Re: EAP-SIM Module Failed to Load

2013-08-25 Thread Ken Farrington
Thanks so much I will try that.  Much regards ken.farring...@802.co.uk

Phil Mayers p.may...@imperial.ac.uk wrote:
On 25/08/2013 12:03, ken.farrington wrote:

 /usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
 'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
 such file or directory

Your version of FreeRADIUS wasn't compiled with rlm_eap_sim enabled, or
it wasn't installed. I can't remember if you need to build with
--experimental-modules or whatever the ./configure option is called.

Also, upgrade to 2.2.0
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Recommendations for a GUI front end for FreeRadius

2012-09-07 Thread Ken Morley
FreeRadius is a great product that works very well, but is difficult for 
novices to maintain.  I don't have any problems using the Linux shell and vi to 
configure,  but I need something more user friendly for others.

Can anyone recommend an open-source GUI for FreeRadius - preferably something 
that runs as an Apache web site under Linux?

Thanks for any suggestions!

Ken Morley



Re: compiling pam radius module

2011-08-23 Thread ken Brown
Hello,

 So when do you want to get your goods?

RE: how to use groups within freeradius

2011-06-28 Thread Ken Felix
Phil

Your examples were straight on, and very helpful. I ended up using SQLgroup 
within /etc/freeradius/users + huntgroups and the groups that I've created; 
it worked the very 1st time, with no problems. To answer your other 
question, this is with freeradius version:


root@TACACS:/etc/init.d# freeradius -v | grep Version
freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Mar 
30 2007 at 22:44:34
root@TACACS:/etc/init.d#


Thanks


-Original Message-
From: freeradius-users-bounces+kfelix=jdltech@lists.freeradius.org on 
behalf of Phil Mayers
Sent: Tue 6/28/2011 3:55 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: how to use  groups within freeradius
 
On 06/27/2011 09:29 PM, Ken Felix wrote:

 Can anybody post a simple howto with regards to using groups within
 freeradius?  What we would like to do is restrict some users from
 logging into various firewalls. I've created usergroups and defined


Which version of FreeRADIUS are you using?

Anyway, the group config you've written doesn't do what you want. All it 
says is if you're this username and coming from these IPs, you're in 
the group.

You're not actually acting in the group membership.

There are lots of ways to do this, but personally I prefer to keep SQL 
groups entirely user-based, and use huntgroups for NAS IPs, then compare 
the two. So:

raddb/huntgroups:

restricted  NAS-IP-Address == 192.0.2.1

raddb/sites-enabled/xxx:

authorize {
    if (Huntgroup-Name == "restricted") {
        if (SQL-Group == "restricted") {
            # ok to login
        }
        else {
            reject
        }
    }
}

...or if you prefer to use a users file, in raddb/users:

DEFAULT Huntgroup-Name == "restricted", SQL-Group == "restricted"
	Fall-Through = No
DEFAULT Huntgroup-Name == "restricted", Auth-Type := Reject
	Fall-Through = No


There are lots of other ways to accomplish this. The point being, you 
need to actually check the group, and if you define the group so that it 
depends on the username, and the thing they're permitted to access, 
then you're essentially writing a whitelist and would need something 
like, in your example, raddb/users:

DEFAULT SQL-Group == "xxx"
	Fall-Through = No

DEFAULT SQL-Group == "yyy"
	Fall-Through = No

DEFAULT Auth-Type := Reject


how to use groups within freeradius

2011-06-27 Thread Ken Felix

Can anybody post a simple howto with regards to using groups within freeradius? 
 What we would like to do is restrict some users from logging into various 
firewalls. I've created usergroups and defined  


mysql> select * from usergroup ;
+-----------+-------------+----------+
| UserName  | GroupName   | priority |
+-----------+-------------+----------+
|           | login users |        1 |
| asa1.test | adminasa    |        1 |
| test.user | Login users |        1 |
+-----------+-------------+----------+


and


mysql> select * from radgroupcheck ;
+----+-----------+----------------+----+----------------+
| id | GroupName | Attribute      | op | Value          |
+----+-----------+----------------+----+----------------+
|  1 | adminasa  | NAS-IP-Address | == | 10.252.128.11  |
|  2 | adminasa  | NAS-IP-Address | == | 10.252.253.199 |
|  3 | adminasa  | NAS-IP-Address | == | 10.250.32.68   |
|  4 | adminasa  | NAS-IP-Address | == | 10.250.32.69   |
|  5 | adminasa  | NAS-IP-Address | == | 10.254.32.68   |
|  6 | adminasa  | NAS-Identifier | == | 10.252.128.11  |
+----+-----------+----------------+----+----------------+
6 rows in set (0.00 sec)




debug shows the following;





Sending Access-Reject of id 10 to 10.159.103.154 port 1812
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.252.128.11:1025, id=40, length=67
User-Name = asa1.test
User-Password = 30
NAS-IP-Address = 10.252.128.11
NAS-Port = 43
NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
  modcall[authorize]: module preprocess returns ok for request 18
  modcall[authorize]: module chap returns noop for request 18
  modcall[authorize]: module mschap returns noop for request 18
rlm_realm: No '@' in User-Name = asa1.test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 18
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 18
  modcall[authorize]: module files returns notfound for request 18
radius_xlat:  'asa1.test'
rlm_sql (sql): sql_set_user escaped user -- 'asa1.test'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'asa1.test'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'asa1.test'   ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'asa1.test' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'asa1.test'   ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'asa1.test'   ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'asa1.test' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns ok for request 18
modcall: leaving group authorize (returns ok) for request 18
auth: type Crypt
Login OK: [asa1.test] (from client SBBC port 43)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 18
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'asa1.test'
rlm_sql (sql): sql_set_user escaped user -- 'asa1.test'
radius_xlat:  'INSERT into radacct (UserName, NASIPAddress, AcctStartTime, 
AcctStopTime, AcctSessionTime, AcctAuthentic, CallingStationId, 
AcctTerminateCause, NASIdentifier) values ('asa1.test', '10.252.128.11', NOW(), 
NOW(), '0', 'Local', '', 'Access-Accept', '')'
radius_xlat:  '/var/log/freeradius/sqltrace.sql'
rlm_sql (sql) in sql_postauth: query is INSERT into radacct (UserName, 
NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, 
CallingStationId, AcctTerminateCause, NASIdentifier) values 

Re: eappeap_postproxy() - set fake-proxy_reply

2011-02-16 Thread Ken-ichirou MATSUZAWA

 Hello,

Could I explain in more detail? I want to proxy PEAP, with an
old server which cannot deal with EAP. This worked on 2.0.4
but didn't work on 2.1.10. I can't understand what's wrong.

Comparing the debug output, I noticed a difference: after
"[eap] Passing reply back for EAP-MS-CHAP-V2",
mschap_postproxy() was called in 2.0.4, but not in 2.0.10.

thanks.

 configuration

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid

max_request_time = 30
cleanup_delay = 5
max_requests = 1024

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

checkrad = ${sbindir}/checkrad
proxy_requests = yes

listen {
    type = auth
    ipaddr = *
    port = 0
}

log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
}

security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}

realm legacy {
    authhost = 192.168.1.5:1645
    secret = testing123
}

client 10.0.0.0/8 {
    secret = testing456
    shortname = priv10
    nastype = other
}

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    eap {
        default_eap_type = mschapv2
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048

        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_password = tetest123
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.pem
            CA_file = ${cadir}/ca.pem
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            cipher_list = DEFAULT
            cache {
                enable = no
                lifetime = 24 # hours
                max_entries = 255
            }
        }

        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            proxy_tunneled_request_as_eap = no
            virtual_server = inner-tunnel
        }

        mschapv2 {
        }
    }
}

server inner-tunnel {
    authorize {
        update control {
            Proxy-To-Realm := legacy
        }
    }

    authenticate {
        eap
    }

    post-proxy {
        eap
    }
}

authorize {
    eap {
        ok = return
    }
}

authenticate {
    eap
}

post-proxy {
    eap
}

 debug output

FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Feb 16 2011 at 
10:52:08
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
main {
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 realm legacy {
authhost = 192.168.1.5:1645
secret = testing123
 }
radiusd:  Loading Clients 
 client 10.0.0.0/8 {
require_message_authenticator = no
secret = testing456
shortname = priv10
nastype = other
 }
radiusd:  Instantiating modules 
radiusd:  

eappeap_postproxy() - set fake-proxy_reply

2011-02-14 Thread Ken-ichirou MATSUZAWA

 Hello,

I can't think I understand what went wrong but it works.
just escaping from first NULL check in eap_post_proxy()

or commit: add0068afc3b732c27c9cc116d7ec331f9a32735 says
I misconfigured PEAP proxy?

---
 src/modules/rlm_eap/types/rlm_eap_peap/peap.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
index 0d9a031..36c012b 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
@@ -571,7 +571,7 @@ static int eappeap_postproxy(EAP_HANDLER *handler,
void *data)
request-proxy = NULL;

rad_assert(fake-reply == NULL);
-   fake-reply = request-proxy_reply;
+   fake-reply = fake-proxy_reply = request-proxy_reply;
request-proxy_reply = NULL;

if ((debug_flag  0)  fr_log_fp) {
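Review bot: the chained assignment to `fake`'s `reply` and `proxy_reply` in this hunk leaves one packet reachable through two fields of the same request, and nothing at the assignment says which field owns it. Any teardown of `fake` that frees both fields before the alias is cleared would free the packet twice. Add a comment at the assignment stating that `reply` owns the packet and `proxy_reply` is only a borrowed alias for the duration of the post-proxy call.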
@@ -585,7 +585,7 @@ static int eappeap_postproxy(EAP_HANDLER *handler,
void *data)
fake-options = ~RAD_REQUEST_OPTION_PROXY_EAP;
RDEBUG2(Passing reply back for EAP-MS-CHAP-V2);
module_post_proxy(0, fake);
+   fake-proxy_reply = NULL;

/*
 *  FIXME: If rcode returns fail, do something
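Review bot: the added reset of `proxy_reply` to NULL directly after `module_post_proxy(0, fake);` is unconditional, so if a post-proxy module replaced `proxy_reply` with a different packet, that packet is dropped here without being freed. Either compare it against `reply` before clearing, or add a comment documenting that post-proxy modules must not replace it. The result of the call is also not checked at this point, which the FIXME just below already flags.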
-- 
1.7.2.3



fix freeing eap_handler as opaque (and typo)

2011-02-08 Thread Ken-ichirou MATSUZAWA
 Hello,

I hope this would be hint for fixing segfault and
better solution.

Thanks.


Subject: [PATCH 1/2] freeing EAP opaque with one arg

---
 src/modules/rlm_eap/eap.h |1 +
 src/modules/rlm_eap/mem.c |8 
 src/modules/rlm_eap/rlm_eap.c |6 --
 src/modules/rlm_eap/rlm_eap.h |1 +
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/modules/rlm_eap/eap.h b/src/modules/rlm_eap/eap.h
index 0150ef2..6d845ad 100644
--- a/src/modules/rlm_eap/eap.h
+++ b/src/modules/rlm_eap/eap.h
@@ -107,6 +107,7 @@ typedef struct _eap_handler {
 
void*opaque;
void(*free_opaque)(void *opaque);
+   void*inst_holder;
 
int status;
 
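Review bot: `inst_holder` is added as an untyped `void *` with no comment, directly under `opaque` and `free_opaque`, so a reader of the struct cannot tell what it points to or who sets it. Add a one-line comment saying it holds the owning rlm_eap instance used when the handler is freed through request data, and use the concrete pointer type if this header can see it.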
diff --git a/src/modules/rlm_eap/mem.c b/src/modules/rlm_eap/mem.c
index c5a5973..e702b19 100644
--- a/src/modules/rlm_eap/mem.c
+++ b/src/modules/rlm_eap/mem.c
@@ -136,6 +136,14 @@ EAP_HANDLER *eap_handler_alloc(rlm_eap_t *inst)
return handler;
 }
 
+void eap_opaque_free(EAP_HANDLER *handler)
+{
+   if (!handler)
+   return;
+
+   eap_handler_free(handler-inst_holder, handler);
+}
+
 void eap_handler_free(rlm_eap_t *inst, EAP_HANDLER *handler)
 {
if (!handler)
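Review bot: `eap_opaque_free()` checks `handler` for NULL but passes its `inst_holder` field to `eap_handler_free()` unchecked, and that field is only assigned at the two `request_data_add()` call sites in rlm_eap.c. Since `eap_handler_alloc(rlm_eap_t *inst)` already receives the instance, setting `inst_holder` there would make it valid for every handler and remove the need for callers to remember it.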
diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c
index 5cc74bc..c91bd0e 100644
--- a/src/modules/rlm_eap/rlm_eap.c
+++ b/src/modules/rlm_eap/rlm_eap.c
@@ -347,10 +347,11 @@ static int eap_authenticate(void *instance, REQUEST 
*request)
 *  can retrieve it in the post-proxy stage, and
 *  send a response.
 */
+   handler-inst_holder = inst;
rcode = request_data_add(request,
 inst, REQUEST_DATA_EAP_HANDLER,
 handler,
-(void *) eap_handler_free);
+(void *) eap_opaque_free);
rad_assert(rcode == 0);
 
return RLM_MODULE_HANDLED;
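Review bot: the `(void *)` cast on `eap_opaque_free` in the `request_data_add()` call hides any mismatch between the callback type that function expects and the new `void eap_opaque_free(EAP_HANDLER *handler)`. The purpose of this patch is to give the callback the right one-argument shape, so declare it with exactly the parameter type the callback takes and pass it without a cast, letting the compiler check it.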
@@ -372,10 +373,11 @@ static int eap_authenticate(void *instance, REQUEST 
*request)
 *  can retrieve it in the post-proxy stage, and
 *  send a response.
 */
+   handler-inst_holder = inst;
rcode = request_data_add(request,
 inst, REQUEST_DATA_EAP_HANDLER,
 handler,
-(void *) eap_handler_free);
+(void *) eap_opaque_free);
rad_assert(rcode == 0);
 
/*
diff --git a/src/modules/rlm_eap/rlm_eap.h b/src/modules/rlm_eap/rlm_eap.h
index 84b4b50..0de2ae6 100644
--- a/src/modules/rlm_eap/rlm_eap.h
+++ b/src/modules/rlm_eap/rlm_eap.h
@@ -105,6 +105,7 @@ EAP_DS  *eap_ds_alloc(void);
 EAP_HANDLER*eap_handler_alloc(rlm_eap_t *inst);
 void   eap_packet_free(EAP_PACKET **eap_packet);
 void   eap_ds_free(EAP_DS **eap_ds);
+void   eap_opaque_free(EAP_HANDLER *handler);
 void   eap_handler_free(rlm_eap_t *inst, EAP_HANDLER *handler);
 
 inteaplist_add(rlm_eap_t *inst, EAP_HANDLER *handler);
-- 

Subject: [PATCH 2/2] fix typo

---
 src/modules/rlm_eap/types/rlm_eap_peap/peap.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c 
b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
index b77d647..0d9a031 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
@@ -1133,8 +1133,8 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t 
*tls_session)
request-proxy = fake-packet;
memset(request-proxy-src_ipaddr, 0,
   sizeof(request-proxy-src_ipaddr));
-   memset(request-proxy-src_ipaddr, 0,
-  sizeof(request-proxy-src_ipaddr));
+   memset(request-proxy-dst_ipaddr, 0,
+  sizeof(request-proxy-dst_ipaddr));
request-proxy-src_port = 0;
request-proxy-dst_port = 0;
fake-packet = NULL;
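Review bot: the subject "fix typo" undersells the change to the second `memset`: before it, `src_ipaddr` was cleared twice and `dst_ipaddr` was never cleared, so this is a behaviour fix for the proxied packet rather than a spelling correction. Say in the commit message which field was left unzeroed so the change can be found later.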
-- 



Help with Rewriting RAD_REQUEST in rlm_perl for proxy

2008-06-11 Thread Ken Gribble

Greetings!

I'm using freeradius installed from the freeradius.i386 1.1.3-1.2.el  
rpm on CentOS 5 (recompiled RedHat).


I'd like to use freeradius as an accounting proxy between two other  
machines, in order to rewrite some Attributes (User-Name and  
Acct-Session-Id) before they arrive at their final destination. I need to  
rewrite any reference to a username to a unique ID number (long story).


I embarked on using rlm_perl for this task. I have the proxy working,  
but when the data arrives at its destination the Attributes have not  
been changed. I'm hoping someone has changed attributes before they  
are sent along to their Accounting radius server in a similar manner,  
with rlm_perl.


I have tried changing many hashes, and to be honest I'm very new to  
freeradius and I'm not sure which one should be changed. That's where  
I seem to be stuck, how to change RAD_REQUEST{'User-Name'} so when it  
is proxied it sends my rewrites.


Thank you for any help or pointers you can provide! Examples of what I  
have done are below.


-Ken


Here is one example of what I have tried in the perl module I wrote:

from my_filter.pl:
...
# Function to handle pre_proxy
sub pre_proxy {
    # For debugging purposes only
    print "start pre_proxy ***\n";
    $RAD_REPLY{'User-Name'} = 12345678;
    $RAD_REQUEST{'User-Name'} = 12345678;
    $RAD_REPLY{'Acct-Session-Id'} = 12345678;
    $RAD_REQUEST{'Acct-Session-Id'} = 12345678;
    log_request_attributes();
    print "returning from pre_proxy ***\n";
    return RLM_MODULE_UPDATED;
}
...

In the modules section of radiusd.conf I have:
...
perl {
   module = /etc/raddb/modules/my_filter.pl
   func_pre_proxy = pre_proxy
   func_post_proxy = post_proxy

}
...

and also in radiusd.conf:

...
pre-proxy {
   perl
}
post-proxy {
   perl
}
...

Here is the output I get when I feed radiusd a faked (to protect the  
innocent) request:


# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/ 
detail-%Y%m%d

 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded perl
 perl: module = /etc/raddb/modules/orange_filter.pl
 perl: func_authorize = authorize
 perl: func_authenticate = authenticate

Fwd: Help with Rewriting RAD_REQUEST in rlm_perl for proxy

2008-06-11 Thread Ken Gribble


Sorry, my bad, I upgraded to 2.0.5 and this all started to work fine :-)

-Ken

Begin forwarded message:


Greetings!

I'm using freeradius installed from the freeradius.i386 1.1.3-1.2.el  
rpm on CentOS 5 (recompiled RedHat).




Re: Shared secret is incorrect - but it is identical!

2007-07-06 Thread ken
Alan DeKok wrote:

   (1) The shared secret is wrong
   (2) The code is buggy
 
   There are no alternatives.
 
   This is often due to broken MD5 libraries, or 32/64-bit issues.  But
 FreeRADIUS hasn't had those kind of bugs for *years*.


Yep, you were right, there must be some corruption or crap on 
the Fedora system I was using as a test client.  I installed 
1.1.6 on a Suse box I have, copied exactly the same raddb onto 
it, and radtest worked first time.




Re: Shared secret is incorrect - but it is identical!

2007-07-05 Thread ken
Alan DeKok wrote:

   (1) The shared secret is wrong
   (2) The code is buggy
 
   There are no alternatives.
 
   This is often due to broken MD5 libraries, or 32/64-bit issues.  But
 FreeRADIUS hasn't had those kind of bugs for *years*.

I suspect you may well be right.

Upgrading FC6 hasn't made a difference.

Time to reformat and reinstall from scratch I suppose :-(


Re: Shared secret is incorrect - but it is identical!

2007-07-04 Thread ken
Josh Howlett wrote:

 What happens if, using radtest, you specify the username *without* the
 realm from the remote machine?

It fails just the same way

It fails whether user is in /etc/passwd or /etc/raddb/users

It fails whether Auth := local is in there or not

It fails whether I check for User-password or Cleartext-password


=
rad_recv: Access-Request packet from host nnn.nnn.nnn.nnn:32773, 
id=209, length=58
 User-Name = username
 User-Password = \356za\360V\202oljug\263\025M!)
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 212
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 35
   modcall[authorize]: module preprocess returns ok for request 35
radius_xlat: 
'/var/log/radius/radacct/nnn.nnn.nnn.nnn/auth-detail-20070704'
rlm_detail: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/var/log/radius/radacct/nnn.nnn.nnn.nnn/auth-detail-20070704
   modcall[authorize]: module auth_log returns ok for request 35
   modcall[authorize]: module chap returns noop for request 35
   modcall[authorize]: module mschap returns noop for request 35
 rlm_realm: No '@' in User-Name = username, looking up 
realm NULL
 rlm_realm: Found realm NULL
 rlm_realm: Adding Stripped-User-Name = username
 rlm_realm: Proxying request from user username to realm NULL
 rlm_realm: Adding Realm = NULL
 rlm_realm: Authentication realm is LOCAL.
   modcall[authorize]: module suffix returns noop for request 35
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 35
 users: Matched entry DEFAULT at line 20
   modcall[authorize]: module files returns ok for request 35
rlm_pap: WARNING! No known good password found for the user. 
Authentication may fail because of this.
   modcall[authorize]: module pap returns noop for request 35
modcall: leaving group authorize (returns ok) for request 35
   rad_check_password:  Found Auth-Type System
auth: type System
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 35
   modcall[authenticate]: module unix returns notfound for 
request 35
modcall: leaving group authenticate (returns notfound) for 
request 35
auth: Failed to validate the user.
   WARNING: Unprintable characters in the password. ? 
Double-check the shared secret on the server and the NAS!
=

If I try another user with no Auth := local  in the user 
definition, just the  username and User-password,  it is much 
the same until:

=
   modcall[authorize]: module suffix returns noop for request 37
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 37
 users: Matched entry username at line 6
   modcall[authorize]: module files returns ok for request 37
   modcall[authorize]: module pap returns updated for request 37
modcall: leaving group authorize (returns updated) for request 37
   rad_check_password:  Found Auth-Type pap
auth: type PAP
   Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 37
rlm_pap: login attempt with password pÌ?¶ákýÌ2p?c?¡MS
rlm_pap: Using clear text password NoAuthpwd1.
rlm_pap: Passwords don't match
   modcall[authenticate]: module pap returns reject for request 37
modcall: leaving group PAP (returns reject) for request 37
auth: Failed to validate the user.
   WARNING: Unprintable characters in the password. ? 
Double-check the shared secret on the server and the NAS!
=
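
Both symptoms in this thread, the unreadable User-Password on the server and the "invalid signature" on the client, come from MD5 computations keyed with the shared secret as defined in RFC 2865. The sketch below is an added example, not part of the original posts and not FreeRADIUS code; the function names, the secrets and the fixed Request Authenticator are constructed for illustration.

```python
import hashlib
import hmac
import struct


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # the next mask chains on the ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. A wrong secret gives a wrong mask, so garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_reply(code: int, ident: int, request_auth: bytes,
                secret: bytes, attrs: bytes = b"") -> bytes:
    """Reply whose authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the client checks before trusting an Access-Accept or Access-Reject."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def exchange(client_secret: bytes, server_secret: bytes,
             password: bytes = b"password") -> dict:
    """One PAP round trip with possibly different secrets on each side."""
    request_auth = bytes(range(16))  # constructed; real clients use random bytes
    hidden = hide_password(password, client_secret, request_auth)
    seen = reveal_password(hidden, server_secret, request_auth)
    code = 2 if seen == password else 3  # 2 = Access-Accept, 3 = Access-Reject
    reply = build_reply(code, 121, request_auth, server_secret)
    return {
        "server_sees": seen,
        "reply_code": code,
        "reply_len": len(reply),
        "client_accepts_signature": verify_reply(reply, request_auth, client_secret),
    }


if __name__ == "__main__":
    print("matching secrets :", exchange(b"sharedsecret", b"sharedsecret"))
    # Constructed mismatch: a stray trailing newline in one copy of the secret.
    print("mismatched secret:", exchange(b"sharedsecret", b"sharedsecret\n"))
```

With matching secrets the server recovers the password and the client accepts the 20-byte reply; with a one-byte difference the server sees unrelated bytes and the client rejects the reply's authenticator.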




Re: Shared secret is incorrect - but it is identical!

2007-07-04 Thread ken
Edvin Seferovic wrote:

 Does this have anything to do with the authentication method and AD ? I
 don't think so.

Neither do I!  We're not looking at AD yet. A colleague of mine 
tried to set it up for JRS by roughly copying someone else's 
configuration. It failed. So I reinstalled FreeRadius and samba 
from scratch and started again; re-introducing changes one at a 
time.

I can make ntlm_auth work from command line but not from 
FreeRadius yet - so I dropped it and am trying to ensure I can 
run a minimal test.


 Ken are you using 64bit OS maybe? I had the same problem ( shared secret was
 incorrect ) due a broken library on 64bit version of SuSE 9.1.

Er, I don't think so!  Well, I hope not!

(wondering how to tell for sure...)

# uname -a
Linux ficus.ccs.bbk.ac.uk 2.6.20-1.2962.fc6 #1 SMP Tue Jun 19 
18:24:12 EDT 2007 i686 i686 i386 GNU/Linux
#
# getconf LONG_BIT
32
#
# getconf WORD_BIT
32
#
#  file /usr/local/bin/radclient
/usr/local/bin/radclient: ELF 32-bit LSB executable, Intel 
80386, version 1 (SYSV), dynamically linked (uses shared libs), 
for GNU/Linux 2.6.9, stripped
#
#
# cat /proc/cpuinfo
processor   : 3
vendor_id   : GenuineIntel
cpu family  : 15
model   : 4
model name  : Intel(R) Xeon(TM) CPU 3.00GHz
stepping: 10
cpu MHz : 3000.487
cache size  : 2048 KB
physical id : 3
siblings: 2
core id : 0
cpu cores   : 1
fdiv_bug: no
hlt_bug : no
f00f_bug: no
coma_bug: no
fpu : yes
fpu_exception   : yes
cpuid level : 5
wp  : yes
flags   : fpu vme de pse tsc msr pae mce cx8 apic mtrr 
pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht 
tm pbe lm constant_tsc pni monitor ds_cpl cid cx16 xtpr lahf_lm
bogomips: 5999.40
clflush size: 64



Shared secret is incorrect - but it is identical!

2007-07-03 Thread ken
I'm trying to get FreeRadius working on a Fedora Core 6 server 
with a view to eventually using it to authenticate against 
Windows Active Directory via ntlm_auth for the Janet Roaming 
Service. The first attempts at configuring it failed rather 
drastically so I went back to the beginning and I'm doing things 
one step at a time, making one-line changes to configs then 
using radtest and/or radclient to ensure it still works. I can 
now authenticate a user defined in users file, or in the Unix 
passwd file, from radtest on local machine. (i.e. the same one 
the server is running on). Next step is to check that I can use 
FreeRadius over the network by trying radclient on another machine.

It doesn't work from the networked machine. I see the "invalid 
signature (err=2)!  (Shared secret is incorrect.)" message.

Debug log says to double check the shared secret on the 
server. I have more than double checked it. I'm using the same 
shared secret on both machines.  I know the shared secret is 
correct because it works from the local machine.  But obviously 
it isn't! Because the encrypted password can't be read on the 
server. What can I do to make sure the shared secret truly is 
correct?

The definitions for both hosts are identical in the clients.conf 
file. At one point I  manually edited them to swap the names of 
servers while leaving the secrets the same, just in case there 
was some hidden unprintable character - but the new local one 
still worked, proving that the two entries in the clients.conf 
file are in fact identical.

The shared secrets used in the radtest command are identical. 
I'm cutting and pasting the *same* radtest command in, not 
retyping it.

To test for sure I put radclient commands in scripts on the 
remote machine, where they failed. Then I ftped them from the 
machine they failed on to the other one - where they worked! So 
it *has* to be the same!  And if I alter it in any way there 
then radtest fails so it's not getting a free passage just 
because it's local.

I have a horrid fear I've missed something totally obvious about 
how radclient works and that I'm doing something really really 
stupid stupid - but I can't see what. And I've been stuck here 
for over a week now. Any clues?

 From the local machine I get:

===
[EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb 
[EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
Sending Access-Request of id 121 to server.IP.addr port 1812
 User-Name = [EMAIL PROTECTED]
 User-Password = password
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 122
rad_recv: Access-Accept packet from host server.IP.addr:1812, 
id=121, length=20
===

But when I try from the remote machine I get:

===
  /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] 
password server.IP.addr 122 sharedsecret
Sending Access-Request of id 184 to server.IP.addr port 1812
 User-Name = [EMAIL PROTECTED]
 User-Password = password
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 122
rad_recv: Access-Reject packet from host server.IP.addr:1812, 
id=184, length=20
rad_verify: Received Access-Reject packet from client 
server.IP.addr port 1812 with invalid signature (err=2)! 
(Shared secret is incorrect.)
[EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb 
[EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
Sending Access-Request of id 246 to server.IP.addr port 1812
 User-Name = [EMAIL PROTECTED]
 User-Password = password
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 122
rad_recv: Access-Reject packet from host server.IP.addr:1812, 
id=246, length=20
rad_verify: Received Access-Reject packet from client 
server.IP.addr port 1812 with invalid signature (err=2)! 
(Shared secret is incorrect.)
[EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb 
[EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
Sending Access-Request of id 7 to server.IP.addr port 1812
 User-Name = [EMAIL PROTECTED]
 User-Password = password
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 122
rad_recv: Access-Reject packet from host server.IP.addr:1812, 
id=7, length=20
rad_verify: Received Access-Reject packet from client 
server.IP.addr port 1812 with invalid signature (err=2)! 
(Shared secret is incorrect.)
==


I strongly suspect that I am doing something stupid on the 
client side, because the same request works from the local 
server. But just in case it's relevant, on the server in debug 
mode the failed transaction looks like this:


==
rad_recv: Access-Request packet from host client.IP.addr:32772, 
id=61, length=68
 User-Name = [EMAIL PROTECTED]
 User-Password = 
V\303\245\321\364Fb\334\373\275\242\203\\o6\264
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 122
   Processing the authorize section of radiusd.conf
modcall: 
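
Added example, not part of the original post or of FreeRADIUS: a minimal Python model of the two places the shared secret enters a RADIUS exchange (User-Password hiding and the Response Authenticator, RFC 2865), showing why one radtest command line can pass from one host and produce "invalid signature" from another, since the server selects the secret by the packet's source address. The client table, addresses, account and fixed Request Authenticator are constructed assumptions.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

# Constructed server-side client table (assumption for this example). The
# server picks the secret by the source address of the request packet.
CLIENTS = {
    "127.0.0.1": b"sharedsecret",
    "192.0.2.10": b"sharedsecret",
    "192.0.2.99": b"othersecret",  # a different entry, matched by address
}
USERS = {b"user@example.org": b"password"}  # constructed account
REQUEST_AUTH = bytes(range(16))  # fixed for repeatability; random on the wire


def _xor_chain(data, secret, request_auth, hiding):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, mask))
        out += mixed
        prev = mixed if hiding else block  # always chain on the ciphertext
    return out


def hide_password(password, secret, request_auth):
    """What the client puts in User-Password."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, request_auth, hiding=True)


def reveal_password(hidden, secret, request_auth):
    """What the server recovers; garbage if its secret differs."""
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def sign_reply(code, ident, attrs, request_auth, secret):
    """Reply = header + MD5(header + RequestAuth + attrs + secret) + attrs."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def verify_reply(packet, request_auth, secret):
    """The client-side check that fails with 'invalid signature'."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def server_handle(src_ip, ident, user, hidden, request_auth):
    secret = CLIENTS[src_ip]  # keyed by source address only
    seen = reveal_password(hidden, secret, request_auth)
    code = ACCESS_ACCEPT if USERS.get(user) == seen else ACCESS_REJECT
    return seen, sign_reply(code, ident, b"", request_auth, secret)


def radtest_from(src_ip, client_secret, user=b"user@example.org",
                 password=b"password"):
    """Send the same request as seen from a given source address."""
    hidden = hide_password(password, client_secret, REQUEST_AUTH)
    seen, reply = server_handle(src_ip, 121, user, hidden, REQUEST_AUTH)
    return {
        "server_saw": seen,
        "reply_code": reply[0],
        "reply_length": len(reply),
        "signature_ok": verify_reply(reply, REQUEST_AUTH, client_secret),
    }


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.0.2.99"):
        print(ip, radtest_from(ip, b"sharedsecret"))
```

When the secrets differ, both symptoms appear together: the server logs an unreadable User-Password and the client rejects the reply's authenticator.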

More on double free or corruption errors

2007-04-24 Thread ken
I strongly suspect it's a Fedora problem, not a Freeradius 
problem. (Or else I made a boo-boo configuring the OS)

Alan DeKok replied to matthew zeier:

   Let me clear: I cannot reproduce this problem here.
   No one else has
  seen the same problem.

May or may not be relevant, but I've got two supposedly 
identical Fedora 6 machines, one gets a similar error, the other 
doesn't!

Both upgraded with yum to current level, followed by manual 
install and configure of Freeradius 1.1.5 - I cut and pasted the 
commands from one machine to the other and I FTPed the files 
including ones I modified. (And the one it works on is the 
SECOND one I installed, so it's not a failure to copy correctly!)

I think there must be some difference in my 
/usr/local/lib/libltdl.so.3.1.4 - they are slightly different 
sizes. I have no idea why, I used the same commands to install 
both systems. I will compare them.

Just in case it means anything to anyone I attach the command 
output, but as I said my guess is it's a Fedora problem

[EMAIL PROTECTED] raddb]# radiusd -v
radiusd: FreeRADIUS Version 1.1.5, for host i686-pc-linux-gnu, 
built on Mar  9 2007 at 13:16:16
Copyright (C) 2000-2006 The FreeRADIUS server project.

[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
  main: prefix = /usr/local
  main: localstatedir = /usr/local/var
  main: logdir = /usr/local/var/log/radius
  main: libdir = /usr/local/lib
  main: radacctdir = /usr/local/var/log/radius/radacct
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = /usr/local/var/log/radius/radius.log
  main: log_auth = no
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
  main: user = (null)
  main: group = (null)
  main: usercollide = no
  main: lower_user = no
  main: lower_pass = no
  main: nospace_user = no
  main: nospace_pass = no
  main: checkrad = /usr/local/sbin/checkrad
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = no
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
--More--*** glibc detected *** radiusd: double free or 
corruption (fasttop): 0x81029498 ***
=== Backtrace: =
/lib/libc.so.6[0x24b09d]
/lib/libc.so.6(cfree+0x90)[0x24e6f0]
/usr/local/lib/libltdl.so.3[0x14151b]
/usr/local/lib/libltdl.so.3(lt_dlopenext+0xbe)[0x141eae]
radiusd(find_module_instance+0x317)[0x8000cbb7]
radiusd(setup_modules+0x1d8)[0x8000d168]
radiusd(main+0x45c)[0x8001079c]
/lib/libc.so.6(__libc_start_main+0xdc)[0x1faf2c]
radiusd[0x80004771]

Compile error -- HELP

2007-02-27 Thread ken
I am trying to install freeradius 1.1.4 on solaris 10 using the following 
commands.


../configure --without-rlm-x99-token

configure creates the Makefile


I then run make and get the following error:

gcc -shared -Wl,-h 
-Wl,libradius-1.1.4.so -o .libs/libradius-1.1.4.so  .libs/crypt.o 
.libs/dict.o .libs/filters.o .libs/hash.o .libs/hmac.o .libs/hmacsha1.o 
.libs/isaac.o .libs/log.o .libs/misc.o .libs/missing.o .libs/md4.o 
.libs/md5.o .libs/print.o .libs/radius.o .libs/rbtree.o .libs/sha1.o 
.libs/snprintf.o .libs/token.o .libs/udpfromto.o .libs/valuepair.o  -lcrypt 
-lc

(cd .libs && rm -f libradius.so && ln -s libradius-1.1.4.so libradius.so)
false cru .libs/libradius.a  crypt.o dict.o filters.o hash.o hmac.o 
hmacsha1.o isaac.o log.o misc.o missing.o md4.o md5.o print.o radius.o 
rbtree.o sha1.o snprintf.o token.o udpfromto.o valuepair.o

make[4]: *** [libradius.la] Error 1
make[4]: Leaving directory `/export/home/freeradius-1.1.4/src/lib'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/export/home/freeradius-1.1.4/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/export/home/freeradius-1.1.4/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/export/home/freeradius-1.1.4'
make: *** [all] Error 2


Thanks


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: mod_auth_radius values

2005-08-18 Thread Ken A

Try the environment variable REMOTE_USER

 #!/usr/bin/perl
 # Dump every CGI environment variable; REMOTE_USER holds the authenticated username.
 print "Content-type: text/html\n\n";
 foreach $key (keys %ENV) {
  print "$key -- $ENV{$key}<br>";
 }

Ken


Alan DeKok wrote:

> Ayres G.J. [EMAIL PROTECTED] wrote:
>
>> I am developing a web system that authenticates users to a web site
>> through free radius using the mod_auth_radius module for apache. It all
>> works fine, but I would like to get the username of the user that has
>> authenticated for use on pages once they have authenticated.
>
>   It's in the HTTP headers.  The username & password are sent in every
> request.
>
>> I am not sure how to go about this. I guess that the values are set in a
>> cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
>> could retrieve the values, either through HTML or PHP?
>
>   Not HTML.  Maybe PHP, if it allows you to get HTTP headers.  See the
> module source code for where the headers are, and the PHP docs for how
> to get at them.
>
>   Alan DeKok.


Re: mod_auth_radius values

2005-08-18 Thread Ken A
Or even easier, if apache is set up for SSI, you can just plunk this into 
your web page where you want the authenticated username:


<!--#echo var="REMOTE_USER" -->

Ken


Alan DeKok wrote:

> Ayres G.J. [EMAIL PROTECTED] wrote:
>
>> I am developing a web system that authenticates users to a web site
>> through free radius using the mod_auth_radius module for apache. It all
>> works fine, but I would like to get the username of the user that has
>> authenticated for use on pages once they have authenticated.
>
>   It's in the HTTP headers.  The username & password are sent in every
> request.
>
>> I am not sure how to go about this. I guess that the values are set in a
>> cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
>> could retrieve the values, either through HTML or PHP?
>
>   Not HTML.  Maybe PHP, if it allows you to get HTTP headers.  See the
> module source code for where the headers are, and the PHP docs for how
> to get at them.
>
>   Alan DeKok.


Config problem: ntlm_auth works outside of freeradius, but not in

2005-07-19 Thread Ken George








The ntlm_auth command works from the command line, but not within
freeradius (1.0.1) on RHEL 3.0 update 4.

Below is my ntlm_auth command from within radiusd.conf and the debug
output and the successful command line run of the ntlm_auth program.

Where do I look for what I have misconfigured? I'm happy that I
configured the client section correctly and my 3005 is now talking to
freeradius, but I'll be happier when it can actually authorize.

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
}



Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
 User-Name = ken george
 User-Password = 262144
 Vendor-3076-Attr-32 = 0x0015
 NAS-IP-Address = 10.10.61.5
 NAS-Port-Type = Virtual
rad_lowerpair: User-Name now 'ken george'
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = ken george, looking up realm NULL
 rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 1
 rlm_realm: No '\' in User-Name = ken george, looking up realm NULL
 rlm_realm: No such realm NULL
 modcall[authorize]: module ntdomain returns noop for request 1
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 1
 users: Matched DEFAULT at 204
 modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns ok for request 1
 rad_check_password: Found Auth-Type win_domain
auth: type win_domain
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
radius_xlat: '/usr/bin/ntlm_auth --username=ken george --password=xx --domain=usmisgnet'
Exec-Program: /usr/bin/ntlm_auth --username=ken george --password= xx --domain=usmisgnet
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
rlm_exec (win_domain): External script failed
 modcall[authenticate]: module win_domain returns fail for request 1
modcall: group Auth-Type returns fail for request 1
auth: Failed to validate the user.
Login incorrect: [ken george] (from client VPN3005_Pri port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.10.61.5:1045, id=2, length=74
Sending Access-Reject of id 2 to 10.10.61.5:1045
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 2 with timestamp 42dd17f4
Nothing to do. Sleeping until we see a request.





[EMAIL PROTECTED] raddb]# /usr/bin/ntlm_auth --username=ken george --password= xx --domain=usmisgnet
NT_STATUS_OK: Success (0x0)

Thanks!

Ken George
Systems and Network Engineering
Mi Services Group, Inc.
+1 610-230-2500 x129









need help configuring ntlm_auth w/ freeradius 1.0.1

2005-07-12 Thread Ken George

Alan as you suggested (thanks) I have commented out LDAP and I am now
attempting to authenticate via ntlm_auth.  I've configured and started
Samba and winbindd.

I can authenticate via ntlm_auth outside of Freeradius, but not with it.

I KNOW THE PROBLEM IS WITH MY CONFIGURATION AND NOT FREERADIUS!

I'd appreciate help in locating / understanding what I have
misconfigured?

Also, my final goal is to authenticate clients to a Cisco Aironet 1200
via our Windows 2003 Active Directory usernames and passwords. Is
ntlm_auth the correct method to use?

[EMAIL PROTECTED] raddb]# ntlm_auth --username=test ops
--password=xx --domain=usmisgnet --request-NT-key
NT_STATUS_OK: Success (0x0)

Below are the ntlm_auth section of radiusd.conf and the radtest string
used and the debug output from the other window.

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
}

radtest test ops xx localhost 0 testing123

radiusd -xxyz -l stdout
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf

[NORMAL OUTPUT SUPPRESSED]
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32784, id=232,
length=60
--- Walking the entire request list ---
Waking up in 31 seconds...
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
Threads: total/active/spare threads = 5/0/5
User-Name = test ops
User-Password = m1sg0ps
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_lowerpair:  User-Name now 'test ops'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test ops, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
rlm_realm: No '\' in User-Name = test ops, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module ntdomain returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
  modcall[authorize]: module files returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [test ops] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:32784, id=232,
length=60
Sending Access-Reject of id 232 to 127.0.0.1:32784
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 232 with timestamp 42d3e0ec
Nothing to do.  Sleeping until we see a request.




Ken George
Systems and Network Engineering
Mi Services Group, Inc.   
+1 610-230-2500 x129  





Need help installing 1.0.4 on RHEL update 4

2005-07-08 Thread Ken George
#include snmp.h
#include snmp_impl.h
int main() {
 int a = 1;
; return 0; }
configure:8649: checking gethostbyaddr_r() syntax
configure:8672: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE
-DNDEBUG   conftest.c -lnsl -lresolv  -lpthread -lcrypto -lssl 15
configure:8754: checking gethostbyname_r() syntax
configure:8766: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE
-DNDEBUG   conftest.c -lnsl -lresolv  -lpthread -lcrypto -lssl 15
configure:8847: checking ctime_r() syntax
configure:8858: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE
-DNDEBUG   conftest.c -lnsl -lresolv  -lpthread -lcrypto -lssl 15
configure: In function `main':
configure:8854: too many arguments to function `ctime_r'
configure: failed program was:
#line 8849 configure
#include confdefs.h

#include time.h

int main() {
 ctime_r(NULL, NULL, 0) 
; return 0; }
configure:8883: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE
-DNDEBUG   conftest.c -lnsl -lresolv  -lpthread -lcrypto -lssl 15



Ken George
Systems and Network Engineering
Mi Services Group, Inc.   
+1 610-230-2500 x129  





Authenticating to a Windows 2003 active directory

2005-07-08 Thread Ken George
Does anyone have a working radiusd.conf and users file I could see as I
have been unsuccessful configuring
Freeradius 1.0.1 to talk to my Active Directory.

When I try to test with radtest I get the following:


[EMAIL PROTECTED] freeradius-1.0.4]# radtest ken george xx
localhost 1 testing123
Sending Access-Request of id 105 to 127.0.0.1:1812
User-Name = ken george
User-Password = xx
NAS-IP-Address = phllnxsrv01
NAS-Port = 1
Re-sending Access-Request of id 105 to 127.0.0.1:1812
User-Name = ken george
User-Password = \030\035`\222\375Q\267\301\357\270O\352\335Kj3
NAS-IP-Address = phllnxsrv01
NAS-Port = 1
Re-sending Access-Request of id 105 to 127.0.0.1:1812
User-Name = ken george
User-Password = \030\035`\222\375Q\267\301\357\270O\352\335Kj3
NAS-IP-Address = phllnxsrv01
NAS-Port = 1

Is my radtest string correct?

Excerpts from radiusd.conf and users follow:

Radiusd.conf


# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication (Auth-Type := LDAP)
#
#  See doc/rlm_ldap for description of configuration options
#  and sample authorize{} and authenticate{} blocks
ldap {
    server = phldcsrv01.us.mi-services.net
    identity = cn=ken george,o=US Users,c=us.mi-services.net
    password = 262144
    basedn = o=phldcsrv01,c=us.mi-services.net
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    # base_filter = (objectclass=radiusprofile)

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    # The StartTLS operation is supposed to be used with normal
    # ldap connections instead of using ldaps (port 689) connections
    start_tls = no

    # tls_cacertfile= /path/to/cacert.pem
    # tls_cacertdir = /path/to/ca/dir/
    # tls_certfile  = /path/to/radius.crt
    # tls_keyfile   = /path/to/radius.key
    # tls_randfile  = /path/to/rnd
    # tls_require_cert  = demand

    # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
    # profile_attribute = radiusProfileDn
    access_attr = dialupAccess

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    ldap_connections_number = 5

    #
    # NOTICE: The password_header directive is NOT case insensitive
    #
    # password_header = {clear}
    #
    #  The server can usually figure this out on its own, and pull
    #  the correct User-Password or NT-Password from the database.
    #
    #  Note that NT-Passwords MUST be stored as a 32-digit hex
    #  string, and MUST start off with 0x, such as:
    #
    #   0x000102030405060708090a0b0c0d0e0f
    #
    #  Without the leading 0x, NT-Passwords will not work.
    #  This goes for NT-Passwords stored in SQL, too.
    #
    # password_attribute = userPassword
    # groupname_attribute = cn
    # groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
    # groupmembership_attribute = radiusGroupName
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # do_xlat = yes
    # access_attr_used_for_allow = yes
}

(output suppressed)

authorize {
    #
    #  The preprocess module takes care of sanitizing some bizarre
    #  attributes in the request, and turning them into attributes
    #  which are more standard.
    #
    #  It takes care of processing the 'raddb/hints' and the
    #  'raddb/huntgroups' files.
    #
    #  It also adds the %{Client-IP-Address} attribute to the request.
    preprocess

    #
    #  If you want to have a log of authentication requests,
    #  un-comment the following line, and the 'detail auth_log'
    #  section, above.
    #   auth_log

    #   attr_filter

    #
    #  The chap module will set 'Auth-Type := CHAP' if we are
    #  handling a CHAP request and Auth-Type has not already been set
    chap

    #
    #  If the users are logging in with an MS-CHAP-Challenge
    #  attribute

radiusd sending output to stdout without -X flag

2005-06-20 Thread Ken Tyler








Hi all,

I have downloaded, compiled, configured the latest CVS snapshot and it
works fine. I have a question, the server is logging to stdout no matter
what I do. I am not running with X flag. Any ideas? I have config setup
to log to syslog, tried file also, no luck.

Ken









Re: pppoe-server and Framed-Route

2005-04-06 Thread Ken A
We've added framed routes with freeradius like so:

Framed-IP-Address = x.x.x.1,
Framed-Route += x.x.x.2/32 x.x.x.1 1,
Framed-Route += x.x.x.2/32 x.x.x.1 2,
Framed-Route += x.x.x.2/32 x.x.x.1 3,

or

Framed-IP-Address = x.x.x.1,
Framed-Route = x.x.x.x/30 x.x.x.1 1

This is using pppoe, but with redback as terminal server for dsl, so 
it's a bit different than what you are doing.

Ken

Alan DeKok wrote:
> George Chelidze [EMAIL PROTECTED] wrote:
>> I'd like to add a route to my ppp server box so I add Framed-Route to 
>> reply items. All attributes are passed back to pppd as it creates 
>> /var/run/radattr.pppX which contains all attributes but route is not 
>> added to the system. I understand it's not radius question but it's at 
>> least related and maybe someone has seen this before and solved it.
>
>   It's a problem with PPPoE.
>
>   Alan DeKok.


Re: Dynamic IP Allocation for multiple Radius Servers

2005-02-10 Thread Ken Doyle
Hi guys

I've been playing with Ruslan's patched rlm_sqlippool module
(http://www.onlinebilling.ru/freeradius/rlm_sqlippool.tar.gz), but
I've been unable to get it to compile at all. I'm using Debian Sarge
(testing), and the freeradius 1.0.1 source. It's been at least seven
years since I've debugged any C at all and everything I've tried so far
has led to a dead end. I'm pretty sure I'm missing something, but I
can't figure out what's actually wrong.

If anyone has compiled this on Debian or has any ideas, I'd be
extremely grateful for any help. If I can't get this module, or the
older version of this module working properly (I haven't yet been able
to get multiple ip pools working for the default user with the
unpatched rlm_sqlippool module), I'm going to have to abandon
Freeradius.

Ken.
(Thanks to Alan and Ruslan for their time and help).

This is what happens:

Making static dynamic in rlm_sqlippool...
make[6]: Entering directory `/root/freeradius-1.0.1/src/modules/rlm_sqlippool'
gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual
-Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
-I../../include  -c rlm_sqlippool.c -o rlm_sqlippool.o
In file included from rlm_sqlippool.c:24:
rlm_sql.h:46: error: parse error before SQL_CONFIG
rlm_sql.h:46: warning: function declaration isn't a prototype
rlm_sql.h:47: error: parse error before SQL_CONFIG
rlm_sql.h:47: warning: function declaration isn't a prototype
rlm_sql.h:48: error: parse error before SQL_CONFIG
rlm_sql.h:48: warning: function declaration isn't a prototype
rlm_sql.h:49: error: parse error before SQL_CONFIG
rlm_sql.h:49: warning: function declaration isn't a prototype
rlm_sql.h:50: error: parse error before SQL_CONFIG
rlm_sql.h:50: warning: function declaration isn't a prototype
rlm_sql.h:51: error: parse error before SQL_CONFIG
rlm_sql.h:51: warning: function declaration isn't a prototype
rlm_sql.h:52: error: parse error before SQL_CONFIG
rlm_sql.h:52: warning: function declaration isn't a prototype
rlm_sql.h:53: error: parse error before SQL_CONFIG
rlm_sql.h:53: warning: function declaration isn't a prototype
rlm_sql.h:54: error: parse error before SQL_CONFIG
rlm_sql.h:54: warning: function declaration isn't a prototype
rlm_sql.h:55: error: parse error before SQL_CONFIG
rlm_sql.h:55: warning: function declaration isn't a prototype
rlm_sql.h:56: error: parse error before SQL_CONFIG
rlm_sql.h:56: warning: function declaration isn't a prototype
rlm_sql.h:57: error: parse error before SQL_CONFIG
rlm_sql.h:57: warning: function declaration isn't a prototype
rlm_sql.h:58: error: parse error before SQL_CONFIG
rlm_sql.h:58: warning: function declaration isn't a prototype
rlm_sql.h:59: error: parse error before SQL_CONFIG
rlm_sql.h:59: warning: function declaration isn't a prototype
rlm_sql.h:66: error: parse error before SQL_CONFIG
rlm_sql.h:66: warning: no semicolon at end of struct or union
rlm_sql.h:70: error: parse error before '}' token

... etc, and then ends:

rlm_sqlippool.c:1038: error: `data' undeclared (first use in this function)
rlm_sqlippool.c:1038: error: parse error before ')' token
rlm_sqlippool.c: In function `sqlippool_detach':
rlm_sqlippool.c:1115: error: `data' undeclared (first use in this function)
rlm_sqlippool.c:1115: error: parse error before ')' token
rlm_sqlippool.c:1113: warning: unused parameter `instance'
make[6]: *** [rlm_sqlippool.o] Error 1



Dynamic IP Allocation for multiple Radius Servers

2005-02-07 Thread Ken Doyle
Hi,

I've been working on building and configuring a cluster which will,
amongst other things, run Freeradius (I hope).

Currently everything is okay, but now I appear to be stuck. At the
moment I'm dynamically allocating IPs using the IPPool module, which
is working fine on a single server. Unfortunately the rest of the
cluster needs to know which IPs have been assigned.

The running system: Debian Sarge (up to date), Openldap (which is
being used for authorisation and authentication), FreeRADIUS 1.0.1.
Accounting is being handled by MySQL which is not currently on the
cluster.

If the IPPool module could talk to MySQL I wouldn't have a problem.
I'm thinking of nfs mounting the database files required for the
various pools, but I don't think that's very practical.

Does anyone have any advice or ideas? At this point I'm basically
burnt out, and any help would be greatly appreciated, even if it's
just a link to something I've missed in google.

Thank you for your time,

Ken.



Re: Dynamic IP Allocation for multiple Radius Servers

2005-02-07 Thread Ken Doyle
Alan DeKok [EMAIL PROTECTED] wrote:
> Ken Doyle [EMAIL PROTECTED] wrote:
> > If the IPPool module could talk to MySQL I wouldn't have a problem.
> > I'm thinking of nfs mounting the database files required for the
> > various pools, but I don't think that's very practical.
>
>   There was an rlm_sqlippool a while ago...
>
> ftp://rd.ranetka.ru/pub/sql-ip-pool/rlm_sqlippool.tar.gz
>
>   That might work.
>
>   Alan DeKok.

Thanks for the help Alan, however rd.ranetka.ru does not seem to
resolve, and the one other link to this module that I could find
(ftp://lopez.globe.net.nz/Linux/freeradius/rlm_sqlippool.tar.gz) does
not resolve either. Given that I missed turning up this module in my
initial searching, I'm hoping there is another link to this module
somewhere. I'll keep looking, but this project needs to go into
production soon, and any help would be appreciated, even if it's just
a local copy you have lying around.

Thanks again for your help,

Ken.



Re: Dynamic IP Allocation for multiple Radius Servers

2005-02-07 Thread Ken Doyle
Alan DeKok [EMAIL PROTECTED] wrote:
> http://www.striker.ottawa.on.ca/~aland/rlm_sqlippool.tar.gz
>
> It may not be there for long, though.
>
> Alan DeKok.

Thanks Alan, greatly appreciated. It downloaded and extracted fine.
I'll go off and tinker with it now. Hopefully that's the last hurdle
out of the way.

Ken.



Cisco wireless access point 1231 w/ Freeradius

2004-10-05 Thread Ken Long
Hello.

I am trying to set up a freeradius server to authenticate MAC addresses
for my cisco wireless access points.  The access point I want it to work
with is a Cisco 1231.

Now, I set up freeradius and I have an SMC access point (SMC 2552) that
it works just fine with.  Authenticates just like it's supposed to.  I
ran freeradius with the -X parameter and watched everything go by.  No
problems.

So then, I configured the Cisco device.  It took a while, but I finally
got the Cisco device to talk to freeradius.  It queries freeradius and
freeradius gives the EXACT same response that the SMC AP gets and uses,
but the Cisco seems to completely ignore it.  It makes multiple
duplicate requests.

I looked on the FAQ page and saw the entry about duplicate tries, so I
tried starting with the -i option, but that made no difference.  I've
been googling all over the net all day and can't figure out what I'm
missing.  I'm hoping it's something really silly and easy, like some
special parameter you need to work with a Cisco device.  

Does anyone have any ideas?  If you need more details on versions and
things, I can post them up.  I'm just hoping this is going to be one of
those duh moments with an easy answer, though.  :)

If anyone has any ideas, I'd love to hear them.

Thanks!

-Ken




Re: mysql accounting

2004-07-29 Thread Ken A

Kostas Kalevras wrote:
On Wed, 28 Jul 2004, Ken A wrote:

Edgars wrote:
i am writing my own program to get them in human-readable form:)
Edgars

Yep. I made some changes that make it easier for me to start from
scratch with a language I'm more familiar with (perl) than to modify
dialupadmin to do what I want, especially since I'm not very good with
php, and there are many things in dialupadmin I would want to change.

What do you mean by that?
Sorry, that wasn't meant to suggest that there's anything wrong with 
dialupadmin. It's just overkill here. I don't do php, and my application 
is for support people who don't need much of the functionality of 
dialupadmin. I just need to lookup radacct records by UserName or IP, 
and display the accounting records for that user or ip, and be able to 
sort on any column quickly. ~150 lines of perl did it.
Ken A


I added a couple of columns to the radacct table, so my records include
several Ascend attributes not in the standard table:
(Ascend-Disconnect-Cause, Ascend-XmitRate, Ascend-DataRate).
And, I was getting duplicate STOP records in the radacct table, so I
also put a unique index on (sessionid,username,nasipaddress) and changed
the INSERT STOP record in sql.conf to a REPLACE INTO instead of
INSERT INTO and that seems to have resolved the problem.
Ken A

Ken A wrote:

Those of you that use mysql with freeradius, can anyone recommend some
software for linux to process mysql radacct table logs?
Do you just roll your own scripts to query the logs and make reports?
Seems simple enough, but what are others doing? is always a good
question :-)
Thanks,
Ken A


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: mysql accounting

2004-07-28 Thread Ken A

Edgars wrote:
i am writing my own program to get them in human-readable form:)
Edgars

Yep. I made some changes that make it easier for me to start from 
scratch with a language I'm more familiar with (perl) than to modify 
dialupadmin to do what I want, especially since I'm not very good with 
php, and there are many things in dialupadmin I would want to change.

I added a couple of columns to the radacct table, so my records include 
several Ascend attributes not in the standard table: 
(Ascend-Disconnect-Cause, Ascend-XmitRate, Ascend-DataRate).

And, I was getting duplicate STOP records in the radacct table, so I 
also put a unique index on (sessionid,username,nasipaddress) and changed 
the INSERT STOP record in sql.conf to a REPLACE INTO instead of 
INSERT INTO and that seems to have resolved the problem.

Ken A

Ken A wrote:
Those of you that use mysql with freeradius, can anyone recommend some 
software for linux to process mysql radacct table logs?
Do you just roll your own scripts to query the logs and make reports?
Seems simple enough, but what are others doing? is always a good 
question :-)

Thanks,
Ken A
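
The duplicate-STOP fix described in this post, as an added example that is not part of the original post or of FreeRADIUS. SQLite (through Python's sqlite3) stands in for MySQL, the table is a cut-down radacct whose columns other than the three indexed ones are assumptions, and the STOP record is constructed; the last function shows that REPLACE INTO deletes the matching row before inserting, so any column the statement does not set is lost.

```python
import sqlite3

# Constructed, simplified radacct table. The three key columns use the names
# from the post's index; the remaining columns are assumptions for the demo.
SCHEMA = """
CREATE TABLE radacct (
    sessionid        TEXT NOT NULL,
    username         TEXT NOT NULL,
    nasipaddress     TEXT NOT NULL,
    acctstarttime    TEXT,
    acctstoptime     TEXT,
    acctsessiontime  INTEGER
)
"""
UNIQUE_INDEX = ("CREATE UNIQUE INDEX radacct_session "
                "ON radacct (sessionid, username, nasipaddress)")

STOP_COLUMNS = "(sessionid, username, nasipaddress, acctstoptime, acctsessiontime)"
INSERT_STOP = f"INSERT INTO radacct {STOP_COLUMNS} VALUES (?, ?, ?, ?, ?)"
REPLACE_STOP = f"REPLACE INTO radacct {STOP_COLUMNS} VALUES (?, ?, ?, ?, ?)"

# Constructed STOP record; a retransmitting NAS delivers it twice.
STOP = ("0000A1B2", "alice", "192.0.2.10", "2004-07-28 10:15:00", 900)


def new_db(with_index):
    """Create an in-memory database, optionally with the unique index."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    if with_index:
        db.execute(UNIQUE_INDEX)
    return db


def rows_after_duplicate_stop(statement, with_index):
    """Apply the same STOP record twice and return the resulting row count."""
    db = new_db(with_index)
    for _ in range(2):
        db.execute(statement, STOP)
    return db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]


def insert_rejected_by_index():
    """With the unique index in place, a plain INSERT of the duplicate fails."""
    db = new_db(with_index=True)
    db.execute(INSERT_STOP, STOP)
    try:
        db.execute(INSERT_STOP, STOP)
    except sqlite3.IntegrityError:
        return True
    return False


def start_time_after_replace():
    """Return acctstarttime after a STOP REPLACE overwrites a row that had one."""
    db = new_db(with_index=True)
    db.execute(
        "INSERT INTO radacct (sessionid, username, nasipaddress, acctstarttime) "
        "VALUES (?, ?, ?, ?)",
        STOP[:3] + ("2004-07-28 10:00:00",),
    )
    # REPLACE removes the conflicting row, then inserts only the STOP columns.
    db.execute(REPLACE_STOP, STOP)
    return db.execute("SELECT acctstarttime FROM radacct").fetchone()[0]


if __name__ == "__main__":
    print("INSERT, no index   :", rows_after_duplicate_stop(INSERT_STOP, False), "rows")
    print("REPLACE, no index  :", rows_after_duplicate_stop(REPLACE_STOP, False), "rows")
    print("REPLACE, with index:", rows_after_duplicate_stop(REPLACE_STOP, True), "rows")
    print("INSERT rejected by index:", insert_rejected_by_index())
    print("start time after REPLACE:", start_time_after_replace())
```

REPLACE INTO only deduplicates when a unique key exists, and accounting reports that rely on a start time need the STOP statement to carry every column they read.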



dialup admin perl scripts clean_radacct and truncate_radacct

2004-07-28 Thread Ken A
In dialup admin's perl goodies, 'clean_radacct' and 'truncate_radacct' 
subtract a $days_back value of 35 or 90 from the current day of the 
month (say 28). This results in negative values for the day of the 
month, so the date passed to mysql is not formatted correctly.

$back_days = 90;
...
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
# day of month minus $back_days goes negative here
$date = POSIX::strftime("%Y-%m-%d %T",$sec,$min,$hour,($mday - $back_days),$mon,$year,$wday,$yday,$isdst);
print "$date\n";
...

To fix, use unix time or Date::Calc
use POSIX;
$back_days = 90;
# subtract whole days in epoch seconds, then let localtime() produce valid fields
$secs = (time()-($back_days*86400));

$date = POSIX::strftime("%Y-%m-%d %T",localtime($secs));
print "Removing sessions with Stop Time  $date\n";

Ken A


Re: dialup admin perl scripts clean_radacct and truncate_radacct

2004-07-28 Thread Ken A

Kostas Kalevras wrote:
On Wed, 28 Jul 2004, Ken A wrote:

In dialup admin's perl goodies, 'clean_radacct' and 'truncate_radacct'
subtract a $days_back value of 35 or 90 from the current day of the
month (say 28). This results in negative values for the day of the
month, so the date passed to mysql is not formatted correctly.
$back_days = 90;
...
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
$date = POSIX::strftime("%Y-%m-%d %T",$sec,$min,$hour,($mday - $back_days),$mon,$year,$wday,$yday,$isdst);
print "$date\n";
...

Hmm, let's see:
$back_days = 90;
1:33am  /src/cvs/radiusd/dialup_admin/bin # date +%Y-%m-%d
2004-07-29
1:33am  /src/cvs/radiusd/dialup_admin/bin # ./clean_radacct
2004-04-30 01:33:08
So it works correctly, that's what strftime is supposed to do anyway and it
seems to be handling it just fine.
Oh!
A workaround then, for a posix issue on this old bsd system that doesn't 
like negative values passed to strftime().
Thanks,
Ken A


To fix, use unix time or Date::Calc
$back_days = 90;
$secs = (time()-($back_days*86400));

$date = POSIX::strftime("%Y-%m-%d %T",localtime($secs));
print "Removing sessions with Stop Time  $date\n";

Ken A

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


mysql accounting

2004-07-27 Thread Ken A
Those of you that use mysql with freeradius, can anyone recommend some 
software for linux to process mysql radacct table logs?
Do you just roll your own scripts to query the logs and make reports?
Seems simple enough, but what are others doing? is always a good 
question :-)

Thanks,
Ken A



Re: mysql accounting

2004-07-27 Thread Ken A
duh! I didn't know it was there. Thanks.
Ken A
Milver S. Nisay wrote:

Those of you that use mysql with freeradius, can anyone recommend some 
software for linux to process mysql radacct table logs?
Do you just roll your own scripts to query the logs and make reports?
Seems simple enough, but what are others doing? is always a good 
question :-)
if dialup_admin is too technical for you, you can decide to create your own
customized PHP/Perl scripts to do whatever output you like.
//milver


Re: Removing attributes using an external program

2004-06-21 Thread Ken Wolstencroft
Thanks Alan I'll give it a try.

Ken

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 21, 2004 5:08 PM
Subject: Re: Removing attributes using an external program


 Ken Wolstencroft [EMAIL PROTECTED] wrote:
  I can add and rewrite attributes from an external program, but I can not
  figure out a way of removing them.

   It's not generally recommended, but try the -= operator.  See the
 man page for the users file.

   Alan DeKok.







Removing attributes using an external program

2004-06-19 Thread Ken Wolstencroft
Hi,

Is it possible to remove request and reply attributes using an external
program ? Basically I want to filter both request and reply attributes
stored in an SQL database.

I can add and rewrite attributes from an external program, but I can not
figure out a way of removing them.

Any ideas will be much appreciated.

Thanks,
Ken






Re: Freeradius-Users digest, Vol 1 #3358 - 8 msgs

2004-06-15 Thread Ken Connell
PATH = /usr/local/bin:/usr/bin:/usr/sbin:/usr/ucb:
Radiusd is in /usr/local/sbin
libradius-0.9.3.so is in /usr/local/lib/

What is crle ? (I'm a bit of a Linux/Unix newbie).


Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: [EMAIL PROTECTED]
Date: Tuesday, June 15, 2004 0:26 am
Subject: Freeradius-Users digest, Vol 1 #3358 - 8 msgs

 
 Today's Topics:
 
   1. Re: Setting up a proxy radius server (Alan DeKok)
   2. test post to list, please ignore (Matthew Schumacher)
   3. Re: Won't run on Solais 8 (Cameron Gregg)
   4. Re: ldap sha1 mschap peap pap (Damjan)
   5. Authenticating to different LDAP servers (Michael Check)
   6. unknown client (Timothy Tan)
   7. Re: rlm_sqlcounter  Max-Daily-Session?? (nsinit)
   8. radius log (apellido jr., wilfredo p.)
 
 --__--__--
 
 Message: 1
 From: Alan DeKok [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Setting up a proxy radius server 
 Date: Mon, 14 Jun 2004 15:44:56 -0400
 Reply-To: [EMAIL PROTECTED]
 
 Stephen Petersen [EMAIL PROTECTED] wrote:
  By the docs its setup to do proxy.
  In plain language what conf files need to be edited.
 
  clients.conf  proxy.conf
 
  I've edit client.conf and proxy.conf and can't get any proxying 
 happening.
  Try running it debug mode, as suggested in the FAQ, README, and 
 INSTALL.
  Alan DeKok.
 
 
 --__--__--
 
 Message: 2
 To: list [EMAIL PROTECTED]
 From: Matthew Schumacher [EMAIL PROTECTED]
 Subject: test post to list, please ignore
 Date: Mon, 14 Jun 2004 23:59:34 +0200
 Reply-To: [EMAIL PROTECTED]
 
 this is a test
 
 
 
 --__--__--
 
 Message: 3
 Date: Tue, 15 Jun 2004 09:36:05 +1000
 From: Cameron Gregg [EMAIL PROTECTED]
 To:  [EMAIL PROTECTED]
 Subject: Re: Won't run on Solais 8
 Reply-To: [EMAIL PROTECTED]
 
 Ken Connell wrote:
  FreeRadius 0.9.3
  It's been great on Redhat, but on a Solaris 8 box I get the following:
  fatal: libradius-0.9.3.so: open failed: No such file or directory
 
 What directory is your libradius-0.9.3.so in? Also where is radiusd?
 
 Could be a library path issue... what is the output of crle?
 
 Cam
 
 
 --__--__--
 
 Message: 4
 Date: Tue, 15 Jun 2004 01:34:10 +0200
 From: Damjan [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: ldap sha1 mschap peap pap
 Reply-To: [EMAIL PROTECTED]
 
TTLS uses different tunneled authentication methods.  Check those to
  see what's possible.
 
 TTLS + PAP should work doesn't it.
 
 
 -- 
 damjan | дамјан
 This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!
 
 --__--__--
 
 Message: 5
 Date: Mon, 14 Jun 2004 20:14:28 -0500
 Subject: Authenticating to different LDAP servers
 From: Michael Check [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 
 Hello all,
 
 We are using freeRADIUS version 0.9.3 on a MacOSX box running 10.2.6
 
 We have a Patton dial-in access server that is using freeRADIUS to AAA off
 Active Directory running on a W2K box (192.168.2.5) with domain marshall.com
 We have now set up a W2003 server (10.0.1.5) running active directory for a
 domain msi.com
 
 The domains are on separate LANs but completely routable between.
 
 The Patton is on the marshall.com side of the network and uses LDAP through
 freeRADIUS and works great.
 
 Our desire is to configure freeRADIUS to authenticate specific users off the
 msi.com domain also using LDAP.
 
 I configured radiusd.conf to authorize off the new server and it does, but
 when authentication comes around, it tries to authenticate off the first
 LDAP server it finds which is 192.168.2.5
 
 I have tracked the issue to the fact that the radiusd.conf file specifically
 states that authentication does not cascade (fall through?) but
 authorization does.
 
 Here are the conf file areas:
 
 modules {
 
# snip
 
ldap ldap1 {
server = 192.168.2.5
identity = cn=ldapuser,cn=users,dc=marshall,dc=com
password = foo
basedn = cn=users,dc=marshall,dc=com
filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
access_attr=msNPAllowDialin
password_attribute=userPassword
 
# snip
 
}
 
ldap ldap2 {
server = 10.0.1.5
identity = cn=radiusserver,cn=users,dc=msi,dc=com
password = foo
basedn = ou=merchandisers,dc=msi,dc=com
filter = (sAMAccountName

Re: Freeradius-Users digest, Vol 1 #3362 - 15 msgs

2004-06-15 Thread Ken Connell

I ran crle as you mentioned, and /usr/local/lib is there in the path...
Not sure if I'm going to spend too much more time on this one.
Thinking of using a RedHat box and be done with it.
Thanks for the help.

Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: [EMAIL PROTECTED]
Date: Tuesday, June 15, 2004 10:39 am
Subject: Freeradius-Users digest, Vol 1 #3362 - 15 msgs

 
 Today's Topics:
 
   1. Re: Freeradius-Users digest, Vol 1 (Re: Won't run on Solais 
 8) (Cameron Gregg)
   2. Problem compiling: cannot find the library 
 `../rlm_eap_tls/rlm_eap_tls.la' (Michael Schwartzkopff)
   3. Re: copying accounting (Alexander Serkin)
   4. Re: copying accounting (Robert Haskins)
   5. Re: copying accounting (Alan DeKok)
   6. Re: radius log (Alan DeKok)
   7. Re: Accounting question for EAP-TTLS for Pre 2 (Alan DeKok)
   8. Re: copying accounting (Alexander Serkin)
   9. Re: copying accounting (Alan DeKok)
  10. Re: Accounting question for EAP-TTLS for Pre 2 (Gary McKinney)
  11. Re: configuring freeradius on freebsd 4.10 (Paul Hampson)
  12. Re: rlm_expr question (Alan DeKok)
  13. Freeradius and OpenLdap (Jawhar TAZI)
  14. Re: Freeradius and OpenLdap (Michael Schwartzkopff)
  15. Re: Modify packet proxied to a specific realm (Alan DeKok)
 
 --__--__--
 
 Message: 1
 Date: Wed, 16 Jun 2004 00:35:47 +1000
 From: Cameron Gregg [EMAIL PROTECTED]
 To:  [EMAIL PROTECTED]
 Subject: Re: Freeradius-Users digest, Vol 1 (Re: Won't run on 
 Solais 8)
 Reply-To: [EMAIL PROTECTED]
 
 Ken Connell wrote:
  PATH = /usr/local/bin:/usr/bin:/usr/sbin:/usr/ucb:
  Radiusd is in /usr/local/sbin
  libradius-0.9.3.so is in /usr/local/lib/
  
  What is crle ? (I'm a bit of a Linux/Unix newbie).
  
  
  Ken Connell
 
 crle (on solaris), it sets/shows the library paths. A bit like ldconfig
 on linux i think.
 
 run crle and see what the output is. Mine looks like this:
 
 $ crle
 
 Configuration file [3]: /var/ld/ld.config
   Default Library Path (ELF):   /usr/lib:/usr/local/lib:/usr/local/ssl/lib
   Trusted Directories (ELF):    /usr/lib/secure  (system default)
 
 Command line:
   crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib:/usr/local/ssl/lib
 $
 
 You need to make sure /usr/local/lib is in your default library path.
 
 If it isn't, you will need to do something like:
 
 $ crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib
 
 I'm a bit sketchy on all this myself, I'm just passing on what has
 worked for me.
 
 Of course you should be able to do a 'man crle' to get all the
 nitty-gritty info.
 
 If /usr/local/lib is already there (in your default path) then I'm not
 sure why your library can't be found... maybe something to do with the
 way freeradius was compiled. I find solaris very frustrating at times,
 especially using GNU tools mixed with sun tools.
 
 Hope this helps.
 
 Cam
 
 PS you can also use ldd program name to see what libraries it needs
 and if it can find them.
 
 
 
  Intermediate Network Engineer
  Computer  Communication Services
  Ryerson University
  350 Victoria St
  RM AB50
 
 -- __--__-- 
 
 Message: 3
 Date: Tue, 15 Jun 2004 09:36:05 +1000
 From: Cameron Gregg [EMAIL PROTECTED]
 To:  [EMAIL PROTECTED]
 Subject: Re: Won't run on Solais 8
 Reply-To: [EMAIL PROTECTED]
 
 Ken Connell wrote:
 
 FreeRadius 0.9.3
 It's been great on Redhat, but on a Solaris 8 box I get the following:
 fatal: libradius-0.9.3.so: open failed: No such file or directory
 
 What directory is your libradius-0.9.3.so in? Also where is radiusd?
 
 Could be a library path issue... what is the output of crle?
 
 Cam
 
 
 
 
 --__--__--
 
 Message: 2
 From: Michael Schwartzkopff [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Problem compiling: cannot find the library `../rlm_eap_tls/rlm_eap_tls.la'
 Date: Tue, 15 Jun 2004 15:11:32 +0200
 Reply-To: [EMAIL PROTECTED]
 
 =2DBEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hi,
 
 I am trying to compile the latest snapshot: 20040615, but make results in an
 error:
 
 /root/freeradius-snapshot-20040615/libtool --mode=3Dlink gcc -
 release 1.1.0=
 =2Dpre0=20
 \
 =2D -module -export-dynamic  -g -O2 -D_REENTRANT -
 D_POSIX_PTHREAD_SEMANTICS==20
 =2D -DOPENSSL_NO_KRB5  -I../../../../include  -I../..-
 I../rlm_eap_tls=20=2D -DOPENSSL_NO_KRB5 -I./../../libeap  \
 =2D -o rlm_eap_peap.la -rpath /usr/local/lib rlm_eap_peap.lo=20

Re: Freeradius-Users digest, Vol 1 #3362 - 15 msgs

2004-06-15 Thread Ken Connell
With a bit more digging (thanks to Cam), I found that I had to add /usr/local/lib to 
the trusted path using crle.
crle -u -s:/usr/local/lib
It's up and running now.

Thanks for the help.

Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709


Re: I need exact instructions please

2004-04-23 Thread Ken Wolstencroft
Hi Linda,

A good way of getting started with FreeRadius is to get a copy of the O'Reilly
RADIUS book.

It's a good starting point.

All the best,
Ken

- Original Message - 
From: Mike Ockenga [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 23, 2004 3:36 PM
Subject: RE: I need exact instructions please



 -Original Message-
 From: Linda Pagillo [mailto:[EMAIL PROTECTED]
 Sent: Friday, April 23, 2004 9:04 AM
 To: [EMAIL PROTECTED]
 Subject: I need exact instructions please


 Hello everyone:

 Would someone be so kind as to send me exact directions on
 how to configure and use freeradius version 0.9.3?

FreeRADIUS does a lot of things.  When you post questions, you'll have to
specify what you want to do, or no one can help you.

 where to start or what to do. I searched all over the
 freeradius website and i did not see any instructions
 regarding how to configure or use it. Any and all help would
 be very much appreciated.  Thank you in advance.


The server and the site have plenty of documentation.  Read  that and then
post specific questions, please.


-- 
__
Mike Ockenga, CCNP  [EMAIL PROTECTED]






Monitor script.

2004-03-22 Thread Ken Gage
Hi,
Does anybody out there have a quick radius monitor script they'd be willing
to share?

I have radius/AAA servers behind a CSS.  I would like to monitor AAA
services and conditionally-act on a failure.

I am using radclient to successfully test the service.

Thanks a bunch,
Ken.



==
Ken Gage,  Qualcomm Inc.   858.651.2737
Happiness is that state of consciousness which proceeds from the
achievement of one's values  Ayn Rand




Re: authentication question

2004-01-27 Thread Ken Grady
I would use LDAP to authorize and Kerberos to authenticate and slave
Kerberos servers for failover. I would also use PAM with Kerberos
modules. FWIW I would use LDAP authentication if something doesn't do
Kerberos.

On Tue, 2004-01-27 at 09:55, Craven, James wrote:
 I am trying to set up FreeRADIUS to authenticate to a Kerberos server 
 first and then failover to an LDAP server if Kerberos is unavailable. 
 Can this be done and how? or would PAM be a better option?
 
 Jim
 
 




Re: Can't authenticate EAP-TLS with Intel Adapter

2004-01-03 Thread Ken Wolstencroft
Intel adapters can be a little tricky.

Try switching off the power management settings for the adapters. This can
usually be found in the device driver properties for the card.

Also use the latest Intel driver for the adapter.

Good luck, I hope this helps,
Ken

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, January 03, 2004 7:01 PM
Subject: Can't authenticate EAP-TLS with Intel Adapter




 Hello,

 I have a Freeradius 0.9.3 installation running on a Redhat 9 machine.  It works
 GREAT for my home laptop.  Thanks so much for this excellent software.  I'm
 running a DLink 900+ AP and my home laptop has a matching DLink 650+ PCMCIA
 wireless card.  I'm using EAP-TLS on Windows XP and it is working great for that
 machine.

 I recently got a new Dell Latitude D600 laptop for work and I cannot seem to get
 this silly machine to correctly connect to the wireless network using EAP-TLS.
 I first tried the same certificate I created (using OpenSSL) and have been using
 on my personal laptop.  It gets to Attempting Authentication and just stays
 there.  I also tried creating a new certificate for this machine, but got the
 same results.  I don't see anything obvious in the log file for FreeRadius, but
 I'm attaching the relevant information in hopes that someone can offer an idea
 of what might be wrong.

 The new machine has a built-in Intel(R) PRO/Wireless LAN 2100 3A Mini PCI
 Adapter.  It is running Windows XP + SP1 and patches.  I guess I'm unsure why a
 different wireless card would have trouble, as it seems to talk to the AP
 just fine.

 Thanks for any help you can give.
 Craig

 Ready to process requests
 rad_recv: Access-Request packet from host 192.168.0.50:1248, id=106,
length=135
 User-Name = csetera
 NAS-IP-Address = 192.168.0.50
 NAS-Port = 0
 Called-Station-Id = 00-40-05-CA-6D-42
 Calling-Station-Id = 00-04-23-53-0D-63
 NAS-Identifier = DWL-900AP+
 Framed-MTU = 1380
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x0201000c0163736574657261
 Message-Authenticator = 0xe5b9e009b38dac2fb879dd1a06885026
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   rlm_eap: EAP packet type notification id 1 length 12
   rlm_eap: EAP Start not found
   modcall[authorize]: module eap returns updated for request 0
 users: Matched csetera at 91
   modcall[authorize]: module files returns ok for request 0
 modcall: group authorize returns updated for request 0
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 modcall: entering group authenticate for request 0
   rlm_eap: EAP packet type notification id 1 length 12
   rlm_eap: EAP Start not found
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module eap returns ok for request 0
 modcall: group authenticate returns ok for request 0
 Sending Access-Challenge of id 106 to 192.168.0.50:1248
 EAP-Message = 0x010200060d20
 Message-Authenticator = 0x
 State =
0x0f1812cd9e34e3291e6614767b2ef0cf2608f73fa740ded30adc1d88ff5b012f9f5b4915
 Finished request 0
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 6 seconds...
 rad_recv: Access-Request packet from host 192.168.0.50:1248, id=107,
length=135
 User-Name = csetera
 NAS-IP-Address = 192.168.0.50
 NAS-Port = 0
 Called-Station-Id = 00-40-05-CA-6D-42
 Calling-Station-Id = 00-04-23-53-0D-63
 NAS-Identifier = DWL-900AP+
 Framed-MTU = 1380
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x0203000c0163736574657261
 Message-Authenticator = 0xb189b0090592766341676a4d888e29ea
 modcall: entering group authorize for request 1
   modcall[authorize]: module preprocess returns ok for request 1
   rlm_eap: EAP packet type notification id 3 length 12
   rlm_eap: EAP Start not found
   modcall[authorize]: module eap returns updated for request 1
 users: Matched csetera at 91
   modcall[authorize]: module files returns ok for request 1
 modcall: group authorize returns updated for request 1
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 modcall: entering group authenticate for request 1
   rlm_eap: EAP packet type notification id 3 length 12
   rlm_eap: EAP Start not found
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module eap returns ok for request 1
 modcall: group authenticate returns ok for request 1
 Sending Access-Challenge of id 107 to 192.168.0.50:1248
 EAP-Message = 0x010400060d20
 Message-Authenticator = 0x
 State =
0xc813bc0205103cd2019947a069e31de32908f73fac424fb83bd323f40336a2002c26867d
 Finished request 1
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 3 seconds...
 --- Walking the entire request list ---
 Cleaning up request 0 ID 106 with timestamp 3ff70826
 Waking up in 3