unsubscribe via the World Wide Web, visit
>     http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>     [EMAIL PROTECTED]
> You can reach the person managing the list at
>     [EMAIL PROTECTED]
> When replying, please edit your Subject line so it is more specific than Re: Contents of Freeradius-Users digest...
>
> Today's Topics:
>
>    1. Re: Setting up a proxy radius server (Alan DeKok)
>    2. test post to list, please ignore (Matthew Schumacher)
>    3. Re: Won't run on Solais 8 (Cameron Gregg)
>    4. Re: ldap sha1 mschap peap pap (Damjan)
>    5. Authenticating to different LDAP servers (Michael Check)
>    6. unknown client (Timothy Tan)
>    7. Re: rlm_sqlcounter Max-Daily-Session?? (nsinit)
>    8. radius log (apellido jr., wilfredo p.)
>
> --__--__--
>
> Message: 1
> From: Alan DeKok [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Setting up a proxy radius server
> Date: Mon, 14 Jun 2004 15:44:56 -0400
> Reply-To: [EMAIL PROTECTED]
>
> Stephen Petersen [EMAIL PROTECTED] wrote:
>> By the docs its setup to do proxy. In plain language what conf files need to be edited.
>
> clients.conf
> proxy.conf
>
>> I've edit client.conf and proxy.conf and can't get any proxying happening.
>
> Try running it debug mode, as suggested in the FAQ, README, and INSTALL.
>
> Alan DeKok.
>
> --__--__--
>
> Message: 2
> To: list [EMAIL PROTECTED]
> From: Matthew Schumacher [EMAIL PROTECTED]
> Subject: test post to list, please ignore
> Date: Mon, 14 Jun 2004 23:59:34 +0200
> Reply-To: [EMAIL PROTECTED]
>
> this is a test
>
> --__--__--
>
> Message: 3
> Date: Tue, 15 Jun 2004 09:36:05 +1000
> From: Cameron Gregg [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Won't run on Solais 8
> Reply-To: [EMAIL PROTECTED]
>
> Ken Connell wrote:
>> FreeRadius 0.9.3
>> It's been great on Redhat, but on a Solaris 8 box I get the following:
>> fatal: libradius-0.9.3.so: open failed: No such file or directory
>
> What directory is your libradius-0.9.3.so in? Also where is radiusd? Could be a library path issue... what is the output of crle?
>
> Cam
>
> --__--__--
>
> Message: 4
> Date: Tue, 15 Jun 2004 01:34:10 +0200
> From: Damjan [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: ldap sha1 mschap peap pap
> Reply-To: [EMAIL PROTECTED]
>
> TTLS uses different tunneled authentication methods. Check those to see what's possible.
>
> TTLS + PAP should work doesnt it.
>
> --
> damjan | дамјан
> This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!
>
> --__--__--
>
> Message: 5
> Date: Mon, 14 Jun 2004 20:14:28 -0500
> Subject: Authenticating to different LDAP servers
> From: Michael Check [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
>
> Hello all,
>
> We are using freeRADIUS version 0.9.3 on a MacOSX box running 10.2.6
>
> We have a Patton dial-in access server that is using freeRADIUS to AAA off Active Directory running on a W2K box (192.168.2.5) with domain marshall.com
>
> We have now set up a W2003 server (10.0.1.5) running active directory for a domain msi.com
>
> The domains are on separate LANs but completely routable between. The Patton is on the marshall.com side of the network and uses LDAP through freeRADIUS and works great.
>
> Our desire is to configure freeRADIUS to authenticate specific users off the msi.com domain also using LDAP.
>
> I configured radiusd.conf to authorize off the new server and it does, but when authentication comes around, it tries to authenticate off the first LDAP server it finds which is 192.168.2.5
>
> I have tracked the issue to the fact that the radiusd.conf file specifically states that authentication does not cascade (fall through?) but authorization does.
>
> Here are the conf file areas:
>
> modules {
>     # snip
>     ldap ldap1 {
>         server = 192.168.2.5
>         identity = cn=ldapuser,cn=users,dc=marshall,dc=com
>         password = foo
>         basedn = cn=users,dc=marshall,dc=com
>         filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
>         access_attr = msNPAllowDialin
>         password_attribute = userPassword
>         # snip
>     }
>     ldap ldap2 {
>         server = 10.0.1.5
>         identity = cn=radiusserver,cn=users,dc=msi,dc=com
>         password = foo
>         basedn = ou=merchandisers,dc=msi,dc=com
>         filter = (sAMAccountName
Re: Freeradius-Users digest, Vol 1 #3362 - 15 msgs
I ran crle as you mentioned, and /usr/local/lib is there in the path... Not sure if I'm going to spend too much more time on this one. Thinking of using a RedHat box and be done with it.

Thanks for the help.

Ken Connell
Intermediate Network Engineer
Computer Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

----- Original Message -----
From: [EMAIL PROTECTED]
Date: Tuesday, June 15, 2004 10:39 am
Subject: Freeradius-Users digest, Vol 1 #3362 - 15 msgs

> Today's Topics:
>
>    1. Re: Freeradius-Users digest, Vol 1 (Re: Won't run on Solais 8) (Cameron Gregg)
>    2. Problem compiling: cannot find the library `../rlm_eap_tls/rlm_eap_tls.la' (Michael Schwartzkopff)
>    3. Re: copying accounting (Alexander Serkin)
>    4. Re: copying accounting (Robert Haskins)
>    5. Re: copying accounting (Alan DeKok)
>    6. Re: radius log (Alan DeKok)
>    7. Re: Accounting question for EAP-TTLS for Pre 2 (Alan DeKok)
>    8. Re: copying accounting (Alexander Serkin)
>    9. Re: copying accounting (Alan DeKok)
>   10. Re: Accounting question for EAP-TTLS for Pre 2 (Gary McKinney)
>   11. Re: configuring freeradius on freebsd 4.10 (Paul Hampson)
>   12. Re: rlm_expr question (Alan DeKok)
>   13. Freeradius and OpenLdap (Jawhar TAZI)
>   14. Re: Freeradius and OpenLdap (Michael Schwartzkopff)
>   15. Re: Modify packet proxied to a specific realm (Alan DeKok)
>
> --__--__--
>
> Message: 1
> Date: Wed, 16 Jun 2004 00:35:47 +1000
> From: Cameron Gregg [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius-Users digest, Vol 1 (Re: Won't run on Solais 8)
> Reply-To: [EMAIL PROTECTED]
>
> Ken Connell wrote:
>> PATH = /usr/local/bin:/usr/bin:/usr/sbin:/usr/ucb:
>> Radiusd is in /usr/local/sbin
>> libradius-0.9.3.so is in /usr/local/lib/
>>
>> What is crle ? (I'm a bit of a Linux/Unix newbie).
>>
>> Ken Connell
>
> crle (on solaris), it sets/shows the library paths. A bit like ldconfig on linux i think. run crle and see what the output is. Mine looks like this:
>
> $ crle
>
> Configuration file [3]: /var/ld/ld.config
>   Default Library Path (ELF):   /usr/lib:/usr/local/lib:/usr/local/ssl/lib
>   Trusted Directories (ELF):    /usr/lib/secure  (system default)
>
> Command line:
>   crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib:/usr/local/ssl/lib
>
> $
>
> You need to make sure /usr/local/lib is in your default library path. If it isn't, you will need to do something like:
>
> $ crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib
>
> I'm a bit sketchy on all this myself, I'm just passing on what has worked for me. Of course you should be able to do a 'man crle' to get all the nitty-gritty info. If /usr/local/lib is already there (in your default path) then I'm not sure why your library can't be found... maybe something to do with the way freeradius was compiled. I find solaris very frustrating at times, especially using GNU tools mixed with sun tools.
>
> Hope this helps.
>
> Cam
>
> PS you can also use ldd <program name> to see what libraries it needs and if it can find them.
>
>> Intermediate Network Engineer
>> Computer Communication Services
>> Ryerson University
>> 350 Victoria St RM AB50
>>
>>> --__--__--
>>>
>>> Message: 3
>>> Date: Tue, 15 Jun 2004 09:36:05 +1000
>>> From: Cameron Gregg [EMAIL PROTECTED]
>>> To: [EMAIL PROTECTED]
>>> Subject: Re: Won't run on Solais 8
>>> Reply-To: [EMAIL PROTECTED]
>>>
>>> Ken Connell wrote:
>>>> FreeRadius 0.9.3
>>>> It's been great on Redhat, but on a Solaris 8 box I get the following:
>>>> fatal: libradius-0.9.3.so: open failed: No such file or directory
>>>
>>> What directory is your libradius-0.9.3.so in? Also where is radiusd? Could be a library path issue... what is the output of crle?
>>>
>>> Cam
>
> --__--__--
>
> Message: 2
> From: Michael Schwartzkopff [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Problem compiling: cannot find the library `../rlm_eap_tls/rlm_eap_tls.la'
> Date: Tue, 15 Jun 2004 15:11:32 +0200
> Reply-To: [EMAIL PROTECTED]
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I am trying to compile the latest snapshot: 20040615, but make results in an error:
>
> /root/freeradius-snapshot-20040615/libtool --mode=link gcc -release 1.1.0-pre0 \
>   -module -export-dynamic -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS \
>   -DOPENSSL_NO_KRB5 -I../../../../include -I../.. -I../rlm_eap_tls \
>   -DOPENSSL_NO_KRB5 -I./../../libeap \
>   -o rlm_eap_peap.la -rpath /usr/local/lib rlm_eap_peap.lo peap.lo ../../../../lib
Re: Freeradius-Users digest, Vol 1 #3362 - 15 msgs
With a bit more digging (thanks to Cam), I found that I had to add /usr/local/lib to the trusted path using crle.

    crle -u -s:/usr/local/lib

It's up and running now.

Thanks for the help.

Ken Connell
Intermediate Network Engineer
Computer Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

----- Original Message -----
From: [EMAIL PROTECTED]
Date: Tuesday, June 15, 2004 10:39 am
Subject: Freeradius-Users digest, Vol 1 #3362 - 15 msgs

> Today's Topics:
>
>    1. Re: Freeradius-Users digest, Vol 1 (Re: Won't run on Solais 8) (Cameron Gregg)
>    2. Problem compiling: cannot find the library `../rlm_eap_tls/rlm_eap_tls.la' (Michael Schwartzkopff)
>    3. Re: copying accounting (Alexander Serkin)
>    4. Re: copying accounting (Robert Haskins)
>    5. Re: copying accounting (Alan DeKok)
>    6. Re: radius log (Alan DeKok)
>    7. Re: Accounting question for EAP-TTLS for Pre 2 (Alan DeKok)
>    8. Re: copying accounting (Alexander Serkin)
>    9. Re: copying accounting (Alan DeKok)
>   10. Re: Accounting question for EAP-TTLS for Pre 2 (Gary McKinney)
>   11. Re: configuring freeradius on freebsd 4.10 (Paul Hampson)
>   12. Re: rlm_expr question (Alan DeKok)
>   13. Freeradius and OpenLdap (Jawhar TAZI)
>   14. Re: Freeradius and OpenLdap (Michael Schwartzkopff)
>   15.
Re: I need exact instructions please
Hi Linda,

A good way of getting started with FreeRadius is to get a copy of the O'Reilly RADIUS book. It's a good starting point.

All the best,
Ken

----- Original Message -----
From: Mike Ockenga [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 23, 2004 3:36 PM
Subject: RE: I need exact instructions please

> -----Original Message-----
> From: Linda Pagillo [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 23, 2004 9:04 AM
> To: [EMAIL PROTECTED]
> Subject: I need exact instructions please
>
>> Hello everyone: Would someone be so kind as to send me exact directions on how to configure and use freeradius version 0.9.3?
>
> FreeRADIUS does a lot of things. When you post questions, you'll have to specify what you want to do, or no one can help you.
>
>> where to start or what to do. I searched all over the freeradius website and i did not see any instructions regarding how to configure or use it. Any and all help would be very much appreciated. Thank you in advance.
>
> The server and the site have plenty of documentation. Read that and then post specific questions, please.
>
> --
> Mike Ockenga, CCNP
> [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Monitor script.
Hi,

Does anybody out there have a quick radius monitor script they'd be willing to share? I have radius/AAA servers behind a CSS. I would like to monitor AAA services and conditionally act on a failure. I am using radclient to successfully test the service.

Thanks a bunch,
Ken.

==
Ken Gage, Qualcomm Inc. 858.651.2737
Happiness is that state of consciousness which proceeds from the achievement of one's values
Ayn Rand

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authentication question
I would use LDAP to authorize and Kerberos to authenticate and slave Kerberos servers for failover. I would also use PAM with Kerberos modules. FWIW I would use LDAP authentication if something doesn't do Kerberos.

On Tue, 2004-01-27 at 09:55, Craven, James wrote:
> I am trying to set up FreeRADIUS to authenticate to a Kerberos server first and then failover to an LDAP server if Kerberos is unavailable. Can this be done and how? or would PAM be a better option?
>
> Jim

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't authenticate EAP-TLS with Intel Adapter
Intel adapters can be a little tricky. Try switching off the power management settings for the adapters. This can usually be found in the device driver properties for the card. Also use the latest Intel driver for the adapter.

Good luck, I hope this helps,

Ken

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, January 03, 2004 7:01 PM
Subject: Can't authenticate EAP-TLS with Intel Adapter

> Hello,
>
> I have a Freeradius 0.9.3 installation running on a Redhat 9 machine. It works GREAT for my home laptop. Thanks so much for this excellent software. I'm running a DLink 900+ AP and my home laptop has a matching DLink 650+ PCMCIA wireless card. I'm using EAP-TLS on Windows XP and it is working great for that machine.
>
> I recently got a new Dell Latitude D600 laptop for work and I cannot seem to get this silly machine to correctly connect to the wireless network using EAP-TLS. I first tried the same certificate I created (using OpenSSL) and have been using on my personal laptop. It gets to Attempting Authentication and just stays there. I also tried creating a new certificate for this machine, but got the same results. I don't see anything obvious in the log file for FreeRadius, but I'm attaching the relevant information in hopes that someone can offer an idea of what might be wrong.
>
> The new machine has a built-in Intel(R) PRO/Wireless LAN 2100 3A Mini PCI Adapter. It is running Windows XP + SP1 and patches. I guess I'm unsure why a different wireless card would have trouble, as it seems to talk to the AP just fine.
>
> Thanks for any help you can give.
>
> Craig
>
> Ready to process requests
> rad_recv: Access-Request packet from host 192.168.0.50:1248, id=106, length=135
>         User-Name = csetera
>         NAS-IP-Address = 192.168.0.50
>         NAS-Port = 0
>         Called-Station-Id = 00-40-05-CA-6D-42
>         Calling-Station-Id = 00-04-23-53-0D-63
>         NAS-Identifier = DWL-900AP+
>         Framed-MTU = 1380
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x0201000c0163736574657261
>         Message-Authenticator = 0xe5b9e009b38dac2fb879dd1a06885026
> modcall: entering group authorize for request 0
>   modcall[authorize]: module preprocess returns ok for request 0
>   rlm_eap: EAP packet type notification id 1 length 12
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module eap returns updated for request 0
>     users: Matched csetera at 91
>   modcall[authorize]: module files returns ok for request 0
> modcall: group authorize returns updated for request 0
>   rad_check_password: Found Auth-Type EAP
> auth: type EAP
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP packet type notification id 1 length 12
>   rlm_eap: EAP Start not found
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module eap returns ok for request 0
> modcall: group authenticate returns ok for request 0
> Sending Access-Challenge of id 106 to 192.168.0.50:1248
>         EAP-Message = 0x010200060d20
>         Message-Authenticator = 0x
>         State = 0x0f1812cd9e34e3291e6614767b2ef0cf2608f73fa740ded30adc1d88ff5b012f9f5b4915
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.0.50:1248, id=107, length=135
>         User-Name = csetera
>         NAS-IP-Address = 192.168.0.50
>         NAS-Port = 0
>         Called-Station-Id = 00-40-05-CA-6D-42
>         Calling-Station-Id = 00-04-23-53-0D-63
>         NAS-Identifier = DWL-900AP+
>         Framed-MTU = 1380
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x0203000c0163736574657261
>         Message-Authenticator = 0xb189b0090592766341676a4d888e29ea
> modcall: entering group authorize for request 1
>   modcall[authorize]: module preprocess returns ok for request 1
>   rlm_eap: EAP packet type notification id 3 length 12
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module eap returns updated for request 1
>     users: Matched csetera at 91
>   modcall[authorize]: module files returns ok for request 1
> modcall: group authorize returns updated for request 1
>   rad_check_password: Found Auth-Type EAP
> auth: type EAP
> modcall: entering group authenticate for request 1
>   rlm_eap: EAP packet type notification id 3 length 12
>   rlm_eap: EAP Start not found
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module eap returns ok for request 1
> modcall: group authenticate returns ok for request 1
> Sending Access-Challenge of id 107 to 192.168.0.50:1248
>         EAP-Message = 0x010400060d20
>         Message-Authenticator = 0x
>         State = 0xc813bc0205103cd2019947a069e31de32908f73fac424fb83bd323f40336a2002c26867d
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 106 with timestamp 3ff70826
> Waking up in 3
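To read what the four EAP-Message values in the debug output above actually carry, here is an added decoder (not code from the thread or from FreeRADIUS). It parses the EAP header and the EAP-TLS flag byte, and reports which EAP-TLS Start requests never got a TLS answer; the message list is copied from the log.

```python
"""Decoder for the EAP-Message values printed by radiusd -X in the log above.
Added example, not code from the thread or from FreeRADIUS."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Subset of EAP method types, enough for the Identity / EAP-TLS exchange above.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# The four EAP-Message values quoted from the debug log, in wire order.
LOG_EAP_MESSAGES = [
    "0x0201000c0163736574657261",  # Access-Request  id=106
    "0x010200060d20",              # Access-Challenge id=106
    "0x0203000c0163736574657261",  # Access-Request  id=107
    "0x010400060d20",              # Access-Challenge id=107
]


def decode_eap_message(hexstr: str) -> dict:
    """Parse one EAP packet: RFC 3748 header, then the EAP-TLS flag byte
    (RFC 2716) when the method type is 13."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        # radiusd concatenates fragmented EAP-Message attributes before this
        # point; a mismatch means the value was truncated or spliced.
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        info["type"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
        payload = data[5:]
        if eap_type == 1:
            info["identity"] = payload.decode("utf-8", errors="replace")
        elif eap_type == 13 and payload:
            flags = payload[0]
            info["tls_flags"] = {
                "L": bool(flags & 0x80),  # 4-byte TLS message length follows
                "M": bool(flags & 0x40),  # more fragments follow
                "S": bool(flags & 0x20),  # EAP-TLS Start
            }
            info["tls_data"] = payload[5:] if flags & 0x80 else payload[1:]
    return info


def unanswered_tls_starts(hex_messages) -> list:
    """EAP ids of EAP-TLS Start requests whose next packet is not an EAP-TLS
    response. Empty for a healthy handshake; for the log above it is [2, 4]:
    each Start is followed by another Identity, never by a TLS ClientHello."""
    decoded = [decode_eap_message(h) for h in hex_messages]
    stalled = []
    for i, pkt in enumerate(decoded):
        is_start = (pkt["code"] == "Request" and pkt.get("type") == "EAP-TLS"
                    and pkt.get("tls_flags", {}).get("S", False))
        if not is_start:
            continue
        nxt = decoded[i + 1] if i + 1 < len(decoded) else None
        if nxt is None or nxt["code"] != "Response" or nxt.get("type") != "EAP-TLS":
            stalled.append(pkt["id"])
    return stalled


if __name__ == "__main__":
    for h in LOG_EAP_MESSAGES:
        print(h, "->", decode_eap_message(h))
    print("EAP-TLS Start ids with no TLS reply:", unanswered_tls_starts(LOG_EAP_MESSAGES))
```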