Re: Windows Pre-Login Auth

2011-09-09 Thread nf-vale


On Windows 7 you can configure pre-login authentication (wireless
connection properties - Advanced settings) both for computer and user. On
XP (with native windows client), I don't think that it is possible to do
that. 

On Fri, 9 Sep 2011 09:00:32 -0500, Scott Hughes  wrote:   


Hello all, 

I have been using FreeRadius for several years now and am
stuck trying to make our Windows based wireless system authenticate PRIOR
to user login. 

I have searched the FreeRadius and Deploying FreeRadius
sites as well as Google, but no luck. Here is a brief overview of my
FreeRadius setup: 

1) Clients: Windows XP
2) Currently running FreeRadius version 2.0.5
3) Currently authenticating users via TLS/PEAP with computer name/username 

I'm not sure what else (if anything) you
might need. I am also looking at changing the FreeRadius setup to
authenticate against our Windows 2008r2 Active Directory servers. We have
one main location and two remote sites. Currently we have only one
FreeRadius server at the main site. If the VPN connection between the main
site and either / both of the remote sites goes down, the remote sites
can't authenticate. My thought was to have three FreeRadius servers that
would authenticate to the local copy of the AD. Having said all of this, I
do not want to get too many things going at one time. I much prefer to
tackle one issue at a time. 

Thanks in advance for any insight you may have
on either/both of these issues. 

Scott 

 -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread nf-vale
Hi,

You can add NT / LM pairs to each LDAP user object. You must include the 
samba.schema into the ldap server schemas.

Ex:

sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE

You can create these passwords using smbencrypt tool (deployed with samba).

This way pptp MSCHAP auth will work.


Nelson Vale


On Monday 05 July 2010 16:59:08 Daniel Gomes wrote:
 Dear list,
 
 I know this is a question which has been thoroughly asked and answered,
 but after spending several days configuring, debugging, searching the
 internet, rec-configuring, etc, I still can't get my freeradius server
 to properly authenticate users (for a pptd server).
 
 First of all, on the pptpd server's side (which I know it's not your
 jurisdiction, so I'll be fast here), I have the require-mschap-v2 and
 require-mppe options enabled.
 
 As for freeradius itself, a summarized sites-enabled/default reads:
 
 authorize {
 preprocess
 
 pap
 
 mschap
 
 ldap
 
 auth_log
 
 eap {
 ok = return
 }
 
 expiration
 logintime
 }
 
 authenticate {
 Auth-Type PAP {
 pap
 }
 
 Auth-Type MS-CHAP {
 mschap
 }
 
 Auth-Type LDAP {
 ldap
 }
 
 eap
 }
 
 My modules/ldap contains all the necessary information, and my
 modules/mschap has the options use_mppe, require_encryption and
 require_strong enabled, like most tutorials state.
 
 As for the results, radtest works fine (querying LDAP etc), but through
 pptd it always fails with this error:
 
 
 
 rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
 length=151
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = dgomes
   MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
   MS-CHAP2-Response =
 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf6
 8cb9686085635bd3b3083707eb3 Calling-Station-Id = 193.136.136.200
   NAS-IP-Address = 193.136.136.40
   NAS-Port = 0
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
 [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 ++[mschap] returns ok
 [ldap] performing user authorization for dgomes
 WARNING: Deprecated conditional expansion :-.  See man unlang for
 details
   expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=dgomes)
   expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -
 ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
 rlm_ldap: bind as
 cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
 gold.ipfn.ist.utl.pt:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
 with filter (cn=dgomes)
 [ldap] No default NMAS login sequence
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that
 the user is configured correctly?
 [ldap] user dgomes authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
   expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
 %m%d - /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
 [auth_log]
 /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
 expand: %t - Thu Jul  8 14:08:34 2010
 ++[auth_log] returns ok
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
 [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 ++[mschap] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
   expand: %{User-Name} - dgomes
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 
 --
 
 I know that the error should be enough for me to fix it (since it's
 quite explanatory), but after trying many different configurations and
 searching through dozens of old mailing lists posts, I still haven't
 managed it...
 
 So yeah, if you could help me out, 

Re: ldap auto header MS-CHAPv2

2010-03-15 Thread nf-vale
On Monday 15 March 2010 13:42:11 Alan Buxey wrote:
 Hi,
 
  no i don't have AD.
 
  in other word, i cannot use windows xp supplicant  EAP-MSCHAPv2 to make
  the authentication protocol to authenticate users in openldap database
  using ssha1 password, that's right?
 
 correct: http://deployingradius.com/documents/protocols/oracles.html
 
 
 PEAPv0/MS-CHAPv2 requires MSCHAPv2 - thats challenge response.
 
 
 the client never supplies the real password - therefore you cannot compare
 to a password stored in LDAP.
 
 
 what you need to use is an EAP method that uses PAPeg EAP-TTLSv0/PAP

You can use EAP-PEAP as long as you store also samba NT/LM hashes in LDAP 
(sambaLMPassword and sambaNTPassword). If you have these hashes you may use 
Windows XP built-in supplicant.

 
 try using a supplicant on the windows machine that gives you this eg
 
 http://open1x.sourceforge.net/
 
 http://www.securew2.com/
 
 ...or grab a Mac OSX machine to do further testing - they have TTLS/PAP
 support natively.
 
 
 alan


Re: Request for directions: WinXP + Samba + LDAP + 802.1x

2009-12-15 Thread nf-vale
Have you defined Auth-Type in users file to mschapv2 (don't do it)? What is the 
configuration for this user in the users file?


On Tuesday 15 December 2009 13:00:07 you wrote:
  As you can see, it says that it has stripped realm from username but
  it passes it along with username to ldap. How can I fix this?
 
 Never mind. ldap filter did the job. Sorry about that.
 
 Actually it's not working yet.
 
 rad_recv: Access-Request packet from host 192.168.205.29 port 49154,
 id=0, length=178
 Cleaning up request 15 ID 0 with timestamp +1232
 NAS-IP-Address = 192.168.205.29
 NAS-Port-Type = Ethernet
 NAS-Port = 2
 User-Name = DOMAIN\\sti
 State = 0x9bb6fc759d93e55343410152d73b1dba
 EAP-Message =
 0x0225005b1900170301005046c5a952e0ad6d2ea7d132dd3c00c1a132df2329a23561c760d
 4a45fb4f02e3bd1a848f5d4d3106ae52d4f442971b4c6aa4d0c157805647
  9f03c76d350fc041b659e556368c4a63e30e09849d0aae29a
 Message-Authenticator = 0xf9700c8c22d81ecdb12a8f6731151a38
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [ntdomain] Looking up realm DOMAIN for User-Name = DOMAIN\sti
 [ntdomain] Found realm DOMAIN
 [ntdomain] Adding Stripped-User-Name = sti
 [ntdomain] Adding Realm = DOMAIN
 [ntdomain] Authentication realm is LOCAL.
 ++[ntdomain] returns ok
 [eap] EAP packet type response id 37 length 91
 [eap] Continuing tunnel setup.
 ++[eap] returns ok
 Found Auth-Type = EAP
 +- entering group authenticate {...}
 [eap] Request found, released from the list
 [eap] EAP/peap
 [eap] processing type peap
 [peap] processing EAP-TLS
 [peap] eaptls_verify returned 7
 [peap] Done initial handshake
 [peap] eaptls_process returned 7
 [peap] EAPTLS_OK
 [peap] Session established.  Decoding tunneled attributes.
 [peap] EAP type mschapv2
 [peap] Got tunneled request
 EAP-Message =
 0x022500441a0225003f31a156d1579957b003643781fff8636e8703367
 b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737 469
 server  {
   PEAP: Setting User-Name to DOMAIN\sti
 Sending tunneled request
 EAP-Message =
 0x022500441a0225003f31a156d1579957b003643781fff8636e8703367
 b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737 469
 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = DOMAIN\\sti
 State = 0x7b5d7eb57b7864abf97396c9fbfa8cb4
 server  {
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [ntdomain] Looking up realm DOMAIN for User-Name = DOMAIN\sti
 [ntdomain] Found realm DOMAIN
 [ntdomain] Adding Stripped-User-Name = sti
 [ntdomain] Adding Realm = DOMAIN
 [ntdomain] Authentication realm is LOCAL.
 ++[ntdomain] returns ok
 [eap] EAP packet type response id 37 length 68
 [eap] No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 [files] users: Matched entry DEFAULT at line 204
 ++[files] returns ok
 [ldap] performing user authorization for sti
 [ldap] WARNING: Deprecated conditional expansion :-.  See man
 unlang for details
 [ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=sti)
 [ldap]  expand: ou=Users,dc=domain,dc=br - ou=Users,dc=domain,dc=br
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=Users,dc=domain,dc=br, with filter (uid=sti)
 [ldap] checking if remote access for sti is allowed by radiusFilterId
 [ldap] looking for check items in directory...
 rlm_ldap: userPassword - User-Password == {SMD5}/S4d+fNkBFL3TnpjceYuUiDPd+Q=
 rlm_ldap: sambaNtPassword - NT-Password == 0x444338414235383730324637343230453244304232353743453938394634
 rlm_ldap: sambaLmPassword - LM-Password == 0x3245414443463036424438463531344541414433423433354235313430344545
 [ldap] looking for reply items in directory...
 rlm_ldap: radiusFilterId - Filter-Id =
 Enterasys:version=1:policy=Enterprise User
 [ldap] user sti authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 Found Auth-Type = EAP
 !!! Replacing User-Password in config items with Cleartext-Password. !!!
 !!! Please update your configuration so that the known good !!!
 !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
 +- entering group authenticate {...}
 [eap] Request found, released from the list
 [eap] EAP/mschapv2
 [eap] processing type mschapv2
 [mschapv2]   WARNING: Unknown value specified for Auth-Type.  Cannot
 perform requested action.
 [eap] Freeing handler
 ++[eap] returns reject
 Failed to authenticate the user.
 Login incorrect: [DOMAIN\\sti/via Auth-Type = EAP] (from client
 tplink port 0 via TLS tunnel)
 } # server
 [peap] Got tunneled reply 

Re: Request for directions: WinXP + Samba + LDAP + 802.1x

2009-12-11 Thread nf-vale
On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
 Maybe I didn't make myself clear.
 
 I don't have AD and don't wanna. I did set clients to use 802.1x
 
 Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
 would depend on what you'd answer about my first question.

Set XP clients to use 802.1x PEAP and don't forget to add your nas client 
(switch) to the clients.conf file in radius.

You should provide some more info about your current configuration (freeradius 
version, files modified by you, etc) and at least some debug (radiusd -X) from 
a client authentication request for people to understand where you have got so 
far.


 
 I know I'm lacking of knowledge. That's why I'm looking for your guidance.

Bear in mind that you must try to ask the right questions to be guided into 
the correct path ;)

 
 I thank you again.
 
 2009/12/11 Alan DeKok al...@deployingradius.com:
  Fabiano Caixeta Duarte wrote:
  The problem is: user don't get authorized on samba domain because the
  switch port is locked waiting for 802.1x auth.
 
   Then configure 802.1X.
 
  What I got so far?
 
  I have a freeradius daemon using LDAP as user database. The LDAP
  entries are shared by samba and freeradius.
 
  http://deployingradius.com/documents/configuration/active_directory.html
 
   Alan DeKok.


Re: Request for directions: WinXP + Samba + LDAP + 802.1x

2009-12-11 Thread nf-vale
On Friday 11 December 2009 18:32:02 Fabiano Caixeta Duarte wrote:
 2009/12/11 nf-vale nf-v...@critical-links.com:
  On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
  Maybe I didn't make myself clear.
 
  I don't have AD and don't wanna. I did set clients to use 802.1x
 
  Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
  would depend on what you'd answer about my first question.
 
  Set XP clients to use 802.1x PEAP and don't forget to add your nas client
  (switch) to the clients.conf file in radius.
 
  You should provide some more info about your current configuration
  (freeradius version, files modified by you, etc) and at least some debug
  (radiusd -X) from a client authentication request for people to
  understand where you have got so far.
 
 Ok. Let's follow that path.
 
 The confs I touched:
 
 eap.conf:
 eap {
 default_eap_type = peap
 timer_expire = 60
 ignore_unknown_eap_types = no
 cisco_accounting_username_bug = no
 max_sessions = 2048
 md5 {
 }
 leap {
 }
 gtc {
 auth_type = PAP
 }
 tls {
 certdir = ${confdir}/certs
 cadir = ${confdir}/certs
 private_key_password = whatever
 private_key_file = ${certdir}/server.pem
 certificate_file = ${certdir}/server.pem
 CA_file = ${cadir}/ca.pem
 dh_file = ${certdir}/dh
 random_file = ${certdir}/random
 cipher_list = DEFAULT
 make_cert_command = ${certdir}/bootstrap
 cache {
   enable = no
   max_entries = 255
 }
 }
 ttls {
 default_eap_type = md5
 copy_request_to_tunnel = no
 use_tunneled_reply = no
 virtual_server = inner-tunnel
 }
 peap {
 default_eap_type = mschapv2
 copy_request_to_tunnel = no
 use_tunneled_reply = no
 virtual_server = inner-tunnel
 }
 mschapv2 {
 }
 }
 
 modules/ldap:
 ldap {
 server = sti-teste.domain.br
 identity = cn=system,dc=domain,dc=br
 password = secret
 basedn = ou=Users,dc=domain,dc=br
 base_filter = (objectclass=radiusprofile)
 ldap_connections_number = 5
 timeout = 4
 timelimit = 3
 net_timeout = 1
 tls {
 start_tls = no
 }
 access_attr = radiusFilterId
 dictionary_mapping = ${confdir}/ldap.attrmap
 authtype = ldap
 edir_account_policy_check = no
 }
 
 sites-enabled/inner-tunnel:
 server inner-tunnel {
 authorize {
 chap
 mschap
 unix
 suffix
 update control {
Proxy-To-Realm := LOCAL
 }
 eap {
 ok = return
 }
 files
 ldap
 expiration
 logintime
 pap
 }
 authenticate {
 Auth-Type PAP {
 pap
 }
 Auth-Type CHAP {
 chap
 }
 Auth-Type MS-CHAP {
 mschap
 }
 unix
 Auth-Type LDAP {
 ldap
 }
 eap
 }
 session {
 radutmp
 }
 post-auth {
 Post-Auth-Type REJECT {
 attr_filter.access_reject
 }
 }
 pre-proxy {
 }
 post-proxy {
 eap
 }
 
 clients.conf:
 client angelina {
 ipaddr = 192.168.205.6
 secret = testing123
 }
 client tplink {
 ipaddr = 192.168.205.29
 secret = testing123
 }
 
 # radtest teste secret angelina 1812 testing123
 Sending Access-Request of id 48 to 192.168.205.6 port 1812
 User-Name = teste
 User-Password = secret
 NAS-IP-Address = 192.168.205.6
 NAS-Port = 1812
 rad_recv: Access-Accept packet from host 192.168.205.6 port 1812,
 id=48, length=64
 Filter-Id = Enterasys:version=1:policy=Enterprise User
 

Ok, but what about a debug from a request made by an XP client using PEAP 
connected to your switch?


Re: WLAN - Freeradius - OpenLDAP - VLANs

2009-11-09 Thread nf-vale
On Monday 09 November 2009 12:25:13 José Johnny RANDRIAMAMPIONONA wrote:
 Freeradius work well with openldap but only with cleartext password (PAP).
 Best regards!

Don't give wrong answers if you're not sure of what you're talking about.

 
 2009/11/9 _Stefan_H stefanh...@networld.at
 
  First I know my english is not the best, but i hope you will understand
  it.
 
  In the course of a project i have to make an authentification against a
  freeradius server for the WLAN Users.
  On the Server(OpenSUSE11.1) is a LDAP Directory and i want that the WLAN
  Users have to authentificate with their accounts. After the successful
  authentification they will be put into an other VLAN, that they can use
  their homedirectories.
 
  I would like to know how I should do it, because i inform me about the
  Authentification Types(EAP-TLS,TTLS,PEAP) and know I am totally confused
  which i have to configure at the freeradius Server.

See http://deployingradius.com/documents/protocols/compatibility.html for 
compatibility issues.


You can authenticate users using PEAP against LDAP just as long as the users' 
entries in the LDAP DB have NT / LM password hashes. For instance, if using 
OpenLDAP, you need to include the samba.schema in the supported schemas list 
and then add sambaNTPassword and sambaLMPassword to each one of the users' 
entries in the DB.

Ex:


dn: uid=xxx,ou=people,dc=local,dc=loc
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uidNumber: 1
uid: xxx
userPassword:: e01ENX1mMmhLRytkajNnSSs2aEtmL3ltSnV3PT0=
sambaLMPassword: AB849716E6B337C43B639FCD27BDA434
sambaNTPassword: 9574805413661ADC5E8FA7B943026723
...


You can hash the user's password using the smbencrypt utility.

 
  I think that PEAP would be the easiest, but I really don't know which can
  be
  used whth a dynamic VLAN.
 
  http://old.nabble.com/file/p26230857/1.jpeg
 
  The AP is an Linksys WRT-54-GS
  and the Switch is an CISCO-2950
 
 
 


Re:

2009-10-19 Thread nf-vale
Check your proxy / realms configuration. The reason why it fails is described 
in the logs:


Sun Oct 18 19:20:54 2009 : Info: [pap] No clear-text password in the request.  
Not performing PAP.
Sun Oct 18 19:20:54 2009 : Info: ++[pap] returns noop
Sun Oct 18 19:20:54 2009 : Info: WARNING: You set Proxy-To-Realm = LOCAL, but 
the realm does not exist!  Cancelling invalid proxy request.
Sun Oct 18 19:20:54 2009 : Info: WARNING: Please update your configuration, and 
remove 'Auth-Type = Local'
Sun Oct 18 19:20:54 2009 : Info: WARNING: Use the PAP or CHAP modules instead.
Sun Oct 18 19:20:54 2009 : Info: No User-Password or CHAP-Password attribute 
in the request.
Sun Oct 18 19:20:54 2009 : Info: Cannot perform authentication.
Sun Oct 18 19:20:54 2009 : Info: Failed to authenticate the user.
Sun Oct 18 19:20:54 2009 : Auth: Login incorrect: [user] (from client wlan-
alves-private-network port 0 via TLS tunnel)



Nelson Vale



On Monday 19 October 2009 01:54:39 INACIO ALVES wrote:
 I'm trying configure the freeRADIUS on my wireless network but i'm having
 problems.



 My scnario:

 Debian Lenny+MySQL5.0+freeRADIUS 2.1.7



 clients - ((( AP )))  [freeRADIUS server]



 When I execute the radiustest I get

 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=168,
 length=20



 and when I execute radclient I get

 Received response ID 146, code 2, length = 32



 But when I try authenticate on my nootebook I get
 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=168



 My debug output is on address: http://pastebin.com/f7e47862f.

 My clients.conf is on: http://pastebin.com/f30e4955d

 And my users is on: http://pastebin.com/f5d958f63



 This is my initial configuration. I want migrate to MySQL or PostgreSQL
 when the server is ready, I don't need proxy, and i need provide/revoke
 digital certificates to my clients.

 Inácio Alves
 http://www.polluxweb.com/inacioalves/site




Re: How to disable threads in 2.1.7

2009-10-16 Thread nf-vale
On Friday 16 October 2009 13:27:28 John Dennis wrote:
 On 10/16/2009 08:15 AM, Alan DeKok wrote:
 What does that mean?

 That was strange :-) Our two responses were word for word identical and
 almost at the same time

 When I was a kid and two people said the same thing at the same time it
 became a race to see who would say this next:

 Jinx! You owe me a bottle of Coke.

 often followed by:

 No backs. No takes. No refunds. No penny tax.

Where I'm from we say different things when that happens, but I heard that same 
thing from an old loony in Spielberg's Always movie :D .



 so ...

 Jinx! You owe me a bottle of Coke. :-) :-)



Re: Freeradius can't authenticate pptp users from Windows XP to LDAP

2009-10-08 Thread nf-vale
You can add NT / LM pairs to each LDAP user object. You must include the 
samba.schema into the ldap server schemas.

Ex:

sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE


This way pptp MSCHAP auth will work.


Nelson Vale


On Thursday 08 October 2009 12:53:21 tede wrote:
 Ivan Kalik wrote:
  Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter
  (uid=light)
  Debug: rlm_ldap: No default NMAS login sequence
  Debug: rlm_ldap: looking for check items in directory...
  Debug: rlm_ldap: looking for reply items in directory...
  Debug: WARNING: No known good password was found in LDAP.  Are you
  sure that the user is configured correctly?
 
  Hm, try adding mapping for Cleartext-Password as userPassword to
  ldap.attrmap.
 
  Ivan Kalik
  Kalik Informatika ISP
 

 Hi Ivan, first of all, thanks for answering me :)

 So, here is the result after adding mapping for Cleartext-Password as
 userPassword,
 as we can see in the radius mapping part of the debug :


 Info: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Oct  3
 2009 at 19:16:29
 Info: Copyright (C) 1999-2008 The FreeRADIUS server project and
 contributors.
 Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 Info: PARTICULAR PURPOSE.
 Info: You may redistribute copies of FreeRADIUS under the terms of the
 Info: GNU General Public License.
 Info: Starting - reading configuration files ...
 Debug: including configuration file /etc/freeradius/radiusd.conf
 Debug: including configuration file /etc/freeradius/clients.conf
 Debug: including configuration file /etc/freeradius/policy.conf
 Debug: including files in directory /etc/freeradius/sites-enabled/
 Debug: including configuration file /etc/freeradius/sites-enabled/default
 Debug: including configuration file
 /etc/freeradius/sites-enabled/inner-tunnel
 Debug: including dictionary file /etc/freeradius/dictionary
 Debug: main {
 Debug:prefix = /usr
 Debug:localstatedir = /var
 Debug:logdir = /var/log/freeradius
 Debug:libdir = /usr/lib/freeradius
 Debug:radacctdir = /var/log/freeradius/radacct
 Debug:hostname_lookups = no
 Debug:max_request_time = 30
 Debug:cleanup_delay = 5
 Debug:max_requests = 1024
 Debug:allow_core_dumps = no
 Debug:pidfile = /var/run/freeradius/freeradius.pid
 Debug:user = freerad
 Debug:group = freerad
 Debug:checkrad = /usr/sbin/checkrad
 Debug:debug_level = 0
 Debug:proxy_requests = yes
 Debug:  security {
 Debug:max_attributes = 200
 Debug:reject_delay = 1
 Debug:status_server = yes
 Debug:  }
 Debug: }
 Debug:  client localhost {
 Debug:ipaddr = 127.0.0.1
 Debug:require_message_authenticator = no
 Debug:secret = hometest
 Debug:nastype = other
 Debug:  }
 Debug:  client 192.168.0.0/24 {
 Debug:require_message_authenticator = no
 Debug:secret = hometest
 Debug:shortname = private-network-1
 Debug:  }
 Debug: radiusd:  Loading Realms and Home Servers 
 Debug: radiusd:  Instantiating modules 
 Debug:  instantiate {
 Debug: (Loaded rlm_exec, checking if it's valid)
 Debug:  Module: Linked to module rlm_exec
 Debug:  Module: Instantiating exec
 Debug:   exec {
 Debug:wait = yes
 Debug:input_pairs = request
 Debug:shell_escape = yes
 Debug:   }
 Debug: (Loaded rlm_expr, checking if it's valid)
 Debug:  Module: Linked to module rlm_expr
 Debug:  Module: Instantiating expr
 Debug: (Loaded rlm_expiration, checking if it's valid)
 Debug:  Module: Linked to module rlm_expiration
 Debug:  Module: Instantiating expiration
 Debug:   expiration {
 Debug:reply-message = Password Has Expired  
 Debug:   }
 Debug: (Loaded rlm_logintime, checking if it's valid)
 Debug:  Module: Linked to module rlm_logintime
 Debug:  Module: Instantiating logintime
 Debug:   logintime {
 Debug:reply-message = You are calling outside your allowed timespan  
 
 Debug:minimum-timeout = 60
 Debug:   }
 Debug:  }
 Debug: radiusd:  Loading Virtual Servers 
 Debug: server inner-tunnel {
 Debug:  modules {
 Debug:  Module: Checking authenticate {...} for more modules to load
 Debug: (Loaded rlm_pap, checking if it's valid)
 Debug:  Module: Linked to module rlm_pap
 Debug:  Module: Instantiating pap
 Debug:   pap {
 Debug:encryption_scheme = auto
 Debug:auto_header = no
 Debug:   }
 Debug: (Loaded rlm_chap, checking if it's valid)
 Debug:  Module: Linked to module rlm_chap
 Debug:  Module: Instantiating chap
 Debug: (Loaded rlm_mschap, checking if it's valid)
 Debug:  Module: Linked to module rlm_mschap
 Debug:  Module: Instantiating mschap
 Debug:   mschap {
 Debug:use_mppe = yes
 Debug:

Re: Freeradius can't authenticate pptp users from Windows XP to LDAP

2009-10-08 Thread nf-vale
On Thursday 08 October 2009 15:05:24 Ivan Kalik wrote:
 Just had a look at your ldap entries again. This doesn't look right:

 userPassword:: dGVzdGVy

 Shouldn't there be just one colon?

Two colons means that it's a BASE64 encoded field.


 Ivan Kalik
 Kalik Informatika ISP


Re: freeradius + monit

2009-09-08 Thread nf-vale
On Tuesday 08 September 2009 11:00:35 Sokvantha Youk wrote:
 Dear All,

 I am new to the Freeradius server. I wish to get it to restart automatically when
 its process hangs, by using monit. I have no idea how to get monit to restart the
 freeradius server automatically.

 Please kindly advise me.

 ---
 Best Regards,
 sokvantha

Install monit, create a file in /etc/monit.d/ directory like 
/etc/monit.d/freeradius and add something like the following to that file:


check process freeradius with pidfile /var/run/freeradius/radiusd.pid
  start program = "/etc/init.d/freeradius start"
  stop program = "/etc/init.d/freeradius stop"

  if failed host 192.168.1.1 port 1812 type udp then restart

  if cpu usage is greater than 60 percent for 2 cycles then alert
  if cpu usage > 90% for 5 cycles then restart
  if totalmem usage > 40% for 5 cycles then restart
  if 3 restarts within 4 cycles then timeout


and restart monit. Unfortunately monit does not yet support RADIUS protocol 
checks.






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
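The UDP port test in the monit stanza above only shows that something answers on the socket. As an added example (not from the post, and not part of monit or FreeRADIUS), the Python below sends a RADIUS Status-Server request (RFC 5997), the liveness probe that the `status_server = yes` setting in the debug output earlier on this page enables, and reports the server alive only if the reply's Response Authenticator verifies under the shared secret. The host 192.168.1.1, port 1812 and secret `hometest` are taken from the configuration snippets on this page and are placeholders; the script exits non-zero on failure so it can be run from monit's `check program` directive.

```python
"""Status-Server liveness probe for a RADIUS server (RFC 5997).

Added example; not code from the mailing-list post or from monit/FreeRADIUS.
Host, port and shared secret below are placeholders taken from this page.
"""
import hashlib
import hmac
import os
import socket
import struct

CODE_ACCESS_ACCEPT = 2
CODE_ACCOUNTING_RESPONSE = 5
CODE_STATUS_SERVER = 12
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length


def build_status_server(secret: bytes, identifier: int, request_auth: bytes) -> bytes:
    """Build a Status-Server request carrying a Message-Authenticator.

    RFC 5997 requires Message-Authenticator on Status-Server. Its value is
    HMAC-MD5, keyed with the shared secret, over the whole packet with the
    attribute's 16 value bytes set to zero.
    """
    if len(request_auth) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    attrs = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    length = 20 + len(attrs)
    blank = HEADER.pack(CODE_STATUS_SERVER, identifier, length) + request_auth + attrs
    mac = hmac.new(secret, blank, hashlib.md5).digest()
    return blank[:22] + mac


def response_authenticator(response: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()


def verify_response(response: bytes, identifier: int, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply is well formed, answers our identifier and its
    Response Authenticator proves knowledge of the shared secret."""
    if len(response) < 20:
        return False
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response) or ident != identifier:
        return False
    if code not in (CODE_ACCESS_ACCEPT, CODE_ACCOUNTING_RESPONSE):
        return False
    expected = response_authenticator(response, request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def probe(host: str, port: int, secret: bytes, timeout: float = 2.0) -> bool:
    """Send one Status-Server request; return True if a valid reply arrives in time."""
    identifier = os.urandom(1)[0]
    request_auth = os.urandom(16)
    packet = build_status_server(secret, identifier, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (host, port))
            data, _peer = sock.recvfrom(4096)
        except OSError:  # timeout, ICMP unreachable, etc.
            return False
    return verify_response(data, identifier, request_auth, secret)


if __name__ == "__main__":
    import sys
    # Placeholder target; the secret must match the server's clients.conf entry.
    ok = probe("192.168.1.1", 1812, b"hometest")
    print("radius alive" if ok else "radius not responding")
    sys.exit(0 if ok else 1)
```

Verifying the Response Authenticator matters: without it, any host that can spoof UDP replies to the probe could keep a dead server looking healthy. A reply whose length field, identifier or code does not fit is rejected before the hash is even compared.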


Re: Pre-release of 2.1.7

2009-09-02 Thread nf-vale
On Wednesday 02 September 2009 09:46:01 Alan DeKok wrote:
   It's been a while since 2.1.6, and it's getting close to time for
 2.1.7.  In order to ensure the stability of the software, we need your
 help.

   Please download the pre release of 2.1.7 from:

   http://git.freeradius.org/pre/

   Build it, install it, and see if there are issues.  The directory also
 includes Debian packages for Ubuntu 8.0.4.

   If there are no issues, we can release 2.1.7 this week.

   Alan DeKok.

Tested in Ubuntu 9.04 from sources and no problems found so far.




Re: Last chance to check the pre release of 2.1.6

2009-05-16 Thread nf-vale
On Saturday 16 May 2009 07:30:49 you wrote:
 nf-vale wrote:
  sudo radiusd -V
  radiusd: error while loading shared libraries:
  libfreeradius-radius-2.1.6.so: cannot open shared object file: No such
  file or directory

   It looks like you don't have /usr/local/lib in your dynamic linker
 path.  There isn't much we can do to fix that.

  I've configured it with:
 
  ./configure --with-raddbdir=/etc/raddb216 --with-logdir=/var/log/radius
  --with-radacctdir=/var/log/radius/radacct --enable-strict-dependencies
  --without-rlm_counter --without-rlm_dbm --without-rlm_ippool
  --without-rlm_perl --without-rlm_krb5 --with-openssl --without-rlm_python
  --without-rlm_sql --with-rlm_eap --with-rlm_eap2 --without-rlm_eap_ikev2
  --without-rlm_eap_tnc

   Why is it searching in /usr/lib/i486-linux-gnu/ as opposed to just
 /usr/lib?  Which OS is this?

Ubuntu Hardy (kernel 2.6.24-24)

  I've configured previous versions up to 2.1.3 like that and it all went
  fine and never had this problem before.

   Still, I think it's a fairly esoteric problem.  If your linker is
 *only* looking in those paths, then you should either fix the linker to
 look in the directory you configured for FreeRADIUS, *or* configure
  FreeRADIUS to put libraries in the directory your linker uses.

The solution for this is obviously simple, but I reported it anyway because it 
didn't happen with the previous versions.


   Alan DeKok.




Re: Last chance to check the pre release of 2.1.6

2009-05-16 Thread nf-vale
On Saturday 16 May 2009 11:01:00 Ivan Kalik wrote:
  nf-vale wrote:
  sudo radiusd -V
  radiusd: error while loading shared libraries:
  libfreeradius-radius-2.1.6.so:
  cannot open shared object file: No such file or directory
 
It looks like you don't have /usr/local/lib in your dynamic linker
  path.  There isn't much we can do to fix that.
 
  I've configured it with:
 
  ./configure --with-raddbdir=/etc/raddb216 --with-logdir=/var/log/radius
  --with-radacctdir=/var/log/radius/radacct --enable-strict-dependencies
  --without-rlm_counter --without-rlm_dbm --without-rlm_ippool
  --without-rlm_perl --without-rlm_krb5 --with-openssl
  --without-rlm_python --without-rlm_sql --with-rlm_eap --with-rlm_eap2
  --without-rlm_eap_ikev2 --without-rlm_eap_tnc
 
Why is it searching in /usr/lib/i486-linux-gnu/ as opposed to just
  /usr/lib?  Which OS is this?
 
  I've configured previous versions up to 2.1.3 like that and it all went
  fine
  and never had this problem before.
 
Still, I think it's a fairly esoteric problem.  If your linker is
  *only* looking in those paths, then you should either fix the linker to
  look in the directory you configured for FreeRADIUS, *or* configure
  FreeRADIUS to put libraries in the directory your linker uses.
 
Alan DeKok.

 Put /usr/local/lib in /etc/ld.so.conf. Run ldconfig after install.

I already have that dir in the path:

$cat /etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf

and in /etc/ld.so.conf.d/libc.conf I have:

$cat /etc/ld.so.conf.d/libc.conf 
# libc default configuration
/usr/local/lib

It works for other versions.


 Ivan Kalik
 Kalik Informatika ISP





Re: Last chance to check the pre release of 2.1.6

2009-05-15 Thread nf-vale
On Friday 15 May 2009 15:59:30 Alan DeKok wrote:
   http://git.freeradius.org/pre/

   Unless there are issues, it will become 2.1.6 on Monday.

   Alan DeKok.

Just downloaded and compiled from source in Ubuntu Hardy.

When I tried to start radiusd it complained about:



Re: Last chance to check the pre release of 2.1.6

2009-05-15 Thread nf-vale
Sorry, my shortcuts are tricky bastards :)

On Friday 15 May 2009 19:52:56 nf-vale wrote:
 On Friday 15 May 2009 15:59:30 Alan DeKok wrote:
http://git.freeradius.org/pre/
 
Unless there are issues, it will become 2.1.6 on Monday.
 
Alan DeKok.

 Just downloaded and compiled from source in Ubuntu Hardy.

 When I tried to start radiusd it complained about:

sudo radiusd -V
radiusd: error while loading shared libraries: libfreeradius-radius-2.1.6.so: 
cannot open shared object file: No such file or directory


using strace I see that it is searching for libs in /usr/lib/i486-linux-gnu 
but the lib was installed in /usr/local/lib (it did not look for libs there):

sudo strace radiusd -V
execve(/usr/local/sbin/radiusd, [radiusd, -V], [/* 16 vars */]) = 0
brk(0)  = 0x8084000
access(/etc/ld.so.nohwcap, F_OK)  = -1 ENOENT (No such file or 
directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0xb7eea000
access(/etc/ld.so.preload, R_OK)
...
...
...
stat64(/usr/lib/i486-linux-gnu/sse2, 0xbfb4b360) = -1 ENOENT (No such file 
or directory)
open(/usr/lib/i486-linux-gnu/cmov/libfreeradius-radius-2.1.6.so, O_RDONLY) 
= -1 ENOENT (No such file or directory)
stat64(/usr/lib/i486-linux-gnu/cmov, 0xbfb4b360) = -1 ENOENT (No such file 
or directory)
open(/usr/lib/i486-linux-gnu/libfreeradius-radius-2.1.6.so, O_RDONLY) = -1 
ENOENT (No such file or directory)
stat64(/usr/lib/i486-linux-gnu, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 
0
writev(2, [{radiusd, 7}, {: , 2}, {error while loading shared libra..., 
36}, {: , 2}, {libfreeradius-radius-2.1.6.so, 29}, {: , 2}, {cannot 
open shared object file, 30}, {: , 2}, {No such file or directory, 25}, 
{\n, 1}], 10radiusd: error while loading shared libraries: 
libfreeradius-radius-2.1.6.so: cannot open shared object file: No such file 
or directory



I've configured it with:

./configure --with-raddbdir=/etc/raddb216 --with-logdir=/var/log/radius 
--with-radacctdir=/var/log/radius/radacct --enable-strict-dependencies 
--without-rlm_counter --without-rlm_dbm --without-rlm_ippool --without-rlm_perl 
--without-rlm_krb5 --with-openssl --without-rlm_python --without-rlm_sql 
--with-rlm_eap --with-rlm_eap2 --without-rlm_eap_ikev2 --without-rlm_eap_tnc


I've configured previous versions up to 2.1.3 like that and it all went fine 
and never had this problem before.

Meanwhile I linked this directory to the correct directory and now it starts 
fine.


Nelson Vale


Re: Vista Issue

2008-08-01 Thread nf-vale
Fri, 2008-08-01 at 13:30 +0200, Alan DeKok wrote:
 nf-vale wrote:
  Do you have any news on the Vista EAP issue?
 
   I have done nothing.  I don't have a Vista machine.

Good for you. You aren't missing anything :)

 
  For anyone having troubles with Vista there's this supplicant that works
  and it's free:
  
  http://wire.cs.nthu.edu.tw/wire1x/
 
   How many people use it?  Not many.  The SecureW2 one is used a lot,
 and it's also GPL'd.


It was my first choice but I couldn't get it to work (version 1.0.6).
I'm waiting for the next version to see if it works.


 
   Alan DeKok.


Re: Vista Issue

2008-08-01 Thread nf-vale

Fri, 2008-08-01 at 17:12 +0100, [EMAIL PROTECTED] wrote:
 Hi,
 
  Do you have any news on the Vista EAP issue?
 
 ?   we use Vista against 1.1.7 - 2.0.5 without issue.
 before 1.1.4 we had problems due to a new PEAP issue
 (padding of the SSL) but 1.1.4 fixed that.
 
 what version of OpenSSL do you have on your system?


OpenSSL 0.9.7m


Using the WIRE1X supplicant we've no problem authenticating. The problem
is with the Vista native supplicant (and also with the secureW2).

Today we were able to authenticate with one of our Vista laptops, which
differs from the rest in two aspects:

1) Vista (Business) is the English version; the remaining ones are (Business)
Portuguese.

2) This working Vista is an IBM laptop and uses an IBM supplicant
wrapper instead of the normal Vista supplicant.



Nelson Vale


Re: Vista Issue

2008-08-01 Thread nf-vale
I forgot to mention that we're trying both with 2.0.2 and 2.0.5 ...


Fri, 2008-08-01 at 18:46 +0100, nf-vale wrote:
 Fri, 2008-08-01 at 17:12 +0100, [EMAIL PROTECTED] wrote:
  Hi,
  
   Do you have any news on the Vista EAP issue?
  
  ?   we use Vista against 1.1.7 - 2.0.5 without issue.
  before 1.1.4 we had problems due to a new PEAP issue
  (padding of the SSL) but 1.1.4 fixed that.
  
  what version of OpenSSL do you have on your system?
 
 
 OpenSSL 0.9.7m
 
 
 Using the WIRE1X supplicant we've no problem authenticating. The problem
 is with the Vista native supplicant (and also with the secureW2).
 
 Today we were able to authenticate with one of our Vista laptops, which
 differs from the rest in two aspects:
 
 1) Vista (Business) is the English version; the remaining ones are (Business)
 Portuguese.
 
 2) This working Vista is an IBM Laptop and uses an IBM supplicant
 wrapper instead of the normal Vista supplicant.
 
 
 
 Nelson Vale
 


Vista Issue

2008-07-31 Thread nf-vale
Alan,


Do you have any news on the Vista EAP issue?



For anyone having troubles with Vista there's this supplicant that works
and it's free:

http://wire.cs.nthu.edu.tw/wire1x/



Nelson Vale



Invalid EAP Type with Catalyst 2960G IOS 12.2

2008-07-28 Thread nf-vale
Hi all,


I'm having a little trouble configuring a Cisco Switch - Catalyst 2960G
IOS 12.2 to work properly with EAP-PEAP clients.

I've tested the same radius configuration (freeradius 2.0.2) with an HP
Procurve 2626 Switch and all worked just fine. Windows XP clients can
authenticate with PEAP successfully.

The same clients connected to the Cisco Switch, which is authenticating
against the same freeradius server, can not authenticate because freeradius is
trying EAP-TLS instead of EAP-PEAP:



Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.1 port 1645, id=1,
length=129
User-Name = al5
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-1E-BD-62-B9-81
Calling-Station-Id = 00-1B-38-92-39-A0
EAP-Message = 0x0206000c01616c3030303035
Message-Authenticator = 0xb8fb13899c9df58f7770efaeeeb9eb1a
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-IP-Address = 192.168.2.1
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = al5, skipping NULL due to
config.
++[suffix] returns noop
rlm_realm: No '\' in User-Name = al5, skipping NULL due to
config.
++[ntdomain] returns noop
  rlm_eap: EAP packet type response id 6 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[mschap] returns noop
expand: %{Stripped-User-Name} - 
expand: %{User-Name} - al5
expand: %{%{User-Name}:-none} - al5
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -
al5
rlm_sql (sql): sql_set_user escaped user -- 'al5'
rlm_sql (sql): Reserving sql socket id: 0
expand: SELECT id, UserName, Attribute, Value, Op   FROM
radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT
id, UserName, Attribute, Value, Op   FROM radcheck   WHERE Username =
'al5'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): User found in radcheck table
expand: SELECT id, UserName, Attribute, Value, Op   FROM
radreply   WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT
id, UserName, Attribute, Value, Op   FROM radreply   WHERE Username =
'al5'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM
radusergroup WHERE UserName='al5' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
expand: SELECT id, GroupName, Attribute, Value, op   FROM
radgroupcheck   WHERE GroupName = '%{Sql-Group}'   ORDER BY id - SELECT
id, GroupName, Attribute, Value, op   FROM radgroupcheck   WHERE
GroupName = 'Alunos'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql (sql): User found in group Alunos
expand: SELECT id, GroupName, Attribute, Value, op   FROM
radgroupreply   WHERE GroupName = '%{Sql-Group}'   ORDER BY id - SELECT
id, GroupName, Attribute, Value, op   FROM radgroupreply   WHERE
GroupName = 'Alunos'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[files] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.2.1 port 1645
Tunnel-Private-Group-Id:0 := 2
EAP-Message = 0x010700061920
Message-Authenticator = 0x
State = 0x12f8640712ff7d8ac69a15b3712e899e
Finished request 3.
Going to the next request
Waking up in 0.9 seconds. 
Waking up in 4.0 seconds. 
Cleaning up request 3 ID 1 with timestamp +501
Ready to process requests.



Does anybody have a clue on how to solve this problem? Is it an IOS
(version 12.2) problem?


Thx,


Nelson Vale





Re: Invalid EAP Type with Catalyst 2960G IOS 12.2

2008-07-28 Thread nf-vale
The comments you refer to are these ones?

...
#  This module is the *Microsoft* implementation of MS-CHAPv2
#  in EAP.  There is another (incompatible) implementation
#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
#  currently support.
mschapv2 {
}
...


But I also tried with TTLS using secureW2 supplicant and the log was
similar.

...
rad_recv: Access-Request packet from host 192.168.2.1 port 1645, id=24,
length=155
User-Name = al1
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-1E-BD-62-B9-81
Calling-Station-Id = 00-1B-38-92-39-A0
EAP-Message = 0x0203000c01616c3030303031
Message-Authenticator = 0xe63d66c15b1b53a1fe27f788de329cc3
NAS-Port-Type = Ethernet
Cisco-NAS-Port = GigabitEthernet0/1
NAS-Port = 50001
NAS-IP-Address = 192.168.2.1
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = al1, skipping NULL due to
config.
++[suffix] returns noop
rlm_realm: No '\' in User-Name = al1, skipping NULL due to
config.
++[ntdomain] returns noop
++[mschap] returns noop
expand: %{Stripped-User-Name} - 
expand: %{User-Name} - al1
expand: %{%{User-Name}:-none} - al1
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -
al1
rlm_sql (sql): sql_set_user escaped user -- 'al1'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, UserName, Attribute, Value, Op   FROM
radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT
id, UserName, Attribute, Value, Op   FROM radcheck   WHERE Username =
'al1'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): User found in radcheck table
expand: SELECT id, UserName, Attribute, Value, Op   FROM
radreply   WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT
id, UserName, Attribute, Value, Op   FROM radreply   WHERE Username =
'al1'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM
radusergroup WHERE UserName='al1' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
expand: SELECT id, GroupName, Attribute, Value, op   FROM
radgroupcheck   WHERE GroupName = '%{Sql-Group}'   ORDER BY id - SELECT
id, GroupName, Attribute, Value, op   FROM radgroupcheck   WHERE
GroupName = 'Alunos'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql (sql): User found in group Alunos
expand: SELECT id, GroupName, Attribute, Value, op   FROM
radgroupreply   WHERE GroupName = '%{Sql-Group}'   ORDER BY id - SELECT
id, GroupName, Attribute, Value, op   FROM radgroupreply   WHERE
GroupName = 'Alunos'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[files] returns noop
  rlm_eap: EAP packet type response id 3 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.168.2.1 port 1645
Tunnel-Private-Group-Id:0 := 2
EAP-Message = 0x010400061520
Message-Authenticator = 0x
State = 0x8bd2c0948bd6d5c8bc5a33e2381bcef4
Finished request 1.
Going to the next request
Waking up in 0.9 seconds. 
Waking up in 4.0 seconds. 
Cleaning up request 1 ID 24 with timestamp +77
Ready to process requests.
...



What eap configuration should I use to allow this Cisco equipment to
authenticate in freeradius (if any)? Is this a Cisco configuration
issue?


Thx,


Nelson Vale



Mon, 2008-07-28 at 20:20 +0200, Alan DeKok wrote:
 nf-vale wrote:
  The same clients connected to the Cisco Swicth that it's authenticating
  in the same freeradius server can not authenticate because freeradius is
  trying EAP-TLS instead of EAP-PEAP:
 
   RADIUS doesn't work that way.
 
   FreeRADIUS *offers* an EAP type when the client starts connecting.
 The client *chooses* a different one, if it doesn't like the offer.
 
   Saying it doesn't work because of TLS versus PEAP is equivalent to
 saying the EAP supplicant does not support PEAP.
 
   The problem you're running into looks a lot like the problem described
 in the comments in eap.conf.
 
   Alan DeKok.
 

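Alan's point in the quoted reply is that the debug line `rlm_eap: processing type tls` does not mean EAP-TLS was offered: the EAP-Message attribute in the Access-Challenge is what tells you which method the server proposed, and a supplicant that dislikes the offer answers with a Nak naming the method it wants. As an added example (not from the post or from FreeRADIUS), the decoder below parses the EAP-Message values printed in the two logs above: the server's reply `0x010700061920` is type 25 (PEAP) with the Start flag, the TTLS attempt's `0x010400061520` is type 21, and the client's Identity response carries the identity string exactly as the supplicant sent it. The Nak packet in the demo is constructed here, not taken from the log.

```python
"""Decode EAP-Message attribute values as printed in a FreeRADIUS debug log.

Added example: this is not code from the post or from FreeRADIUS. The hex
strings in the demo are the EAP-Message values printed in the logs above,
except the Nak, which is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Nak",
    13: "EAP-TLS",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
}
TLS_BASED = {13, 21, 25}
# Flags byte shared by the TLS-based methods (RFC 5216 section 3.1).
TLS_FLAGS = ((0x80, "length"), (0x40, "more"), (0x20, "start"))


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]   # None for Success/Failure, which carry no Type
    payload: bytes        # type-data following the Type byte


def decode(hex_value: str) -> EapPacket:
    """Parse one EAP-Message value ("0x..." as FreeRADIUS prints it)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    # RFC 3748: Length covers the whole packet. A mismatch means a truncated
    # or padded attribute, so refuse it rather than guess.
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes present")
    if code in (1, 2) and length >= 5:
        return EapPacket(code, identifier, length, raw[4], raw[5:])
    return EapPacket(code, identifier, length, None, b"")


def describe(hex_value: str) -> str:
    """One-line summary that tells the offered or chosen EAP method apart."""
    p = decode(hex_value)
    text = f"{EAP_CODES.get(p.code, str(p.code))} id={p.identifier} len={p.length}"
    if p.type is None:
        return text
    text += f" type={p.type} ({EAP_TYPES.get(p.type, 'unknown')})"
    if p.type == 1:
        return text + f" identity={p.payload.decode('utf-8', 'replace')!r}"
    if p.type == 3:
        # A Nak lists the method(s) the supplicant is willing to do instead.
        wanted = ", ".join(EAP_TYPES.get(t, str(t)) for t in p.payload)
        return text + f" client wants: {wanted}"
    if p.type in TLS_BASED and p.payload:
        flags = p.payload[0]
        names = " ".join(name for bit, name in TLS_FLAGS if flags & bit)
        return text + f" flags=0x{flags:02x} [{names}]"
    return text


if __name__ == "__main__":
    for value in (
        "0x0206000c01616c3030303035",  # client Identity response from the log
        "0x010700061920",              # server's Access-Challenge: PEAP start
        "0x010400061520",              # second log: EAP-TTLS start
        "0x0207000703190d",            # constructed Nak: client asks for PEAP or EAP-TLS
    ):
        print(value, "->", describe(value))
```

Reading the Start packet this way is the quickest check that the `eap { default_eap_type }` you configured is what the switch actually forwarded to the supplicant; if a Nak never comes back and the conversation just restarts, the NAS is not relaying the challenge at all, which is the diagnosis Alan arrives at in the next reply.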

Re: Invalid EAP Type with Catalyst 2960G IOS 12.2

2008-07-28 Thread nf-vale
As always you were absolutely right :)

The freeradius server was not properly communicating with the Cisco
switch. Now both PEAP and TTLS work alright.
 

Mon, 2008-07-28 at 21:25 +0200, Alan DeKok wrote:
 nf-vale wrote:
  The comments you refer are these ones?
 
   No.  See the comments on access-challenge.
 
   Honestly... eap.conf isn't that big.  Reading all of it shouldn't be
 that hard.
 
  But I also tried with TTLS using secureW2 supplicant and the log was
  similar.
 
   If that's the case, my guess is that the NAS simply isn't seeing the
 response from the RADIUS server.
 
   Alan DeKok.
 


Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread nf-vale
Are you using the Vista supplicant? Reading the last lines of your radius
debug file, it seems so...


See earlier posts with subject:  PEAP or TTLS and Microsoft Vista.



Fri, 2008-07-25 at 17:10 +, Reveal MAP wrote:
 
 
  installing ca.der and putting user & pass into the client machine, the 
 authentication doesn't work?
 
   -- no, it doesn't! 
 
  you only need ca.der but, if you have an Active Directory like
 LDAP, 
 check if your communication with the AD server also has TLS
 authentication.
 In the ldap module you can configure another tls block, which is 
 different from the tls block in the eap module.
 
   -- Well, the howto explaining how freeradius has to authenticate
 users against Active Directory says nothing about ldap config files on the
 linux server. It just gives tips about samba, using winbind,
 ntlm_auth, krb5.conf, nsswitch.conf and the mschap module in freeradius.
 I have always succeeded with this kind of authentication without reading or
 changing a line of the ldap module in freeradius.
 And I think authenticating users against OpenLDAP won't be managed
 like freeradius authentication using Active Directory.
 
  I don't know if it is your problem, but I suppose that communication 
 between the ldap server and radius can have different certificates, from 
 different CAs than the eap communication.
 
 
 My wireless network is secured with WPA/WPA2 Enterprise, requiring a
 RADIUS server to perform authentication. So I am doing 802.1X
 authentication, which exploits a valid PKI, regardless of the user
 base. This is how I understand it.
 
   If it is your problem, I would 
 check it. It would also be good if you posted the radius debug output to see which 
 certificate can't be validated.
 
 see the log there: http://tinypaste.com/5b99b 
 the active and valid user is:
 login: glouglou
 password: glouglou
 
 aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
 password:
 NT_STATUS_OK: Success (0x0)
 aaa:~ # 
 
 
 :/ Any help will be appreciated. These days I am wondering about the
 validity of the server certificate!
 I have to tell you that, in my case, if I try a PEAP authentication
 against Active Directory with wrong user credentials, I get an
 error message saying that the login or password is incorrect. With good
 user credentials, I just obtain what you can see in the radiusd -X
 output (http://tinypaste.com/5b99b) 
 
 thank you

Re: Get AD Profile

2008-07-13 Thread nf-vale
Ok, I finally realised what I was doing wrong. To retrieve an Active
Directory user's group it's not necessary to use the replyItem in
ldap.attrmap. It's only necessary to configure the ldap module
correctly. So I resolved this using the following configuration:



Sat, 2008-07-12 at 21:58 +0100, Nelson Vale wrote:
 Hi all,
 
 
 I have my freeradius deploy (2.0.2) configured to authenticate users
 against Active Directory and that is working fine. But I want to
 retrieve the user's profile from Active Directory, to add the VLAN ID
 (Tunnel-Private-Group-Id) to the Access-Accept reply.
 
 I really don't know how to do this and I couldn't find a clear solution,
 either in the documentation (rlm_ldap) or by googling. So I would
 appreciate it if someone could give me a hand on this.
 
 What I've done so far is to add this entry to the ldap.attrmap file:
 replyItem radiusProfileDn memberOf. The profile I want to retrieve
 is the CN in this object, like cn=PROFILE,dc=domain,dc=com, but in
 the radius debug I'm getting this error:
 
 
 ++[ntdomain] returns noop
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for figo
 expand: %{Stripped-User-Name} - figo
 expand: (sAMAccountName=
 %{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) -
 (sAMAccountName=figo)
 expand: dc=ldaptest,dc=pt - dc=ldaptest,dc=com
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in dc=ldaptest,dc=com, with filter
 (sAMAccountName=figo)
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: Failed to create the pair: Invalid octet string
 CN=grupo1,DC=ldaptest,DC=com for attribute name radiusProfileDn
 WARNING: No known good password was found in LDAP.  Are you sure
 that the user is configured correctly?
 rlm_ldap: user figo authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
   rlm_eap: EAP packet type response id 8 length 80
   rlm_eap: Continuing tunnel setup.
 ++[eap] returns ok
 ++[mschap] returns noop
 expand: %{Stripped-User-Name} - figo
 expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -
 figo
 ++[files] returns noop
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 +- entering group authenticate
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
   eaptls_verify returned 7 
   rlm_eap_tls: Done initial handshake
   eaptls_process returned 7 
   rlm_eap_peap: EAPTLS_OK
   rlm_eap_peap: Session established.  Decoding tunneled attributes.
   rlm_eap_peap: Received EAP-TLV response.
   rlm_eap_peap: Success
   Using saved attributes from the original Access-Accept
   rlm_eap: Freeing handler
 ++[eap] returns ok
 Login OK: [LDAPTEST.COM\\figo/via Auth-Type = EAP] (from client
 portatil port 0 cli 02-00-00-00-00-01)
 Sending Access-Accept of id 17 to 192.168.10.200 port 33000
 User-Name = figo
 MS-MPPE-Recv-Key =
 0x69e42b94d9070d50bf16c6f70d904c94799f99dc1aeb8f2c7485968674c5cad5
 MS-MPPE-Send-Key =
 0xa67fc2e54c9ec96e583225bb123ed223e55846230bbdb26eeb6bb0b16bd5c57d
 EAP-Message = 0x03080004
 Message-Authenticator = 0x


Re: Get AD Profile

2008-07-13 Thread nf-vale
Sorry, my last message was sent before time :). I was betrayed by a very 
sensitive touchpad...


Now the complete message:

Ok, I finally realised what I was doing wrong. To retrieve an Active
Directory user's group it's not necessary to use the replyItem in
ldap.attrmap. It's only necessary to configure the ldap module
correctly. So I resolved this by using the following configuration:

In radius.conf:


ldap {
    server = "192.168.100.173:389"
    basedn = "dc=ldaptest,dc=com"
    password = 
    identity = "cn=manager,cn=users,dc=ldaptest,dc=com"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}})"
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    groupmembership_attribute = "memberOf"
    groupmembership_filter = "(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))"
    timeout = 4
    timelimit = 3
    net_timeout = 1
}


NOTE: The %{Ldap-UserDn} attribute was replaced by %{check:LDAP-UserDn} in 
2.0 (I lost a lot of time here because I was using %{Ldap-UserDn} as stated in 
the documentation).


In users file:

(one entry to each group)

DEFAULT Ldap-Group == "CN=groupX,DC=ldaptest,DC=com"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-Id = 3



Now the reply is like:

rad_recv: Access-Request packet from host 192.168.10.200 port 33073, id=17, 
length=217
User-Name = LDAPTEST.COM\\figo
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 
0x02080050190017030100205178b4a5223790b6da72bc08db63ad2293c28106a590b25833bd4a70ba08f8d91703010020ff2d3faaec5ab346aaebb253b110da880ba6c5c55a27deaad76e9ddeb9016be6
State = 0x7491a0427399b9e1f10398e7556e31d5
Message-Authenticator = 0x342892f124c4b5b005c0d5810e0b5ba9
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = LDAPTEST.COM\figo, skipping NULL due to 
config.
++[suffix] returns noop
rlm_realm: Looking up realm LDAPTEST.COM for User-Name = 
LDAPTEST.COM\figo
rlm_realm: Found realm LDAPTEST.COM
rlm_realm: Adding Stripped-User-Name = figo
rlm_realm: Proxying request from user figo to realm LDAPTEST.COM
rlm_realm: Adding Realm = LDAPTEST.COM
rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for figo
expand: %{Stripped-User-Name} - figo
expand: 
(sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) - 
(sAMAccountName=figo)
expand: dc=ldaptest,dc=com - dc=ldaptest,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldaptest,dc=com, with filter 
(sAMAccountName=figo)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: user figo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
  rlm_eap: EAP packet type response id 8 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[mschap] returns noop
rlm_ldap: Entering ldap_groupcmp()
expand: dc=ldaptest,dc=com - dc=ldaptest,dc=com
expand: 
(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))
 -> 
(|(&(objectClass=group)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=grupo1,DC=ldaptest,DC=com, with filter 
(|(&(objectClass=group)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dfigo\2cCN\3dUsers\2cDC\3dldaptest\2cDC\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group CN=grupo1,DC=ldaptest,DC=pt
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 8
++[files] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7 
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  Using saved attributes from the original Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [LDAPTEST.COM\\figo/via Auth-Type = EAP] 
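The group-membership search in the debug output above interpolates the user's DN into an LDAP filter only after hex-escaping it (that is what the \3d and \2c sequences are), and the user lookup does the same with Stripped-User-Name. The following Python is an added example, not code from this thread or from FreeRADIUS, that reproduces that escaping and shows why it matters: without it, a User-Name of "*" turns (sAMAccountName=%{Stripped-User-Name}) into a filter that matches every account. The two filter templates and the DN are taken from the log; the escape set is RFC 4515's backslash, "*", "(", ")" and NUL plus the "=" and "," the log shows (rlm_ldap escapes a broader set, so treat this list as the minimum, not as the module's exact behaviour); the hostile input is constructed.

```python
# Characters hex-escaped before interpolation into a search filter: the
# RFC 4515 set (backslash, '*', '(', ')', NUL) plus '=' and ',', which the
# debug log above shows rlm_ldap rewriting as \3d and \2c.  Assumption: this
# is the minimum set; the real module escapes more characters than these.
_ESCAPE = set('\\*()\x00=,')


def ldap_filter_escape(value: str) -> str:
    """Return value with every risky character rewritten as \\XX (lowercase hex)."""
    out = []
    for ch in value:
        if ch in _ESCAPE or not (0x20 <= ord(ch) <= 0x7e):
            # Non-ASCII characters are escaped byte by byte in UTF-8.
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


# Same templates as the expand: lines in the log; the placeholders stand in
# for %{Stripped-User-Name} and %{check:LDAP-UserDn}.
USER_FILTER = '(sAMAccountName={name})'
GROUP_FILTER = ('(|(&(objectClass=group)(member={dn}))'
                '(&(objectClass=GroupOfNames)(member={dn})))')


def user_filter(stripped_user_name: str) -> str:
    """Authorize-phase lookup filter, value escaped."""
    return USER_FILTER.format(name=ldap_filter_escape(stripped_user_name))


def group_membership_filter(user_dn: str) -> str:
    """ldap_groupcmp filter, DN escaped exactly as the log shows."""
    return GROUP_FILTER.format(dn=ldap_filter_escape(user_dn))


def unsafe_user_filter(stripped_user_name: str) -> str:
    """What a naive string substitution produces; kept only for contrast."""
    return USER_FILTER.format(name=stripped_user_name)


if __name__ == '__main__':
    dn = 'CN=figo,CN=Users,DC=ldaptest,DC=com'
    print(group_membership_filter(dn))
    hostile = '*'  # constructed: a bare wildcard sent as the user name
    print('unsafe:', unsafe_user_filter(hostile))   # matches every user
    print('escaped:', user_filter(hostile))         # matches a literal '*'
```

Running it prints the exact group filter that appears in the log, followed by (sAMAccountName=*) for the unescaped case and (sAMAccountName=\2a) for the escaped one. The escaped form is what keeps "No known good password" warnings from turning into a wrong-user match when a lookup returns the first of many results.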

Re: virtual server and clients from sql

2008-07-07 Thread nf-vale
Should it be SELECT id, nasname, shortname, type, secret,
virtual_server FROM nas

or

SELECT id, nasname, shortname, type, secret, server FROM nas


Mon, 2008-07-07 at 20:54 +0200, Norbert Wegener wrote:
> [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > > With the actual git/cvs I wanted to set up client-based virtual servers,
> > > where the clients are stored in a MySQL database.
> > > I added a column server to the nas table and set it to the name of a
> > > virtual server.
> > >
> >
> > the logic is in rlm_sql.c already, all you need to do is
> > update your nas_query so that it looks like eg
> >
> > SELECT id,nasname,shortname,type,secret,virtual_server FROM nas
> >
> >
> > then it'll pull in the details from the DB
>
> Thanks,
> will this be in 2.0.6 by default?
>
> Norbert Wegener
>
> > alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Get clients virtual_server info from SQL nas table

2008-07-05 Thread nf-vale
Hi all,


In my deployment, freeradius is retrieving client info from the SQL nas table,
but this table does not have a virtual_server column, and I need to use
virtual servers. Is it possible to get the virtual_server info from the SQL
nas table instead of the clients.conf file? If yes, what do I need to do?


Thx,


Nelson Vale

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Get clients virtual_server info from SQL nas table

2008-07-05 Thread nf-vale
Hi Alan,

Thanks for your quick answer. In the
freeradius-server-2.0.3/raddb/sql/postgresql/nas.sql file the sql table
structure did not show any server column:

/*
 * Table structure for table 'nas'
 */
CREATE TABLE nas (
id  SERIAL PRIMARY KEY,
nasname VARCHAR(128) NOT NULL,
shortname   VARCHAR(32) NOT NULL,
typeVARCHAR(30) NOT NULL DEFAULT 'other',
ports   int4,
secret  VARCHAR(60) NOT NULL,
community   VARCHAR(50),
description VARCHAR(200)
);
create index nas_nasname on nas (nasname);

Where can I get the most updated SQL schema for postgres? 2.0.5
sources?

Is it also possible for radiusd to retrieve realms and proxy information
from SQL instead of files?


Thx again,


Nelson Vale


Sat, 2008-07-05 at 16:09 +0200, Alan DeKok wrote:
> nf-vale wrote:
> > In my deployment, freeradius is retrieving client info from the SQL nas table,
> > but this table does not have a virtual_server column, and I need to use
> > virtual servers. Is it possible to get the virtual_server info from the SQL
> > nas table instead of the clients.conf file? If yes, what do I need to do?
>
>   Update the SQL table to include the server column, as given in the
> sample nas.sql files.
>
>   Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
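The two threads above (Nelson's question about the missing column and Alan's answer to use the server column and adjust nas_query) leave the actual statements to the reader. The following SQL is an added example, not from the list or from the FreeRADIUS sources: it extends the 2.0.3 postgresql nas.sql table quoted above with the server column, loads two constructed clients, and shows the query rlm_sql runs at startup. The column name "server" and its VARCHAR(64) width follow the 2.x sample nas.sql; the client addresses, secrets, virtual server name "site2" and the database role "radius" are made up for the example. One assumption a practitioner should check in rlm_sql.c for their version: rlm_sql reads the result columns by position (id, nasname, shortname, type, secret, server), so whatever the column is called, the sixth column of the result set is what becomes the client's virtual_server.

```sql
-- Added example (not from the thread). Bring the 2.0.3 postgresql 'nas'
-- table shown above up to the 2.x sample schema, which carries 'server'.
ALTER TABLE nas ADD COLUMN server VARCHAR(64);

-- Two constructed clients: an AP that stays on the default virtual server
-- (server left NULL) and an 802.1X switch steered to virtual server 'site2'.
-- The secrets here are placeholders, not real values.
INSERT INTO nas (nasname, shortname, type, ports, secret, server, community, description)
VALUES ('192.0.2.10', 'ap-main',  'other', NULL, 'replace-me-ap', NULL,    NULL, 'Main-site AP'),
       ('192.0.2.20', 'sw-site2', 'other', NULL, 'replace-me-sw', 'site2', NULL, 'Site-2 802.1X switch');

-- The nas_query rlm_sql runs when radiusd starts (set in sql.conf / dialup.conf).
-- Assumption: columns are consumed by position, and the sixth one becomes the
-- client's virtual_server, so keep this order even if you rename the column.
SELECT id, nasname, shortname, type, secret, server FROM nas;

-- Shared secrets sit in clear text in this table: give the account radiusd
-- uses read access to 'nas' only, nothing more.
GRANT SELECT ON nas TO radius;
```

Clients read from SQL are loaded once at startup, so after adding or changing rows the server has to be restarted (or reloaded) before the new client or its virtual server assignment takes effect.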

Freeradius Hardware requirements

2008-06-11 Thread nf-vale
Hi all,


Please help me if you can. I need some data about Freeradius hardware
requirements.

This is for a project I'm working on and I need to establish the minimum
hardware requirements for a radius server (Freeradius 2.0.5) that will
serve about 3000 users, and will be used as authentication and
authorization server for some wireless APs and 802.1x switches.

It's expected that users will massively log in (400 or more) at a certain
time and after that re-authentication will happen every 6 or 10 min, for
802.1x clients.


Also I have some doubts about where to store user info, SQL DB (postgres
maybe) or LDAP. What would be the better solution, in terms of
performance?

The OS is Debian-like (2.6.19 kernel).

Can anybody provide me some info on this?


Thanks in advance


Nelson Vale

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html