Re: Windows Pre-Login Auth
On Windows 7 you can configure pre-login authentication (wireless connection properties - Advanced settings) both for computer and user. On XP (with the native Windows client), I don't think that it is possible to do that.

On Fri, 9 Sep 2011 09:00:32 -0500, Scott Hughes wrote:
> Hello all,
>
> I have been using FreeRadius for several years now and am stuck trying to make our Windows based wireless system authenticate PRIOR to user login. I have searched the FreeRadius and Deploying FreeRadius sites as well as Google, but no luck.
>
> Here is a brief overview of my FreeRadius setup:
>   1) Clients: Windows XP
>   2) Currently running FreeRadius version 2.0.5
>   3) Currently authenticating users via TLS/PEAP with computer name/username
>
> I'm not sure what else (if anything) you might need.
>
> I am also looking at changing the FreeRadius setup to authenticate against our Windows 2008r2 Active Directory servers. We have one main location and two remote sites. Currently we have only one FreeRadius server at the main site. If the VPN connection between the main site and either / both of the remote sites goes down, the remote sites can't authenticate. My thought was to have three FreeRadius servers that would authenticate to the local copy of the AD.
>
> Having said all of this, I do not want to get too many things going at one time. I much prefer to tackle one issue at a time.
>
> Thanks in advance for any insight you may have on either/both of these issues.
>
> Scott

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Hi,

You can add NT / LM pairs to each LDAP user object. You must include the samba.schema into the ldap server schemas.

Ex:
  sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
  sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE

You can create these passwords using the smbencrypt tool (deployed with samba). This way pptp MSCHAP auth will work.

Nelson Vale

On Monday 05 July 2010 16:59:08 Daniel Gomes wrote:
> Dear list,
>
> I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, re-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptpd server).
>
> First of all, on the pptpd server's side (which I know is not your jurisdiction, so I'll be fast here), I have the require-mschap-v2 and require-mppe options enabled.
>
> As for freeradius itself, a summarized sites-enabled/default reads:
>
>   authorize {
>     preprocess
>     pap
>     mschap
>     ldap
>     auth_log
>     eap {
>       ok = return
>     }
>     expiration
>     logintime
>   }
>
>   authenticate {
>     Auth-Type PAP {
>       pap
>     }
>     Auth-Type MS-CHAP {
>       mschap
>     }
>     Auth-Type LDAP {
>       ldap
>     }
>     eap
>   }
>
> My modules/ldap contains all the necessary information, and my modules/mschap has the options use_mppe, require_encryption and require_strong enabled, like most tutorials state.
>
> As for the results, radtest works fine (querying LDAP etc), but through pptpd it always fails with this error:
>
>   rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75, length=151
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     User-Name = dgomes
>     MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
>     MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
>     Calling-Station-Id = 193.136.136.200
>     NAS-IP-Address = 193.136.136.40
>     NAS-Port = 0
>   +- entering group authorize {...}
>   ++[preprocess] returns ok
>   [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
>   ++[pap] returns noop
>   [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
>   ++[mschap] returns ok
>   [ldap] performing user authorization for dgomes
>   WARNING: Deprecated conditional expansion :-. See man unlang for details
>   expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
>   expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
>   rlm_ldap: ldap_get_conn: Checking Id: 0
>   rlm_ldap: ldap_get_conn: Got Id: 0
>   rlm_ldap: attempting LDAP reconnection
>   rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
>   rlm_ldap: bind as cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to gold.ipfn.ist.utl.pt:389
>   rlm_ldap: waiting for bind result ...
>   rlm_ldap: Bind was successful
>   rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt, with filter (cn=dgomes)
>   [ldap] No default NMAS login sequence
>   [ldap] looking for check items in directory...
>   [ldap] looking for reply items in directory...
>   WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
>   [ldap] user dgomes authorized to use remote access
>   rlm_ldap: ldap_release_conn: Release Id: 0
>   ++[ldap] returns ok
>   expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
>   [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
>   expand: %t -> Thu Jul 8 14:08:34 2010
>   ++[auth_log] returns ok
>   [eap] No EAP-Message, not doing EAP
>   ++[eap] returns noop
>   ++[expiration] returns noop
>   ++[logintime] returns noop
>   Found Auth-Type = MSCHAP
>   +- entering group MS-CHAP {...}
>   [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>   [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>   [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
>   [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
>   [mschap] FAILED: MS-CHAP2-Response is incorrect
>   ++[mschap] returns reject
>   Failed to authenticate the user.
>   Using Post-Auth-Type Reject
>   +- entering group REJECT {...}
>   expand: %{User-Name} -> dgomes
>   attr_filter: Matched entry DEFAULT at line 11
>   ++[attr_filter.access_reject] returns updated
>   Delaying reject of request 0 for 1 seconds
>   Going to the next request
>
> I know that the error should be enough for me to fix it (since it's quite explanatory), but after trying many different configurations and searching through dozens of old mailing list posts, I still haven't managed it... So yeah, if you could help me out,
Re: ldap auto header MS-CHAPv2
On Monday 15 March 2010 13:42:11 Alan Buxey wrote:
> Hi,
>
>> no i don't have AD. in other words, i cannot use the windows xp supplicant EAP-MSCHAPv2 to make the authentication protocol authenticate users in an openldap database using ssha1 password, that's right?
>
> correct: http://deployingradius.com/documents/protocols/oracles.html
>
> PEAPv0/MS-CHAPv2 requires MSCHAPv2 - that's challenge response. the client never supplies the real password - therefore you cannot compare to a password stored in LDAP.
>
> what you need to use is an EAP method that uses PAP eg EAP-TTLSv0/PAP

You can use EAP-PEAP as long as you also store samba NT/LM hashes in LDAP (sambaLMPassword and sambaNTPassword). If you have these hashes you may use the Windows XP built-in supplicant.

> try using a supplicant on the windows machine that gives you this eg
>
> http://open1x.sourceforge.net/
> http://www.securew2.com/
>
> ...or grab a Mac OSX machine to do further testing - they have TTLS/PAP support natively.
>
> alan
Re: Request for directions: WinXP + Samba + LDAP + 802.1x
Have you defined Auth-Type in the users file to mschapv2 (don't do it)? What is the configuration for this user in the users file?

On Tuesday 15 December 2009 13:00:07 you wrote:
>>> As you can see, it says that it has stripped the realm from the username but it passes it along with the username to ldap. How can I fix this?
>>
>> Never mind. ldap filter did the job. Sorry about that.
>
> Actually it's not working yet.
>
>   rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=178
>   Cleaning up request 15 ID 0 with timestamp +1232
>     NAS-IP-Address = 192.168.205.29
>     NAS-Port-Type = Ethernet
>     NAS-Port = 2
>     User-Name = DOMAIN\\sti
>     State = 0x9bb6fc759d93e55343410152d73b1dba
>     EAP-Message = 0x0225005b1900170301005046c5a952e0ad6d2ea7d132dd3c00c1a132df2329a23561c760d4a45fb4f02e3bd1a848f5d4d3106ae52d4f442971b4c6aa4d0c1578056479f03c76d350fc041b659e556368c4a63e30e09849d0aae29a
>     Message-Authenticator = 0xf9700c8c22d81ecdb12a8f6731151a38
>   +- entering group authorize {...}
>   ++[preprocess] returns ok
>   [ntdomain] Looking up realm DOMAIN for User-Name = DOMAIN\sti
>   [ntdomain] Found realm DOMAIN
>   [ntdomain] Adding Stripped-User-Name = sti
>   [ntdomain] Adding Realm = DOMAIN
>   [ntdomain] Authentication realm is LOCAL.
>   ++[ntdomain] returns ok
>   [eap] EAP packet type response id 37 length 91
>   [eap] Continuing tunnel setup.
>   ++[eap] returns ok
>   Found Auth-Type = EAP
>   +- entering group authenticate {...}
>   [eap] Request found, released from the list
>   [eap] EAP/peap
>   [eap] processing type peap
>   [peap] processing EAP-TLS
>   [peap] eaptls_verify returned 7
>   [peap] Done initial handshake
>   [peap] eaptls_process returned 7
>   [peap] EAPTLS_OK
>   [peap] Session established. Decoding tunneled attributes.
>   [peap] EAP type mschapv2
>   [peap] Got tunneled request
>     EAP-Message = 0x022500441a0225003f31a156d1579957b003643781fff8636e8703367b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737469
>   server {
>     PEAP: Setting User-Name to DOMAIN\sti
>   Sending tunneled request
>     EAP-Message = 0x022500441a0225003f31a156d1579957b003643781fff8636e8703367b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737469
>     FreeRADIUS-Proxied-To = 127.0.0.1
>     User-Name = DOMAIN\\sti
>     State = 0x7b5d7eb57b7864abf97396c9fbfa8cb4
>   server {
>   +- entering group authorize {...}
>   ++[preprocess] returns ok
>   [ntdomain] Looking up realm DOMAIN for User-Name = DOMAIN\sti
>   [ntdomain] Found realm DOMAIN
>   [ntdomain] Adding Stripped-User-Name = sti
>   [ntdomain] Adding Realm = DOMAIN
>   [ntdomain] Authentication realm is LOCAL.
>   ++[ntdomain] returns ok
>   [eap] EAP packet type response id 37 length 68
>   [eap] No EAP Start, assuming it's an on-going EAP conversation
>   ++[eap] returns updated
>   [files] users: Matched entry DEFAULT at line 204
>   ++[files] returns ok
>   [ldap] performing user authorization for sti
>   [ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
>   [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sti)
>   [ldap] expand: ou=Users,dc=domain,dc=br -> ou=Users,dc=domain,dc=br
>   rlm_ldap: ldap_get_conn: Checking Id: 0
>   rlm_ldap: ldap_get_conn: Got Id: 0
>   rlm_ldap: performing search in ou=Users,dc=domain,dc=br, with filter (uid=sti)
>   [ldap] checking if remote access for sti is allowed by radiusFilterId
>   [ldap] looking for check items in directory...
>   rlm_ldap: userPassword -> User-Password == {SMD5}/S4d+fNkBFL3TnpjceYuUiDPd+Q=
>   rlm_ldap: sambaNtPassword -> NT-Password == 0x444338414235383730324637343230453244304232353743453938394634
>   rlm_ldap: sambaLmPassword -> LM-Password == 0x3245414443463036424438463531344541414433423433354235313430344545
>   [ldap] looking for reply items in directory...
>   rlm_ldap: radiusFilterId -> Filter-Id = Enterasys:version=1:policy=Enterprise User
>   [ldap] user sti authorized to use remote access
>   rlm_ldap: ldap_release_conn: Release Id: 0
>   ++[ldap] returns ok
>   ++[expiration] returns noop
>   ++[logintime] returns noop
>   Found Auth-Type = EAP
>   !!! Replacing User-Password in config items with Cleartext-Password. !!!
>   !!! Please update your configuration so that the known good !!!
>   !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
>   +- entering group authenticate {...}
>   [eap] Request found, released from the list
>   [eap] EAP/mschapv2
>   [eap] processing type mschapv2
>   [mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
>   [eap] Freeing handler
>   ++[eap] returns reject
>   Failed to authenticate the user.
>   Login incorrect: [DOMAIN\\sti/<via Auth-Type = EAP>] (from client tplink port 0 via TLS tunnel)
>   } # server
>   [peap] Got tunneled reply
Re: Request for directions: WinXP + Samba + LDAP + 802.1x
On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
> Maybe I didn't make myself clear. I don't have AD and don't wanna. I did set clients to use 802.1x
>
> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it would depend on what you'd answer about my first question.

Set XP clients to use 802.1x PEAP and don't forget to add your nas client (switch) to the clients.conf file in radius.

You should provide some more info about your current configuration (freeradius version, files modified by you, etc) and at least some debug (radiusd -X) from a client authentication request for people to understand where you have got so far.

> I know I'm lacking knowledge. That's why I'm looking for your guidance.

Bear in mind that you must try to ask the right questions to be guided into the correct path ;)

> I thank you again.
>
> 2009/12/11 Alan DeKok al...@deployingradius.com:
>> Fabiano Caixeta Duarte wrote:
>>> The problem is: the user doesn't get authorized on the samba domain because the switch port is locked waiting for 802.1x auth.
>>
>> Then configure 802.1X.
>>
>>> What I got so far? I have a freeradius daemon using LDAP as user database. The LDAP entries are shared by samba and freeradius.
>>
>> http://deployingradius.com/documents/configuration/active_directory.html
>>
>> Alan DeKok.
Re: Request for directions: WinXP + Samba + LDAP + 802.1x
On Friday 11 December 2009 18:32:02 Fabiano Caixeta Duarte wrote:
> 2009/12/11 nf-vale nf-v...@critical-links.com:
>> On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
>>> Maybe I didn't make myself clear. I don't have AD and don't wanna. I did set clients to use 802.1x
>>>
>>> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it would depend on what you'd answer about my first question.
>>
>> Set XP clients to use 802.1x PEAP and don't forget to add your nas client (switch) to the clients.conf file in radius.
>>
>> You should provide some more info about your current configuration (freeradius version, files modified by you, etc) and at least some debug (radiusd -X) from a client authentication request for people to understand where you have got so far.
>
> Ok. Let's follow that path. The confs I touched:
>
> eap.conf:
>
>   eap {
>     default_eap_type = peap
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
>     max_sessions = 2048
>     md5 {
>     }
>     leap {
>     }
>     gtc {
>       auth_type = PAP
>     }
>     tls {
>       certdir = ${confdir}/certs
>       cadir = ${confdir}/certs
>       private_key_password = whatever
>       private_key_file = ${certdir}/server.pem
>       certificate_file = ${certdir}/server.pem
>       CA_file = ${cadir}/ca.pem
>       dh_file = ${certdir}/dh
>       random_file = ${certdir}/random
>       cipher_list = DEFAULT
>       make_cert_command = ${certdir}/bootstrap
>       cache {
>         enable = no
>         max_entries = 255
>       }
>     }
>     ttls {
>       default_eap_type = md5
>       copy_request_to_tunnel = no
>       use_tunneled_reply = no
>       virtual_server = inner-tunnel
>     }
>     peap {
>       default_eap_type = mschapv2
>       copy_request_to_tunnel = no
>       use_tunneled_reply = no
>       virtual_server = inner-tunnel
>     }
>     mschapv2 {
>     }
>   }
>
> modules/ldap:
>
>   ldap {
>     server = sti-teste.domain.br
>     identity = cn=system,dc=domain,dc=br
>     password = secret
>     basedn = ou=Users,dc=domain,dc=br
>     base_filter = (objectclass=radiusprofile)
>     ldap_connections_number = 5
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>     tls {
>       start_tls = no
>     }
>     access_attr = radiusFilterId
>     dictionary_mapping = ${confdir}/ldap.attrmap
>     authtype = ldap
>     edir_account_policy_check = no
>   }
>
> sites-enabled/inner-tunnel:
>
>   server inner-tunnel {
>     authorize {
>       chap
>       mschap
>       unix
>       suffix
>       update control {
>         Proxy-To-Realm := LOCAL
>       }
>       eap {
>         ok = return
>       }
>       files
>       ldap
>       expiration
>       logintime
>       pap
>     }
>     authenticate {
>       Auth-Type PAP {
>         pap
>       }
>       Auth-Type CHAP {
>         chap
>       }
>       Auth-Type MS-CHAP {
>         mschap
>       }
>       unix
>       Auth-Type LDAP {
>         ldap
>       }
>       eap
>     }
>     session {
>       radutmp
>     }
>     post-auth {
>       Post-Auth-Type REJECT {
>         attr_filter.access_reject
>       }
>     }
>     pre-proxy {
>     }
>     post-proxy {
>       eap
>     }
>
> clients.conf:
>
>   client angelina {
>     ipaddr = 192.168.205.6
>     secret = testing123
>   }
>   client tplink {
>     ipaddr = 192.168.205.29
>     secret = testing123
>   }
>
>   # radtest teste secret angelina 1812 testing123
>   Sending Access-Request of id 48 to 192.168.205.6 port 1812
>     User-Name = teste
>     User-Password = secret
>     NAS-IP-Address = 192.168.205.6
>     NAS-Port = 1812
>   rad_recv: Access-Accept packet from host 192.168.205.6 port 1812, id=48, length=64
>     Filter-Id = Enterasys:version=1:policy=Enterprise User

Ok, but what about a debug from a request made by an XP client using PEAP connected to your switch?
Re: WLAN - Freeradius - OpenLDAP - VLANs
On Monday 09 November 2009 12:25:13 José Johnny RANDRIAMAMPIONONA wrote:
> Freeradius works well with openldap but only with cleartext passwords (PAP).
>
> Best regards!

Don't give wrong answers if you're not sure of what you're talking about.

> 2009/11/9 _Stefan_H stefanh...@networld.at
>> First I know my english is not the best, but I hope you will understand it.
>>
>> In the course of a project I have to make an authentication against a freeradius server for the WLAN Users. On the Server (OpenSUSE 11.1) is a LDAP Directory and I want that the WLAN Users have to authenticate with their accounts. After the successful authentication they will be put into another VLAN, so that they can use their home directories.
>>
>> I would like to know how I should do it, because I informed myself about the Authentication Types (EAP-TLS, TTLS, PEAP) and now I am totally confused which I have to configure at the freeradius Server.

See http://deployingradius.com/documents/protocols/compatibility.html for compatibility issues.

You can authenticate users using PEAP against LDAP just as long as the user's entries in the LDAP DB have NT / LM password hashes. For instance, if using OpenLDAP, you need to include the samba.schema in the supported schemas list and then add sambaNTPassword and sambaLMPassword to each one of the user's entries in the DB.

Ex:

  dn: uid=xxx,ou=people,dc=local,dc=loc
  objectClass: inetOrgPerson
  objectClass: sambaSamAccount
  uidNumber: 1
  uid: xxx
  userPassword:: e01ENX1mMmhLRytkajNnSSs2aEtmL3ltSnV3PT0=
  sambaLMPassword: AB849716E6B337C43B639FCD27BDA434
  sambaNTPassword: 9574805413661ADC5E8FA7B943026723
  ...

You can hash the user's password using the smbencrypt utility.

>> I think that PEAP would be the easiest, but I really don't know which can be used with a dynamic VLAN.
>>
>> http://old.nabble.com/file/p26230857/1.jpeg
>>
>> The AP is a Linksys WRT-54-GS and the Switch is a CISCO-2950
Re:
Check your proxy / realms configuration. The reason why it fails is described in the logs:

  Sun Oct 18 19:20:54 2009 : Info: [pap] No clear-text password in the request. Not performing PAP.
  Sun Oct 18 19:20:54 2009 : Info: ++[pap] returns noop
  Sun Oct 18 19:20:54 2009 : Info: WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
  Sun Oct 18 19:20:54 2009 : Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local'
  Sun Oct 18 19:20:54 2009 : Info: WARNING: Use the PAP or CHAP modules instead.
  Sun Oct 18 19:20:54 2009 : Info: No User-Password or CHAP-Password attribute in the request.
  Sun Oct 18 19:20:54 2009 : Info: Cannot perform authentication.
  Sun Oct 18 19:20:54 2009 : Info: Failed to authenticate the user.
  Sun Oct 18 19:20:54 2009 : Auth: Login incorrect: [user] (from client wlan-alves-private-network port 0 via TLS tunnel)

Nelson Vale

On Monday 19 October 2009 01:54:39 INACIO ALVES wrote:
> I'm trying to configure freeRADIUS on my wireless network but I'm having problems. My scenario: Debian Lenny + MySQL 5.0 + freeRADIUS 2.1.7
>
>   clients - ((( AP ))) [freeRADIUS server]
>
> When I execute radtest I get
>
>   rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=168, length=20
>
> and when I execute radclient I get
>
>   Received response ID 146, code 2, length = 32
>
> But when I try to authenticate on my notebook I get
>
>   rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=168
>
> My debug output is at: http://pastebin.com/f7e47862f.
> My clients.conf is at: http://pastebin.com/f30e4955d
> And my users file is at: http://pastebin.com/f5d958f63
>
> This is my initial configuration. I want to migrate to MySQL or PostgreSQL when the server is ready, I don't need proxy, and I need to provide/revoke digital certificates to my clients.
>
> Inácio Alves
> http://www.polluxweb.com/inacioalves/site
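Three of the threads on this page (the pptpd/LDAP one, the PEAP/Samba/LDAP one and this Proxy-To-Realm one) are answered by reading one warning line out of the radiusd -X output. The following Python is an added example, not code from the list or from the FreeRADIUS project: it scans debug output for the exact messages quoted in those threads and maps each to the fix the replies gave. The sample logs are constructed from the quoted output; the rule codes and advice wording are this example's own.

```python
"""Triage helper for FreeRADIUS 2.x "radiusd -X" output (added example)."""
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    line_no: int
    code: str
    advice: str


# (substring of the radiusd message as quoted on the list, short code, fix given in the replies)
RULES = [
    ("No known good password was found in LDAP", "ldap-no-password",
     "rlm_ldap found no mapped password attribute for this user; check the entry "
     "and ldap.attrmap (Cleartext-Password / sambaNTPassword mappings)"),
    ("No NT/LM-Password", "mschap-no-hash",
     "MS-CHAP needs NT-Password (or Cleartext-Password to derive it); store "
     "sambaNTPassword/sambaLMPassword in LDAP as the replies suggest"),
    ("Replacing User-Password in config items with Cleartext-Password", "user-password-mapping",
     "the known-good password is mapped to User-Password; the server substitutes "
     "Cleartext-Password for you, fix the mapping to silence the warning"),
    ("Unknown value specified for Auth-Type", "forced-auth-type",
     "an Auth-Type forced in the users file (or a module's authtype) overrides the "
     "EAP inner method; remove it"),
    ("Proxy-To-Realm = LOCAL, but the realm does not exist", "bad-realm",
     "Proxy-To-Realm names a realm that is not defined; check the proxy/realms configuration"),
    ("remove 'Auth-Type = Local'", "auth-type-local",
     "'Auth-Type = Local' is obsolete; use the pap/chap modules instead"),
    ("MS-CHAP2-Response is incorrect", "mschap-bad-response",
     "symptom only: the response could not be verified (no hash available, or wrong hash/password)"),
]

# Codes that describe the final failure or a cosmetic warning, never the cause.
NOT_CAUSES = {"mschap-bad-response", "user-password-mapping"}


def triage(log_text: str) -> List[Finding]:
    """Every rule that matches, in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for needle, code, advice in RULES:
            if needle in line:
                findings.append(Finding(n, code, advice))
    return findings


def root_cause(log_text: str) -> Optional[str]:
    """The earliest finding that is a cause; falls back to the first finding, or None."""
    findings = triage(log_text)
    for f in findings:
        if f.code not in NOT_CAUSES:
            return f.code
    return findings[0].code if findings else None


# Constructed samples, cut down from the debug output quoted in the threads above.
SAMPLE_PPTP = """\
++[preprocess] returns ok
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
[ldap] performing user authorization for dgomes
WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
Found Auth-Type = MSCHAP
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
"""

SAMPLE_PEAP = """\
Found Auth-Type = EAP
!!! Replacing User-Password in config items with Cleartext-Password. !!!
[eap] processing type mschapv2
[mschapv2] WARNING: Unknown value specified for Auth-Type.  Cannot perform requested action.
++[eap] returns reject
"""

SAMPLE_REALM = """\
Sun Oct 18 19:20:54 2009 : Info: WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!  Cancelling invalid proxy request.
Sun Oct 18 19:20:54 2009 : Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local'
Sun Oct 18 19:20:54 2009 : Info: Failed to authenticate the user.
"""

if __name__ == "__main__":
    for name, sample in (("pptp", SAMPLE_PPTP), ("peap", SAMPLE_PEAP), ("realm", SAMPLE_REALM)):
        print(f"{name}: root cause = {root_cause(sample)}")
        for f in triage(sample):
            print(f"  line {f.line_no}: {f.code}: {f.advice}")
```

Pipe a real `radiusd -X` capture into `triage()` and read `root_cause()` first: in the pptpd thread it points at the LDAP entry having no usable password before the later MS-CHAP lines, which are only consequences of that.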
Re: How to disable threads in 2.1.7
On Friday 16 October 2009 13:27:28 John Dennis wrote:
> On 10/16/2009 08:15 AM, Alan DeKok wrote:
>> What does that mean?
>
> That was strange :-) Our two responses were word for word identical and almost at the same time
>
> When I was a kid and two people said the same thing at the same time it became a race to see who would say this next:
>
> Jinx! You owe me a bottle of Coke.
>
> often followed by:
>
> No backs. No takes. No refunds. No penny tax.

Where I'm from we say different things when that happens, but I heard that same thing from an old loony in Spielberg's Always movie :D . so ...

Jinx! You owe me a bottle of Coke. :-) :-)
Re: Freeradius can't authenticate pptp users from Windows XP to LDAP
You can add NT / LM pairs to each LDAP user object. You must include the samba.schema into the ldap server schemas.

Ex:
  sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
  sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE

This way pptp MSCHAP auth will work.

Nelson Vale

On Thursday 08 October 2009 12:53:21 tede wrote:
> Ivan Kalik wrote:
>>> Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter (uid=light)
>>> Debug: rlm_ldap: No default NMAS login sequence
>>> Debug: rlm_ldap: looking for check items in directory...
>>> Debug: rlm_ldap: looking for reply items in directory...
>>> Debug: WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
>>
>> Hm, try adding mapping for Cleartext-Password as userPassword to ldap.attrmap.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> Hi Ivan, first of all, thanks for answering me :)
>
> So, here is the result after adding mapping for Cleartext-Password as userPassword, as we can see in the radius mapping part of the debug:
>
>   Info: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Oct 3 2009 at 19:16:29
>   Info: Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>   Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>   Info: PARTICULAR PURPOSE.
>   Info: You may redistribute copies of FreeRADIUS under the terms of the
>   Info: GNU General Public License.
>   Info: Starting - reading configuration files ...
>   Debug: including configuration file /etc/freeradius/radiusd.conf
>   Debug: including configuration file /etc/freeradius/clients.conf
>   Debug: including configuration file /etc/freeradius/policy.conf
>   Debug: including files in directory /etc/freeradius/sites-enabled/
>   Debug: including configuration file /etc/freeradius/sites-enabled/default
>   Debug: including configuration file /etc/freeradius/sites-enabled/inner-tunnel
>   Debug: including dictionary file /etc/freeradius/dictionary
>   Debug: main {
>   Debug:   prefix = /usr
>   Debug:   localstatedir = /var
>   Debug:   logdir = /var/log/freeradius
>   Debug:   libdir = /usr/lib/freeradius
>   Debug:   radacctdir = /var/log/freeradius/radacct
>   Debug:   hostname_lookups = no
>   Debug:   max_request_time = 30
>   Debug:   cleanup_delay = 5
>   Debug:   max_requests = 1024
>   Debug:   allow_core_dumps = no
>   Debug:   pidfile = /var/run/freeradius/freeradius.pid
>   Debug:   user = freerad
>   Debug:   group = freerad
>   Debug:   checkrad = /usr/sbin/checkrad
>   Debug:   debug_level = 0
>   Debug:   proxy_requests = yes
>   Debug:   security {
>   Debug:     max_attributes = 200
>   Debug:     reject_delay = 1
>   Debug:     status_server = yes
>   Debug:   }
>   Debug: }
>   Debug: client localhost {
>   Debug:   ipaddr = 127.0.0.1
>   Debug:   require_message_authenticator = no
>   Debug:   secret = hometest
>   Debug:   nastype = other
>   Debug: }
>   Debug: client 192.168.0.0/24 {
>   Debug:   require_message_authenticator = no
>   Debug:   secret = hometest
>   Debug:   shortname = private-network-1
>   Debug: }
>   Debug: radiusd: Loading Realms and Home Servers
>   Debug: radiusd: Instantiating modules
>   Debug:   instantiate {
>   Debug:   (Loaded rlm_exec, checking if it's valid)
>   Debug:   Module: Linked to module rlm_exec
>   Debug:   Module: Instantiating exec
>   Debug:     exec {
>   Debug:       wait = yes
>   Debug:       input_pairs = request
>   Debug:       shell_escape = yes
>   Debug:     }
>   Debug:   (Loaded rlm_expr, checking if it's valid)
>   Debug:   Module: Linked to module rlm_expr
>   Debug:   Module: Instantiating expr
>   Debug:   (Loaded rl_expiration, checking if it's valid)
>   Debug:   Module: Linked to module rlm_expiration
>   Debug:   Module: Instantiating expiration
>   Debug:     expiration {
>   Debug:       reply-message = Password Has Expired
>   Debug:     }
>   Debug:   (Loaded rlm_logintime, checking if it's valid)
>   Debug:   Module: Linked to module rlm_logintime
>   Debug:   Module: Instantiating logintime
>   Debug:     logintime {
>   Debug:       reply-message = You are calling outside your allowed timespan
>   Debug:       minimum-timeout = 60
>   Debug:     }
>   Debug:   }
>   Debug: radiusd: Loading Virtual Servers
>   Debug: server inner-tunnel {
>   Debug:   modules {
>   Debug:   Module: Checking authenticate {...} for more modules to load
>   Debug:   (Loaded rlm_pap, checking if it's valid)
>   Debug:   Module: Linked to module rlm_pap
>   Debug:   Module: Instantiating pap
>   Debug:     pap {
>   Debug:       encryption_scheme = auto
>   Debug:       auto_header = no
>   Debug:     }
>   Debug:   (Loaded rlm_chap, checking if it's valid)
>   Debug:   Module: Linked to module rlm_chap
>   Debug:   Module: Instantiating chap
>   Debug:   (Loaded rlm_mschap, checking if it's valid)
>   Debug:   Module: Linked to module rlm_mschap
>   Debug:   Module: Instantiating mschap
>   Debug:     mschap {
>   Debug:       use_mppe = yes
>   Debug:
Re: Freeradius can't authenticate pptp users from Windows XP to LDAP
On Thursday 08 October 2009 15:05:24 Ivan Kalik wrote:
> Just had a look at your ldap entries again. This doesn't look right:
>
>   userPassword:: dGVzdGVy
>
> Shouldn't there be just one colon? Two colons means that it's a BASE64 encoded field.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>> You can add NT / LM pairs to each LDAP user object. You must include the samba.schema into the ldap server schemas.
>>
>> Ex:
>>   sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
>>   sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE
>>
>> This way pptp MSCHAP auth will work.
>>
>> Nelson Vale
>>
>> On Thursday 08 October 2009 12:53:21 tede wrote:
>>> Ivan Kalik wrote:
>>>>> Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter (uid=light)
>>>>> Debug: rlm_ldap: No default NMAS login sequence
>>>>> Debug: rlm_ldap: looking for check items in directory...
>>>>> Debug: rlm_ldap: looking for reply items in directory...
>>>>> Debug: WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
>>>>
>>>> Hm, try adding mapping for Cleartext-Password as userPassword to ldap.attrmap.
>>>>
>>>> Ivan Kalik
>>>> Kalik Informatika ISP
>>>
>>> Hi Ivan, first of all, thanks for answering me :)
>>>
>>> So, here is the result after adding mapping for Cleartext-Password as userPassword, as we can see in the radius mapping part of the debug:
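The fix repeated through these threads (the pptpd one, the WLAN/OpenLDAP one and the two pptp/Windows XP ones) is to store Samba NT/LM hashes next to the user's LDAP entry, and Ivan's remark about the double colon is the LDIF base64 rule. The following Python is an added example, not code from the list, Samba or FreeRADIUS: it computes the NT hash (MD4 over the UTF-16LE password, which is what smbencrypt emits as sambaNTPassword), and writes and reads LDIF attribute lines including the `::` base64 form (RFC 2849). The LM hash is not computed here (it needs DES; smbencrypt produces both). Function names are this example's own; the dn and the `{MD5}` userPassword value are taken from the entry shown in the WLAN thread.

```python
"""NT hash and LDIF attribute handling for the samba.schema attributes (added example)."""
import base64
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out because hashlib lacks it on OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(16):                            # round 1: words 0..15 in order
            A, B, C, D = D, _rotl((A + f(B, C, D) + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), B, C
        for i in range(16):                            # round 2: columns 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            A, B, C, D = D, _rotl((A + g(B, C, D) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), B, C
        for i in range(16):                            # round 3: bit-reversed order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            A, B, C, D = D, _rotl((A + h(B, C, D) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), B, C
        a, b, c, d = (a + A) & MASK, (b + B) & MASK, (c + C) & MASK, (d + D) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Upper-case hex NT hash, the format stored in sambaNTPassword."""
    return md4(password.encode("utf-16-le")).hex().upper()


def _ldif_safe(value: bytes) -> bool:
    """RFC 2849 SAFE-STRING: ASCII without NUL/CR/LF, not starting with space, ':' or '<'."""
    if not value:
        return True
    if value[0] in b" :<":
        return False
    return all(ch < 128 and ch not in (0, 10, 13) for ch in value)


def ldif_attr(name: str, value: bytes) -> str:
    """One attribute line; values that are not safe strings get the '::' base64 form."""
    if _ldif_safe(value):
        return f"{name}: {value.decode('ascii')}"
    return f"{name}:: {base64.b64encode(value).decode('ascii')}"


def parse_ldif_attr(line: str):
    """Inverse of ldif_attr: a double colon means the value is base64, as Ivan points out."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an attribute line: " + line)
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip())
    return name, rest.lstrip(" ").encode("ascii")


def samba_entry(dn: str, uid: str, password: str, user_password: bytes) -> str:
    """LDIF fragment of the shape shown in the WLAN thread: the existing userPassword
    value is kept as-is, sambaNTPassword is derived from the clear-text password."""
    lines = [
        ldif_attr("dn", dn.encode()),
        "objectClass: inetOrgPerson",
        "objectClass: sambaSamAccount",
        ldif_attr("uid", uid.encode()),
        ldif_attr("userPassword", user_password),
        ldif_attr("sambaNTPassword", nt_hash(password).encode()),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # dn and userPassword value from the WLAN thread's example entry; "password" is a placeholder
    print(samba_entry("uid=xxx,ou=people,dc=local,dc=loc", "xxx", "password",
                      b"{MD5}f2hKG+dj3gI+6hKf/ymJuw=="))
    print(parse_ldif_attr("userPassword:: dGVzdGVy"))
```

ldapsearch prints userPassword base64-encoded by default, so `userPassword:: dGVzdGVy` in the pptp thread is simply the clear-text value `tester` encoded for LDIF, not a different attribute; the same decoding applied to the WLAN thread's entry yields `{MD5}f2hKG+dj3gI+6hKf/ymJuw==`. Feed the fragment to ldapadd or ldapmodify as you would smbencrypt's output.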
Re: freeradius + monit
On Tuesday 08 September 2009 11:00:35 Sokvantha Youk wrote:
> Dear All,
>
> I am new to the Freeradius server. I wish to get it to restart automatically when its process hangs, by using monit. I have no idea how to get monit to restart the freeradius server automatically. Please kindly advise me.
>
> ---
> Best Regards,
> sokvantha

Install monit, create a file in the /etc/monit.d/ directory like /etc/monit.d/freeradius and add something like the following to that file:

  check process freeradius with pidfile /var/run/freeradius/radiusd.pid
    start = /etc/init.d/freeradius start
    stop = /etc/init.d/freeradius stop
    if failed host 192.168.1.1 port 1812 type UDP then restart
    if cpu usage is greater than 60 percent for 2 cycles then alert
    if cpu usage > 90% for 5 cycles then restart
    if totalmem usage > 40% for 5 cycles then restart
    if 3 restarts within 4 cycles then timeout

and restart monit.

Unfortunately monit does not yet support RADIUS protocol checks.
Re: Pre-release of 2.1.7
On Wednesday 02 September 2009 09:46:01 Alan DeKok wrote:
> It's been a while since 2.1.6, and it's getting close to time for 2.1.7. In order to ensure the stability of the software, we need your help.
>
> Please download the pre release of 2.1.7 from:
>
> http://git.freeradius.org/pre/
>
> Build it, install it, and see if there are issues. The directory also includes Debian packages for Ubuntu 8.0.4.
>
> If there are no issues, we can release 2.1.7 this week.
>
> Alan DeKok.

Tested in Ubuntu 9.04 from sources and no problems found so far.
Re: Last chance to check the pre release of 2.1.6
On Saturday 16 May 2009 07:30:49 you wrote:

nf-vale wrote:
sudo radiusd -V
radiusd: error while loading shared libraries: libfreeradius-radius-2.1.6.so: cannot open shared object file: No such file or directory

It looks like you don't have /usr/local/lib in your dynamic linker path. There isn't much we can do to fix that.

I've configured it with:
./configure --with-raddbdir=/etc/raddb216 --with-logdir=/var/log/radius --with-radacctdir=/var/log/radius/radacct --enable-strict-dependencies --without-rlm_counter --without-rlm_dbm --without-rlm_ippool --without-rlm_perl --without-rlm_krb5 --with-openssl --without-rlm_python --without-rlm_sql --with-rlm_eap --with-rlm_eap2 --without-rlm_eap_ikev2 --without-rlm_eap_tnc

Why is it searching in /usr/lib/i486-linux-gnu/ as opposed to just /usr/lib? Which OS is this?

Ubuntu Hardy (kernel 2.6.24-24)

I've configured previous versions up to 2.1.3 like that and it all went fine and never had this problem before.

Still, I think it's a fairly esoteric problem. If your linker is *only* looking in those paths, then you should either fix the linker to look in the directory you configured for FreeRADIUS, *or* configure FreeRADIUS to put libraries in the directory your linker uses.

The solution for this is obviously simple, but I reported it anyway because it didn't happen with the previous versions.

Alan DeKok.
Re: Last chance to check the pre release of 2.1.6
On Saturday 16 May 2009 11:01:00 Ivan Kalik wrote:

nf-vale wrote:
sudo radiusd -V
radiusd: error while loading shared libraries: libfreeradius-radius-2.1.6.so: cannot open shared object file: No such file or directory

It looks like you don't have /usr/local/lib in your dynamic linker path. There isn't much we can do to fix that.

I've configured it with:
./configure --with-raddbdir=/etc/raddb216 --with-logdir=/var/log/radius --with-radacctdir=/var/log/radius/radacct --enable-strict-dependencies --without-rlm_counter --without-rlm_dbm --without-rlm_ippool --without-rlm_perl --without-rlm_krb5 --with-openssl --without-rlm_python --without-rlm_sql --with-rlm_eap --with-rlm_eap2 --without-rlm_eap_ikev2 --without-rlm_eap_tnc

Why is it searching in /usr/lib/i486-linux-gnu/ as opposed to just /usr/lib? Which OS is this?

I've configured previous versions up to 2.1.3 like that and it all went fine and never had this problem before.

Still, I think it's a fairly esoteric problem. If your linker is *only* looking in those paths, then you should either fix the linker to look in the directory you configured for FreeRADIUS, *or* configure FreeRADIUS to put libraries in the directory your linker uses.

Alan DeKok.

Put /usr/local/lib in /etc/ld.so.conf. Run ldconfig after install.

I already have that dir in the path:

$ cat /etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf

and in /etc/ld.so.conf.d/libc.conf I have:

$ cat /etc/ld.so.conf.d/libc.conf
# libc default configuration
/usr/local/lib

It works for other versions.

Ivan Kalik
Kalik Informatika ISP
Re: Last chance to check the pre release of 2.1.6
On Friday 15 May 2009 15:59:30 Alan DeKok wrote:
http://git.freeradius.org/pre/
Unless there are issues, it will become 2.1.6 on Monday.
Alan DeKok.

Just downloaded and compiled from source in Ubuntu Hardy. When I tried to start radiusd it complained about:
Re: Last chance to check the pre release of 2.1.6
Sorry, my shortcuts are tricky bastards :)

On Friday 15 May 2009 19:52:56 nf-vale wrote:
On Friday 15 May 2009 15:59:30 Alan DeKok wrote:
http://git.freeradius.org/pre/
Unless there are issues, it will become 2.1.6 on Monday.
Alan DeKok.

Just downloaded and compiled from source in Ubuntu Hardy. When I tried to start radiusd it complained about:

sudo radiusd -V
radiusd: error while loading shared libraries: libfreeradius-radius-2.1.6.so: cannot open shared object file: No such file or directory

Using strace I see that it is searching for libs in /usr/lib/i486-linux-gnu but the lib was installed in /usr/local/lib (it did not look for libs there):

sudo strace radiusd -V
execve("/usr/local/sbin/radiusd", ["radiusd", "-V"], [/* 16 vars */]) = 0
brk(0) = 0x8084000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7eea000
access("/etc/ld.so.preload", R_OK) ...
...
...
stat64("/usr/lib/i486-linux-gnu/sse2", 0xbfb4b360) = -1 ENOENT (No such file or directory)
open("/usr/lib/i486-linux-gnu/cmov/libfreeradius-radius-2.1.6.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i486-linux-gnu/cmov", 0xbfb4b360) = -1 ENOENT (No such file or directory)
open("/usr/lib/i486-linux-gnu/libfreeradius-radius-2.1.6.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i486-linux-gnu", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
writev(2, [{"radiusd", 7}, {": ", 2}, {"error while loading shared libra"..., 36}, {": ", 2}, {"libfreeradius-radius-2.1.6.so", 29}, {": ", 2}, {"cannot open shared object file", 30}, {": ", 2}, {"No such file or directory", 25}, {"\n", 1}], 10radiusd: error while loading shared libraries: libfreeradius-radius-2.1.6.so: cannot open shared object file: No such file or directory

I've configured it with:
./configure --with-raddbdir=/etc/raddb216 --with-logdir=/var/log/radius --with-radacctdir=/var/log/radius/radacct --enable-strict-dependencies --without-rlm_counter --without-rlm_dbm --without-rlm_ippool --without-rlm_perl --without-rlm_krb5 --with-openssl --without-rlm_python --without-rlm_sql --with-rlm_eap --with-rlm_eap2 --without-rlm_eap_ikev2 --without-rlm_eap_tnc

I've configured previous versions up to 2.1.3 like that and it all went fine and never had this problem before.

Meanwhile I linked this directory with the correct directory and now it starts fine.

Nelson Vale
Re: Vista Issue
On Fri, 2008-08-01 at 13:30 +0200, Alan DeKok wrote:
nf-vale wrote:
Do you have any news on the Vista EAP issue?

I have done nothing. I don't have a Vista machine.

Good for you. You aren't missing anything :)

For anyone having troubles with Vista there's this supplicant that works and it's free: http://wire.cs.nthu.edu.tw/wire1x/

How many people use it? Not many. The SecureW2 one is used a lot, and it's also GPL'd.

It was my first choice but I couldn't get it to work (version 1.0.6). I'm waiting for the next version to see if it works.

Alan DeKok.
Re: Vista Issue
On Fri, 2008-08-01 at 17:12 +0100, [EMAIL PROTECTED] wrote:
Hi,
Do you have any news on the Vista EAP issue?

? we use Vista against 1.1.7 - 2.0.5 without issue. before 1.1.4 we had problems due to a new PEAP issue (padding of the SSL) but 1.1.4 fixed that. what version of OpenSSL do you have on your system?

OpenSSL 0.9.7m

Using the WIRE1X supplicant we've no problem authenticating. The problem is with the Vista native supplicant (and also with the secureW2). Today we were able to authenticate with one of our Vista laptops which differs from the rest in two aspects:
1) Vista (Business) is the English version; the remaining are (Business) Portuguese.
2) This working Vista is an IBM Laptop and uses an IBM supplicant wrapper instead of the normal Vista supplicant.

Nelson Vale
Re: Vista Issue
I forgot to mention that we're trying both with 2.0.2 and 2.0.5 ...

On Fri, 2008-08-01 at 18:46 +0100, nf-vale wrote:
On Fri, 2008-08-01 at 17:12 +0100, [EMAIL PROTECTED] wrote:
Hi,
Do you have any news on the Vista EAP issue?

? we use Vista against 1.1.7 - 2.0.5 without issue. before 1.1.4 we had problems due to a new PEAP issue (padding of the SSL) but 1.1.4 fixed that. what version of OpenSSL do you have on your system?

OpenSSL 0.9.7m

Using the WIRE1X supplicant we've no problem authenticating. The problem is with the Vista native supplicant (and also with the secureW2). Today we were able to authenticate with one of our Vista laptops which differs from the rest in two aspects:
1) Vista (Business) is the English version; the remaining are (Business) Portuguese.
2) This working Vista is an IBM Laptop and uses an IBM supplicant wrapper instead of the normal Vista supplicant.

Nelson Vale
Vista Issue
Alan,

Do you have any news on the Vista EAP issue?

For anyone having troubles with Vista there's this supplicant that works and it's free: http://wire.cs.nthu.edu.tw/wire1x/

Nelson Vale
Invalid EAP Type with Catalyst 2960G IOS 12.2
Hi all,

I'm having a little trouble configuring a Cisco Switch - Catalyst 2960G IOS 12.2 to work properly with EAP-PEAP clients. I've tested the same radius configuration (freeradius 2.0.2) with an HP Procurve 2626 Switch and all worked just fine. Windows XP clients can authenticate with PEAP successfully. The same clients connected to the Cisco Switch that is authenticating in the same freeradius server can not authenticate because freeradius is trying EAP-TLS instead of EAP-PEAP:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.1 port 1645, id=1, length=129
User-Name = al5
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-1E-BD-62-B9-81
Calling-Station-Id = 00-1B-38-92-39-A0
EAP-Message = 0x0206000c01616c3030303035
Message-Authenticator = 0xb8fb13899c9df58f7770efaeeeb9eb1a
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-IP-Address = 192.168.2.1
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = al5, skipping NULL due to config.
++[suffix] returns noop
rlm_realm: No '\' in User-Name = al5, skipping NULL due to config.
++[ntdomain] returns noop
rlm_eap: EAP packet type response id 6 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[mschap] returns noop
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> al5
expand: %{%{User-Name}:-none} -> al5
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> al5
rlm_sql (sql): sql_set_user escaped user -- 'al5'
rlm_sql (sql): Reserving sql socket id: 0
expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'al5' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): User found in radcheck table
expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'al5' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='al5' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'Alunos' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql (sql): User found in group Alunos
expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'Alunos' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[files] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.2.1 port 1645
Tunnel-Private-Group-Id:0 := 2
EAP-Message = 0x010700061920
Message-Authenticator = 0x
State = 0x12f8640712ff7d8ac69a15b3712e899e
Finished request 3.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 3 ID 1 with timestamp +501
Ready to process requests.

Does anybody have a clue on how to solve this problem? Is it an IOS (version 12.2) problem?

Thx,
Nelson Vale
Re: Invalid EAP Type with Catalyst 2960G IOS 12.2
The comments you refer to are these ones?

...
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
mschapv2 {
}
...

But I also tried with TTLS using the secureW2 supplicant and the log was similar.

...
rad_recv: Access-Request packet from host 192.168.2.1 port 1645, id=24, length=155
User-Name = al1
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-1E-BD-62-B9-81
Calling-Station-Id = 00-1B-38-92-39-A0
EAP-Message = 0x0203000c01616c3030303031
Message-Authenticator = 0xe63d66c15b1b53a1fe27f788de329cc3
NAS-Port-Type = Ethernet
Cisco-NAS-Port = GigabitEthernet0/1
NAS-Port = 50001
NAS-IP-Address = 192.168.2.1
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = al1, skipping NULL due to config.
++[suffix] returns noop
rlm_realm: No '\' in User-Name = al1, skipping NULL due to config.
++[ntdomain] returns noop
++[mschap] returns noop
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> al1
expand: %{%{User-Name}:-none} -> al1
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> al1
rlm_sql (sql): sql_set_user escaped user -- 'al1'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'al1' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): User found in radcheck table
expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'al1' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='al1' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'Alunos' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql (sql): User found in group Alunos
expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'Alunos' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[files] returns noop
rlm_eap: EAP packet type response id 3 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.168.2.1 port 1645
Tunnel-Private-Group-Id:0 := 2
EAP-Message = 0x010400061520
Message-Authenticator = 0x
State = 0x8bd2c0948bd6d5c8bc5a33e2381bcef4
Finished request 1.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 1 ID 24 with timestamp +77
Ready to process requests.
...

What eap configuration should I use to allow this Cisco equipment to authenticate in freeradius (if any)? Is this a Cisco configuration issue?

Thx,
Nelson Vale

On Mon, 2008-07-28 at 20:20 +0200, Alan DeKok wrote:
nf-vale wrote:
The same clients connected to the Cisco Switch that is authenticating in the same freeradius server can not authenticate because freeradius is trying EAP-TLS instead of EAP-PEAP:

RADIUS doesn't work that way. FreeRADIUS *offers* an EAP type when the client starts connecting. The client *chooses* a different one, if it doesn't like the offer. Saying it doesn't work because of TLS versus PEAP is equivalent to saying the EAP supplicant does not support PEAP. The problem you're running into looks a lot like the problem described in the comments in eap.conf.

Alan DeKok.
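Alan's point is easier to see by decoding the EAP-Message values in the debug output above rather than reading the module names. The decoder below is an added example written for this page, not code from FreeRADIUS or from the thread; the code and type tables are the RFC 3748 / IANA values, and the Nak sample 0x02080007031519 is constructed. Run on the page's own values, it shows that the challenge 0x010700061920 offers EAP type 25 (PEAP) with the Start flag set, and that 0x010400061520 from the TTLS run offers type 21. A supplicant that wants a different method answers with a Nak (type 3) listing the types it accepts, which is the negotiation Alan describes; a NAS that never delivers the challenge produces no Nak and no further packets, which is what the logs show.

```python
import struct

# EAP codes (RFC 3748) and the method types that appear in radiusd -X output on this page
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}


def decode_eap_message(hex_value: str) -> dict:
    """Decode one RADIUS EAP-Message attribute value as printed by radiusd -X."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # A length field that disagrees with the bytes is a malformed packet, not a method
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code not in (1, 2):
        return info  # Success and Failure carry no type byte
    eap_type = raw[4]
    info["type"] = eap_type
    info["type_name"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    data = raw[5:]
    if eap_type == 1:
        info["identity"] = data.decode("utf-8", errors="replace")
    elif eap_type == 3:
        # A Nak lists the types the peer is willing to do instead of the one offered
        info["desired_types"] = [EAP_TYPES.get(t, f"unknown({t})") for t in data]
    elif eap_type in TLS_BASED and data:
        flags = data[0]
        info["flags"] = {"length_included": bool(flags & 0x80),
                         "more_fragments": bool(flags & 0x40),
                         "start": bool(flags & 0x20)}
    return info


def describe(hex_value: str) -> str:
    """One-line summary, e.g. 'Request id=7 PEAP (start)'."""
    info = decode_eap_message(hex_value)
    parts = [info["code"], f"id={info['id']}"]
    if "type_name" in info:
        parts.append(info["type_name"])
    if "identity" in info:
        parts.append(f"identity={info['identity']!r}")
    if "desired_types" in info:
        parts.append("wants " + "/".join(info["desired_types"]))
    if info.get("flags", {}).get("start"):
        parts.append("(start)")
    return " ".join(parts)


if __name__ == "__main__":
    # The client's Identity response and the two Access-Challenge offers from the logs above
    for value in ("0x0206000c01616c3030303035", "0x010700061920", "0x010400061520"):
        print(describe(value))
```

Decoding the Identity response also shows exactly which identity the supplicant sent, independent of the User-Name line the NAS put in the request, which is useful when the two disagree.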
Re: Invalid EAP Type with Catalyst 2960G IOS 12.2
As always you were absolutely right :) The freeradius server was not properly communicating with the Cisco switch. Now both PEAP and TTLS work alright.

On Mon, 2008-07-28 at 21:25 +0200, Alan DeKok wrote:
nf-vale wrote:
The comments you refer to are these ones?

No. See the comments on access-challenge. Honestly... eap.conf isn't that big. Reading all of it shouldn't be that hard.

But I also tried with TTLS using the secureW2 supplicant and the log was similar.

If that's the case, my guess is that the NAS simply isn't seeing the response from the RADIUS server.

Alan DeKok.
Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Are you using the Vista supplicant? By reading the last lines of your radius debug file it seems so... See earlier posts with subject: "PEAP or TTLS and Microsoft Vista".

On Fri, 2008-07-25 at 17:10 +, Reveal MAP wrote:

installing ca.der and putting user pass into client machine, the authentication doesn't work?
-- no, it doesn't!

you only need ca.der but, if you have an active directory like LDAP, check if your communication with the AD server also has tls authentication. In the ldap module you can configure another tls block, which is different from the tls block in the eap module.
-- Well, the howto explaining how freeradius has to authenticate users against Active Directory says nothing about ldap config files on the linux server. it just gives tips about samba, using winbind, ntlm_auth, krb5.conf, nsswitch.conf and the mschap module in freeradius. I have always succeeded with this kind of authentication without reading or changing a line of the ldap module in freeradius. and i think, authenticating users against Openldap won't be managed like authentication of freeradius using active directory.

I don't know if it is your problem, but I suppose that communication between the ldap server and radius can have different certificates, from different CAs, than the eap communication.

my wireless network is secured with wpa/wpa2 enterprise, requiring a RADIUS server to perform authentication. so i am doing 802.1x authentication which exploits a valid PKI, regardless of the base of users. this is how i understand it.

If it is your problem, I would check it. also it would be good if you post the debug of radius to see which certificate can't validate.

see the log there: http://tinypaste.com/5b99b

active and valid user is:
login: glouglou
password: glouglou

aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
password:
NT_STATUS_OK: Success (0x0)
aaa:~ #

:/ Any help will be appreciated. these days i am wondering about the validity of the Server certificate!

I have to tell you that, in my case, if i try a peap authentication against Active Directory with wrong user credentials, i have an error message saying that login or password is incorrect. with good user credentials, i just obtain what you can see in the radiusd -X output (http://tinypaste.com/5b99b)

thank you
Re: Get AD Profile
Ok I finally realised what I was doing wrong. To retrieve one Active Directory user's group it's not necessary to use the replyItem in ldap.attrmap. It's only necessary to configure the ldap module correctly. So I resolved this using the following configuration:

On Sat, 2008-07-12 at 21:58 +0100, Nelson Vale wrote:
Hi all,
I have my freeradius deploy (2.0.2) configured to authenticate users against Active Directory and that is working fine. But I want to retrieve the user's profile from Active Directory, to add the VLAN ID (Tunnel-Private-Group-ID) to the Access-Accept reply. I really don't know how to do this and I couldn't find a clear solution, either in documentation (rlm_ldap) or by googling. So I would appreciate if someone could give me a hand on this.

What I've done so far is to add this entry to the ldap.attrmap file:
replyItem radiusProfileDn memberOf
The profile I want to retrieve is the CN in this object like cn=PROFILE,dc=domain,dc=com, but in radius debug I'm getting this error:

++[ntdomain] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for figo
expand: %{Stripped-User-Name} -> figo
expand: (sAMAccountName= %{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) -> (sAMAccountName=figo)
expand: dc=ldaptest,dc=pt -> dc=ldaptest,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldaptest,dc=com, with filter (sAMAccountName=figo)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Failed to create the pair: Invalid octet string CN=grupo1,DC=ldaptest,DC=com for attribute name radiusProfileDn
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user figo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_eap: EAP packet type response id 8 length 80
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[mschap] returns noop
expand: %{Stripped-User-Name} -> figo
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> figo
++[files] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Success
Using saved attributes from the original Access-Accept
rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [LDAPTEST.COM\\figo/via Auth-Type = EAP] (from client portatil port 0 cli 02-00-00-00-00-01)
Sending Access-Accept of id 17 to 192.168.10.200 port 33000
User-Name = figo
MS-MPPE-Recv-Key = 0x69e42b94d9070d50bf16c6f70d904c94799f99dc1aeb8f2c7485968674c5cad5
MS-MPPE-Send-Key = 0xa67fc2e54c9ec96e583225bb123ed223e55846230bbdb26eeb6bb0b16bd5c57d
EAP-Message = 0x03080004
Message-Authenticator = 0x
Re: Get AD Profile
Sorry, my last message was sent before time :). I was betrayed by a very sensitive touchpad... Now the complete message:

Ok I finally realised what I was doing wrong. To retrieve one Active Directory user's group it's not necessary to use the replyItem in ldap.attrmap. It's only necessary to configure the ldap module correctly. So I resolved this by using the following configuration:

In radius.conf:

ldap {
    server = "192.168.100.173:389"
    basedn = "dc=ldaptest,dc=com"
    password =
    identity = "cn=manager,cn=users,dc=ldaptest,dc=com"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}})"
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    groupmembership_attribute = memberOf
    groupmembership_filter = "(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))"
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

NOTE: The %{Ldap-UserDn} attribute was replaced by %{check:LDAP-UserDn} since 2.0 (I lost a lot of time here because I was using %{Ldap-UserDn} as stated in the documentation).

In the users file (one entry for each group):

DEFAULT Ldap-Group == "CN=groupX,DC=ldaptest,DC=com"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-Id = 3

Now the reply is like:

rad_recv: Access-Request packet from host 192.168.10.200 port 33073, id=17, length=217
User-Name = LDAPTEST.COM\\figo
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x02080050190017030100205178b4a5223790b6da72bc08db63ad2293c28106a590b25833bd4a70ba08f8d91703010020ff2d3faaec5ab346aaebb253b110da880ba6c5c55a27deaad76e9ddeb9016be6
State = 0x7491a0427399b9e1f10398e7556e31d5
Message-Authenticator = 0x342892f124c4b5b005c0d5810e0b5ba9
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = LDAPTEST.COM\figo, skipping NULL due to config.
++[suffix] returns noop
rlm_realm: Looking up realm LDAPTEST.COM for User-Name = LDAPTEST.COM\figo
rlm_realm: Found realm LDAPTEST.COM
rlm_realm: Adding Stripped-User-Name = figo
rlm_realm: Proxying request from user figo to realm LDAPTEST.COM
rlm_realm: Adding Realm = LDAPTEST.COM
rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for figo
expand: %{Stripped-User-Name} -> figo
expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) -> (sAMAccountName=figo)
expand: dc=ldaptest,dc=com -> dc=ldaptest,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldaptest,dc=com, with filter (sAMAccountName=figo)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user figo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_eap: EAP packet type response id 8 length 80
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[mschap] returns noop
rlm_ldap: Entering ldap_groupcmp()
expand: dc=ldaptest,dc=com -> dc=ldaptest,dc=com
expand: (|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=grupo1,DC=ldaptest,DC=com, with filter (|(&(objectClass=group)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group CN=grupo1,DC=ldaptest,DC=pt
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 8
++[files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Success
Using saved attributes from the original Access-Accept
rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [LDAPTEST.COM\\figo/via Auth-Type = EAP]
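The ldap_groupcmp() lines in the debug output above show one detail worth noticing: before the user's DN is substituted into groupmembership_filter, rlm_ldap hex-escapes the '=' and ',' characters (CN\3dfigo\2cCN\3dUsers...). The same escaping applies to the user name placed in the sAMAccountName filter, and it is what stops a name containing filter metacharacters from changing the structure of the search. The script below is an added example written for this page that reimplements that escaping and the group-to-VLAN mapping the users file performs; it is not rlm_ldap's code. The filter is the one from the post, written with the '&' of its and-terms that HTML extraction strips; the escape set beyond the '=' and ',' visible in the log is my assumption (the RFC 4515 metacharacters plus DN separators), and the grupo1 to VLAN 2 entry is constructed, only groupX to VLAN 3 comes from the post.

```python
# Characters that may not appear unescaped in an LDAP filter value: the RFC 4515
# metacharacters plus the DN separators rlm_ldap is seen escaping in the debug log.
ESCAPED = set('*()\\\x00=,+<>;"#')

# The groupmembership_filter and users-file entries from the post above.
GROUP_FILTER = ("(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))"
                "(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))")
# (group DN, VLAN id) in users-file order; grupo1 -> 2 is constructed, groupX -> 3 is from the post.
VLAN_ENTRIES = [("CN=grupo1,DC=ldaptest,DC=com", 2),
                ("CN=groupX,DC=ldaptest,DC=com", 3)]


def ldap_escape(value: str) -> str:
    """Hex-escape every character that could alter the meaning of a filter, as \\XX."""
    out = []
    for ch in value:
        if ch in ESCAPED or ord(ch) < 0x20:
            out.append(f"\\{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def expand(template: str, values: dict) -> str:
    """Substitute %{name} placeholders with escaped values, like the xlat in the log."""
    out = template
    for name, value in values.items():
        out = out.replace("%{" + name + "}", ldap_escape(value))
    return out


def group_filter(user_dn: str) -> str:
    """Filter ldap_groupcmp() runs against each group DN listed in the users file."""
    return expand(GROUP_FILTER, {"check:LDAP-UserDn": user_dn})


def user_filter(username: str) -> str:
    """Filter used to locate the user object from the (attacker-controlled) User-Name."""
    return "(sAMAccountName=%s)" % ldap_escape(username)


def vlan_reply(user_groups) -> dict:
    """Model of the DEFAULT entries: the first entry whose Ldap-Group check matches
    wins, since none of them sets Fall-Through; None means no VLAN is assigned."""
    member_of = set(user_groups)
    for group_dn, vlan in VLAN_ENTRIES:
        if group_dn in member_of:
            return {"Tunnel-Medium-Type": "IEEE-802",
                    "Tunnel-Type": "VLAN",
                    "Tunnel-Private-Group-Id": str(vlan)}
    return None


if __name__ == "__main__":
    print(group_filter("CN=figo,CN=Users,DC=ldaptest,DC=com"))
    # A user name carrying filter syntax is searched for literally, not as a wildcard
    print(user_filter("*)(objectClass=*"))
    print(vlan_reply(["CN=grupo1,DC=ldaptest,DC=com"]))
```

The vlan_reply model is deliberately simple: the real ldap_groupcmp() performs a search under each group DN rather than a string comparison, but the ordering rule is the same, so a user who is a member of several listed groups gets the VLAN of whichever DEFAULT entry comes first in the file.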
Re: virtual server and clients from sql
Should it be

SELECT id, nasname, shortname, type, secret, virtual_server FROM nas

or

SELECT id, nasname, shortname, type, secret, server FROM nas

On Mon, 2008-07-07 at 20:54 +0200, Norbert Wegener wrote:
[EMAIL PROTECTED] wrote:
Hi,
With the actual git/cvs I wanted to set up client based virtual servers, where the clients are stored in a mysql database. I added a column server to the nas table and set it to the name of a virtual server.

the logic is in rlm_sql.c already, all you need to do is update your nas_query so that it looks like eg
SELECT id,nasname,shortname,type,secret,virtual_server FROM nas
then it'll pull in the details from the DB

Thanks, will this be in 2.0.6 by default?
Norbert Wegener

alan
Get clients virtual_server info from SQL nas table
Hi all,

In my deploy, freeradius is retrieving clients info from the sql nas table, but this table does not have a virtual_server column, and I need to use virtual servers. Is it possible to get virtual_server info from the sql nas table, instead of the clients.conf file? If yes, what do I need to do?

Thx,
Nelson Vale
Re: Get clients virtual_server info from SQL nas table
Hi Alan,

Thanks for your quick answer. In the freeradius-server-2.0.3/raddb/sql/postgresql/nas.sql file the sql table structure did not show any server column:

/*
 * Table structure for table 'nas'
 */
CREATE TABLE nas (
  id SERIAL PRIMARY KEY,
  nasname VARCHAR(128) NOT NULL,
  shortname VARCHAR(32) NOT NULL,
  type VARCHAR(30) NOT NULL DEFAULT 'other',
  ports int4,
  secret VARCHAR(60) NOT NULL,
  community VARCHAR(50),
  description VARCHAR(200)
);
create index nas_nasname on nas (nasname);

Where can I get the most updated SQL schema for postgres? 2.0.5 sources?

Is it also possible for radiusd to retrieve realms and proxy information from SQL instead of files?

Thx again,
Nelson Vale

On Sat, 2008-07-05 at 16:09 +0200, Alan DeKok wrote:
nf-vale wrote:
In my deploy, freeradius is retrieving clients info from the sql nas table, but this table does not have a virtual_server column, and I need to use virtual servers. Is it possible to get virtual_server info from the sql nas table, instead of the clients.conf file? If yes, what do I need to do?

Update the SQL table to include the server column, as given in the sample nas.sql files.

Alan DeKok.
Freeradius Hardware requirements
Hi all,

Please help me if you can. I need some data about Freeradius hardware requirements. This is for a project I'm working on and I need to establish minimum hardware requirements for a radius server (Freeradius 2.0.5) that will serve about 3000 users, and will be used as authentication and authorization server for some wireless APs and 802.1x switches. It's expected that users will massively login (400 or more) at a certain time and after that re-authentication will happen every 6 or 10 min, for 802.1x clients.

Also I have some doubts about where to store user info, SQL DB (postgres maybe) or LDAP. What would be the better solution, in terms of performance? The OS is a debian alike (2.6.19 kernel).

Can anybody provide me some info on this?

Thanks in advance
Nelson Vale