Re: dialup_admin php notice errors
Todd,

I did a setup with FR 2.1.9, Apache 2.2.15, MySQL 5.1 on OpenSUSE (11.2 or 11.3) recently. Can't recall the specific PHP 5 version offhand. It did take a bit of tweaking, but in the end it all worked (or at least the parts that I was interested in which had more to do with administering user accounts than Radius servers).

My notes aren't very good or detailed, so I'd need to take a look at the installation to try and document the list of configuration changes that I made. If you're still trying to get this to work then I can try and get access to that server this weekend.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/dialup-admin-php-notice-errors-tp3327906p3341747.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Attribute not passing to NAS?
Yep, that's the file I meant. You're welcome.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3296126.html
Re: Attribute not passing to NAS?
Rob,

I'm doing PEAP here, and I'm assuming that your clients are also? Maybe post the output from a client connection attempt from radiusd -X.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3296090.html
Re: Attribute not passing to NAS?
Rob,

In your eap.conf set "use_tunneled_reply = yes". Assuming that it's currently set to "no". Working here now after that change.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3295956.html
Re: Attribute not passing to NAS?
Hi Rob,

Nope, no EAP with a Captive Portal. But I just configured a VNS with EAP, so I see what you're talking about. But I think that the problem is that the Filter-ID isn't being sent in the Access-Accept, and I'm pretty sure that that's where it should be.

I didn't play with my radius configuration yet, but I suspect that you (we?) need to modify your config so that the Filter-ID attribute is sent with the Access-Accept. All of the packets that you see between the first Access-Request and the Access-Accept have to do with setting up the tunnels, certificate validation, etc.

So yep, I see what you're seeing, but I think it's simply a small config change on the Freeradius side to get it working correctly. I just don't know off-hand what needs to be changed, hopefully get a chance to poke around tomorrow.

Rob Yamry wrote:
>
> Hey Mikkal-
> I'm not sure if my last few emails went through the list... I got a msg
> stating they were pending approval since they were too long. I kept digging
> into this and I came across the eapol_test utility:
> http://deployingradius.com/scripts/eapol_test/ I tried running that to take
> the client and NAS out of the process. As far as I can tell, it all looks
> like fine. Even with a default install of 2.1.10 (and another test using
> new certs with the required OIDs for XP clients:
> http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5),
> I still get those 9 requests. Are you using EAP?
>
> Is anybody else following this that can test/verify that they get the same
> responses as I do.
>
> Thanks-
> Rob
>

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3295358.html
Re: Attribute not passing to NAS?
Also, check your radius server configuration on the controller. Check the timeout and retry settings (might even try changing the retry value to 1). I'm set to retries = 3, timeout = 5 for this server.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289974.html
Re: Attribute not passing to NAS?
"Yes, I have done a packet trace. The Filter-Id attribute is sent on the 2nd packet of the authentication attempt, during the first access-challenge. After that, Filter-Id isn't mentioned again until after the Access-Accept packet on the Accounting-Request. However, on the Accounting-Request packet it's shown as Students, not Faculty. The whole authentication process is 20 packets, excluding the accounting packets. The only thing I noticed that may be out of the ordinary is that there are 10 access-request packets, with 9 of them being duplicates to the first request. The Filter-Id attribute is only sent on the first challenge response. I'm not sure if this is normal or not as I don't have anything to compare to. Do you see something similar with your configuration?"

Nope, one Access-Request, one Access-Accept. I just turned off accounting to keep it as clean and simple as possible, so just a request and an accept.

Sounds like this may be the heart of the issue, it sounds as though you would be fine if you just had 1 Request/Accept since that first Accept contains the Filter-Id. It seems as though that is being lost/overwritten when the second, etc. Accept is received.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289961.html
Re: Attribute not passing to NAS?
Rob,

You shouldn't need to check the "restrict policy" option. My setup is actually using a Captive Portal for the users to enter credentials. So I start them off with a non-auth policy that uses a "Routed" topology and then once authenticated uses a "Bridge at AP" topology. So the controller is serving up the CP page, and then I'm using freeradius with a MySQL backend.

Did you capture a trace from the controller interface just to ensure that the attribute/value pair is appearing at the controller interface correctly? Wireless Controller->Utilities->Wireless Controller TCP Dump Management.

So my VNS setup looks like:

VNS Name: SMFC
WLAN Service: SMFC
Non-Auth policy: SMFC NonAuth
Auth Policy: SMFC Auth (support is correct, this will be overwritten if the radius-accept contains a Filter-Id value that matches a configured policy)
Restrict policy set unchecked
Enable checked

Under VNS Configuration->Policies I have a policy: named Policy Name: NewmanN. I throw a row in my MySQL radreply table to use a Filter-Id value of NewmanN for a particular user (test.user11 in this case) and I'm off and running. If I set the Filter-Id value in my MySQL row to Newmann, or newmanN, etc. then I get the default policy applied to test.user11. The same behavior that you're seeing.

"ktest Cleartext-Password := "password"
    Filter-Id = "Faculty"

When I authenticate with this user I get:

Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST] from VNS [TEST] with username [ktest] has been successfully authenticated. Policy [Students] is applied.

I get the same msg for an ldap user that has the Filter-Id set to Faculty as well.

For comparison, on the controller my vns settings include:

VNS Name: TEST
WLAN Service: TESTWLAN
Non-Auth policy: NonAuth
Auth Policy: Students (support told me this doesn't matter what it's set to...the Filter-Id will override this)
Restrict policy set unchecked
Enable checked

I have another policy named Faculty that is assigned the AuthFaculty topology (which sets the tagged vlan). How does this compare to your setup? Do I need the restrict policy set option checked and config'd?"

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289846.html
Re: Attribute not passing to NAS?
Rob,

You need to ensure that the value of Filter-Id maps exactly to the value of the policy that you're trying to apply. So you need to have a policy defined on the controller named "Faculty", not "faculty" or "facultY", but "Faculty".

For instance, if I have a policy named "NewmanN" and I pass a Filter-Id="NewmanN" then I get:

Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC] from VNS [SMFC] with username [test.user11] with mu session timer [52549] has been successfully authenticated. Policy [NewmanN] is applied.

The desired policy is applied. If I pass a Filter-Id="Newmann" then I get:

Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC] from VNS [SMFC] with username [test.user11] with mu session timer [52201] has been successfully authenticated. Policy [SMFC Auth] is applied.

The default policy for that VNS is applied because there was no policy matching "Newmann".

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289720.html
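A check for the silent fall-back to the default policy described in this thread, as an added example that is not part of the original messages: it parses the controller's "successfully authenticated" lines and compares the applied policy with the Filter-Id each user is supposed to receive. The `EXPECTED` and `POLICIES` tables, the function name and the third log line (user `test.user12`) are assumptions made for the illustration.

```python
import re

# Matches the controller log message quoted in the thread.
LINE_RE = re.compile(
    r"with username \[(?P<user>[^\]]+)\].*?successfully authenticated\. "
    r"Policy \[(?P<policy>[^\]]+)\] is applied"
)

# Lines 1-2 are copied from the thread; line 3 is constructed (hypothetical user).
LOG = """\
Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC] from VNS [SMFC] with username [test.user11] with mu session timer [52201] has been successfully authenticated. Policy [SMFC Auth] is applied.
Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST] from VNS [TEST] with username [ktest] has been successfully authenticated. Policy [Students] is applied.
Client session MAC [00:00:5E:00:53:01] on AP [IRV-AP3620] with SSID [SMFC] from VNS [SMFC] with username [test.user12] with mu session timer [100] has been successfully authenticated. Policy [NewmanN] is applied.
"""

# Assumption: Filter-Id each user should get (from the users file / radreply table).
EXPECTED = {"test.user11": "Newmann", "ktest": "Faculty", "test.user12": "NewmanN"}
# Assumption: policy names defined on the controllers (both setups merged for brevity).
POLICIES = {"NewmanN", "SMFC Auth", "SMFC NonAuth", "Faculty", "Students", "NonAuth"}


def audit(log_text, expected, policies):
    """Return (user, wanted, applied, reason) for sessions that got the wrong policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, applied = m["user"], m["policy"]
        wanted = expected.get(user)
        if wanted is None or applied == wanted:
            continue
        if wanted in policies:
            # Exact policy exists, so the attribute probably never reached the
            # controller in the Access-Accept (the use_tunneled_reply case).
            reason = "attribute-not-applied"
        elif any(p.lower() == wanted.lower() for p in policies):
            reason = "case-mismatch"  # e.g. "Newmann" vs "NewmanN"
        else:
            reason = "no-such-policy"
        findings.append((user, wanted, applied, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(LOG, EXPECTED, POLICIES):
        print(finding)
```
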
Re: Dialup Admin and HTTP Authentication
OK, so to get this working I modified the Dialup Admin functions.php3 file to use $_SERVER instead of $HTTP_SERVER_VARS and to use "REMOTE_USER" instead of "PHP_AUTH_USER". PHP_AUTH_USER wasn't being populated, but REMOTE_USER was so I just used that. Not sure if that's good, bad or indifferent, but it does work.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Dialup-Admin-and-HTTP-Authentication-tp3285681p3286362.html
Dialup Admin and HTTP Authentication
Hi,

I'm trying to set up Dialup Admin to use HTTP authentication credentials to connect to a mysql database. The HTTP authentication works, but the PHP_AUTH_USER and PHP_AUTH_PW don't seem to be getting set, when trying to connect to the DB I get "DEBUG(SQL,MYSQL DRIVER): Connect: User=,Password= Could not connect to SQL database" (with SQL Debug enabled for Dialup Admin and after setting "sql_use_http_credentials = yes" in my admin.conf).

This is with Apache2 2.2 and mod_php5 5.33. The mysql/functions.php3 file is using the $HTTP_SERVER_VARS array, is that going to work with php5? Or is there something else that I need to configure?

Thanks in advance!

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Dialup-Admin-and-HTTP-Authentication-tp3285681p3285681.html
Automatically Generating "Expiration" - Freeradius 2.1.9 / mysql 5.1 / dialup admin
What I'm trying to do is enable a non-technical person to create temporary, "guest like" accounts using the dialup admin interface. The accounts will be created as needed, they need to expire within a predetermined time frame(s) and I'm trying to avoid asking the person creating the accounts to be entering "Expiration".

So how would I approach having the "Expiration" field auto populated based on the account creation date/time and a predetermined account lifetime? For instance, creation date/time + 12-hours, or date + 1-day.

Thanks in advance for any guidance.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Automatically-Generating-Expiration-Freeradius-2-1-9-mysql-5-1-dialup-admin-tp3277961p3277961.html
Re: Does Dlink DWL-900+ work directly with FreeRadius?
Quoting Guy Fraser <[EMAIL PROTECTED]>:
> Go look at the specs at :
>
> http://www.dlink.com/products/?model=DWL-900AP%2b
>
> There is no indication that that AP supports authentication.
>

Since Late 2002, the firmware for the DWL-900AP+ does support 802.1x auth, good luck getting it to work correctly, though. If you look on D-Link's support webpage, you will see a firmware emulator on the DWL-900AP+ page. In this emulator it does show that the AP will do 802.1x.

Hope this helps.

Michael Brown <--> mikro network solutions *http://mikro-net.com/