Re: Fwd: Realms and Accounting

2009-03-08 Thread tnt
So for Session-Type and for Post-Auth-Type, they should all go into
acct_users as well?


What is Session-Type? Do you mean Service-Type?

No, things relevant to authenticating and authorizing users go into the users
file. The users file is used when processing Access-Request packets.
Things relevant to accounting go into acct_users. That file is used when
processing Accounting-Request packets.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radiusd server does not respond to radtest from another host

2009-03-08 Thread tnt
Thanks for the response. My original email was very lengthy, but at the bottom 
you can see a wireshark capture showing the packet arrival. (My understanding 
is wireshark is a pretty GUI based on tcpdump)


Yes, it arrived but can't get through the firewall. You say you are
using the default freeradius configuration, so you haven't done anything
strange to the listen section to cause this - it has to be the firewall.

Ivan Kalik
Kalik Informatika ISP



RE: radiusd server does not respond to radtest from another host

2009-03-08 Thread tnt
Something may be wacky with the network configuration on the 10.10.10.10
machine. The packet capture shows that the NAS-IP-Address attribute is set
to 127.0.0.2 but it should be 10.10.10.10.

I second that. Who knows what's going on with .11 as well.

Since 127.0.0.2 is not in
clients.conf, the request will be ignored. Try running radtest with the
following options



radtest pencil richard6 10.10.10.11 0 testing123 1 10.10.10.10


Freeradius is smarter than that. You can't spoof it that easily. It will
look up the packet source IP and check that against clients.conf. You can
change NAS-IP-Address to whatever you like; it will still look up the
client by the address from which the packet was sent. This is a security feature.

Ivan Kalik
Kalik Informatika ISP

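The behaviour described in the reply above, as an added example that is not part of the thread and not FreeRADIUS code: a minimal Accounting-Request handler that selects the client (and therefore the shared secret) from the UDP source address only, verifies the Request Authenticator for that secret as RFC 2866 specifies, and answers with an Accounting-Response computed the same way. The NAS-IP-Address attribute carried inside the packet plays no part in the lookup, so a packet sent from 127.0.0.2 that claims to be 10.10.10.10 is dropped. The client table, the secret and the packet contents are constructed for the example (the address and secret are lifted from the radtest line quoted above); the Accounting-Response it produces is the same 20-byte reply the later "failed to receive Accounting Response" threads are looking for on the wire.

```python
import hashlib
import socket
import struct

# Constructed stand-in for clients.conf: client address -> shared secret.
# The address and secret come from the radtest line in the thread; the
# table itself is an assumption made for this example.
CLIENTS = {"10.10.10.10": b"testing123"}

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_ACCT_STATUS_TYPE = 1, 4, 40


def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    """Parse TLVs; raise on anything malformed so a bad packet is dropped, not half-used."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[pos + 2:pos + length]))
        pos += length
    return attrs


def nas_ip_attribute(ip):
    """NAS-IP-Address as it appears on the wire (4 raw octets)."""
    return (ATTR_NAS_IP_ADDRESS, socket.inet_aton(ip))


def build_accounting_request(ident, attrs, secret):
    """RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def accounting_response(request, secret):
    """RFC 2866: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret);
    the reply carries no attributes, so Length is the bare 20-byte header."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def handle_accounting(source_ip, packet):
    """Server-side handling of one datagram. The client (and so the secret) is
    selected by the UDP source address alone; the NAS-IP-Address attribute in
    the packet is never consulted for that. Returns the reply bytes, or None
    when the packet is silently discarded."""
    secret = CLIENTS.get(source_ip)
    if secret is None:
        return None                                  # unknown client
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    try:
        decode_attrs(body)
    except ValueError:
        return None
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if expected != req_auth:
        return None                                  # wrong shared secret
    return accounting_response(packet, secret)


if __name__ == "__main__":
    attrs = [(ATTR_USER_NAME, b"pencil"), nas_ip_attribute("10.10.10.10"),
             (ATTR_ACCT_STATUS_TYPE, b"\x00\x00\x00\x01")]       # Acct-Status-Type = Start
    pkt = build_accounting_request(0x67, attrs, b"testing123")
    print(handle_accounting("127.0.0.2", pkt))     # None: source address is not a client
    print(handle_accounting("10.10.10.10", pkt))   # 20-byte Accounting-Response
```

The same packet is accepted or dropped purely on where it came from: from 127.0.0.2 it is ignored even though it carries the right secret and a NAS-IP-Address of 10.10.10.10, and from 10.10.10.10 it is ignored if the secret does not match. Nothing is ever sent back for a dropped packet, which is why a NAS in that state logs "failed to receive Accounting Response" while the server debug shows nothing at all.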


Re: How to distinguish good or bad user using unlang and passwd module?

2009-03-08 Thread tnt
I am using a passwd module to authorize users.

No, you are using passwd module to store passwords.

First passwd module
checks

It doesn't check anything - it returns the password stored for that user.

cisco_users file (format = *User-Name:Cleartext-Password) and
then passwd module must check cisco_groups file (format =
~Cisco-Group:*,User-Name). However when passwd module checks the
cisco_user file, it returns status ok even when user password (in
request packet) doesnt match with cisco_user file.

As it should. As I mentioned before: it doesn't check passwords.

So i am able to
distinguish users only by their User-Name, but i need to check their
passwords as well.

Why? pap module does that.

I cannot figure out how to write that in my authorize
section.

Perhaps because that is not authorization but authentication.

Later, if username and password matches an entry in my
cisco_user file i will call cisco_group file and find to which group
that user belongs to assign the right services.

Well, freeradius does that before. You can actually reject the user
during authorization and not go for authentication at all.


currently my code looks like this:

passwd cisco_user_module {
#filename = /etc/group
filename = /usr/local/etc/raddb/cisco_users
#format = =Etc-Group-Name:::*,User-Name
format = *User-Name:Cleartext-Password
hashsize = 100
ignorenislike = yes
allowmultiplekeys = yes
delimiter = :
}

authorize {
cisco_user_module
if(notfound){
update control{
Auth-Type := Reject
}
update reply{
Reply-Message := "Access denied, sorry!"
}
}
elseif(ok){
cisco_group_module
}
}

Make that just:

authorize {
 cisco_user_module
 cisco_group_module
 pap
}

and than in post-auth

Post-Auth-Type REJECT {
 update reply {
  Reply-Message := "Access denied, sorry!"
 }
}

Ivan Kalik
Kalik Informatika ISP



Re: radius proxy senario

2009-03-07 Thread tnt
Condition:

1. I have a local realm (suffix), xyz.com. I'm using freeradius 2.1.3+mysql.

2. My own user's username in the mysql radcheck table is stored in usern...@xyz.com 
format

3. A person want me to proxy his prefix ABC/his-customer-usern...@myrealm to 
his radius server, i.e: ABC/his-customer-usern...@xyz.com


That is wrong. His customers should use ABC/his-customer-username only,
not have @xyz.com as well.

4. The proxy has to strip both prefix and suffix, which means when an 
ABC/his-customer-usern...@xyz.com auth request comes in, I have to forward only 
his-customer-username to his radius.


If you don't have to deal with @xyz.com at the end it works by default.
Change instructions for his users. They shouldn't append your domain as
well. Only his prefix.

Ivan Kalik
Kalik Informatika ISP



Re: failed to receive Accounting Response

2009-03-07 Thread tnt
Ok! Then I have one question about moving Accounting packets through
my network:

When I login to the cisco, on the log server (radius server) I receive:

tcpdump port 1813

15:48:00.281073 IP 192.168.255.10.radacct > carlogg.radacct: RADIUS,
Accounting Request (4), id: 0x67 length: 93
15:48:00.281727 IP carlogg.radacct > 192.168.255.10.radacct: RADIUS,
Accounting Response (5), id: 0x67 length: 20


That means the trouble is in my radius settings, but I can't resolve where!

So, port 1813 is OK. How about the port on which the packets are
received? You can see that port in the radius debug: Sending
Accounting-Response to IP:port. Check if the firewall is closed for that
IP:port.

Ivan Kalik



Re: Fwd: Realms and Accounting

2009-03-07 Thread tnt
Regarding realms handled in the local server (mysql) and accounting...
I have defined realms in the users file such as:
 DEFAULT Realm == example.com, Autz-Type := SQL_EXAMPLE
and in radiusd.conf I add in authorize { }
 Autz-Type SQL_EXAMPLE {
 sql_example
 }
and as expected authentication works just fine by looking up in the current
database.
To enable accounting for both realms I have done the same thing in
radiusd.conf
for the accounting { } module:
 Acct-Type SQL_EXAMPLE {
 sql_example
 }
Although this is defined no accounting records are saved in the database.
I am wondering if I'm missing something else like adding the Acct-Type to
the users file too, such as:
DEFAULT Realm == example.com, Autz-Type := SQL_EXAMPLE, Acct-Type :=
SQL_HOTELNOVA


Put Acct-Type in acct_users.

Ivan Kalik
Kalik Informatika ISP



Re: failed to receive Accounting Response

2009-03-07 Thread tnt
Now I present the full situation of the troubled process

I don't see a problem.

1) User connect to the cisco

1.1) radiusd -X


Authentication works, accounting Start works.


2.) User run some command

2.1) radiusd -X

(nothing)


Of course. Radius doesn't do command accounting. That's TACACS.


3) User logoff from cisco

3.1) radiusd -X


Accounting Stop works.

Ivan Kalik
Kalik Informatika ISP



Re: failed to receive Accounting Response

2009-03-06 Thread tnt
but the cisco log about accounting every time sends a message like this

Mar  6 08:57:48 192.168.255.10 210: 000207: Mar  6 08:57:48 MSK:
%RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Stop for session 0074
failed to receive Accounting Response.


You are wondering about accounting on your radius server - but you have
posted the log from your NAS. How about the debug from the radius server?

Ivan Kalik
Kalik Informatika ISP



Re: Variables' content as a reply

2009-03-06 Thread tnt
Now, this is still not working:

having it as User-Name := '%{reply:User-Name}' still gives me an
Access-Accept with text instead of variable value.
Also, using double quotes yields the exact same result.


 Sending Access-Accept of id 127 to xx.xx.xx.xx port 32785
 User-Name = %{reply:User-Name}
 University-LDAP-organizationUnit = cc
 University-LDAP-affiliation = staff
 University-LDAP-departmentNumber = 20.5.2.4.0.0.0
 MS-MPPE-Recv-Key = 0xecf20a153c749b7fa673b83360456fc9d5eb3080eaacdce7034dc6a69fe3ec3a
 MS-MPPE-Send-Key = 0x19632e43f61546fc38a26e0e71ef134ecd45dae99873af6040606bc2772bbd75
 EAP-Message = 0x03190004
 Message-Authenticator = 0x

Sorry, it's %{reply:User-Name}. From man unlang about strings:

Double-quoted strings are expanded by inserting the value of any
variables (see VARIABLES, below) before being evaluated. If the result
is a number it is evaluated in a numerical context.

..

Single-quoted strings are evaluated as-is. Their values are not expanded
as with double-quoted strings above, and they are not interpreted as
attribute references.

Ivan Kalik
Kalik Informatika ISP




RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread tnt

Is there any way to do what I want without upgrading?


You can try users file:

DEFAULT   Ldap-Group == staff
 some reply

DEFAULT   Ldap-Group == student
 some other reply

DEFAULT   Auth-Type := Reject

That should be at the end of the users file (i.e. anything below this will
never match) and you need to fall through if there are other users file
entries. These can't have Fall-Through.

Ivan Kalik
Kalik Informatika ISP



Re: failed to receive Accounting Response

2009-03-06 Thread tnt
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
++[unix] returns fail
Finished request 5.

unix module is failing. If you are not using it comment it out from the
accounting section.

Ivan Kalik
Kalik Informatika ISP



Re: failed to receive Accounting Response

2009-03-06 Thread tnt
OK, I comment all unix section in site-enable/default, but result is the
same!

In the picture below I turned on debugging on the cisco for accounting, therefore
the cisco works correctly, but the radius server doesn't receive the Accounting-Request? Why?

001534: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): Port='tty2'
list='' service=EXEC
001535: Mar  6 22:38:57: AAA/AUTHOR/EXEC: tty2 (3942780195) user='userA'
001536: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): send AV
service=shell
001537: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): send AV cmd*
001538: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): found list
default
001539: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195):
Method=radius (radius)
001540: Mar  6 22:38:57: AAA/AUTHOR (3942780195): Post authorization
status = PASS_ADD
001541: Mar  6 22:38:57: AAA/AUTHOR/EXEC: Processing AV service=shell
001542: Mar  6 22:38:57: AAA/AUTHOR/EXEC: Processing AV cmd*
001543: Mar  6 22:38:57: AAA/AUTHOR/EXEC: Processing AV priv-lvl=1
001544: Mar  7 01:39:17 MSK: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting
message Start for session 00FB failed to receive Accounting Response.
001545: Mar  6 22:39:34: AAA/ACCT/CMD: User userA, Port tty2, Priv 1:
 ping 192.168.101.147 cr
001546: Mar  6 22:39:34: AAA/ACCT/CMD: Found list default
001547: Mar  6 22:39:34: AAA/ACCT: user userA, acct type 3 (2924816630):
Method=radius (radius)
-

Stop posting cisco debugs. Post the one from radius. In the last log the radius
server received the accounting request but failed to process it. Let's
see what is going on now.

Ivan Kalik
Kalik Informatika ISP



Re: failed to receive Accounting Response

2009-03-06 Thread tnt
If you mean when I type some command on the cisco shell, I already showed
you the cisco console (much more); else, if you mean the radius server,
then I must disappoint you: there is silence, nothing to do!

If you consider all the debug information on radius important when the user
logs in, runs some command and logs off


Yes, radius debug is important. It shows that radius server is sending
Accounting-Response now:

rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813,
id=92, length=93
NAS-IP-Address = 192.168.255.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = userA
Calling-Station-Id = 192.168.255.116
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = 0108
Acct-Delay-Time = 0
..
Sending Accounting-Response of id 92 to 192.168.255.10 port 1813
Finished request 1.
..
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813,
id=93, length=105
NAS-IP-Address = 192.168.255.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = userA
Calling-Station-Id = 192.168.255.116
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = 0108
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 14
Acct-Delay-Time = 0
..
Sending Accounting-Response of id 93 to 192.168.255.10 port 1813
Finished request 2.

Time to check firewall and routing and find out why is it not getting
back to the NAS.

Ivan Kalik
Kalik Informatika ISP



Re: No MySQL queries with freeradius 2.x from Lenny

2009-03-05 Thread tnt
i tried to get coopa chilli running, but i have problems with radius and
mysql. Radius works with users from files, but not with mysql. I can
only see on startup some mysql messages (connect) but no queries at all.
..
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling sql
(rlm_sql) for request 1
Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket
id: 2
Wed Mar  4 20:00:03 2009 : Debug: 



   expand:  - 
Wed Mar  4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query;
rejecting user


Queries are in raddb/sql/mysql/dialup.conf. Have you made changes to that
file?

Ivan Kalik
Kalik Informatika ISP



RE: No MySQL queries with freeradius 2.x from Lenny

2009-03-05 Thread tnt
3. Send all of the debug output from the radius server. The useful
information is missing from this section of the debug output:

Wed Mar  4 20:00:03 2009 : Debug: ++[unix] returns notfound
Wed Mar  4 20:00:03 2009 : Debug:   modsingle[authorize]: calling sql
(rlm_sql) for request 1
Wed Mar  4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Mar  4 20:00:03 2009 : Debug:



   expand:  -
Wed Mar  4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query;
rejecting user


Yes, send the complete debug (include server startup - queries are listed
there). I don't think information was removed from debug. I think that
queries in dialup.conf are missing. Or he has done something to sql.conf
and not included dialup.conf at all.

Ivan Kalik
Kalik Informatika ISP



Re: Can we do sql just once during eap-tls handshake

2009-03-05 Thread tnt
Thanks Phil,
I have tried that but regrettably it does not work.
According to my logs eap returns updated every round when doing authorize.
(During the authenticate stage eap returns handled except the last round
where it returns ok)

The comment preceding eap in the default config says:
   #  As of 2.0, the EAP module returns ok in the authorize stage
   #  for TTLS and PEAP.  In 1.x, it never returned ok here, so
so there is no promise about any improvement when doing EAP-TLS .


You can try adding updated = return to eap section in authorize. Not sure
if that breaks anything.

Ivan Kalik
Kalik Informatika ISP



Re: Can we do sql just once during eap-tls handshake

2009-03-05 Thread tnt
I have tested updated = return  and it behaves as expected.
That is authorize always returns without reading the database so the
attributes are never set.

Remember that eap returns updated every round including the last one where
the database should be consulted.

I need a test that returns true when doing authorize in the same round as
authenticate will return ok.


Try running authorize:sql in post-auth. Or was it sql:authorize?

Ivan Kalik
Kalik Informatika ISP



Re: No known good password for NIS users

2009-03-05 Thread tnt
I am running FreeRADIUS 2.1.3 on a machine that is also a NIS client.
Using radtest, I find that local user accounts are accepted, but NIS
accounts are rejected.


Well, yes. How is freeradius supposed to talk to NIS? Perhaps PAM? Or is
there some ntlm_auth type script?

I have not changed anything from the default configuration other than
adding client info and setting DEFAULT Auth-Type = System in the users
file.


You don't need that in 2.x. And it will get in the way if you need to
set Auth-Type PAM.

Ivan Kalik
Kalik Informatika ISP



Re: rewrite attribute with perl module

2009-03-05 Thread tnt
any hint please ?!! , can i modify the value of reply attributes ?

Are you using server version that is years out of date? This works in
current version.

Ivan Kalik
Kalik Informatika ISP



Re: Variables' content as a reply

2009-03-05 Thread tnt
I've been trying unsuccessfully to get this setup to work, but unfortunately 
haven't been able so far.

My need is to return the contents of three LDAP fields as replies on the 
Access-Accept package.

The setup is for EAP/TTLS, mostly following eduRoam's setup guide (EduROAM 
Cookbook -- DJ 5.1.5,3).
My config is as follows:

on ldap.attrmap:
 checkItem   cLDAPdepartmentNumber   departmentNumber
 replyItem   rLDAPdepartmentNumber   departmentNumber
 checkItem   cLDAPaffiliation        eduPersonPrimaryAffiliation
 replyItem   rLDAPaffiliation        eduPersonPrimaryAffiliation
 checkItem   cLDAPou                 ou
 replyItem   rLDAPou                 ou


Where does the cookbook say that you should put that in ldap.attrmap?
Where are those radius attributes defined? Some additional dictionary?

on dictionary.university:
 VENDOR Unicamp 12345

 BEGIN-VENDOR Unicamp
 ATTRIBUTE University-LDAP-departmentNumber 1 string
 ATTRIBUTE University-LDAP-affiliation 2 string
 ATTRIBUTE University-LDAP-organizationUnit 3 string
 END-VENDOR Unicamp


Why don't you map those in ldap.attrmap.

(the attributes, at least, are recognized correctly on the reply).

on the inner-tunnel configuration file::
 post-auth {
 reply_log
 Post-Auth-Type REJECT {
 reply_log
 }
 redundant {
 sql-server1
 sql-server2
 }
 update outer.reply {
 User-Name := %{reply:User-Name}
 University-LDAP-departmentNumber := 
 %{rLDAPdepartmentNumber}
 }

That should be:

 User-Name := '%{reply:User-Name}'
 University-LDAP-departmentNumber :=
'%{rLDAPdepartmentNumber}'

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius with CoA

2009-03-04 Thread tnt
There's cisco debug:


And this is freeradius list. Feel free to send this to your friendly
Cisco support people.

Ivan Kalik
Kalik Informatika ISP



Re: SV: SV: SV: SV: No known good password

2009-03-04 Thread tnt
Hmm, that gives me a policy problem, my company *does not* use Linux.

And they are in Internet business? Not for long.

Is there any Windows ports out there?

freeradius.net (this is support for versions from freeradius.org). Not a
real port but it works. It has support for mysql, but not for much else.

Ivan Kalik
Kalik Informatika ISP



Re: SV: SV: SV: No known good password

2009-03-04 Thread tnt
Oh, this is Windows. Uninstall the whole thing. You can download that
version in default configuration from freeradius.net. Do fresh install.
Just edit clients.conf and users file.

Windows version supports mysql but not much more. You are far better of
with current (Linux) version.

Ivan Kalik
Kalik Informatika ISP

On 4/3/2009, Ove Fagerheim ove.fagerh...@helgelandskraft.no wrote:

Thank you Ivan,

I figured that out after actually *reading* your post, unfortunately I'm a 
little bit stressed at the moment.

After uncommenting the entry, FreeRadius does not start. Errors:

E:\FreeRADIUS.net\bin>radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Errors reading /freeradius/etc/raddb: No such file or directory
Errors reading radiusd.conf
(what a clever way to get rid of errors)

The application is installed in the E:\freeradius.net folder. Still, a whole 
bunch of files in the bin and lib directories define a prefix of 
prefix=/freeradius. Is there a bug in the installation script or has someone 
actually changed the name of the installation folder?

Anyway, I changed all files in the bin directory to read 
prefix=/freeradius.net, and restarted the service. That didn't help. I even 
tried to reboot the server without any luck. So I guess it's the .la files 
in the lib directory that are the problem. I am reluctant to manually change 
these entries since the usage of these files is not obvious to me (yet).

And yes, I'm reading the documentation as best as I can ;-)
Ove

-Original message-
From: 
freeradius-users-bounces+ove.fagerheim=helgelandskraft...@lists.freeradius.org 
[mailto:freeradius-users-bounces+ove.fagerheim=helgelandskraft@lists.freeradius.org]
 On behalf of t...@kalik.net
Sent: 3 March 2009 15:10
To: FreeRadius users mailing list
Subject: Re: SV: SV: No known good password


Ooops, I took over for a 3. party consultant who gave up. Luckily, I
still have the original clients.conf. I'll try that one.


It's in radiusd.conf in 1.1.7.

Ivan Kalik
Kalik Informatika ISP








Re: Rejections

2009-03-04 Thread tnt
This kind of handling of rejected users should be handled by your NAS.
Radius server is suposed to reject users with bad passwords. You can
make policy on your NAS to place them in a restricted VLAN instead of
dropping the connection.

Ivan Kalik
Kalik Informatika ISP


On 4/3/2009, Jack D. Martin Jr. jack.d.mar...@magicwisp.com wrote:

What about using a fall through?  Could it be that the last option to
auth, even if the password is incorrect - they get assigned to a
particular group?


Jack Martin
Magic Wireless Internet Service Providers LLC
P.O. Box 278
104 W. Main
Oilton, OK 74052
www.magicwisp.com

 Jack D. Martin Jr. wrote:
  I am using freeradius 2.1.3 using MySQL for my IP pool and user
 auth
 tables in my small ISP.  What I need to do is have customers that get
 rejected with a bad password assigned to a particular IP pool.  I am
 sure this is possible, but can't find it.  I assume I am just looking
 for the wrong keywords - LOL.  Can somebody point me in the right
 direction?  Thanks in advance.

   The server can't turn a reject into an accept.  Doing so will require
 source code patches.

   Alan DeKok.








Re: No known good password

2009-03-03 Thread tnt
Is there room for a newbie question here? This is my first Radius server.
I get the message No known good password when trying to authenticate users. 
The users are coming from one of two possible VPN tunnels. I assume 
clients.conf is correctly configured.
Any help is highly appreciated.


Best regards
Ove Fagerheim

From Users.conf:
snip
user1   Service-Type == Framed-User, User-Password == password,
# Addresses from 10.194.0.1 to 10.194.63.254
# Auth-Type = System,
Framed-IP-Address = 10.194.0.1,
Framed-IP-Netmask = 255.255.192.0,
Fall-Through = Yes

DEFAULT Service-Type == Framed-User, Huntgroup-Name == Huntgroup-1,
Framed-Protocol = GPRS-PDP-Context,
NAS-Identifier = STCGGSN3,
Called-Station-Id = "My-Station-Id-String",
Reply-Message = "%u is granted access"


user1   Service-Type == Framed-User, User-Password == password,
# Addresses from 10.192.64.1 to 10.192.127.254
# Auth-Type = System,
Framed-IP-Address = 10.192.64.1,
Framed-IP-Netmask = 255.255.192.0,
Fall-Through = Yes

DEFAULT Service-Type == Framed-User, Huntgroup-Name == Huntgroup-2,
Framed-Protocol = GPRS-PDP-Context,
NAS-Identifier = FBUGGSN3,
Called-Station-Id = "My-Station-Id-String",
Reply-Message = "%u is granted access"
snip

From Huntgroups:
snip
Huntgroup-1 NAS-IP-Address == 172.x.x.0
Huntgroup-1 NAS-IP-Address == 172.x.x.1
..
..
..
Huntgroup-1 NAS-IP-Address == 172.x.x.14
#
#
Huntgroup-2 NAS-IP-Address == 172.y.y.240
Huntgroup-2 NAS-IP-Address == 172.y.y.241
..
..
..
Huntgroup-2 NAS-IP-Address == 172.y.y.254
snip


logfile log\radius\radacct\NAS-IPAddress\auth-detail-20090303.log: 
(username is client telephone number)
snip
Packet-Type = Access-Request
Tue Mar  3 08:37:36 2009
NAS-IP-Address = 172.x.x.2
NAS-Identifier = STCGGSN3
Called-Station-Id = My-Station-Id-String
Framed-Protocol = GPRS-PDP-Context
Service-Type = Framed-User
NAS-Port-Type = Virtual
NAS-Port = 16861232
User-Name = user1
User-Password = password
Calling-Station-Id = user1
Client-IP-Address = 172.x.x.2
Huntgroup-Name = Huntgroup-1
snip


logfile log\radius\radius.log
snip
Mon Feb 16 12:00:54 2009 : Info: Ready to process requests.
Mon Feb 16 12:01:49 2009 : Auth: Login incorrect: [user1/password] (from 
client TelenorTVK1 port 35970456 cli 4790622859)
Mon Feb 16 12:02:04 2009 : Auth: Login incorrect: [user1/password] (from 
client TelenorTVK1 port 33168936 cli 4790622859)
Mon Feb 16 12:02:17 2009 : Auth: Login incorrect: [user1/password] (from 
client TelenorTVK1 port 30960664 cli 4790622859)
Mon Feb 16 12:03:57 2009 : Info: Using deprecated naslist file.  Support for 
this will go away soon.
Mon Feb 16 12:03:57 2009 : Info: rlm_exec: Wait=yes but no output defined. Did 
you mean output=none?
Mon Feb 16 12:03:57 2009 : Info: rlm_eap_tls: Loading the certificate file as 
a chain
Mon Feb 16 12:03:57 2009 : Info: WARNING: rlm_eap_tls: Unable to set DH 
parameters.  DH cipher suites may not work!
Mon Feb 16 12:03:57 2009 : Info: Ready to process requests.
snip

If the above errors are unrelated to my issue, I would still very much 
appreciate any hints on how to fix them.

What freeradius version is this? You probably shouldn't be using
User-Password but Cleartext-Password. Post the output of radiusd -X from
request processing.

Ivan Kalik
Kalik Informatika ISP



Re: SV: No known good password

2009-03-03 Thread tnt
The version is 1.1.7-r0.0.2.

I assume -X means debug mode (I really *am* a newbie)


Being a newbie, what prompted you to remove files from authorize? You are
storing the password in the users file, yet you have removed files from the
configuration???


I'll try Cleartext-Password instead of User-Password


Also use the correct operator (:=). Examples are right there - in the
users file.

Ivan Kalik
Kalik Informatika ISP



Re: SV: SV: No known good password

2009-03-03 Thread tnt
Ooops, I took over for a 3. party consultant who gave up.
Luckily, I still have the original clients.conf. I'll try that one.


It's in radiusd.conf in 1.1.7.

Ivan Kalik
Kalik Informatika ISP



Re: eap-tls configuration not running...

2009-03-03 Thread tnt
I've got a problem with my eap-tls configuration : the server is accepting
the device (  rad_check_password: Auth-Type = Accept, accepting the user),
but it doesn't connect to the to access-point (HP Procurve).

You broke EAP trying to force Auth-Type Accept.

Ivan Kalik
Kalik Informatika ISP



Re: eap-tls configuration not running...

2009-03-03 Thread tnt
Thanks for your response, what should I set as Auth-Type, as 'Auth-Type :=
eap' is not recommended (cf. comment in eap.conf)?

You don't set anything. Server will set what it needs. It just works.

Ivan Kalik
Kalik Informatika ISP



Re: Pls help: virtual server specific EAP-TTLS/PEAP inner tunnel setting

2009-03-02 Thread tnt
We got 2 problems when setting up a virtual server (testing.mydomain) to
handle requests for realm @testing.mydomain:

1. we defined a new ldap server in modules/ldap and want to use it for
authorization/authentication of realm @testing.mydomain, but have no
idea how to use it since the ldap server defined in
sites-enabled/inner-tunnel is always used.  Can we define another
inner-tunnel for this new virtual server?


That new server should have a name. Replace the ldap entry in inner-tunnel
with the name of this new ldap instance.

2. seems authentication requests go through authorize section in
sites-enabled/default before proxying to virtual server
testing.mydomain.  Can we skip this step or tell radiusd to go through
authorize section other than the default one?

Probably not. What if the user is not from that realm? If all users from
certain NAS are going to be from that realm you can use listen section
to divert traffic to a certain virtual server. Read
raddb/sites-available/README.

Ivan Kalik
Kalik Informatika ISP



Re: Implementing 'Invalid before' feature

2009-03-02 Thread tnt
I worked with FR some years ago, and I have implemented a prepaid card
system. I want to get an account which is not valid until some date. I am
looking for some freeradius attribute which means 'account invalid until 15th
March 2009'.


No ready-made attribute. You can define your own. Make a date type
attribute Reject-Before in raddb/dictionary. Then create a perl script
that rejects the user if value of that attribute is before request
timestamp.

Ivan Kalik
Kalik Informatika ISP

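The "not valid until" check from the reply above, worked through as an added example that is neither the poster's prepaid system nor FreeRADIUS code: a small decision function that looks up a per-account Reject-Before value and refuses the request while the request timestamp is still earlier than that instant. The accounts table is constructed for the example (the thread shows no store), the value is accepted either as epoch seconds (the server's internal representation of a date attribute) or as a UTC timestamp string, and a value that cannot be parsed fails closed rather than opening the account early. The function is plain Python; wiring it into the server through its scripting module (rlm_perl as suggested, or rlm_python) is left to the deployment and is not shown.

```python
from datetime import datetime, timezone

# Constructed sample records standing in for wherever the Reject-Before value
# would be stored (users file, SQL, ...); the thread shows no store, so this is
# an assumption made for the example.
ACCOUNTS = {
    "card-0001": {"Reject-Before": "2009-03-15 00:00:00"},  # valid from 15 March 2009 (UTC)
    "card-0002": {"Reject-Before": 1237075200},             # the same instant as epoch seconds
    "card-0003": {},                                        # no start date: no restriction
    "card-0004": {"Reject-Before": "next tuesday"},         # unparsable value: fail closed
}


def parse_reject_before(value):
    """Accept epoch seconds or a 'YYYY-MM-DD HH:MM:SS' string taken as UTC;
    return an aware datetime. Anything else raises TypeError/ValueError."""
    if isinstance(value, bool):
        raise TypeError("bool is not a timestamp")
    if isinstance(value, int):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def authorize(username, request_epoch, accounts=ACCOUNTS):
    """Decide on a request received at request_epoch (seconds since the Unix epoch).
    Returns ("ok", None) or ("reject", reason)."""
    record = accounts.get(username)
    if record is None:
        return "reject", "unknown user"
    if "Reject-Before" not in record:
        return "ok", None
    try:
        not_before = parse_reject_before(record["Reject-Before"])
    except (TypeError, ValueError):
        # A value we cannot interpret must not silently open the account.
        return "reject", "unusable Reject-Before value"
    request_time = datetime.fromtimestamp(request_epoch, tz=timezone.utc)
    if request_time < not_before:
        return "reject", "account not valid until %s" % not_before.isoformat()
    return "ok", None


if __name__ == "__main__":
    # One second before and exactly at 2009-03-15 00:00:00 UTC.
    for user in ACCOUNTS:
        print(user, authorize(user, 1237075199), authorize(user, 1237075200))
```

The comparison is done on timezone-aware values so the result does not depend on the local zone of the radius host, and the boundary is inclusive: a request arriving exactly at the Reject-Before instant is accepted, one second earlier is not.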


Re: Implementing Filter-Id's with MySQL

2009-03-02 Thread tnt
I am running a Freeradius server which queries a MySQL database (Vexim)
for authentication of dial-up users. I would like to create two classes
of dial-up users, Internet users and email-only users. The Internet
users have full Internet access while the email-only users can only
access SMTP, POP and DNS services.

I am using a Livingstone Portmaster 3 NAS, and will create a filter,
emailonly.in to manipulate the IP traffic. My question is, how do I
configure Freeradius/MySQL to add the Filter-Id attribute to email-only
users and thus deny them full Internet access.


Create sql group email and put that attribute in radgroupreply for it.
Add email users to that group.

Ivan Kalik
Kalik Informatika ISP



Re: EAP-PEAP GTC auth_type

2009-02-28 Thread tnt
I take it that means EAP-PEAP (as well as EAP-TTLS) provides a
protected tunnel already, and as such when used in PEAP-GTC, it may be
used to provide support for cleartext password. Is my interpretation
correct?


Yes. But you (ie. server) don't have a password (clear or encrypted) for
matching.

(2) What is the difference (security-wise) between setting auth-type
PAP and LDAP within PEAP-GTC, since both have clear-text passwords
inside the GTC tunnel?


None.

(3) Why is the authorize/authentication combo behavior between main
radiusd.conf and inner-tunnel different with regards to LDAP bind as
user? Is it :
a. Design choice (e.g programmers choice, or to comply with RFC or
other standards), or
b. A bug

It's not. You have to tell GTC what authentication method to use. That
is then set in the configuration file and can't be changed during
request processing. If you leave the server to set the auth method ...
If you would force DEFAULT   Auth-Type := System in the users file, ldap
bind as user wouldn't work. If you put LDAP, system passwords
won't work. That is in essence what GTC does.

Ivan Kalik
Kalik Informatika ISP



Re: EAP-PEAP GTC auth_type

2009-02-27 Thread tnt
So in short if I want to do bind as user in PEAP-GTC, I can't
combine it with other authentication methods (like pam)? Too bad.

Why is it too bad. Just don't use bind as user. You should avoid
using methods where Auth-Type is forced. They are very difficult to
combine with other methods.

Ivan Kalik
Kalik Informatika ISP



Re: Two factor authentication to both LDAP directory and SecurID

2009-02-27 Thread tnt
So I think what will happen is this:
- username/tokencode-password is passed from the Cisco ASA device
- this data is passed in cleartext to the script
   - script splits the username/tokencode and username/password
   - script proxies the u/tc via RADIUS to SecurID
   - script uses PAP to pass the u/p to out directory
 - script does these checks in sequence or concurrently
   - once both sets of credentials are accepted, an accept is passed
back to the Cisco ASA device

Does this sound right?


Mostly. You will have to get the password from ldap rather than send it
to it. And then check it in pre-proxy (save yourself a proxy if user/pass
don't match). This should work with pap requests.

Ivan Kalik
Kalik Informatika ISP



Re: Error: WARNING: Unresponsive child for request inmodule sqlcomponent accounting

2009-02-27 Thread tnt
Executing this script during last 24h (with nohup), from the radius machine, I
got always latencies below 1 second


Below 1 second or below 1/100th of a second? Near 1 second for such a
simple query is *very* slow. Have in mind that an insert into radacct is
going to take some 100 times longer than a select.

Ivan Kalik
Kalik Informatika ISP



Re: EAP, Called-Station-Id and users file

2009-02-27 Thread tnt
I have this entry in my users file

DEFAULT Called-Station-Id =~ ".*MMP"
   Auth-Type := Reject


Should be:

DEFAULT Called-Station-Id =~ ".*MMP", Auth-Type := Reject

Ivan Kalik
Kalik Informatika ISP



Re: EAP-PEAP GTC auth_type

2009-02-27 Thread tnt
The LDAP server I'm authenticating against is Lotus Domino, which
stores user password in a Lotus-specific encryption. The only way to
use freeradius to authenticate against it is with bind as user.


Talk about painting yourself into a corner.

The thing that I don't get yet is why on normal radius packet (without
PEAP-GTC) I don't have to set Auth-Type explicitly, yet the ldap
module can use either user password stored in LDAP or bind as user.
With gtc on the other hand, I have to FORCE gtc to use Auth-Type LDAP.


RFC: The EAP GTC method is intended
  for use with the Token Cards supporting challenge/response
  authentication and MUST NOT be used to provide support for
  cleartext passwords in the absence of a protected tunnel with
  server authentication.

I was hoping that with gtc set to pap the inner-tunnel can use
multiple modules to authenticate, including bind as user when using
LDAP.

EAP TTLS/PAP.

Ivan Kalik
Kalik Informatika ISP



Re: Conversion to Version 2

2009-02-27 Thread tnt
I finally figured out how to compile the module.  It's actually quite
simple once you figure out the new structure.  The problem I still
have is how to incorporate that into the new conf file.  There used to
be authorize and accounting sections that listed the modules.  I can't
find where that has been placed in the new structure.
-

Read the comments near the end of the radiusd.conf file (where those
sections used to be).

Ivan Kalik
Kalik Informatika ISP



Re: EAP-PEAP GTC auth_type

2009-02-26 Thread tnt
Great! It works perfectly.
Other than enabling ldap in authorize and authenticate in
inner-tunnel, I also had to change eap.conf's gtc section to auth_type
= LDAP.

This works, but it brings up another problem. Setting auth_type to
PAP, Local, or commented out on gtc section does not work for LDAP. On
the other hand, If I set auth_type = LDAP, PEAP-GTC with system user
(which works if I set auth_type = PAP on gtc section) does not work.

Is there a way I can authenticate with BOTH system user and LDAP using 
PEAP-GTC?
the main radiusd.conf can have multiple authorize methods available,
right? Why does gtc have to explicitly set auth_type?


Leave gtc as pap. Change set_auth_type to no in ldap module
configuration. Module will then just collect the password and pass it to
pap module for authentication. It will not do bind as user ldap
authentication.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius-Users Digest, Vol 46, Issue 102 Why is groupname fieldblank in radacct

2009-02-26 Thread tnt
I have MySQL 5.0.67 and PostgreSQL 8.3.6 and freeRADIUS 2.17 installed on
GNU/Linux Fedora 10 distribution. I have identical radius databases on both
MySQL and PostgreSQL. When I use the PostgreSQL, the groupname field in the
radacct table gets filled in but when I change the database to MySQL, the
groupname field is blank. I checked the queries in mysql/dialup.conf and
postgresql/dialup.conf and found out that they are the same. Why is it
working with PostgreSQL and not working with MySQL? The groupnames are
defined in radusergroup table.


Default queries that come with the source don't write to groupname
field. MySQL or PostgreSQL. You can place Class in radgroupreply and
give it the value of the group name. Then put %{Class} into groupname
field in accounting queries.

Ivan Kalik
Kalik Informatika ISP



Re: SQLCounter configuration

2009-02-26 Thread tnt
 Can you show some examples please? I try to do it like this:

 noresetBytecounter

 if (reject) {
     update reply {
         Reply-Message := "Traffic limit exceeded."
     }
 }

 but if noresetBytecounter returns reject, freeradius immediately returns
 reject to the user and does not process the 'if' clause

   You need to put this in the post-auth section, Reject subsection.
  See the example configuration files.


/etc/freeradius/sites-enabled/default[412]: SQL Counter modules aren't
allowed in 'post-auth' sections -- they have no such method.


Don't put the counter there but the counter attribute:

if(control:Counter-Attribute  0) { ...

Ivan Kalik
Kalik Informatika ISP



Re: Question about authenticating CHAPclientsusinganexternalprogram-A different case

2009-02-26 Thread tnt
Thanks for your reply. I have got some questions to ask. We have different
types of clients (Or, connections) in our system; Dial-Up, ADSL, VoIP, CHAP,
MS-CHAP, MS-CHAPv2 and ... . Each of these clients needs a different
authorization method. Now, where should our authorization code reside? Shall
we create an authorization external program as an instance of the rlm_exec
module and call it in the Authorization section of radiusd.conf?

Yes.

Shall we
create our customized module and form our code as the authorization
function?

Yes.

What about authentication, I completely understood the idea of
post-auth, but how it should be implemented? Do we need another instance of
the rlm_module placed in the post-auth section of radiusd.conf or we should
implement post-auth functionalities as post-auth function in our customized
module?

You would place the second module in post-auth.

In general, what should be our strategy, developing a customized
module and implementing our logic as it's functions, or using multiple
instances of rlm_exec module and placing them in the appropriate sections of
the radiusd.conf?

Create the authorization script (for the authorization section) that will do
all the checks on access request attributes (plus counters, login time,
expiration etc. if you are not using default modules) that you feel
should be done. Then pass the password to the server for authentication
with default server modules. Once authenticated, add anything that the user
needs (IP, VLAN, fixed bandwidth or time restrictions etc.) in the post-auth
script.

Ivan Kalik
Kalik Informatika ISP



Re: Question about authenticating CHAPclientsusinganexternalprogram-Adifferent case

2009-02-26 Thread tnt
Thanks for your reply. Sorry if my question is elementary, but this is the
last one. What is the difference between creating a customized module to do
Authorization/Post-Authentication and using external programs as instances
of rlm_exec module to the so-called functionalities?


A module is much more complex. It should be capable of handling and
properly responding to all kinds of inputs. You can safely ignore most
of that if you are writing a script, as rlm_exec (or rlm_perl or whatever)
will handle it for you. And you have to write the module in C, while
scripts can be written in a variety of languages.

Ivan Kalik
Kalik Informatika ISP



Re: SQLCounter configuration

2009-02-26 Thread tnt
Sorry, I read the man pages and the comments in the config and tried to do as you say, but
it doesn't work as I need. I have this sqlcounter:
sqlcounter noresetBytecounter {
    counter-name = Total-Max-Octets
    check-name = Max-Octets
    reply-name = ChilliSpot-Max-Total-Octets
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT (SUM(AcctInputOctets)+SUM(AcctOutputOctets)) FROM radacct WHERE UserName='%{%k}'"
}

post-auth section in sites-enabled/default:
 Post-Auth-Type REJECT {
     attr_filter.access_reject

     if (control:Max-Octets  0) {
         update reply {
             Reply-Message := "Traffic limit exceeded."
         }
     }

 }


Looking at that it should probably be:

control:Max-Octets (check value) < control:Total-Max-Octets (counter
value). I don't think that a negative value will go into (reply:)
ChilliSpot-Max-Total-Octets. If it doesn't work, you can check if the reply
value is zero.

Ivan Kalik
Kalik Informatika ISP



Re: SQL-Accounting

2009-02-26 Thread tnt
is it possible to call only a simple Stored Procedure (SP) on the
MySQL-Server to do the Accounting Job, like the sql-log module
(rlm_sql_log(5)), but not log to a file and instead call the SP?

I can't find more Information for such configuration.


unlang supports only SELECT statements. Call your procedure from a perl
script.

Ivan Kalik
Kalik Informatika ISP



Re: SQLCounter configuration

2009-02-26 Thread tnt
I can do like this:

 if (!reply:ChilliSpot-Max-Total-Octets) {
     update reply {
         Reply-Message := "Traffic limit exceeded."
     }
 }

but if the user enters a wrong password the "Traffic limit exceeded." error message
will be displayed.


I had a look at the code and the sqlcounter module sets the Reply-Message
"Your maximum %s usage time has been reached" when the user is rejected.
Check for that reply message and alter it.

Ivan Kalik
Kalik Informatika ISP



Re: SQLCounter configuration

2009-02-26 Thread tnt
Thank you. I saw this solution on the internet, but I need a configurable
Reply-Message, because I want to limit not only traffic, but session time
too.


Actually, I can recall that sqlcounter had a configurable Reply-Message in
the early days (I had 1.0.5 where it was configurable). Download 1.0.5 and
have a look at how it was done. Perhaps you can create a patch for the
current version without too much trouble.

Ivan Kalik
Kalik Informatika ISP
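The sqlcounter threads above revolve around three things the module does: sum the user's octets from radacct inside the current reset period, compare that to the check attribute (Max-Octets), and either reject with a fixed Reply-Message or return the remainder in the reply attribute (here ChilliSpot-Max-Total-Octets). The Python below is an added example written to make those semantics explicit; it is not rlm_sqlcounter code. The radacct rows, the timestamps and the reject text are constructed for illustration (the module's real default text is the one quoted in the reply above).

```python
import datetime as dt

# Constructed radacct rows: (username, acctstarttime, acctinputoctets, acctoutputoctets).
# They stand in for the rows the counter's SELECT would read through rlm_sql.
RADACCT = [
    ("bob",   dt.datetime(2009, 2, 20, 10, 0), 400_000_000, 100_000_000),
    ("bob",   dt.datetime(2009, 2, 25,  9, 30), 300_000_000, 250_000_000),
    ("alice", dt.datetime(2009, 2, 25, 11, 0),  10_000_000,   5_000_000),
]

# Constructed reject text; a deployment can make it configurable per counter.
DEFAULT_REJECT_MESSAGE = "Your maximum usage has been reached"
NOW = dt.datetime(2009, 2, 26, 12, 0)  # constructed "request time"


def reset_window_start(now, reset):
    """Start of the counting period for reset = never|daily|weekly|monthly.
    None means count every session the user ever had (reset = never)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if reset == "never":
        return None
    if reset == "daily":
        return midnight
    if reset == "weekly":
        return midnight - dt.timedelta(days=midnight.weekday())
    if reset == "monthly":
        return midnight.replace(day=1)
    raise ValueError("unknown reset value: %r" % (reset,))


def used_octets(username, rows, window_start):
    """Equivalent of SUM(AcctInputOctets)+SUM(AcctOutputOctets) for the user,
    restricted to sessions that started inside the current window."""
    return sum(
        inp + out
        for user, started, inp, out in rows
        if user == username and (window_start is None or started >= window_start)
    )


def sqlcounter(username, max_octets, rows, now, reset="never",
               reject_message=DEFAULT_REJECT_MESSAGE):
    """Mimic one sqlcounter instance. Returns (rcode, reply_attributes).

    max_octets is the check attribute for the user (None: no limit set, the
    module does nothing). If usage has reached the limit the request is
    rejected and Reply-Message is set; otherwise the remaining quota goes into
    the reply attribute so the NAS can enforce it for this session."""
    if max_octets is None:
        return "noop", {}
    used = used_octets(username, rows, reset_window_start(now, reset))
    if used >= max_octets:
        return "reject", {"Reply-Message": reject_message}
    return "ok", {"ChilliSpot-Max-Total-Octets": max_octets - used}


def demo():
    """Run the counter against the constructed rows for a few cases."""
    return {
        "bob_never": sqlcounter("bob", 1_000_000_000, RADACCT, NOW),
        "bob_monthly": sqlcounter("bob", 1_000_000_000, RADACCT, NOW, reset="monthly"),
        "bob_daily_feb25": sqlcounter("bob", 1_000_000_000, RADACCT,
                                      dt.datetime(2009, 2, 25, 12, 0), reset="daily"),
        "alice": sqlcounter("alice", 100_000_000, RADACCT, NOW),
        "no_limit": sqlcounter("carol", None, RADACCT, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Because the reject carries its own Reply-Message, a Post-Auth-Type REJECT block can tell a quota reject apart from a wrong-password reject by testing that message rather than testing the counter value, which is the point made in the replies above.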



Re: SQL-Accounting

2009-02-26 Thread tnt
1) can I access to all accounting releated information from the perl
module like in the sql-module?

You said that you want to call a stored procedure. Yes, your database
does have access to all the information stored in it.

Are any examples out there?

$query = "CALL your_procedure";

If you need a tutorial about using MySQL with perl - ask your friend
Google.

2) If I use the perl module, must I log on to the database each time
the module is invoked?


Yes. You can't borrow persistent sql handles from rlm_sql.

Ivan Kalik
Kalik Informatika ISP



RE: auth: Failed to validate the user - NEED SOME HELP !

2009-02-25 Thread tnt
rad_recv: Access-Request packet from host 127.0.0.1:54057, id=172, length=59
User-Name = monitor
User-Password = 
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = monitor, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry monitor at line 216
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type System


You are using an ancient version of the server. Upgrade. If you insist on
using an outdated, buggy and insecure version then comment out the DEFAULT
entry setting Auth-Type System in the users file.

Ivan Kalik
Kalik informatika ISP



RE: Freeradius-Users Digest, Vol 46, Issue 94

2009-02-25 Thread tnt
Tnx for the quick answer. In the meantime I figured out my problem.
In 'users' file I commented out:
-
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULTAuth-Type = System
#   Fall-Through = 1
-

Which 'tells' Radius to authenticate with /etc/passwd. 
Now localcheck works fine. 
I have another problem. I enter a client with a secret in clients.conf file:

client 192.168.10.10 {
secret  = 
shortname   = Test
}

But while testing from Client 192.168.10.10 - I got:
---
rad_recv: Access-Request packet from host: 192.168.10.10:45931, id=56, 
length=53
Ignoring request from unknown client 192.168.10.10:45931
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.  



Any hint??


You have multiple installations and clients.conf that you edited doesn't
belong to radiusd.conf you are running. Post the debug of server startup.

Ivan Kalik
Kalik Informatika ISP



Re: Wired 802.1x auth - Getting the IP address of the authed machine

2009-02-25 Thread tnt
I have a wired 802.1x auth setup on cisco gear.  I would like to
record the IP address of machines that connect and are authorized.  Is
this possible?

I currently see NAS-IP-Address and Client-IP-Address as the IP of the
switch.  The Calling-Station-Id is the correct mac address of the
authorized machine.  The machines that are connecting to be authed are
allocated their address using dhcp.

You will need to get accounting packets for that.

Ivan Kalik
Kalik Informatika ISP



RE: Welcome to the Freeradius-Users mailing list

2009-02-25 Thread tnt
I am facing strange issue while running radtest from remote IP and
radiusd running on other IP but on the same network.

My Radius server is not listening to any other client except localhost.
I've added all clients entries in clients.conf file.
What could be the issue?

clients.conf file doesn't belong to radiusd.conf file you are running.
Or you haven't restarted the server since making changes to
clients.conf. Post the debug of server startup.

Ivan Kalik
Kalik Informatika ISP



Re: Why is groupname field blank in radacct

2009-02-25 Thread tnt
I installed freeradius and have noticed that all while other fields are
filled in on the radacct table some are not. Of particular importance to me
is the groupname field. I need this field because I need to know which group
the customer is from so that I charge them accordingly. A person may belong
to more than one group and we need a particular group the person used to log
into the system.

How can we cause the groupname to be written to the radacct table?

Nothing is written to that field by default. Edit the accounting queries
in dialup.conf to fill that field.

Ivan Kalik



Re: does peap/mschap-v2 must use with ldap?

2009-02-25 Thread tnt
I configured my freeradius 1.1.7 + oracle + cisco 3750 switch to do 802.1x
authentication for wired clients. I configured it with the EAP/MD5 method and it
works well. Now I want to use the peap/mschap-v2 method, but I didn't configure
LDAP in radiusd.conf, and when the server starts it reports some errors. Below are
the details:

..
Is it because I didn't configure LDAP? Must PEAP/MSCHAP-V2 be used with LDAP?

No.


In my database I have already added testuser User-Password := test123
in the radcheck table but it doesn't work.

That's because 1.1.7 shouldn't use User-Password but Cleartext-Password
attribute.

Ivan Kalik
Kalik Informatika ISP



Re: Problem with configuring freeradius for WPA with LDAP havingMD5 paswords

2009-02-25 Thread tnt
I went through a document on the Internet that says EAP does not support
MD5 hashes, only EAP-GTC and PAP do.
Can someone suggest a solution for getting users authenticated through the
AP with their passwords stored in MD5??


You can't use PEAP. Install SecureW2 on all the clients and use EAP
TTLS/PAP. Or change all the users passwords to clear text or nt hash.
Whatever you think is easier.

Ivan Kalik
Kalik Informatika ISP



Re: EAP-PEAP GTC auth_type

2009-02-25 Thread tnt

but using LDAP user with auth_type = PAP in gtc section does not work
#==
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group PAP {...}
[pap] login attempt with password My LDAP password here

That's not your LDAP password. That's the password from the
User-Password field in the request.

[pap] No password configured for the user.  Cannot do authentication
++[pap] returns fail
[eap] Handler failed in EAP/gtc
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [My LDAP user here] (from client My client name
here port 0 via TLS tunnel)
#==

And where is the part of the debug that shows what ldap did?

Ivan Kalik
Kalik Informatika ISP



Re: Wired 802.1x auth - Getting the IP address of the authed machine

2009-02-25 Thread tnt
I have accounting turned on, but I don't see the authed machine's IP on
that of the NAS.


Post the debug of accounting packet. Start might not but stop should have
it.

Ivan Kalik
Kalik Informatika ISP



Re: EAP-PEAP GTC auth_type

2009-02-25 Thread tnt
Here's a complete debug log from radius startup tested with wifi client,
same user and password, same config files. Somehow in this config LDAP
never got to bind as my user.
http://pastebin.com/f37aaf2b2


Ah, bind as user works only for pap requests not eap. This is
documented in ldap module configuration file. Enable ldap in authorize
in inner-tunnel virtual server in order to have password available.

Ivan Kalik



Re: Error: WARNING: Unresponsive child for request in module sqlcomponent accounting

2009-02-25 Thread tnt
I am facing this problem with my Freeradius 2.1.3, and I don't know how to solve
it :(

My NAS is sending only accounting registers to my freeradius server. My
freeradius server is configured to store these registers into a MySQL server.
I have configured max_request_time = 120, in case of slow MySQL
performance, but the problem persists.


No, you don't have a problem with radius server but with sql one.
Perhaps you should look into the server that does have a problem (sql)
and not the one that doesn't (radius). There is nothing radius server
can tell you about why are sql queries running slow.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius-Users Digest, Vol 46, Issue 98 : Why is groupnamefield blank in radacct

2009-02-25 Thread tnt
I tried editing the dialup.conf and added groupname with a value of
'%{SQL-Group}' but still it writes nothing for the groupname in the radacct
table. Can you help me as to how exactly I have to edit the dialup.conf ?


That is fine, only the attribute is wrong. AFAIK Class is the only
attribute that you can custom set during authentication that the NAS will
have to send back in the accounting packet.

http://freeradius.org/rfc/rfc2865.html#Class

Ivan Kalik
Kalik Informatika ISP



Re: Error: WARNING: Unresponsive child for request in modulesqlcomponent accounting

2009-02-25 Thread tnt
and do you know if the accounting registers are lost? or does another child retry
the insert into the database?


They usually are - there are no handles to write to the database as the
whole server gets blocked. I haven't seen the case where a single handle
would die and the rest of them would continue working. This is usually the
terminal state of a radius-sql server connection problem.

Ivan Kalik
Kalik Informatika ISP



Re: Rlm_sqlcounter log problem

2009-02-25 Thread tnt
I have a little problem with freeradius, and I can't find any solution for it.
We have logged failed login attempts with the following statement (it's taken
from the Freeradius Wiki):
 Post-Auth-Type REJECT {
    # Login failed: log to SQL database.
    sql
 }

However when we use rlm_sqlcounter this module can't be handled with the above
statement.

So how is it possible to log users that are rejected by the rlm_sqlcounter module?

man unlang. Test for module return code and then run, for example, perl
script that will log to the database. You can't do sql inserts and
updates directly from unlang without source code changes.

Ivan Kalik
Kalik Informatika ISP



Re: Two factor authentication to both LDAP directory and SecurID

2009-02-24 Thread tnt
Scenario:
To pilot the SecurID product, we selected VPN access to a part of our
network, protected by a Cisco ASA5500 series device.  We are in the
process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
We know that MS IAS cannot do what we want to do.

What we want to do:
When a user attempts to access the VPN, have them provide their
username/password as well as (their same) username and tokencode from
their SecurID fob.  It is OK if they provide the password and tokencode
separately or together.  (I spoke to the folks at Radiator, and they
have a programming ability in their RADIUS server to chop up the
password field before it's authenticated, i.e. have the tokencode and
password provided in the same field at the client, then take the first
eight characters of the 'password' field, send that string plus the
username to SecurID via RADIUS, and the rest of the characters from the
'password' field and the username to our LDAP directory.)  Ideally we
would prompt them for username, password and tokencode at the same time.

Can FreeRADIUS do this (it seems that Access-Challenge is exactly what
we want: http://en.wikipedia.org/wiki/RADIUS#AAA) or a similar thing to
solve our requirement?

Yes. There is no problem in composing Cleartext-Password on the fly
from the user's password and the token. It shouldn't be too difficult to
create a perl script that does that.

You can have problems only if you insist that stored passwords should be
encrypted. That can be sorted in reverse: you would split the
User-Password from the request and create a custom authentication script
that would check both parts. But that will work only for pap requests.

Ivan Kalik
Kalik Informatika ISP
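The "split the User-Password" approach from the reply above, and the ordering suggested in the follow-up (check the directory password locally first, proxy only the tokencode to the SecurID server), as an added Python example. This is illustrative code, not FreeRADIUS's or the poster's; the 8-character tokencode length comes from the Radiator description quoted in the question, while the user directory and the token server are constructed stand-ins (in the real deployment rlm_ldap would fetch the stored password and FreeRADIUS would proxy the token half). As the reply says, this only works for PAP, where the whole credential arrives in cleartext; CHAP and MSCHAPv2 hash the entire field, so nothing can be split out of them.

```python
import hmac

TOKEN_LEN = 8  # assumption: the SecurID tokencode is the first 8 characters

# Constructed directory: the server must be able to READ the stored password
# (cleartext here); a bind-only directory cannot be used for this scheme.
DIRECTORY = {"alice": b"s3cret-pass"}


class TokenProxy:
    """Constructed stand-in for proxying (User-Name, tokencode) to the SecurID
    RADIUS server. It counts the requests it receives, which shows that a bad
    directory password never reaches the token server."""

    def __init__(self, valid):
        self.valid = valid  # {username: tokencode} the fake token server accepts
        self.sent = 0

    def __call__(self, username, tokencode):
        self.sent += 1
        return hmac.compare_digest(self.valid.get(username, b""), tokencode)


def split_credential(user_password, token_len=TOKEN_LEN):
    """Tokencode first, password after it. None if the field is too short."""
    if len(user_password) <= token_len:
        return None
    return user_password[:token_len], user_password[token_len:]


def check_directory_password(username, password, directory):
    """Constant-time comparison against the stored password. For an unknown
    user a dummy comparison is still done so timing does not reveal whether
    the account exists."""
    stored = directory.get(username)
    if stored is None:
        hmac.compare_digest(b"\x00" * len(password), password)
        return False
    return hmac.compare_digest(stored, password)


def two_factor_auth(username, user_password, directory, proxy_token):
    """Returns (accept, reason). Only `accept` is reflected in the RADIUS reply;
    every failure is the same Access-Reject, so the client cannot learn which
    factor was wrong. The local factor is checked first, as suggested in the
    reply, so a wrong password costs no proxy round trip and burns no code."""
    parts = split_credential(user_password)
    if parts is None:
        return False, "credential too short to contain a tokencode"
    tokencode, password = parts
    if not check_directory_password(username, password, directory):
        return False, "directory password mismatch"
    if not proxy_token(username, tokencode):
        return False, "tokencode rejected by token server"
    return True, "both factors ok"


if __name__ == "__main__":
    proxy = TokenProxy({"alice": b"12345678"})
    print(two_factor_auth("alice", b"12345678s3cret-pass", DIRECTORY, proxy))
    print(two_factor_auth("alice", b"12345678wrong", DIRECTORY, proxy), proxy.sent)
```

The `reason` string is meant for the server's own log, never for Reply-Message: returning different messages for "wrong password" and "wrong token" would turn the second factor into an oracle for the first.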



Re: Checking an user into a specific OU using ldap module

2009-02-24 Thread tnt
Mon Feb 23 19:54:36 2009 : Info: [files]   expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))

Try %{control:Ldap-UserDn} in the filter.

Ivan Kalik
Kalik Informatika ISP



Re: Question about authenticating CHAP clients using an externalprogram- A different case

2009-02-24 Thread tnt
The
result is the same, with both attributes the CHAP module throws the same
error. Any ideas?


Post the debug.

Ivan Kalik
Kalik Informatika ISP



Re: Problem with configuring freeradius for WPA

2009-02-24 Thread tnt
I've been trying to authenticate a Wireless Access Point through a Radius
Server for the last month, but things don't seem to be working for me.
The Radius Server authenticates when I test it with the radtest
command. It also worked for a Cisco 2950 switch. But no luck when I use
the Access Point. I have tried 3 different access points, including
Linksys, D-Link and the Firepro, but none of them worked.

I do not get any error when I check the radius in debug mode. It says
Sending Access-Challenge to , but the client doesn't get
authenticated. I seriously need help on this.

1. Do I really need certificates for authentication?

Yes. That conversation is EAP-TLS. *You* have selected that
authentication method when you were creating the connection.

Is there a way to
achieve WPA with UserName and Password, without installing certificates?

Yes. You can do PEAP with usernames and passwords. You might need to
install CA certificate if you are signing your own.

2. Should the AP send User-Password attribute to the Radius Server?

No.

Or
should the Radius Server send an Access-Challange to the AP, and AP does
matching and all.

AP does nothing. It just passes the challenge to the user's machine.

Ivan Kalik
Kalik Informatika ISP



Re: Question about authenticating CHAP clients using anexternalprogram- A different case

2009-02-24 Thread tnt
By the way, the authorization external program sets my customized Auth-Type
so that in the authentication section, I can use it to authenticate clients
using my authentication external program which is another instance of the
rlm_exec module (the second one).

Why?

The main problem is the way that
authentication should take place for CHAP, MS-CHAP and MS-CHAPv2 clients in
the authentication external program.

Exactly. Why bother when you have first class modules included with the
server. Don't set Auth-Type. Let server do it.

Ivan Kalik
Kalik Informatika ISP



Re: eap-tls not authenticating

2009-02-24 Thread tnt
What's happening here? It's like the radius tries to send a request back to
the supplicant, but gives up...

No. Client gives up - it didn't send client certificate.

Ivan Kalik
Kalik Informatika ISP



Re: Question about authenticating CHAP clients usinganexternalprogram- A different case

2009-02-24 Thread tnt
Thanks for your reply. You are right and I do know that this is not the
right way to get things done, but what we have got here is a sophisticated
and feature-balloted AAA system which is totally based on external programs.

So what would be the problem in sorting out your features in
authorization script and leaving authentication to the server?

As a mid-term solution we should try to respond to our numerous clients who
are using CHAP, MS-CHAP and MS-CHAPv2 connections. Please please, let me
know if there exists any solution to implement these features in an external
authentication program.

Freeradius is open source. Look up the code in rlm_chap and rlm_mschap.

Ivan Kalik
Kalik Informatika ISP
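The reply above points the poster at rlm_chap for the CHAP half. What that code does is small enough to show in full, so here is an added Python example of it; it is not FreeRADIUS code and not the poster's. CHAP with MD5 (RFC 1994) defines the peer's response as MD5(ident || secret || challenge), and RADIUS (RFC 2865) carries the ident byte followed by the 16-byte digest in CHAP-Password, with the challenge in CHAP-Challenge (or, if that attribute is absent, in the Request Authenticator). The captured attribute values are copied from the debug output posted further down this page; the password used for the round trip ("pass", the value the posted perl script injects) is an assumption.

```python
import hashlib
import hmac
import os
from typing import Tuple


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """16-byte CHAP/MD5 response a peer sends: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def parse_chap_password(attr: bytes) -> Tuple[int, bytes]:
    """Split the RADIUS CHAP-Password attribute value into (ident, response)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 1 ident byte + 16 digest bytes")
    return attr[0], attr[1:]


def chap_verify(chap_password: bytes, challenge: bytes, cleartext_password: bytes) -> bool:
    """Check that CHAP-Password was produced with cleartext_password.

    The server needs the password itself: because the digest covers
    ident||password||challenge, a stored hash of the password (MD5, SSHA,
    crypt, ...) cannot be used, which is why rlm_chap wants Cleartext-Password
    and why MD5-hashed directory passwords only work with PAP-style methods."""
    ident, response = parse_chap_password(chap_password)
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


# Values copied from the debug output posted on this page.
CAPTURED_CHAP_PASSWORD = bytes.fromhex("7826d3a1143b969ddf5ea1599a9483574a")
CAPTURED_CHAP_CHALLENGE = bytes.fromhex("9899ee060e58b9864898d5fa165a2455")


def demo() -> dict:
    """Parse the captured attribute, then do a full round trip with a fresh
    random challenge and the assumed password, plus a wrong-password check."""
    ident, digest = parse_chap_password(CAPTURED_CHAP_PASSWORD)
    secret = b"pass"            # assumption: the password the posted script sets
    challenge = os.urandom(16)  # the NAS normally generates this
    attr = bytes([ident]) + chap_response(ident, secret, challenge)
    return {
        "captured_ident": ident,
        "captured_digest_len": len(digest),
        "good": chap_verify(attr, challenge, secret),
        "bad": chap_verify(attr, challenge, b"wrong"),
        # Whether the captured packet really used "pass" is not known here.
        "captured_matches_pass": chap_verify(
            CAPTURED_CHAP_PASSWORD, CAPTURED_CHAP_CHALLENGE, secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

MS-CHAP and MS-CHAPv2 follow the same pattern with different primitives (NT hash of the password and DES-based responses), so the same constraint applies: the server must hold either the cleartext password or the NT hash, never a plain MD5 or crypt hash.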



Re: AW: trigger an Access Challenge

2009-02-24 Thread tnt
Thanks for the reply. But the client that I use only supports PAP and CHAP
requests and neither of them initiates the server to send an Access Challenge.

So what is client going to do with the challenge when it gets it?

That is why I tried to create the challenge with the help of the perl module.
Then I realized that freeradius.net unfortunately doesn't include this module.
After spending several hours setting up a linux environment I'm in despair
over this perl script. Perhaps somebody can tell me why it doesn't work!?

Post the debug. Maybe server *did* send the challenge but client doesn't
know what to do with it.

Ivan Kalik
Kalik Informatika ISP



Re: AW: trigger an Access Challenge

2009-02-24 Thread tnt
But the server doesn't send the reply to the client (Timeout at clientside)

rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
User-Name = radius
NAS-IP-Address = 10.0.1.131
CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = radius, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry radius at line 52
modcall[authorize]: module files returns ok for request 0
perl_pool: item 0xb809a5f0 asigned new request. Handled so far: 1
found interpetator at address 0xb809a5f0
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0xb809a5f0
modcall[authorize]: module perl returns ok for request 0
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password:  Found Auth-Type Perl
auth: type Perl
Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
perl_pool: item 0xb8181050 asigned new request. Handled so far: 1
found interpetator at address 0xb8181050
rlm_perl: RAD_REQUEST: Client-IP-Address = 10.0.1.131
rlm_perl: RAD_REQUEST: CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455
rlm_perl: RAD_REQUEST: CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
rlm_perl: RAD_REQUEST: User-Name = radius
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.0.1.131
rlm_perl: RAD_REPLY: Reply-Message = challenge:
rlm_perl: RAD_REPLY: User-Password = pass
rlm_perl: RAD_REPLY: State = challenge
rlm_perl: Added pair Reply-Message = challenge:
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0xb8181050
modcall[authenticate]: module perl returns handled for request 0
modcall: leaving group Perl (returns handled) for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

That's an outdated server version. Upgrade. It works in the current
version.

Ivan Kalik
Kalik Informatika ISP



Re: Question about authenticating CHAP clientsusinganexternalprogram- A different case

2009-02-24 Thread tnt
Thanks for your reply. The problem is time. We should find an immediate
solution. Anyway, thanks again.


Immediate solution is *not* trying to invent a new kind of hole on the
flower pot. Don't use custom authentication script - use existing
server modules. Whatever additional checks you think you need can be
moved to the authorization script.

Ivan Kalik
Kalik Informatika ISP



Re: auth type as check item in users file

2009-02-24 Thread tnt
I'm trying to figure out how to check to see if the auth type is
mschap in the users file.  I can find tons of help on setting the
Auth-Type, but not a lot on how to compare it.

Additional background info:
I'm running 802.1x with two auth types, certificate based and mschap.

It's EAP-Type not Auth-Type you want. Auth-Type will be EAP for both.

Ivan Kalik
Kalik Informatika ISP



Re: Question about authenticating CHAP clientsusinganexternalprogram-A different case

2009-02-24 Thread tnt
Thanks for your attention. Yes, you are right, we should organize our system
regarding the structure of freeradius. I have lots of questions to ask. I am
going to coherently form them; would you please trace this thread?

I do hang around. This is what you should plan for:

- checks that need to be made before you decide if the user should be
accepted should be run in authorize

- let freeradius sort out password validity (authentication)

- anything that needs to be added/changed after you decided to
accept/reject user should be run in post-auth

If you follow that structure there will be few problems in sorting out
your scripts.

Ivan Kalik
Kalik Informatika ISP



Re: Two factor authentication to both LDAP directory and SecurID

2009-02-24 Thread tnt
 Yes. There is no problem in composing Cleartext-Password on the fly
 from the user's password and the token. It shouldn't be too difficult to
 create a perl script that does that.

Excellent!  So the username and tokencode/password is passed from the
NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to
extract the tokencode and password from the password field on the
FreeRADIUS server, right?

Yes. But you say later that you won't be using clear text passwords. So,
forget that. Instead the script will be splitting the value passed in the
User-Password field in the request.

This script would then present both sets of
credentials back to the FreeRADIUS server and they would then be
authenticated to their respective sources?

I take it that we cannot do this natively in FreeRADIUS without writing
such a script?


No.

 You can have problems only if you insist that stored passwords should be
 encrypted. That can be sorted in reverse: you would split the
 User-Password from the request and create custom authentication script
 that would check both parts. But that will work only for pap requests.

I guess that we would prefer that the password is encrypted, we wouldn't
want the passwords to be able to be viewed by someone who had access to
the FreeRADIUS server.

That would limit you to using pap authentication.

Can you elaborate on 'custom auth script', does
this mean that such a script would have to talk directly to our LDAP
directory as well as the SecurID server?

No.

I was hoping to have only the
FreeRADIUS server talking to our LDAP and SecurID servers.


Yes, server can get those values and make them available to the auth
script.

Ivan Kalik
Kalik Informatika ISP



Re: Secure FreeRADIUS LDAP

2009-02-23 Thread tnt
Does freeradius support SHA hashed passwords (on ldap backend)?


Yes. This is documented in doc/rlm_ldap included with the server.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius with Oracle

2009-02-23 Thread tnt
Well I am new to this, I found a package in Ubuntu for it so the installation
was ok but there is one thing I went to the site I want a normal
configuration. I am trying to test that the radius is working after the
installation. Then I want to add a perl script that will handle my Authblock
I tried searching in the wiki but I guess I am not putting the right words.
It would be nice if I can get the link for the module Doc and the text
doc.


So what is the document that is matched when you type perl in wiki search
box?

Ivan Kalik
Kalik Informatika ISP



Re: User-Id and Calling-Station-Id matching

2009-02-23 Thread tnt
I presume this expression would do the magic for me. But if for SQL
authentication how do I enforce that from the SQL tables?


Put Calling-Station-Id, expression and =~ as operator for that user in
radcheck. But regex is not working well in 2.1.3. Better wait a few days
for 2.1.4.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius with Oracle

2009-02-23 Thread tnt
Did you bother reading that perl article?

Ivan Kalik
Kalik Informatika ISP


On 23/2/2009, kenshin eternalbl...@gmail.com wrote:


Well it gives me this at first

Search results

You searched for perl

There is no page titled perl. You can create this page.

Then I see A Perl Article and then Page text matches.




Re: trigger an Access Challenge

2009-02-23 Thread tnt
I want to test a radius client with the freeradius server. Access
Requests and Replies works fine, but although I searched this mailing
list and several websites I still have no idea how to trigger an Access
Challenge. It would be very nice, if somebody could tell me how I have
to configure freeradius, so that it sends an access challenge to my
client. 


Send a request for an authentication protocol that requires multiple
server-client exchanges (like EAP). If server needs more information
from the client it will respond with the challenge.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius with Oracle

2009-02-23 Thread tnt
Yes I did but didn't get it, but I will do it again.
I will try to understand it as much as I can.


Hm, so you have trouble following simple instructions with ready-made
examples. Yet you are planning a perl application accessing data via
stored procedures in Oracle. Well, good luck with that.

Ivan Kalik
Kalik Informatika ISP



Re: Question about authenticating CHAP clients using an external program- A different case

2009-02-23 Thread tnt
I am using freeradius-1.1.7. In order to authenticate users using an
external program, I have created an instance of the rlm_exec module which
contains the properties of the external program. In the radiusd.conf, I have
called the instance in the authentication section. Now, as I want to
authenticate CHAP clients, I need to pass their clear text passwords to the
rlm_chap module. The passwords are stored in the database (MySQL) and are
fetched in the external program. In the external program, I have simply
output User-Password = ### as the user's clear text password, but the
rlm_chap module says: Could not find clear text password for user 
What is wrong? Any ideas?

Attribute for clear text password is - Cleartext-Password. And operator
should be :=.

Ivan Kalik
Kalik Informatika ISP

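The thread above, like the radiusd debug output in the earlier Access Challenge thread (where CHAP-Password and CHAP-Challenge appear as hex octets), turns on one fact: the server can only validate CHAP if it has the user's cleartext password. The following is an added Python illustration of what rlm_chap has to compute; it is not code from the posts or from FreeRADIUS, and the check-item dictionary, sample password and challenge are constructed.

```python
# Added example (editor's illustration, not code from the list posts or from
# FreeRADIUS): what a RADIUS server has to compute to validate a CHAP login,
# and why that needs the user's cleartext password rather than a hash.
#
# Per RFC 1994 / RFC 2865 section 5.3, the NAS sends
#   CHAP-Password  = ident (1 byte) || MD5(ident || password || challenge)
#   CHAP-Challenge = the challenge the NAS gave the user (16 bytes here)
# The server can only check this by redoing the MD5 over the cleartext password.
import hashlib
import hmac


def parse_hex_attr(value: str) -> bytes:
    """Decode an octets attribute as printed in radiusd -X output, e.g. '0x7826d3...'."""
    if value.startswith("0x"):
        value = value[2:]
    return bytes.fromhex(value)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What a CHAP client sends: the 17-byte CHAP-Password value."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(chap_password: bytes, challenge: bytes, cleartext_password: bytes) -> bool:
    """Server side: recompute the digest from the stored cleartext password."""
    if len(chap_password) != 17:        # ident byte + 16-byte MD5 digest
        return False
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()
    # constant-time comparison so a wrong guess cannot be timed
    return hmac.compare_digest(expected, chap_password[1:])


def chap_auth(check_items: dict, chap_password: bytes, challenge: bytes):
    """
    The decision rlm_chap has to make, given the check items found for the
    user (from the users file, SQL, LDAP or an rlm_exec script).

    Returns True/False when a verdict is possible, or None when the entry
    holds no Cleartext-Password: a User-Password item is not a known-good
    password, and a hashed item (Crypt-Password, MD5-Password, ...) cannot be
    used because the CHAP digest covers the cleartext, not its hash.
    """
    cleartext = check_items.get("Cleartext-Password")
    if cleartext is None:
        return None
    return verify_chap(chap_password, challenge, cleartext.encode())


if __name__ == "__main__":
    # Constructed sample: a client with password "pass" answers challenge c.
    c = bytes(range(16))
    resp = chap_response(0x78, b"pass", c)
    print(chap_auth({"Cleartext-Password": "pass"}, resp, c))   # True
    print(chap_auth({"User-Password": "pass"}, resp, c))        # None: no clear text password found
    print(chap_auth({"Cleartext-Password": "wrong"}, resp, c))  # False
```

The `None` branch is the situation in the thread: an external program that outputs `User-Password = ...` gives rlm_chap nothing it recognises as a known-good password, hence the "Could not find clear text password" message; the output has to be `Cleartext-Password := ...`. It also shows why an authentication script that only has hashed passwords at hand cannot serve CHAP or MS-CHAP clients at all, which is the point made in the neighbouring threads.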


RE: FreeRADIUS EAP-TLS and SSL certificate chains

2009-02-20 Thread tnt
So there is no way at all to get the client to pick up the cert chain
without directly installing the intermediate cert on it?

No.
Is this
actually a client issue of it refusing to use chains for this then,
rather than a FreeRADIUS issue of it not passing the chain?

Yes.

Thanks very much for all your help. This only came up because Verisign
have stopped issuing directly root-signed certs, as have the other major
cert authorities, it would seem. Our previous cert was directly root
signed, and thus worked fine. I (possibly foolishly) assumed that if all
the major CAs were shifting to chained certs for everything that the
majority of clients using ssl supported them as well.

Have a look at RapidSSL/Geo Trust.

Ivan Kalik
Kalik Informatika ISP



Re: Secure FreeRADIUS LDAP

2009-02-20 Thread tnt
# Can freeradius talk to the ldap box using TLS/SSL (ldaps)

Yes. See tls section in ldap module.

# Can freeradius read hashed credentials from the LDAP store and then
actually use them???

Yes. You will have to enable auto-headers in pap module if you are
storing them with headers in userPassword.

# There may be a requirement to use certificates for auth, can the
ldap/freeradius module handle certs???

Yes.

Ivan Kalik
Kalik Informatika ISP



Re: How to Authenticate Mysql Users whit freeradius editing theusersfile

2009-02-20 Thread tnt
I didn't force any authentication, I left the users file by default, when I
tried to login I got this:

..
++[files] returns noop

OK. Files are empty now. But ...

expand: %{User-Name} - juanpal
rlm_sql (sql): sql_set_user escaped user -- 'juanpal'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id
- SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'juanpal'   ORDER BY id
rlm_sql (sql): User found in radcheck table

.. this should be the password. And ...

..
++[sql] returns ok
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.

.. no pap module. Why did you remove the pap from authorize? Put it back.

Ivan Kalik
Kalik Informatika ISP



Re: How to Authenticate Mysql Users whit freeradius editingtheusersfile

2009-02-20 Thread tnt
rlm_pap: Normalizing MD5-Password from hex encoding
++[pap] returns updated

Try with Cleartext-Password first. And use := not == as operator.

Ivan Kalik
Kalik Informatika ISP



Re: are multivalued LDAP-attibutes in authorization for replyItemspossible?

2009-02-20 Thread tnt
Is this normal or can I configure the radiusd to return all values
from the multivalued
LDAP attribute?


+=

http://wiki.freeradius.org/Operators

Ivan Kalik
Kalik Informatika ISP



Re: How to Authenticate Mysql Users whit freeradiuseditingtheusersfile

2009-02-20 Thread tnt
I changed the user password from md5 to User-Password and can log in.

I don't know if that was the suggestion, but thanks a lot


 Try with Cleartext-Password first. And use := not == as operator.


No. I meant what I wrote. User-Password shouldn't be used. Use
Cleartext-Password.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS and Active Directory

2009-02-19 Thread tnt
I believe I did all I had to enable my freeradius server to chat to
windows AD


I did changes to my FreeRADIUS configuration according
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I have news for you - you haven't done any of this:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Configuration_of_radiusd.conf

 Module: Instantiating mschap
  mschap {
   use_mppe = yes
   require_encryption = no
   require_strong = no
*  with_ntdomain_hack = no*
  }

Also no ntlm_auth configured in mschap module (raddb/modules/mschap). So:

[mschapv2] +- entering group MS-CHAP {...}
[mschap]   NT Domain delimeter found, should we have enabled 
with_ntdomain_hack?

Server asks about the hack.

[mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

And it isn't using ntlm_auth.

You have an updated manual (relevant to freeradius 2.x) at:

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP



Re: FW: upgraded from freeradius 1.1.3 to 2.0.4

2009-02-19 Thread tnt
I didn't change anything in the config file which we used on the 1.1.3
version of freeradius. I guess something goes wrong with the empty expand
message in debug mode.

While searching for this error I found something about the groupcheck table
which we never used. In the config this option is marked out:

#groupcheck_table = radgroupcheck

And in the database there is no table called radgroupcheck because I never used
it.

So because of that there's no query at the Authorization Queries section
related to the groupcheck (authorize_group_reply_query)

How can I get my freeradius working again and simply not let it do a thing
with the groupcheck (which I guess is the problem of the empty expand which
I see in debug mode)?


Read a few more lines in sql.conf and you will find out how not to use
groups.

read_groups = no

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS and Active Directory

2009-02-19 Thread tnt
My question now is, how do I login to AD using a new user that has never
logged on to the box before? I'm getting an error saying domain AD
unavailable, but if I use username that I used to login before 802.1x
enforcement all is looking good...


I am not sure what the problem is from your description. If it's
complaining about the domain try using alternative  for username -
%{mschap:User-Name}. That is documented above the ntlm_auth line in
mschap module. Try and see if that helps.

Ivan Kalik
Kalik Informatika ISP



RE: FreeRADIUS EAP-TLS and SSL certificate chains

2009-02-19 Thread tnt
I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
not require a client certificate. My understanding however is that for
passing of the server certificate to validate our server to the clients
the options with the tls subsection of the eap.conf file are still used.


For that you need to export just the intermediate certificate used to
sign the server certificate onto the clients. They should have the root
one already.

Import intermediate certificate (.der or .crt version) onto a client.
Copy server.crt onto the client desktop and see if Windows recognized
the chain.

Ivan Kalik
Kalik Informatika ISP



Re: different ldap with different accept and reject

2009-02-19 Thread tnt
Now I use 3-4 different LDAPs.

I want to run scripts depending on access or reject, not every time.

How can I configure it?


Unlang in post-auth / Post-Auth-Type REJECT sections.

Ivan Kalik
Kalik Informatika ISP

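A fuller sketch of that one-line answer, added here as an illustration and not taken from the post or from the FreeRADIUS distribution: two rlm_exec instances and the post-auth section of a FreeRADIUS 2.x virtual server. Modules listed directly in post-auth run only when the reply is an Access-Accept; the Post-Auth-Type REJECT sub-section runs only for an Access-Reject. This is also the "post-auth" stage the earlier CHAP thread recommends for anything that has to happen after the accept/reject decision. The script paths are assumed.

```text
# raddb/modules/notify_accept   (added example, paths assumed)
exec notify_accept {
        wait = yes
        program = "/usr/local/bin/on-accept.sh %{User-Name}"
        input_pairs = request
        shell_escape = yes
}

# raddb/modules/notify_reject   (added example, paths assumed)
exec notify_reject {
        wait = yes
        program = "/usr/local/bin/on-reject.sh %{User-Name}"
        input_pairs = request
        shell_escape = yes
}

# raddb/sites-enabled/default
post-auth {
        # runs only on Access-Accept
        notify_accept

        Post-Auth-Type REJECT {
                # runs only on Access-Reject
                notify_reject
        }
}
```

Keep `shell_escape = yes` on any program line that expands request attributes such as `%{User-Name}`: those values arrive from the NAS, and escaping them is what stops a crafted username from being interpreted by the shell. `wait = yes` makes the script's exit status part of the module's return code, which is what you want if the script is meant to be able to influence the reply.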


Re: FreeRADIUS and Active Directory

2009-02-19 Thread tnt
My problem is that my windows box has no way of communicating with AD
server to verify user credentials for initial login screen (reason for
that is because switch port state is uncontrolled and no other but EAPOL
traffic can pass through)
Is there any way setting my windows box so that user gets authenticated
against radius and then AD using single sign on without doing any hacks
to MS GINA or stuff like that?

What does Windows box have to do with this? Enable port based
authentication (802.1x) on the switch. Set it to use freeradius
integrated with AD. Switch will pass credentials to freeradius and it
will pass them to AD. From what you are saying (only EAPOL can pass
through the port) it is more-or-less set that way.

Ivan Kalik
Kalik Informatika ISP



RE: FreeRADIUS EAP-TLS and SSL certificate chains

2009-02-19 Thread tnt
Googling suggested that simply catting the 2 certs (server and
intermediate) into a single file (server at top, intermediate at bottom)
and listing that in the config as the certificate_file should work

No, that's not going to work. Client machine will still look for the
intermediate CA in its store and not in that bundle.

Ivan Kalik
Kalik Informatika ISP



Re: How to Authenticate Mysql Users whit freeradius editing the usersfile

2009-02-19 Thread tnt
Freeradius doesn't authenticate with mysql, so it uses other ways like EAP,
PAP and others.

I had edited the users file in the attribute auth-type with various
values: Local, EAP, PAP, System...


Why? All the freeradius documentation says that you *shouldn't* force
the Auth-Type.

As you see, the user juanpal authenticates with mysql but the next step stops
him

My user file has this:

DEFAULT Auth-Type := Local, Crypt-password = User-Password
Fall-Through = yes

Delete that. Follow the sql howto from the wiki.

Ivan Kalik
Kalik Informatika ISP



Re: Autz-type LDAP, Auth-Type MSCHAP possible ? (for vlan assignment)

2009-02-18 Thread tnt
My goal is to assign vlans from some Organizational Units in AD.

So do it. You don't need to force any Auth or Autz types. Set up the
group membership filter in ldap module. It will give you Ldap-Group
which you can use to assign vlans:

DEFAULT   Ldap-Group == something
some tunnel attributes

DEFAULT   Ldap-Group == something_else
 some other tunnel attributes

Ivan Kalik
Kalik Informatika ISP

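The two DEFAULT entries from that answer, filled in as an added example (not from the post or the FreeRADIUS distribution): the "tunnel attributes" are the RFC 3580 attributes switches use for dynamic VLAN assignment. It assumes, as the answer says, that the ldap module has a group membership filter configured so that Ldap-Group can be compared; the group names and VLAN IDs are assumed too.

```text
# raddb/users   (added example; group names and VLAN IDs are assumed)

DEFAULT Ldap-Group == "staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

DEFAULT Ldap-Group == "students"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"
```

Each entry's reply items are comma-separated with no comma after the last; Fall-Through defaults to no, so the first matching group wins. Because the VLAN comes from the directory group and not from a forced Auth-Type, the same entries serve EAP-TLS and PEAP/MS-CHAPv2 users alike, which is the point of not forcing Auth or Autz types.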


Re:

2009-02-18 Thread tnt
I am trying to configure free radius to work with our 28 NASs.
These NASs are split into two groups, at different locations (equal
split 14-14).
All NASs report NAS-IP-Address correctly (ie uniquely)
Any device requesting authentication randomly connects to any one of the
28 NASs.
All devices are unique, and Calling-Station-ID is used to uniquely
identify every device. There is no possible chance of multiple instances
connecting
Some devices *may* require require PAP/CHAP -- the default being ignore
User-Name etc. This is configured on a device by device basis.
Devices may require an alternative configuration using Called-Station-ID
Furthermore, I wish to use MySQL, so that I can add new provisioned
devices auto-magically, without needing to tell the radius server.
I've a freshly compiled version 2.1.3, running on CentOS 5.3 -- That was
by far the easiest bit! Many thanks for that.

*Now the problem*

Each set of NASs requires a different Framed-IP-Address pool eg
10.0.0.0/24 for site1, and 10.8.0.0/24 for site2 with Called-Station-Id
= domain.com, and 192.168.110.0/26 for site1, and 192.168.110.128/26 for
site2 with Called-Station-Id = domain.co.uk
I'm using sqlippool to supply the IP.


I assume you have site1 and site2 NAS-IP-Address huntgroups. Users file:

DEFAULT   Huntgroup-Name == site1, Called-Station-Id ==
domain.com, Pool-Name := 10.0_pool

DEFAULT   Huntgroup-Name == site2, Called-Station-Id ==
domain.com, Pool-Name := 10.8_pool

DEFAULT   Huntgroup-Name == site1, Called-Station-Id ==
domain.co.uk, Pool-Name := 110.0_pool

DEFAULT   Huntgroup-Name == site2, Called-Station-Id ==
domain.co.uk, Pool-Name := 110.128_pool

I have some doubts that your NAS will send such Called-Station-Id. It's
probably Realm.

Ivan Kalik
Kalik Informatika ISP


