Re: Need help: login incorrect with FR 2.2.1

2013-05-16 Thread Fajar A. Nugraha
On Fri, May 17, 2013 at 2:09 AM, Wang, Yu ywan...@fsu.edu wrote:

 Hello,



 I upgraded FR from 2.1.10 to 2.2.1. Everything went well except that about 25% of 
 our wireless users cannot authenticate after the upgrade. The backend 
 authentication server is Active Directory and we use ntlm_auth from winbind 
 to pass the MSCHAPv2 response from FR to AD.

 rlm_perl: Added pair NT-Password = 
 0x33343133344331374133364243314244413638324232323239443431

 [pap] Normalizing NT-Password from hex encoding


Just curious. Do ALL the failed users have the NT-Password attribute
added by rlm_perl?

IIRC the reason for using ntlm_auth is that AD would NOT give out
NT-Password when running in LDAP mode. Or to put it another way, if
you had access to NT-Password (e.g. stored in another database,
whatever), then you won't need ntlm_auth at all.

If you DO use ntlm_auth (which I don't see from the debug log), try
removing NT-Password from the list of attributes added by rlm_perl. My
guess is that whatever your rlm_perl data source is, it is out of sync with
your AD.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
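A small triage script for the question asked above, added here as an example (it is not from the mail or from FreeRADIUS): it groups a radiusd -X capture by Access-Request and reports, per user, whether rlm_perl added NT-Password and whether the request ended in "Login incorrect", which is exactly the correlation the reply asks about. The capture is constructed to have the shape of 2.x debug output; only the rlm_perl "Added pair" line comes from the mail, and the hash values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeRADIUS: correlate
# "rlm_perl: Added pair NT-Password" with the outcome of each request in a
# radiusd -X capture. If every failing user is one that rlm_perl gave an
# NT-Password, the stale-hash explanation in the reply fits; users that fail
# without it need another explanation.

# Constructed sample capture (shape of 2.x debug output; the 0x... values are
# placeholders, not real hashes).
SAMPLE_DEBUG='rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=10, length=130
        User-Name = "alice"
rlm_perl: Added pair NT-Password = 0xPLACEHOLDERHASH1
[pap] Normalizing NT-Password from hex encoding
Login incorrect: [alice] (from client wlan port 0)
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=11, length=130
        User-Name = "bob"
Login OK: [bob] (from client wlan port 0)
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=12, length=130
        User-Name = "carol"
rlm_perl: Added pair NT-Password = 0xPLACEHOLDERHASH2
[pap] Normalizing NT-Password from hex encoding
Login incorrect: [carol] (from client wlan port 0)
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=13, length=130
        User-Name = "dave"
Login incorrect: [dave] (from client wlan port 0)'

# Reads a capture on stdin; prints one line per Access-Request:
# "<user> <ntpassword-added:yes|no> <fail|ok|unknown>"
triage_requests() {
    awk '
        BEGIN { added = "no"; result = "unknown" }
        function flush() {
            if (user != "") printf "%s %s %s\n", user, added, result
            user = ""; added = "no"; result = "unknown"
        }
        /^rad_recv: Access-Request/ { flush() }
        $1 == "User-Name" && $2 == "=" { user = $3; gsub(/"/, "", user) }
        /^rlm_perl: Added pair NT-Password = / { added = "yes" }
        /^Login incorrect: / { result = "fail" }
        /^Login OK: / { result = "ok" }
        END { flush() }
    '
}

# One-line summary of the correlation (reads a capture on stdin).
summarise() {
    triage_requests | awk '
        $3 == "fail" { failed++; if ($2 == "yes") failed_with++ }
        $3 == "ok" && $2 == "yes" { ok_with++ }
        END { printf "failed=%d failed_with_ntpassword=%d ok_with_ntpassword=%d\n",
                     failed, failed_with, ok_with }'
}

# Users whose failure the NT-Password theory does not explain.
failed_without_ntpassword() {
    triage_requests | awk '$3 == "fail" && $2 == "no" { print $1 }'
}

printf '%s\n' "$SAMPLE_DEBUG" | triage_requests
printf '%s\n' "$SAMPLE_DEBUG" | summarise
printf '%s\n' "$SAMPLE_DEBUG" | failed_without_ntpassword
```

On a real capture, feed `radiusd -X` output (or the debug log file) to `summarise` on stdin; a non-empty `failed_without_ntpassword` list means the rlm_perl attribute is not the whole story.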


Re: Need help with making RPM from v2.x.x branch

2013-05-10 Thread Divyesh Raithatha
It appears that the created RPM doesn't include the TLV updates that were
made to the 2.x.x branch last week.  Why wouldn't these be included in the
RPM even though I am building the RPM with the current 2.x.x source?

Thanks.

On Wed, May 8, 2013 at 5:42 PM, Divyesh Raithatha 
divyesh.raitha...@gmail.com wrote:

 Thanks everyone.  Finally got the RPM build to work by doing the following:

 Version:  2.2.0 in the top of the freeradius.spec file to 2.2.1, and
 renaming the source bz2 file to freeradius-server-2.2.1.tar.bz2

 Along with commenting out patches 2 and 5
 #Patch2: freeradius-radtest.patch
 #Patch5: freeradius-radeapclient-ipv6.patch


 Changing the README line to README.rst
 # install doc files omitted by standard install
 for f in COPYRIGHT CREDITS INSTALL README.rst; do
 cp $f $RPM_BUILD_ROOT/%{docdir}

 diff freeradius.spec ~/freeradius-server-2.2.1/redhat/freeradius.spec
 3c3
  Version: 2.2.0
 ---
  Version: 2.2.1
 15c15
  Patch2: freeradius-radtest.patch
 ---
  #Patch2: freeradius-radtest.patch
 18c18
  Patch5: freeradius-radeapclient-ipv6.patch
 ---
  #Patch5: freeradius-radeapclient-ipv6.patch
 152c152
  %patch2 -p1 -b .radtest
 ---
  #%patch2 -p1 -b .radtest
 155c155
  %patch5 -p1 -b .radeapclient-ipv6
 ---
  #%patch5 -p1 -b .radeapclient-ipv6
 239c239
  for f in COPYRIGHT CREDITS INSTALL README; do
 ---
  for f in COPYRIGHT CREDITS INSTALL README.rst; do
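Review bot: the `#Patch2`/`#%patch2` and `#Patch5`/`#%patch5` pairs are consistent (a `%patchN` left in with its `PatchN:` commented out would fail in %prep), but nothing in this diff shows whether the disabled patches are obsolete or genuinely lost: the earlier `Hunk #1 FAILED at 121` for src/main/radtest.in says the branch already differs there, so Patch2 is most likely already upstream, while no such evidence is shown for the radeapclient-ipv6 patch, so compare it against the v2.x.x source (`git log -p` on the file it touches) before shipping the RPM. The `Version: 2.2.1` bump only works together with the renamed freeradius-server-2.2.1.tar.bz2 listed above, presumably because Source0 expands %{version}; the two must be changed together.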
 By commenting out patch 2 and patch 5 what am I missing, if anything?

 On Wed, May 8, 2013 at 8:20 AM, John Dennis jden...@redhat.com wrote:

 On 05/08/2013 03:19 AM, Fajar A. Nugraha wrote:

 On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh
 divyesh.raitha...@gmail.com wrote:

 Thanks, I got past the README but now I am getting the following file
 not found errors.  They do exist, however, it looks like the build is
 looking for version 2.2.0 of the library files yet they are listed as 
 2.2.1.


 error: File not found: /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst


 That's kinda tricky. Look at %files section in the spec file.

 The cleanest solution right now would probably be changing Version:
 2.2.0 in the top of the make file to 2.2.1, AND rename your source
 bz2 file to freeradius-server-2.2.1.tar.bz2.


 The version macro in the spec file, the version embedded in tar file
 name, and the contents of tar file all *MUST* match. You have to be precise
 with what version you're building.

 I assumed that was obvious as opposed to being tricky ;-)


 Another way would be changing the files section, from (e.g.)

 %{_libdir}/freeradius/rlm_acct_unique-%{version}.so

 to

 %{_libdir}/freeradius/rlm_acct_unique-*.so

 ... or even try deleting all rlm_* lines and replace them with a
 one-liner

 %{_libdir}/freeradius/rlm_*.so*



 --
 John Dennis jden...@redhat.com

 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/




Re: Need help with making RPM from v2.x.x branch

2013-05-10 Thread John Dennis

On 05/10/2013 12:05 PM, Divyesh Raithatha wrote:

It appears that the created RPM doesn't include the TLV updates that were
made to the 2.x.x branch last week.  Why wouldn't these be included in
the RPM even though I am building the RPM with the current 2.x.x source?


Use the source Luke :-)

I assume you built from git, therefore you've got every piece of 
information you need to figure this out. git log will give you exact 
information.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Raithatha, Divyesh
Thanks, I got past the README but now I am getting the following file not found 
errors.  They do exist, however, it looks like the build is looking for version 
2.2.0 of the library files yet they are listed as 2.2.1.


error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst
error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/usr/lib64/freeradius/rlm_acct_unique-2.2.0.so

Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Fajar A. Nugraha
On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh
divyesh.raitha...@gmail.com wrote:
 Thanks, I got past the README but now I am getting the following file not 
 found errors.  They do exist, however, it looks like the build is looking for 
 version 2.2.0 of the library files yet they are listed as 2.2.1.


 error: File not found: 
 /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst

That's kinda tricky. Look at %files section in the spec file.

The cleanest solution right now would probably be changing Version:
2.2.0 in the top of the make file to 2.2.1, AND rename your source
bz2 file to freeradius-server-2.2.1.tar.bz2.

Another way would be changing the files section, from (e.g.)

%{_libdir}/freeradius/rlm_acct_unique-%{version}.so

to

%{_libdir}/freeradius/rlm_acct_unique-*.so

... or even try deleting all rlm_* lines and replace them with a one-liner

%{_libdir}/freeradius/rlm_*.so*

-- 
Fajar


Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Phil Mayers

On 05/08/2013 08:19 AM, Fajar A. Nugraha wrote:


%{_libdir}/freeradius/rlm_acct_unique-*.so


FWIW this is the approach we usually take when packaging things; it 
seems pointless to me to embed version numbers into %files macros. I'm 
aware this is probably frowned on by some packaging guidelines, but it 
works well for us ;o)



Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread John Dennis

On 05/08/2013 03:19 AM, Fajar A. Nugraha wrote:

On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh
divyesh.raitha...@gmail.com wrote:

Thanks, I got past the README but now I am getting the following file not found 
errors.  They do exist, however, it looks like the build is looking for version 
2.2.0 of the library files yet they are listed as 2.2.1.


error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst


That's kinda tricky. Look at %files section in the spec file.

The cleanest solution right now would probably be changing Version:
2.2.0 in the top of the make file to 2.2.1, AND rename your source
bz2 file to freeradius-server-2.2.1.tar.bz2.


The version macro in the spec file, the version embedded in tar file 
name, and the contents of tar file all *MUST* match. You have to be 
precise with what version you're building.


I assumed that was obvious as opposed to being tricky ;-)



Another way would be changing the files section, from (e.g.)

%{_libdir}/freeradius/rlm_acct_unique-%{version}.so

to

%{_libdir}/freeradius/rlm_acct_unique-*.so

... or even try deleting all rlm_* lines and replace them with a one-liner

%{_libdir}/freeradius/rlm_*.so*




--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
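A pre-flight check for the three-way match John describes (spec Version:, tarball name, tarball contents), added as an example; it is not the project's spec file or any rpm tooling. It reads Name:, Version: and Source0: from a spec, expands the two macros, confirms the tarball exists under SOURCES and that its top-level directory carries the same version, and flags %files entries that pin module names to -%{version} (the form Fajar suggested globbing). The spec, URL and tarball in the demo are constructed; the demo uses a .tar.gz so it runs without bzip2, while the check itself also handles the .tar.bz2 from the thread.

```shell
#!/bin/sh
# Added example, not from the FreeRADIUS spec file or the thread: check that
# Version: in the spec, the tarball named by Source0 and the directory inside
# that tarball agree before rpmbuild is run, and point out %files lines that
# pin module names to %{version}. Constructed demo data at the bottom.

# Print the value of "Tag: value" from a spec file (first occurrence).
spec_tag() {  # $1 = tag, $2 = spec path
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# Expand %{name} and %{version}, the only macros this check needs.
expand_macros() {  # $1 = string, $2 = name, $3 = version
    printf '%s\n' "$1" | sed -e "s/%{name}/$2/g" -e "s/%{version}/$3/g"
}

# Top-level directory inside a tarball, choosing the decompressor by suffix.
tarball_topdir() {  # $1 = tarball path
    case $1 in
        *.bz2) tar -tjf "$1" ;;
        *.gz)  tar -tzf "$1" ;;
        *)     tar -tf  "$1" ;;
    esac | head -n 1 | cut -d/ -f1
}

# Returns 0 when spec, tarball name and tarball contents agree, 1 otherwise.
check_spec() {  # $1 = spec path, $2 = SOURCES directory
    spec=$1; sources=$2; rc=0
    name=$(spec_tag Name "$spec")
    version=$(spec_tag Version "$spec")
    source0=$(spec_tag Source0 "$spec")
    tarball=$(expand_macros "${source0##*/}" "$name" "$version")

    if [ ! -f "$sources/$tarball" ]; then
        echo "MISSING: Source0 expands to $tarball; $sources contains:"
        ls "$sources" | sed 's/^/    /'
        rc=1
    else
        # %setup unpacks the tarball and cds into <name>-<version>; if the
        # directory inside carries another version, %prep fails later.
        topdir=$(tarball_topdir "$sources/$tarball")
        case $topdir in
            *-"$version") : ;;
            *) echo "MISMATCH: tarball unpacks to $topdir, spec Version: is $version"
               rc=1 ;;
        esac
    fi

    # Entries like rlm_foo-%{version}.so break on every version bump; the
    # thread's alternative is rlm_foo-*.so.
    pinned=$(sed -n '/^%files/,$p' "$spec" | grep 'rlm_.*-%{version}\.so' || true)
    if [ -n "$pinned" ]; then
        echo "NOTE: %files pins module names to %{version}:"
        printf '%s\n' "$pinned" | sed 's/^/    /'
    fi
    return $rc
}

# Constructed demo: a 2.2.1 tarball beside a spec that still says 2.2.0,
# which is the situation in this thread. URL and spec are placeholders.
make_demo() {  # $1 = work dir
    mkdir -p "$1/SOURCES" "$1/src/freeradius-server-2.2.1"
    : > "$1/src/freeradius-server-2.2.1/README.rst"
    tar -czf "$1/SOURCES/freeradius-server-2.2.1.tar.gz" -C "$1/src" freeradius-server-2.2.1
    cat > "$1/freeradius.spec" <<'EOF'
Name: freeradius
Version: 2.2.0
Source0: http://example.invalid/freeradius-server-%{version}.tar.gz
%files
%{_libdir}/freeradius/rlm_acct_unique-%{version}.so
%{_libdir}/freeradius/rlm_always-%{version}.so
EOF
}

work=$(mktemp -d)
make_demo "$work"
check_spec "$work/freeradius.spec" "$work/SOURCES" || echo "--> fix the spec"
# What the thread ended up doing: bump Version: to match the tarball.
sed 's/^Version:.*/Version: 2.2.1/' "$work/freeradius.spec" > "$work/fixed.spec"
check_spec "$work/fixed.spec" "$work/SOURCES" && echo "--> spec and tarball agree"
rm -rf "$work"
```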


Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Divyesh Raithatha
Thanks everyone.  Finally got the RPM build to work by doing the following:

Version:  2.2.0 in the top of the freeradius.spec file to 2.2.1, and
renaming the source bz2 file to freeradius-server-2.2.1.tar.bz2

Along with commenting out patches 2 and 5
#Patch2: freeradius-radtest.patch
#Patch5: freeradius-radeapclient-ipv6.patch


Changing the README line to README.rst
# install doc files omitted by standard install
for f in COPYRIGHT CREDITS INSTALL README.rst; do
cp $f $RPM_BUILD_ROOT/%{docdir}

diff freeradius.spec ~/freeradius-server-2.2.1/redhat/freeradius.spec
3c3
 Version: 2.2.0
---
 Version: 2.2.1
15c15
 Patch2: freeradius-radtest.patch
---
 #Patch2: freeradius-radtest.patch
18c18
 Patch5: freeradius-radeapclient-ipv6.patch
---
 #Patch5: freeradius-radeapclient-ipv6.patch
152c152
 %patch2 -p1 -b .radtest
---
 #%patch2 -p1 -b .radtest
155c155
 %patch5 -p1 -b .radeapclient-ipv6
---
 #%patch5 -p1 -b .radeapclient-ipv6
239c239
 for f in COPYRIGHT CREDITS INSTALL README; do
---
 for f in COPYRIGHT CREDITS INSTALL README.rst; do
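Review bot: commenting out `Patch2:` and `Patch5:` together with their `%patch2`/`%patch5` lines keeps the spec consistent, but it does not by itself answer "what am I missing": the `Hunk #1 FAILED at 121` rejection for src/main/radtest.in earlier in this thread indicates the v2.x.x branch already differs at that spot, so the radtest patch is most likely already upstream, whereas nothing shown here establishes the same for the radeapclient-ipv6 patch; compare that one against the branch (`git log -p` on the file it modifies) before relying on the RPM. The `Version: 2.2.1` change is only effective together with the tarball renamed to freeradius-server-2.2.1.tar.bz2 as described above.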
By commenting out patch 2 and patch 5 what am I missing, if anything?

On Wed, May 8, 2013 at 8:20 AM, John Dennis jden...@redhat.com wrote:

 On 05/08/2013 03:19 AM, Fajar A. Nugraha wrote:

 On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh
 divyesh.raitha...@gmail.com wrote:

 Thanks, I got past the README but now I am getting the following file
 not found errors.  They do exist, however, it looks like the build is
 looking for version 2.2.0 of the library files yet they are listed as 2.2.1.


 error: File not found: /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst


 That's kinda tricky. Look at %files section in the spec file.

 The cleanest solution right now would probably be changing Version:
 2.2.0 in the top of the make file to 2.2.1, AND rename your source
 bz2 file to freeradius-server-2.2.1.tar.bz2.


 The version macro in the spec file, the version embedded in tar file name,
 and the contents of tar file all *MUST* match. You have to be precise with
 what version you're building.

 I assumed that was obvious as opposed to being tricky ;-)


 Another way would be changing the files section, from (e.g.)

 %{_libdir}/freeradius/rlm_acct_unique-%{version}.so

 to

 %{_libdir}/freeradius/rlm_acct_unique-*.so

 ... or even try deleting all rlm_* lines and replace them with a one-liner

 %{_libdir}/freeradius/rlm_*.so*



 --
 John Dennis jden...@redhat.com

 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/


Re: Need help with making RPM from v2.x.x branch

2013-05-07 Thread Fajar A. Nugraha
On Tue, May 7, 2013 at 3:35 AM, Divyesh Raithatha
divyesh.raitha...@gmail.com wrote:

 to get past the patch error messages but I get another error below:



 + cp README 
 /home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0


Look at the spec file, change

cp README 
/home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0
to

cp README.rst 
/home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0

... and look near %files, change README to README.rst there as well.

--
Fajar


Re: Need help with making RPM from v2.x.x branch

2013-05-07 Thread Fajar A. Nugraha
On Tue, May 7, 2013 at 4:28 AM, John Dennis jden...@redhat.com wrote:

 These project maintained build configurations are best thought of as
 bleeding edge developer stuff. Make some change and you want to test on
 Fedora or Debian and need packages, then these build directories are the
 go-to place. Or for those cases where a distribution has not caught up with
 upstream yet, then this can serve a useful purpose as well (as long as they
 stay generic, see below), another variant of the "this is only for the
 latest and greatest".


You've pretty much covered it.



 My suggestion is for upstream FreeRADIUS to maintain a generic Red Hat RPM
 spec file which is vanilla as possible without any patches whatsoever. In
 theory current upstream shouldn't need patches. Also any customization we
 might do really should come from us, not upstream. If one is building an
 RPM from the current FreeRADIUS version using the FreeRADIUS RPM spec file
 then one should get a vanilla FreeRADIUS build whose only customization
 extends to assuring the same file locations, package names, etc. are used.
 You pretty much get this for free. I would take an existing spec file strip
 out all the patches, changelog, etc. and then one only needs to take a look
 at the options passed to configure (I'm thinking about options which
 control which modules are built).



IMHO some of it (e.g. changelog, patches for cert config) is/was necessary.

My use case was that I wanted the build to be as much drop-in as possible,
so I can (for example) upgrade to 2.2.1 as soon as possible when it comes
out, but switch to Red Hat's official RPM when it's available, without
having to change my config. Without some of the patches, I'd need to modify
my config file as well.



 Would we like to maintain the ./redhat subdirectory?

 No, for two reasons.

 1. It's impossible, as pointed out above there is no single spec file,
 each spec file is tied to a specific release. We maintain *independent*
 spec files for *every* distribution version we support, at the moment that
 numbers in the dozens :-(


Yeah. Before 2.2.0 was out, I made sure that I could build RPMs for RHEL5 and
6 (because that's what I use), and submitted the necessary changes upstream.
It seems to be enough (i.e. those two versions made up for most who need to
build a Red Hat RPM), because IIRC there hasn't been a mail to the list
about "I need to build an FR 2.2.0 RPM for X flavor of Red Hat but the
included spec file doesn't work".



 2. We already maintain them and they are publicly available for anyone to
 download. Trying to maintain multiple copies in multiple repositories and
 assuring they all stay in sync doesn't seem justified.


Thanks for the effort.

If no one else does this first, I'd probably submit patches to make FR debs
and RPMs build cleanly before 2.2.1 is out (need to dig out my lxc
templates first). That way at least people can build packages for released
versions.

-- 
Fajar

Re: Need help with making RPM from v2.x.x branch

2013-05-07 Thread Alan DeKok
John Dennis wrote:
 Why does FreeRADIUS maintain build configurations for Red Hat and
 Debian?

  Part historical reasons.  RPMs were difficult to find, and it was
easier to include RPM scripts in the server.

  It also means it's easy for people to build custom RPMs.  They can use
an established spec distributed with the server.  They don't have to
search for spec files.

 I can't speak for Debian, I'm not a Deb package maintainer, but at least
 in the Red Hat world there isn't just one Red Hat distribution, there
 are many and each can have different build requirements and build
 configurations.

  Yes.  The files distributed with the server should create *a* package.
 Not *the* canonical package.  It will work, and will follow your system
packaging method.  But it won't be identical to an upstream package.

 Another problem is the spec file under ./redhat is forever getting out
 of sync (as evidenced by the OP). Patch sets are a superb example of
 this (compounded by the problem there is no single rpm spec file for all
 Red Hat versions).

  For our purposes, there doesn't need to be.

 My suggestion is for upstream FreeRADIUS to maintain a generic Red Hat
 RPM spec file which is vanilla as possible without any patches
 whatsoever. In theory current upstream shouldn't need patches. Also any
 customization we might do really should come from us, not upstream. If
 one is building an RPM from the current FreeRADIUS version using the
 FreeRADIUS RPM spec file then one should get a vanilla FreeRADIUS build
 whose only customization extends to assuring the same file locations,
 package names, etc. are used. You pretty much get this for free. I would
 take an existing spec file strip out all the patches, changelog, etc.
 and then one only needs to take a look at the options passed to
 configure (I'm thinking about options which control which modules are
 built).

  That's pretty much the goal, yes.

 The generic RPM spec file that upstream maintains should be exercised on
 regular basis. Far too often we've seen upstream changes that required
 spec file changes but which were never done (e.g. add/removing modules
 and/or other files).

  I have a redhat VM around somewhere...

  Alan DeKok.


Re: Need help with making RPM from v2.x.x branch

2013-05-07 Thread John Dennis

On 05/07/2013 04:46 AM, Fajar A. Nugraha wrote:

On Tue, May 7, 2013 at 4:28 AM, John Dennis jden...@redhat.com wrote:

These project maintained build configurations are best thought of as
bleeding edge developer stuff. Make some change and you want to
test on Fedora or Debian and need packages, then these build
directories are the go-to place. Or for those cases where a
distribution has not caught up with upstream yet, then this can
serve a useful purpose as well (as long as they stay generic, see
below), another variant of the "this is only for the latest and
greatest".


You've pretty much covered it.


My suggestion is for upstream FreeRADIUS to maintain a generic Red
Hat RPM spec file which is vanilla as possible without any patches
whatsoever. In theory current upstream shouldn't need patches. Also
any customization we might do really should come from us, not
upstream. If one is building an RPM from the current FreeRADIUS
version using the FreeRADIUS RPM spec file then one should get a
vanilla FreeRADIUS build whose only customization extends to
assuring the same file locations, package names, etc. are used. You
pretty much get this for free. I would take an existing spec file
strip out all the patches, changelog, etc. and then one only needs
to take a look at the options passed to configure (I'm thinking
about options which control which modules are built).



IMHO some of it (e.g. changelog, patches for cert config) is/was necessary.


Yes, this is sensible. My suggestion was mostly aimed at simplifying the 
task with the hope it would then be more robust and easier to maintain.




My use case was that I wanted the build to be as much drop-in as
possible, so I can (for example) upgrade to 2.2.1 as soon as possible
when it comes out, but switch to Red Hat's official RPM when it's
available, without having to change my config. Without some of the
patches, I'd need to modify my config file as well.


I think the only thing of consequence we customize is the bootstrap cert 
creation which is done via RPM during the install step (plus tweaking 
some of the cert parameters to tighten up security).


Any other patches are bug fixes found either by our QA team or 
customers. Those usually break down into one of two categories: 
fixes upstream has made post release that we've 'backported', or fixes 
we've made and have submitted to the project. The lifetime of these 
patches is short because in almost every instance the next upstream 
release has addressed the issue. Kudos to the team for that. So my 
thought was if you didn't try to mirror that patch set it would be much 
easier and little would be lost.



Would we like to maintain the ./redhat subdirectory?

No, for two reasons.

1. It's impossible, as pointed out above there is no single spec
file, each spec file is tied to a specific release. We maintain
*independent* spec files for *every* distribution version we
support, at the moment that numbers in the dozens :-(


Yeah. Before 2.2.0 was out, I made sure that I could build RPMs for RHEL5
and 6 (because that's what I use), and submitted the necessary changes
upstream. It seems to be enough (i.e. those two versions made up for
most who need to build a Red Hat RPM), because IIRC there hasn't been a
mail to the list about "I need to build an FR 2.2.0 RPM for X flavor of Red
Hat but the included spec file doesn't work".


Currently the biggest pain point is the transition from SysV initscripts 
to systemd. How daemons are installed and configured is different 
between Fedora and RHEL at the moment and because systemd is still in a 
bit of flux things can be different even between Fedora releases. 
Differences in BuildRequires occur less often, but do occur.


There is an everlasting debate as to whether it's best to maintain one 
spec file that's common across distributions and parameterize it so that it 
behaves differently in different targets, or whether it's best to 
maintain completely different spec files and merge changes across them.


Those who argue for merging cite the complexity of parameterized spec 
files complaining all that conditional logic is difficult to work with 
and fragile making it difficult to maintain. Those who argue for 
parameterizing cite how merging is fragile and is difficult to maintain.


So obviously there isn't one right way. But because we're so constrained 
as to what can appear in RHEL (every change has to have numerous 
approvals) I gave up on trying to use Fedora spec files in RHEL and 
instead merge the leading edge Fedora into RHEL.





2. We already maintain them and they are publicly available for
anyone to download. Trying to maintain multiple copies in multiple
repositories and assuring they all stay in sync doesn't seem justified.


Thanks for the effort.

If no one else does this first, I'd probably submit patches to make FR

Need help with making RPM from v2.x.x branch

2013-05-06 Thread Divyesh Raithatha
Hello all, has anyone had success in building an RPM from the v2.x.x branch
from http://git.freeradius.org?

I am following the information from
http://wiki.freeradius.org/guide/Red-Hat-FAQ

On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
successfully but I want to get all of the recent patches from the v2.x.x
branch.  However, when I tried to build the RPM from v2.x.x I get the
following message:


Hunk #1 FAILED at 121.
1 out of 1 hunk FAILED -- saving rejects to file src/main/radtest.in.rej
error: Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)


RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)


Here is the radtest.in.rej file contents:

--- src/main/radtest.in 2011-09-30 10:12:07.0 -0400
+++ src/main/radtest.in 2012-01-05 15:51:56.877585514 -0500
@@ -121,7 +121,7 @@
echo EAP-Code = Response
echo EAP-Type-Identity = \$1\
fi
-   if [ $6 ]
+   if [ ! -z $6 ]  [[ $6 =~ ^[0-9]+$ ]]  [ $6 -gt 0 ]
then
echo Framed-Protocol = PPP
fi
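Review bot: the hunk is rejected because its `-` line `if [ $6 ]` (with the surrounding context at line 121) no longer exists in the v2.x.x copy of src/main/radtest.in, while the same patch applied cleanly to the 2.2.0 tarball; the likely reason is that the branch already carries an equivalent of this change, which makes Patch2 in the spec redundant rather than something to force in. Check with `git log -p -- src/main/radtest.in` in the v2.x.x checkout and drop the patch from the spec if the replacement test is already there. Two smaller points on the `+` line as shown: the `&&` between its three tests is missing (probably lost in mail transit, but worth confirming in the .patch file), and `$6` is expanded unquoted, so `[ ! -z "$6" ]` would be the robust form.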





Here is the contents of /var/tmp/rpm-tmp.uETav5

#!/bin/sh

  RPM_SOURCE_DIR="/home/test/rpmbuild/SOURCES"
  RPM_BUILD_DIR="/home/test/rpmbuild/BUILD"
  RPM_OPT_FLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic"
  RPM_ARCH="x86_64"
  RPM_OS="linux"
  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS
  RPM_DOC_DIR="/usr/share/doc"
  export RPM_DOC_DIR
  RPM_PACKAGE_NAME="freeradius"
  RPM_PACKAGE_VERSION="2.2.0"
  RPM_PACKAGE_RELEASE="1.el6"
  export RPM_PACKAGE_NAME RPM_PACKAGE_VERSION RPM_PACKAGE_RELEASE
  LANG=C
  export LANG
  unset CDPATH DISPLAY ||:

  RPM_BUILD_ROOT="/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64"
  export RPM_BUILD_ROOT

  PKG_CONFIG_PATH="/usr/lib64/pkgconfig:/usr/share/pkgconfig"
  export PKG_CONFIG_PATH

  set -x
  umask 022
  cd /home/test/rpmbuild/BUILD
LANG=C
export LANG
unset DISPLAY

cd '/home/test/rpmbuild/BUILD'
rm -rf 'freeradius-server-2.2.0'
/usr/bin/bzip2 -dc '/home/test/rpmbuild/SOURCES/freeradius-server-2.2.0.tar.bz2' | /bin/tar -xf -
STATUS=$?
if [ $STATUS -ne 0 ]; then
  exit $STATUS
fi
cd 'freeradius-server-2.2.0'
/bin/chmod -Rf a+rX,u+w,g-w,o-w .
echo "Patch #1 (freeradius-cert-config.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-cert-config.patch | /usr/bin/patch -p1 -b --suffix .cert-config --fuzz=0

echo "Patch #2 (freeradius-radtest.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-radtest.patch | /usr/bin/patch -p1 -b --suffix .radtest --fuzz=0

#%patch3 -p1 -b .man
#%patch4 -p1 -b .unix-passwd-expire
echo "Patch #5 (freeradius-radeapclient-ipv6.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-radeapclient-ipv6.patch | /usr/bin/patch -p1 -b --suffix .radeapclient-ipv6 --fuzz=0

#%patch6 -p1
#%patch7 -p1 -b perl
echo "Patch #8 (freeradius-dhcp_sqlippool.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-dhcp_sqlippool.patch | /usr/bin/patch -p1 --fuzz=0

# Some source files mistakenly have execute permissions set
find $RPM_BUILD_DIR/freeradius-server-2.2.0 \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +

exit 0


Any Ideas?

Thank you.
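To find a stale PatchN: before %prep aborts with "Hunk #1 FAILED", here is a dry-run hunk check written for this thread (an added example, not rpm, patch or FreeRADIUS code): it re-implements the part of patch --fuzz=0 that matters here, requiring each hunk's context and '-' lines to occur as one contiguous run in the target file. The diff and the two radtest.in variants are constructed to resemble the rejected hunk above (with the quoting and && a shell script would have); in the real case you would point it at the spec's .patch file and the file in the checked-out v2.x.x source.

```shell
#!/bin/sh
# Added example, not part of the mail, rpm or FreeRADIUS: check whether the
# hunks of a unified diff still apply to a file, the way patch --fuzz=0 does
# (all context and '-' lines of a hunk must appear as one contiguous run).
# Run it over every PatchN: in the spec before rpmbuild reaches %prep.

# Prints "hunk <n>: OK|FAILED" per hunk; exit status 1 if any hunk fails.
hunks_apply() {  # $1 = unified diff, $2 = target file
    awk '
        FNR == NR {                      # first file: the diff
            if ($0 ~ /^@@ /) { h++; n[h] = 0; next }
            if (h == 0) next             # skip the ---/+++ header
            c = substr($0, 1, 1)
            if (c == " " || c == "-") old[h, n[h]++] = substr($0, 2)
            next                         # added lines are not matched
        }
        { tgt[++t] = $0 }                # second file: the target
        END {
            for (i = 1; i <= h; i++) {
                found = 0
                for (s = 1; s <= t - n[i] + 1 && !found; s++) {
                    ok = 1
                    for (j = 0; j < n[i]; j++)
                        if (tgt[s + j] != old[i, j]) { ok = 0; break }
                    if (ok) found = 1
                }
                msg = found ? "OK" : "FAILED"
                printf "hunk %d: %s\n", i, msg
                if (!found) bad++
            }
            exit (bad ? 1 : 0)
        }' "$1" "$2"
}

# Constructed samples modelled on the radtest.in hunk quoted in the thread
# (shortened; not the real patch or the real file).
make_samples() {  # $1 = directory to write into
    cat > "$1/radtest.patch" <<'EOF'
--- a/src/main/radtest.in
+++ b/src/main/radtest.in
@@ -3,7 +3,7 @@
     echo "EAP-Code = Response"
     echo "EAP-Type-Identity = \"$1\""
 fi
-if [ "$6" ]
+if [ ! -z "$6" ] && [[ "$6" =~ ^[0-9]+$ ]] && [ "$6" -gt 0 ]
 then
     echo "Framed-Protocol = PPP"
 fi
EOF
    # 2.2.0-style source: the "-" line is still there, so the hunk applies.
    cat > "$1/radtest-2.2.0.in" <<'EOF'
if [ "$5" ]
then
    echo "EAP-Code = Response"
    echo "EAP-Type-Identity = \"$1\""
fi
if [ "$6" ]
then
    echo "Framed-Protocol = PPP"
fi
EOF
    # v2.x.x-style source: the change is already in, so the hunk is rejected,
    # which is what the "Hunk #1 FAILED at 121" message above reports.
    cat > "$1/radtest-2.x.x.in" <<'EOF'
if [ "$5" ]
then
    echo "EAP-Code = Response"
    echo "EAP-Type-Identity = \"$1\""
fi
if [ ! -z "$6" ] && [[ "$6" =~ ^[0-9]+$ ]] && [ "$6" -gt 0 ]
then
    echo "Framed-Protocol = PPP"
fi
EOF
}

work=$(mktemp -d)
make_samples "$work"
echo "against 2.2.0:";  hunks_apply "$work/radtest.patch" "$work/radtest-2.2.0.in"
echo "against v2.x.x:"; hunks_apply "$work/radtest.patch" "$work/radtest-2.x.x.in" || echo "--> drop or refresh this patch"
rm -rf "$work"
```

Where GNU patch is installed, `patch -p1 --dry-run --fuzz=0 < freeradius-radtest.patch` run inside the unpacked source gives the same verdict without modifying anything.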

Re: Need help with making RPM from v2.x.x branch

2013-05-06 Thread John Dennis

On 05/06/2013 02:57 PM, Divyesh Raithatha wrote:

Hello all, has anyone had success in building an RPM from the v2.x.x
branch from http://git.freeradius.org?
I am following the information from
http://wiki.freeradius.org/guide/Red-Hat-FAQ
On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
successfully but I want to get all of the recent patches from the v2.x.x
branch.  However, when I tried to build the RPM from v2.x.x I get the
following message:

Hunk #1 FAILED at 121.
1 out of 1 hunk FAILED -- saving rejects to file src/main/radtest.in.rej
error: Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)
RPM build errors:
 Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)

Here is the radtest.in.rej file contents:

--- src/main/radtest.in 2011-09-30 10:12:07.0 -0400
+++ src/main/radtest.in 2012-01-05 15:51:56.877585514 -0500
@@ -121,7 +121,7 @@
 echo EAP-Code = Response
 echo EAP-Type-Identity = \$1\
 fi
-   if [ $6 ]
+   if [ ! -z $6 ]  [[ $6 =~ ^[0-9]+$ ]]  [ $6 -gt 0 ]
 then
 echo Framed-Protocol = PPP
 fi
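Review bot: same hunk as in the original report; the rejection at line 121 means the `-` line `if [ $6 ]` is not present in the v2.x.x copy of src/main/radtest.in, so the branch most likely already contains this change and Patch2 should be dropped from the spec rather than re-applied; `git log -p -- src/main/radtest.in` in the checkout confirms it, which is what "use the source" amounts to here. The `+` line as quoted also lacks the `&&` between its three tests and leaves `$6` unquoted; check the .patch file before reusing it anywhere.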

Here is the contents of /var/tmp/rpm-tmp.uETav5

#!/bin/sh

  RPM_SOURCE_DIR="/home/test/rpmbuild/SOURCES"
  RPM_BUILD_DIR="/home/test/rpmbuild/BUILD"
  RPM_OPT_FLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic"
  RPM_ARCH="x86_64"
  RPM_OS="linux"
  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS
  RPM_DOC_DIR="/usr/share/doc"
  export RPM_DOC_DIR
  RPM_PACKAGE_NAME="freeradius"
  RPM_PACKAGE_VERSION="2.2.0"
  RPM_PACKAGE_RELEASE="1.el6"
  export RPM_PACKAGE_NAME RPM_PACKAGE_VERSION RPM_PACKAGE_RELEASE
  LANG=C
  export LANG
  unset CDPATH DISPLAY ||:

  RPM_BUILD_ROOT="/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64"
  export RPM_BUILD_ROOT
  PKG_CONFIG_PATH="/usr/lib64/pkgconfig:/usr/share/pkgconfig"
  export PKG_CONFIG_PATH
  set -x
  umask 022
  cd /home/test/rpmbuild/BUILD
LANG=C
export LANG
unset DISPLAY
cd '/home/test/rpmbuild/BUILD'
rm -rf 'freeradius-server-2.2.0'
/usr/bin/bzip2 -dc '/home/test/rpmbuild/SOURCES/freeradius-server-2.2.0.tar.bz2' | /bin/tar -xf -
STATUS=$?
if [ $STATUS -ne 0 ]; then
  exit $STATUS
fi
cd 'freeradius-server-2.2.0'
/bin/chmod -Rf a+rX,u+w,g-w,o-w .
echo "Patch #1 (freeradius-cert-config.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-cert-config.patch | /usr/bin/patch -p1 -b --suffix .cert-config --fuzz=0
echo "Patch #2 (freeradius-radtest.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-radtest.patch | /usr/bin/patch -p1 -b --suffix .radtest --fuzz=0
#%patch3 -p1 -b .man
#%patch4 -p1 -b .unix-passwd-expire
echo "Patch #5 (freeradius-radeapclient-ipv6.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-radeapclient-ipv6.patch | /usr/bin/patch -p1 -b --suffix .radeapclient-ipv6 --fuzz=0
#%patch6 -p1
#%patch7 -p1 -b perl
echo "Patch #8 (freeradius-dhcp_sqlippool.patch):"
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-dhcp_sqlippool.patch | /usr/bin/patch -p1 --fuzz=0
# Some source files mistakenly have execute permissions set
find $RPM_BUILD_DIR/freeradius-server-2.2.0 \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
exit 0

Any Ideas?


The patch set is targeted at a *specific* freeradius version. You're 
trying to apply patches from one version against another version. 
Sometimes that works, sometimes it doesn't. A patch may not succeed for 
several reasons: the code may have shifted position in the file (fuzz > 
0); RPM disallows this because it's evidence of not keeping the spec 
file current against the version being built. You can override this with


%global _default_patch_fuzz 2

at the top of the spec file (2 in this case is an old default before it 
was changed to 0). Overriding the patch fuzz factor is not recommended, 
instead it's recommended you fix the patch to make it 100% correct for 
the current version.


Another reason a patch might not succeed is because the problem was 
already reported upstream and upstream fixed it. If they took the patch 
verbatim then the error you'll see is something akin to Previously 
applied patch or reverse patch. If upstream fixed the issue in some 
other way the patch simply won't apply. Figuring exactly which lines of 
code changed and why is the work of a package maintainer. In this case 
you're assuming that role and you'll have to do that work.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
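A way to find out in advance which of a spec file's patches still fit the tree you are about to build, as an added example that is not part of this thread or of the FreeRADIUS redhat/ directory: it dry-runs each PatchN: entry with the same --fuzz=0 that rpmbuild uses and sorts the patches into ones that apply, ones upstream already carries (which `patch -N` reports as previously applied), ones that would only go in with the old fuzz factor of 2 mentioned above, and ones that are plainly stale. It needs GNU patch; the spec, build tree and SOURCES paths in the usage comment are assumed.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project): dry-run the
# PatchN: entries of an RPM spec against an unpacked source tree and classify
# each one the way a package maintainer would before running rpmbuild.
# Assumes GNU patch and that the patch files live in SOURCES under the names
# the spec uses.

# spec_patches SPECFILE -> the patch file names from "PatchN:" lines, in spec
# order; lines the maintainer has commented out with '#' are skipped.
spec_patches() {
    sed -n 's/^Patch[0-9]*:[[:space:]]*//p' "$1"
}

# classify_patch TREE PATCHFILE -> one of:
#   applies          clean at --fuzz=0, which is exactly what rpmbuild does
#   already-applied  patch -N sees the hunks reversed: upstream took the fix
#   needs-fuzz       only goes in with --fuzz=2 (the old rpm default); the
#                    spec should be refreshed rather than the fuzz raised
#   FAILS            the context is gone or upstream changed it some other way
classify_patch() {
    tree=$1; pf=$2
    out=$(cd "$tree" && patch --dry-run -p1 -N --fuzz=0 < "$pf" 2>&1) && rc=0 || rc=$?
    case $out in
        *"previously applied"*) echo already-applied ;;
        *) if [ "$rc" -eq 0 ]; then
               echo applies
           elif (cd "$tree" && patch --dry-run -p1 -N --fuzz=2 < "$pf" >/dev/null 2>&1); then
               echo needs-fuzz
           else
               echo FAILS
           fi ;;
    esac
}

# check_spec_patches SPECFILE TREE SOURCES -> one verdict per patch on stdout;
# returns non-zero if any patch is not a clean "applies".
check_spec_patches() {
    spec=$1; tree=$2; sources=$3; bad=0
    for pf in $(spec_patches "$spec"); do
        verdict=$(classify_patch "$tree" "$sources/$pf")
        printf '%-40s %s\n' "$pf" "$verdict"
        [ "$verdict" = applies ] || bad=1
    done
    return $bad
}

# Usage (paths assumed, not from the thread):
#   check_spec_patches redhat/freeradius.spec \
#       ~/rpmbuild/BUILD/freeradius-server-2.2.0 ~/rpmbuild/SOURCES
```

Anything reported as already-applied can simply be dropped from the spec; needs-fuzz is the case John describes, where forcing `_default_patch_fuzz` hides a spec that has drifted from the source; FAILS means the patch has to be rewritten or is no longer needed for some other reason, which only reading the upstream change will tell you.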


Re: Need help with making RPM from v2.x.x branch

2013-05-06 Thread Alan DeKok
Divyesh Raithatha wrote:
 Hello all, has anyone had success in building an RPM from the v2.x.x
 branch from http://git.freeradius.org?

  That should work

 I am following the information from
 http://wiki.freeradius.org/guide/Red-Hat-FAQ
  
 On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
 successfully but I want to get all of the recent patches from the v2.x.x
 branch.

  Go to redhat/freeradius.spec, and delete the following line:

Patch2: freeradius-radtest.patch


  That should cause it to build.

  Alan DeKok.


Re: Need help with making RPM from v2.x.x branch

2013-05-06 Thread Divyesh Raithatha
Thanks Alan, I had to comment out both Patch 2 and 5 sections

#%patch2 -p1 -b .radtest
#%patch5 -p1 -b .radeapclient-ipv6


to get past the patch error messages but I get another error below:



+ cp README
/home/divtest/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64//usr/share/doc/freeradius-2.2.0
cp: cannot stat `README': No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.wG9x7h (%install)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.wG9x7h (%install)

Here are the contents of the temp file:

  cat /var/tmp/rpm-tmp.wG9x7h
#!/bin/sh
  RPM_SOURCE_DIR=/home/test/rpmbuild/SOURCES
  RPM_BUILD_DIR=/home/test/rpmbuild/BUILD
  RPM_OPT_FLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
  RPM_ARCH=x86_64
  RPM_OS=linux
  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS
  RPM_DOC_DIR=/usr/share/doc
  export RPM_DOC_DIR
  RPM_PACKAGE_NAME=freeradius
  RPM_PACKAGE_VERSION=2.2.0
  RPM_PACKAGE_RELEASE=1.el6
  export RPM_PACKAGE_NAME RPM_PACKAGE_VERSION RPM_PACKAGE_RELEASE
  LANG=C
  export LANG
  unset CDPATH DISPLAY ||:

RPM_BUILD_ROOT=/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64
  export RPM_BUILD_ROOT

  PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig
  export PKG_CONFIG_PATH

  set -x
  umask 022
  cd /home/test/rpmbuild/BUILD
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "${RPM_BUILD_ROOT}"
mkdir -p `dirname $RPM_BUILD_ROOT`
mkdir $RPM_BUILD_ROOT
cd 'freeradius-server-2.2.0'
LANG=C
export LANG
unset DISPLAY
mkdir -p $RPM_BUILD_ROOT//var/lib/radiusd
# fix for bad libtool bug - can not rebuild dependent libs and bins
#FIXME export LD_LIBRARY_PATH=$RPM_BUILD_ROOT//usr/lib64
make install R=$RPM_BUILD_ROOT
# modify default configuration
RADDB=$RPM_BUILD_ROOT/etc/raddb
perl -i -pe 's/^#user =.*$/user = radiusd/'   $RADDB/radiusd.conf
perl -i -pe 's/^#group =.*$/group = radiusd/' $RADDB/radiusd.conf
# logs
mkdir -p $RPM_BUILD_ROOT/var/log/radius/radacct
touch $RPM_BUILD_ROOT/var/log/radius/{radutmp,radius.log}
install -D -m 755 /home/test/rpmbuild/SOURCES/freeradius-radiusd-init
$RPM_BUILD_ROOT//etc/rc.d/init.d/radiusd
install -D -m 644 /home/test/rpmbuild/SOURCES/freeradius-logrotate
$RPM_BUILD_ROOT//etc/logrotate.d/radiusd
install -D -m 644 /home/test/rpmbuild/SOURCES/freeradius-pam-conf
$RPM_BUILD_ROOT//etc/pam.d/radiusd
mkdir -p
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/var/run/
install -d -m 0710
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/var/run/radiusd/
# remove unneeded stuff
rm -rf doc/00-OLD
rm -f $RPM_BUILD_ROOT/usr/sbin/rc.radiusd
rm -rf $RPM_BUILD_ROOT//usr/lib64/freeradius/*.a
rm -rf $RPM_BUILD_ROOT//usr/lib64/freeradius/*.la
rm -rf $RPM_BUILD_ROOT//etc/raddb/sql/mssql
rm -rf $RPM_BUILD_ROOT//etc/raddb/sql/oracle
rm -rf $RPM_BUILD_ROOT//usr/share/dialup_admin/sql/oracle
rm -rf $RPM_BUILD_ROOT//usr/share/dialup_admin/lib/sql/oracle
rm -rf $RPM_BUILD_ROOT//usr/share/dialup_admin/lib/sql/drivers/oracle
# remove header files, we don't ship a devel package and the
# headers have multilib conflicts
rm -rf $RPM_BUILD_ROOT//usr/include
# remove unsupported config files
rm -f $RPM_BUILD_ROOT//etc/raddb/experimental.conf
# install doc files omitted by standard install
for f in COPYRIGHT CREDITS INSTALL README; do
cp $f $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0
done
cp LICENSE $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/LICENSE.gpl
cp src/lib/LICENSE
$RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/LICENSE.lgpl
cp src/LICENSE.openssl
$RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/LICENSE.openssl
# add Red Hat specific documentation
cat > $RPM_BUILD_ROOT//usr/share/doc/freeradius-2.2.0/REDHAT << EOF
Red Hat, RHEL, Fedora, and CentOS specific information can be found on the
FreeRADIUS Wiki in the Red Hat FAQ.
http://wiki.freeradius.org/guide/Red_Hat_FAQ
Please reference that document.
EOF

# Make sure our user/group is present prior to any package or subpackage
installation

   /usr/lib/rpm/find-debuginfo.sh --strict-build-id
/home/test/rpmbuild/BUILD/freeradius-server-2.2.0
/usr/lib/rpm/check-buildroot

/usr/lib/rpm/redhat/brp-compress

/usr/lib/rpm/redhat/brp-strip-static-archive /usr/bin/strip
/usr/lib/rpm/redhat/brp-strip-comment-note /usr/bin/strip
/usr/bin/objdump
/usr/lib/rpm/brp-python-bytecompile
/usr/lib/rpm/redhat/brp-python-hardlink
/usr/lib/rpm/redhat/brp-java-repack-jars

On Mon, May 6, 2013 at 1:09 PM, Alan DeKok al...@deployingradius.comwrote:


 Divyesh Raithatha wrote:
  Hello all, has anyone had success in building an RPM from the v2.x.x
  branch from http://git.freeradius.org?
 
   That should work

  I am following the information from
  http://wiki.freeradius.org/guide/Red-Hat-FAQ
 
  On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
  successfully but I want to get all of the recent patches from the v2.x.x
  branch.

   Go to redhat/freeradius.spec, 

Re: Need help with making RPM from v2.x.x branch

2013-05-06 Thread John Dennis

On 05/06/2013 04:09 PM, Alan DeKok wrote:

Divyesh Raithatha wrote:

Hello all, has anyone had success in building an RPM from the v2.x.x
branch from http://git.freeradius.org?


   That should work


I am following the information from
http://wiki.freeradius.org/guide/Red-Hat-FAQ

On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
successfully but I want to get all of the recent patches from the v2.x.x
branch.


   Go to redhat/freeradius.spec, and delete the following line:

Patch2: freeradius-radtest.patch


   That should cause it to build.

   Alan DeKok.


Why does FreeRADIUS maintain build configurations for Red Hat and 
Debian? I suppose it makes sense for the person who wants to build an 
RPM or Deb package from the latest repo. It does not make sense for 
someone who just wants an RPM package. These project-maintained build 
configurations are best thought of as bleeding-edge developer stuff. 
Make some change and you want to test on Fedora or Debian and need 
packages? Then these build directories are the go-to place. Or for those 
cases where a distribution has not caught up with upstream yet, this can 
serve a useful purpose as well (as long as they stay generic, see 
below); another variant of this is "only for the latest and greatest".


I can't speak for Debian, I'm not a Deb package maintainer, but at least 
in the Red Hat world there isn't just one Red Hat distribution, there 
are many and each can have different build requirements and build 
configurations.


Another problem is the spec file under ./redhat is forever getting out 
of sync (as evidenced by the OP). Patch sets are a superb example of 
this (compounded by the problem there is no single rpm spec file for all 
Red Hat versions).


My suggestion is for upstream FreeRADIUS to maintain a generic Red Hat 
RPM spec file which is as vanilla as possible without any patches 
whatsoever. In theory current upstream shouldn't need patches. Also any 
customization we might do really should come from us, not upstream. If 
one is building an RPM from the current FreeRADIUS version using the 
FreeRADIUS RPM spec file then one should get a vanilla FreeRADIUS build 
whose only customization extends to assuring the same file locations, 
package names, etc. are used. You pretty much get this for free. I would 
take an existing spec file strip out all the patches, changelog, etc. 
and then one only needs to take a look at the options passed to 
configure (I'm thinking about options which control which modules are 
built).


The generic RPM spec file that upstream maintains should be exercised on 
regular basis. Far too often we've seen upstream changes that required 
spec file changes but which were never done (e.g. add/removing modules 
and/or other files).


Would we like to maintain the ./redhat subdirectory?

No, for two reasons.

1. It's impossible, as pointed out above there is no single spec file, 
each spec file is tied to a specific release. We maintain *independent* 
spec files for *every* distribution version we support, at the moment 
that numbers in the dozens :-(


2. We already maintain them and they are publicly available for anyone 
to download. Trying to maintain multiple copies in multiple repositories 
and assuring they all stay in sync doesn't seem justified.



--
John Dennis jden...@redhat.com



RE: Freeradius CoA - Need Help

2013-01-24 Thread Nasser Heidari
Can Anybody help me with this issue?


 -Original Message-
 From: freeradius-users-bounces+nasser=rasana@lists.freeradius.org
 [mailto:freeradius-users-bounces+nasser=rasana@lists.freeradius.org]
On
 Behalf Of Nasser Heidari
 Sent: Tuesday, January 22, 2013 1:33 PM
 To: freeradius-users@lists.freeradius.org
 Subject: Freeradius CoA - Need Help
 
 Hi,
 
 I'm going to set up a FreeRADIUS CoA virtual server. I have already gone
 through the originate-coa document, but need some help.
 This is the way that I traditionally originate CoA or POD packets:
 - I have written a Perl script that listens on port 1810.
 - When I want to disconnect a user, I use another script to get the user's
 session info from the DB, and then send its information (User-Name,
 Acct-Session-ID, NAS IP Address) to port 1810.
 - Then my Perl script simply generates a radclient command and sends it to
 the appropriate NAS.
 
 For CoA it's the same; the only difference is that I send more AVPs to my
 script.
 Now what I couldn't understand is: how should I trigger the CoA server to
 send the appropriate AVPs to the NAS? How should I tell it that I need these
 AVPs to be sent?
 I have Googled it but I couldn't find any sample.
 
 Thanks in advance.
 
 Regards,
 Nasser
 


Re: Freeradius CoA - Need Help

2013-01-24 Thread Alan DeKok
Nasser Heidari wrote:
 Can Anybody help me with this issue?

  To send CoA packets, read raddb/sites-available/originate-coa

  You choose the attributes to send like you choose any attributes to
send.  Use unlang, or a module...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius CoA - Need Help

2013-01-22 Thread Nasser Heidari
Hi, 

I'm going to set up a FreeRADIUS CoA virtual server. I have already gone
through the originate-coa document, but need some help.
This is the way that I traditionally originate CoA or POD packets:
- I have written a Perl script that listens on port 1810.
- When I want to disconnect a user, I use another script to get the user's
session info from the DB, and then send its information (User-Name,
Acct-Session-ID, NAS IP Address) to port 1810.
- Then my Perl script simply generates a radclient command and sends it to
the appropriate NAS.

For CoA it's the same; the only difference is that I send more AVPs to my
script.
Now what I couldn't understand is: how should I trigger the CoA server to
send the appropriate AVPs to the NAS? How should I tell it that I need these
AVPs to be sent?
I have Googled it but I couldn't find any sample.

Thanks in advance.

Regards,
Nasser



Need Help - Problem Working With Session Time Out

2012-12-21 Thread Prabhpal S. Mavi

Hi Dear List Members,
RADIUS does not send the Session-Timeout attribute; as a result the user does
not log off after the time has expired. Can anyone help please? What I have
done:

enabled counters.sql in radiusd.conf & sql.conf; my counters:

sqlcounter noresetcounter {
counter-name = Max-All-Session-Time
check-name = Max-All-Session
sqlmod-inst = sql
key = User-Name
reset = never
query = SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE
UserName='%{%k}'
}

radiusd -X
INTERVAL (%{%{Acct-Session-Time}:-0}

Thanks



Need Help to Troubleshoot MySQL Auth FreeRadius 2.1.X

2012-12-15 Thread Prabhpal S. Mavi
Dear Freeradius Hackers,

This is a new implementation. Can someone help me troubleshoot why
FreeRADIUS MySQL authentication is failing? I have cross-checked every
aspect but it still seems that something is not in place.


What I have done:

installed FreeRADIUS + MySQL databases
Configured FreeRADIUS & created the MySQL database.
configured the following files: sql.conf radiusd.conf default
enabled in radiusd.conf: $INCLUDE sql.conf
RADIUS is up and running, but without authentication, even from localhost.
The RADIUS database is set up properly; no problem to start/stop radiusd.
radius.log output is shown in the section below.


Results:

tail -f /var/log/radius/radius.log - Output

Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Driver rlm_sql_mysql
(module rlm_sql_mysql) loaded and linked
Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Attempting to connect to
radius@localhost:3306/radius
Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Attempting to connect
rlm_sql_mysql #0
Sat Dec 15 11:20:34 2012 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #0
Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Connected new DB handle, #0
Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Attempting to connect
rlm_sql_mysql #1
Sat Dec 15 11:20:34 2012 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #1
Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Connected new DB handle, #1
Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Attempting to connect
rlm_sql_mysql #2
Sat Dec 15 11:20:34 2012 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #2
Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Connected new DB handle, #2
Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Attempting to connect
rlm_sql_mysql #3
Sat Dec 15 11:20:34 2012 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #3
Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Connected new DB handle, #3
Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Attempting to connect
rlm_sql_mysql #4
Sat Dec 15 11:20:34 2012 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #4
Sat Dec 15 11:20:34 2012 : Info: rlm_sql (sql): Connected new DB handle, #4
Sat Dec 15 11:20:34 2012 : Info: Loaded virtual server default
Sat Dec 15 11:20:34 2012 : Info: Loaded virtual server inner-tunnel
Sat Dec 15 11:20:34 2012 : Info:  ... adding new socket proxy address *
port 32959
Sat Dec 15 11:20:34 2012 : Info: Ready to process requests.

=

Output of radiusd -X

 ... adding new socket proxy address * port 51412
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.



Command to Check the radius Authentication:
radtest mark mypassword localhost 1812 99THi49UGotool

Output:
Sending Access-Request of id 48 to 41.171.71.61 port 1812
User-Name = mark
User-Password = radmin
NAS-IP-Address = 192.168.3.106
NAS-Port = 100
Message-Authenticator = 0x

==

Two MySQL Radius Users


PAY attention to the field OP (:= and ==). But auth is not working for any
user.


mysql> select * from radcheck where UserName='mark';
++--+---++-+
| id | UserName | Attribute | op | Value   |
++--+---++-+
|  3 | mark  | radmin| := | 99THi49UGotool |
++--+---++-+
1 row in set (0.00 sec)

mysql> select * from radcheck where UserName='dany';
++--+---++-+
| id | UserName | Attribute | op | Value   |
++--+---++-+
|  1 | dany  | badmin | == | 99THi49UGotool|
++--+---++-+

RADIUS is up and running, but without authentication; == or := makes no
difference, none of the users can authenticate.



selinux off
freeradius is up
mysql db is up
there are two database users
why auth would be failing?

Any tip or clue would be greatly appreciated


Thanks / Regards




Re: Need Help to Troubleshoot MySQL Auth FreeRadius 2.1.X

2012-12-15 Thread Alan DeKok
Prabhpal S. Mavi wrote:
 This is a new implementation. Can someone help me troubleshoot why
 FreeRADIUS MySQL authentication is failing? I have cross-checked every
 aspect but it still seems that something is not in place.

  You haven't read the documentation which says to run the server in
debugging mode.

 Results:
 
 tail -f /var/log/radius/radius.log - Output

  You WILL NOT solve the problem by doing this.  The documentation DOES
NOT say to do this, because it is NOT HELPFUL.

 Output of radiusd -X
 
  ... adding new socket proxy address * port 51412
 Listening on authentication address * port 1812
 Listening on accounting address * port 1813
 Listening on command file /var/run/radiusd/radiusd.sock
 Listening on authentication address 127.0.0.1 port 18120 as server
 inner-tunnel
 Listening on proxy address * port 1814
 Ready to process requests.

  Which is completely and totally useless.

  You do realize that the ENTIRE POINT of running the server in
debugging mode is to see what happens when it receives packets...

 Command to Check the radius Authentication:

  We don't care.  The documentation doesn't say to post this command to
the list, because it is NOT HELPFUL.

 PAY attention to the field OP (:= and ==). But auth is not working for any
 user.

  No.  YOU need to pay attention to the documentation.

 
 mysql> select * from radcheck where UserName='mark';
 ++--+---++-+
 | id | UserName | Attribute | op | Value   |
 ++--+---++-+
 |  3 | mark  | radmin| := | 99THi49UGotool |
 ++--+---++-+

  This is completely wrong.  It's hard to describe just how wrong this is.

  Read the Wiki.  It has DETAILED INSTRUCTIONS for getting SQL working.
 It includes EXAMPLES.  These examples WILL WORK.

 RADIUS is up and running, but without authentication; == or := makes no
 difference, none of the users can authenticate.

  Because you've done something completely wrong.

 Any tip or clue would be greatly appreciated

  Follow the instructions on the wiki for configuring SQL.  It should
take no more than 10 minutes.

  Alan DeKok.
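The radcheck rows quoted above are what the reply objects to: the Attribute column holds "radmin" and "badmin" instead of the name of a password attribute, so the server cannot turn either row into a check item, whatever the op column says. A small check of that layout, as an added example that is not from the thread, the wiki or FreeRADIUS itself: the sample rows are a reconstruction of the two posted above plus one in the shape the wiki's SQL examples use, and the list of accepted attribute names is the example's own assumption (the password attributes rlm_pap in 2.x understands), not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread, the wiki or FreeRADIUS): sanity-check
# radcheck rows before blaming the server. For a password the Attribute column
# must name a FreeRADIUS password attribute (normally Cleartext-Password), the
# op must be ':=', and the Value is the password itself.
# The accepted attribute list below is this example's assumption.

# check_radcheck_row USER ATTRIBUTE OP VALUE -> prints "ok" or a one-line
# reason; return status 0 when the row is usable, 1 otherwise.
check_radcheck_row() {
    user=$1; attr=$2; op=$3; value=$4
    case $attr in
        Cleartext-Password|NT-Password|LM-Password|MD5-Password|SHA-Password|SSHA-Password|Crypt-Password)
            ;;
        User-Password)
            echo "$user: User-Password in radcheck is the deprecated form; use Cleartext-Password"
            return 1 ;;
        *)
            echo "$user: Attribute '$attr' is not a password attribute; put the password under Cleartext-Password"
            return 1 ;;
    esac
    if [ "$op" != ':=' ]; then
        echo "$user: op '$op' should be ':=' for a password check item"
        return 1
    fi
    if [ -z "$value" ]; then
        echo "$user: empty Value"
        return 1
    fi
    echo ok
}

# Constructed sample: the two rows as posted in the thread (reconstructed from
# the mysql output above) plus a row in the shape the wiki example uses.
# Columns are username|attribute|op|value.
radcheck_sample() {
    printf '%s\n' \
        'mark|radmin|:=|99THi49UGotool' \
        'dany|badmin|==|99THi49UGotool' \
        'fred|Cleartext-Password|:=|wilma'
}

# check_radcheck_rows: reads username|attribute|op|value lines on stdin,
# prints one verdict per row; non-zero if any row is unusable.
check_radcheck_rows() {
    bad=0
    while IFS='|' read -r user attr op value; do
        check_radcheck_row "$user" "$attr" "$op" "$value" || bad=1
    done
    return $bad
}

# Usage: radcheck_sample | check_radcheck_rows
# A dump of a real table (assumed column order) can be fed the same way, e.g.
#   mysql -N -e "SELECT CONCAT_WS('|',username,attribute,op,value) FROM radcheck" radius | check_radcheck_rows
```

Both posted rows fail the first test, which is the whole story: nothing in them tells the server which attribute the value is meant to be compared against, so the op column never comes into play.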


Re: Need help with Freeradius and 802.1X

2011-11-02 Thread johnboy68
I have ntlm_auth working.  I can auth my AD users with this command:

radtest -t mschap aduser aspassword localhost 0 testing123

And it works.  

My problem is when I configure one of my Cisco switches to do 802.1x and
authenticate with Freeradius my Windows (Windows 7 and Vista) machines fail
to get authorized with the Windows supplicant.  I am running Freeradius in
debug mode and have tried to trace down where it is failing on my own but
since I have no experience in this area I am just chasing my tail.  Is it a
problem with PEAP, EAP, TLS?  Do I need a certificate?  I just don't know
and if I did I wouldn't know how to configure it.  I have not been able to
find any conclusive documentation in this area.

I could put the output here of what Freeradius outputs during a connection
attempt but I since I am testing this in our production environment, I don't
want to put that kind of information out in a public forum.

Any thoughts?





Re: Need help with Freeradius and 802.1X

2011-11-02 Thread Alan Buxey
Hi,
 I have ntlm_auth working.  I can auth my AD users with this command:
 
 radtest -t mschap aduser aspassword localhost 0 testing123
 
 And it works.  
 
 My problem is when I configure one of my Cisco switches to do 802.1x and
 authenticate with Freeradius my Windows (Windows 7 and Vista) machines fail
 to get authorized with the Windows supplicant.  I am running Freeradius in
 debug mode and have tried to trace down where it is failing on my own but
 since I have no experience in this area I am just chasing my tail.  Is it a
 problem with PEAP, EAP, TLS?  Do I need a certificate?  I just don't know
 and if I did I wouldn't know how to configure it.  I have not been able to
 find any conclusive documentation in this area.

the windows clients need the CA for your RADIUS server installed in their 
certificate store

alan



Re: Need help with Freeradius and 802.1X

2011-11-02 Thread Alan DeKok
johnboy68 wrote:
 I have ntlm_auth working.  I can auth my AD users with this command:
 
 radtest -t mschap aduser aspassword localhost 0 testing123
 
 And it works.

  Good!

 My problem is when I configure one of my Cisco switches to do 802.1x and
 authenticate with Freeradius my Windows (Windows 7 and Vista) machines fail
 to get authorized with the Windows supplicant.  I am running Freeradius in
 debug mode and have tried to trace down where it is failing on my own but
 since I have no experience in this area I am just chasing my tail.  Is it a
 problem with PEAP, EAP, TLS?  Do I need a certificate?  I just don't know
 and if I did I wouldn't know how to configure it.  I have not been able to
 find any conclusive documentation in this area.

  The Wiki describes this.  See the Certificate Compatibility page.
See also my AD integration guide: http://deployingradius.com.  That
should be pointed to from the Wiki, too.

  That guide contains *detailed* instructions for what to do.  The only
time it hasn't worked for people is when they didn't follow its
instructions.

 I could put the output here of what Freeradius outputs during a connection
 attempt but I since I am testing this in our production environment, I don't
 want to put that kind of information out in a public forum.

  Run it in debug mode and read the output.  What does it say?  What
warnings / errors does it produce?

  Alan DeKok.


Fwd: Need help on ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-10-25 Thread Stephen Kwok
Hi,

I am a newbie to FreeRADIUS and I have run into a problem during the setup.
 I have spent some time on researching for an answer online, but I got no
luck.  I have described the problem as below.  Could anyone please let me
know what went wrong? Thank you so much in advance.

Stephen

OS: Mac OSX 10.6.8
FreeRADIUS version: 2.1.12

Steps taken:
1. Downloaded freeradius from http://freeradius.org/download.html
2. Decompressed it
3. Copied the decompressed folder to /sw/freeradius-server-2.1.12
4. Added testing Cleartext-Password := password to the top of
/sw/freeradius-server-2.1.12/raddb/users
and saved the file
5. Opened a terminal console
6. Executed sudo - root
7. Cd to /sw/freeradius-server-2.1.12
8. Followed Building on MAC OSX on http://wiki.freeradius.org/Build:

./configure --enable-developer
make
sudo make install

9. Cd to /sw/freeradius-server-2.1.12/src/main
10. Executed radiusd -X
11. Open another terminal console
12. Executed sudo - root
13. Cd to /sw/freeradius-server-2.1.12/src/main
14. Executed radtest testing password 127.0.0.1 0 testing123

*Client Output*
machine:~ root# radtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 209 to 127.0.0.1 port 1812
User-Name = testing
 User-Password = password
NAS-IP-Address = 172.16.142.1
NAS-Port = 0
 Message-Authenticator = 0x
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=209,
length=20

FreeRADIUS Debugging Output

FreeRADIUS Version 2.1.12, for host i386-apple-darwin10.8.0, built on
Oct 25 2011 at 14:21:07
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com

including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file 

Re: Fwd: Need help on ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-10-25 Thread Alan DeKok
Stephen Kwok wrote:
 I am a newbie to FreeRADIUS and I have run into a problem during the
 setup.  I have spent some time on researching for an answer online, but
 I got no luck.  I have described the problem as below.  Could anyone
 please let me know what went wrong? Thank you so much in advance.

  Don't post the same message to the freeradius-users and
freeradius-devel list.  It's not nice.

  The whole point of running the server in debugging mode is to *READ*
the output.  In this case, you've edited /sw//raddb/users, and the
server is *clearly* reading /usr/local/etc/raddb/users.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fwd: Need help on ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-10-25 Thread Alan Buxey
Hi,

OS: Mac OSX 10.6.8
FreeRADIUS version: 2.1.12
Steps taken:

snip

okay. so you downloaded the software, extracted it, then built it...
great. did you note what happened when you 'make install' ?

Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf

there's a hint

the server is reading config files from the /usr/local/etc/raddb
directory.

the config files you have edited are the source code initial versions..
they aren't being read, hence your testing/password will never work

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Need help with Freeradius and 802.1X

2011-10-03 Thread johnboy68
I have searched the forum but can't find what I'm looking for.

Here is my scenario:

Users with Vista machines and the 802.1X supplicant configured
Windows Server 2008 with Active Directory
Other network connected devices and 'unknown' computers
100% Cisco LAN/WAN

Here is what I want to do:

Dynamic VLAN assignment based on 802.1X with Freeradius able to use Active
Directory for the computers with the supplicant configured and also be able
to use MySQL to do MAC authentication bypass for known devices like printers
that can't use a supplicant.

I don't have much experience with Freeradius but I feel this is something
that would be a normal 802.1X configuration.

Any help on how to configure this environment would be greatly appreciated.

Thanks, John

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with Freeradius and 802.1X

2011-10-03 Thread Alan DeKok
johnboy68 wrote:
 Users with Vista machines and the 802.1X supplicant configured
 Windows Server 2008 with Active Directory
 Other network connected devices and 'unknown' computers
 100% Cisco LAN/WAN
 
 Here is what I want to do:
 
 Dynamic VLAN assignment based on 802.1X with Freeradius able to use Active
 Directory for the computers with the supplicant configured and also be able
 to use MySQL to do MAC authentication bypass for known devices like printers
 that can't use a supplicant.

  It takes care, but it's not hard.

  Step 1, configure AD authentication.  See my web page:
http://deployingradius.com

  Step 2, configure MAC address authentication.  See the Wiki.

  The key thing is... do each step in isolation.  Don't worry about
changes in Step 1 breaking step 2.  Make sure you understand each piece
in isolation before you try to combine them.

  Once you get that far come back with more questions.

 I don't have much experience with Freeradius but I feel this is something
 that would be a normal 802.1X configuration.

  Pretty much, yes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help to store user details

2011-09-20 Thread Christ Schlacta

Store them how, where, and for what purposes?
On 9/19/2011 23:07, Rajkumar balaji wrote:

Hi All,

I just want to store user details like, The user name is ABC  and the user
belongs to XYZ group and PQR group.


Thanks

Regards
Rajkumar Balaji

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: Need help to store user details

2011-09-20 Thread Fajar A. Nugraha
On Tue, Sep 20, 2011 at 1:07 PM, Rajkumar balaji
rajkumar.balaj...@gmail.com wrote:
 Hi All,

 I just want to store user details like, The user name is ABC  and the user
 belongs to XYZ group and PQR group.



LDAP/files/SQL/whatever? e.g.
https://github.com/alandekok/freeradius-server/blob/v2.1.x/doc/rlm_sql

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help to store user details

2011-09-20 Thread Rajkumar balaji
The purpose is: after the authentication I need to retrieve the group details
associated with this user and, according to them, I need to authorize the
user.

Store it in FreeRADIUS (a text file is also fine), and I want to retrieve it
using the JRADIUS API.

I am new to RADIUS concepts so, Please guide me to implement this.

Thanks

Regards
Rajkumar Balaji

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help to store user details

2011-09-20 Thread Fred
Hi,
Configure FreeRADIUS with its ldap module and an LDAP server such as OpenLDAP.
http://wiki.freeradius.org/Rlm_ldap could be a good start.

Fred,

2011/9/20, Rajkumar balaji rajkumar.balaj...@gmail.com:
 Hi All,

 I just want to store user details like, The user name is ABC  and the user
 belongs to XYZ group and PQR group.


 Thanks

 Regards
 Rajkumar Balaji


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help to store user details

2011-09-20 Thread Fajar A. Nugraha
On Tue, Sep 20, 2011 at 1:47 PM, Rajkumar balaji
rajkumar.balaj...@gmail.com wrote:
 The purpose is: after the authentication I need to retrieve the group details
 associated with this user and, according to them, I need to authorize the
 user.

 Store it in FreeRADIUS (a text file is also fine), and I want to retrieve it
 using the JRADIUS API.

Since you're going to have two or more different applications reading
the data (freeradius and jradius), better to store it in a DB. See the link
I sent earlier; it should be self-explanatory.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-18 Thread Raymond Norton



Since it's not marked as stable, it's not built by default. Try
rebuilding it, but this time using

./configure --with-experimental-modules | tee configure.log

... then look at configure.log, see what it says about rlm_opendirectory.

   


Thanks. I now have the opendirectory module working.

I am getting the following error now with radtest:

[opendirectory] The host 127.0.0.1 does not have an access group.
[opendirectory] no access control groups, all users allowed.
[opendirectory] Setting Auth-Type = opendirectory
++[opendirectory] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user


I was instructed to remove information under authentication, so not sure 
how to satisfy this error message.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-18 Thread Fajar A. Nugraha
On Thu, Aug 18, 2011 at 10:50 PM, Raymond Norton ad...@lctn.org wrote:

 Since it's not marked as stable, it's not built by default. Try
 rebuilding it, but this time using

 ./configure --with-experimental-modules | tee configure.log

 ... then look at configure.log, see what it says about rlm_opendirectory.



 Thanks. I now have the opendirectory module working.

 I am getting the following error now with radtest:

 [opendirectory] The host 127.0.0.1 does not have an access group.
 [opendirectory] no access control groups, all users allowed.
 [opendirectory] Setting Auth-Type = opendirectory
 ++[opendirectory] returns ok
 ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

 I was instructed to remove information under authentication, so not sure how
 to satisfy this error message.

It doesn't hurt to try adding it again :)
I'm pretty sure it needs to be in both:
http://lists.cistron.nl/pipermail/freeradius-users/2011-July/msg00447.html

Your previous error might be because opendirectory module was not
available at that time.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-18 Thread Raymond Norton



It doesn't hurt to try adding it again :)
I'm pretty sure it needs to be in both:
http://lists.cistron.nl/pipermail/freeradius-users/2011-July/msg00447.html


   


Yes, that worked. I am now able to authenticate local users with radtest.

Thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-16 Thread Raymond Norton



   And then list it in the authorize section.




What is the proper syntax for adding the opendirectory module? I am 
getting errors when attempting to start radius:


/usr/local/etc/raddb/sites-enabled/inner-tunnel[195]: Entry is not a reference to a module
/usr/local/etc/raddb/sites-enabled/inner-tunnel[189]: Errors parsing authenticate section.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-16 Thread Johan Meiring

On 2011/08/16 10:39 PM, Raymond Norton wrote:



And then list it in the authorize section.




What is the proper syntax for adding the opendirectory module? I am getting
errors when attempting to start radius:

/usr/local/etc/raddb/sites-enabled/inner-tunnel[195]: Entry is not a reference to a module
/usr/local/etc/raddb/sites-enabled/inner-tunnel[189]: Errors parsing authenticate section.



Read again.

list it in the authorize section
not the authenticate section

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-16 Thread Raymond Norton




Read again.

list it in the authorize section
not the authenticate section



My mistake. I thought the word And meant do both, based on my question.


Removed from authenticate and listed opendirectory under authorize 
of inner tunnel.


I now get the following error:

/usr/local/etc/raddb/modules/opendirectory[11]: Failed to link to module 'rlm_opendirectory': dlopen(rlm_opendirectory.so, 9): image not found
/usr/local/etc/raddb/sites-enabled/default[150]: Failed to load module opendirectory.
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-16 Thread Alan DeKok
Raymond Norton wrote:
 What is the proper syntax for adding the opendirectory module?

$ man unlang

  Or, read the dozens of examples in the configuration file you edited.

 I am
 getting errors when attempting to start radius:
 
 /usr/local/etc/raddb/sites-enabled/inner-tunnel[195]: Entry is not a reference to a module
 /usr/local/etc/raddb/sites-enabled/inner-tunnel[189]: Errors parsing authenticate section.

  OK... you made a change to the file which created that error.  Is it a
secret?  Or did you think we could guess what you did wrong?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-16 Thread Raymond Norton



   OK... you made a change to the file which created that error.  Is it a
secret?  Or did you think we could guess what you did wrong?


   


Johan informed me I misunderstood your original instructions and I was 
not to put anything under Authenticate of the inner-tunnel. I removed 
what I had there. My entry under Authorize is only this:


authorize {
opendirectory
#



And this is the error I now get with radiusd -X:


 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
/usr/local/etc/raddb/modules/opendirectory[11]: Failed to link to module 'rlm_opendirectory': dlopen(rlm_opendirectory.so, 9): image not found
/usr/local/etc/raddb/sites-enabled/inner-tunnel[48]: Failed to load module opendirectory.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[47]: Errors parsing authorize section.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-16 Thread Fajar A. Nugraha
On Wed, Aug 17, 2011 at 7:51 AM, Raymond Norton ad...@lctn.org wrote:
 And this is the error I now get with radiusd -X:


  Module: Checking authenticate {...} for more modules to load
  Module: Checking authorize {...} for more modules to load
 /usr/local/etc/raddb/modules/opendirectory[11]: Failed to link to module 'rlm_opendirectory': dlopen(rlm_opendirectory.so, 9): image not found

Is your freeradius installation built with opendirectory support?

Since it's not marked as stable, it's not built by default. Try
rebuilding it, but this time using

./configure --with-experimental-modules | tee configure.log

... then look at configure.log, see what it says about rlm_opendirectory.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Need help authenticating local users on Apple server

2011-08-15 Thread Raymond Norton
Just installed v 2.1.11 on a mac (OSX 6.3). Freeradius is working with 
clear text passwords and radtest. According to the wiki, I should be 
able to authenticate local user accounts without changing anything in 
the config. That's the way I understood it anyway.  However, I am 
getting Access-Reject errors when using local credentials. What 
documentation specifically addresses authenticating local users?


Raymond
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-15 Thread Alan DeKok
Raymond Norton wrote:
 Just installed v 2.1.11 on a mac (OSX 6.3). Freeradius is working with
 clear text passwords and radtest. According to the wiki, I should be
 able to authenticate local user accounts without changing anything in
 the config.

  No, it doesn't do that any more.

 That's the way I understood it anyway.  However, I am
 getting Access-Reject errors when using local credentials. What
 documentation specifically addresses authenticating local users?

  On Mac OS X Server, configure the opendirectory module.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-15 Thread Raymond Norton



   On Mac OS X Server, configure the opendirectory module.


   


Do you mean just enable the module? The module itself says:

#  This module is only used when the server is running on the same
#  system as OpenDirectory.  The configuration of the module is hard-coded
#  by Apple, and cannot be changed here.
#
#  There are no configuration entries for this module.
#
opendirectory {

}

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help authenticating local users on Apple server

2011-08-15 Thread Alan DeKok
Raymond Norton wrote:
 Do you mean just enable the module? The module itself says:

  And then list it in the authorize section.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: I need help and some advice !!!

2011-04-06 Thread Alan DeKok
Phil Mayers wrote:
 We maintain a dedicated radius server, with (outbound) eduroam and all
 our standard configs & monitoring probes for just this purpose.
 
 Which git branch/revision/tag should I pull?

  The v2.1.x branch should be it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: I need help and some advice !!!

2011-04-06 Thread Alan Buxey
Hi,

 We should release 2.1.11 some time soon.  Anyone interested in testing
  the beta version?
 
 We maintain a dedicated radius server, with (outbound) eduroam and all 
 our standard configs & monitoring probes for just this purpose.

likewise - we have a server with 2.1.11 GIT (well, when it compiles and runs -
otherwise it'd be running the previous release from before the GIT pull version broke ;-) )

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: I need help and some advice !!!

2011-04-05 Thread striderblue
It still didn't work.
When I separate the commands in clients.conf:

client localhost {
ipaddr = 127.0.0.1
secret = testing
}

client localhost {
ipv6addr = ::1
secret = testing123
}

result : 
radclient: Failed to find ip address for host ::1: success

So I'm really confused now. What have I done wrong, and am I missing some config?
Please. HELP ME


thank you so much..


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: I need help and some advice !!!

2011-04-05 Thread Stefan Winter
Hi,

 It still didn't work.
 When I separate the commands in clients.conf:

 client localhost {
 ipaddr = 127.0.0.1
 secret = testing
 }

 client localhost {
 ipv6addr = ::1
 secret = testing123
 }

 result : 
 radclient: Failed to find ip address for host ::1: success

Give the two clients different names, otherwise, the server may well get
confused. How about:

client localhost-v4 {
ipaddr = 127.0.0.1
secret = testing
}

client localhost-v6 {
ipv6addr = ::1
secret = testing123
}


?

Stefan

 So I'm really confused now. What have I done wrong, and am I missing some config?
 Please. HELP ME


 thank you so much..




-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: I need help and some advice !!!

2011-04-05 Thread Fajar A. Nugraha
On Tue, Apr 5, 2011 at 3:54 PM, striderblue strider_b...@hotmail.com wrote:
 It still didn't work.
 When I separate the commands in clients.conf:

 client localhost {
        ipaddr = 127.0.0.1
        secret = testing
 }

 client localhost {
        ipv6addr = ::1
        secret = testing123
 }

 result :
 radclient: Failed to find ip address for host ::1: success

 So I'm really confused now. What have I done wrong, and am I missing some config?
 Please. HELP ME

(1) There's an example in clients.conf to specify an IPv6 address; use that.
(2) radclient can use IPv6 with the -6 option (see radclient -h).
AFAIK no such functionality is available for radtest (yet). So you
might need to use radclient directly.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: I need help and some advice !!!

2011-04-05 Thread John Dennis

On 04/05/2011 07:24 AM, Fajar A. Nugraha wrote:

(1) There's an example in clients.conf to specify an IPv6 address; use that.
(2) radclient can use IPv6 with the -6 option (see radclient -h).
AFAIK no such functionality is available for radtest (yet). So you
might need to use radclient directly.


Attached is a patch we created for radtest to support IPv6 and is in our 
current packages. I'm pretty sure we've already sent this to Alan.


--
John Dennis jden...@redhat.com

--- freeradius-server-2.1.10/src/main/radtest.in.orig	2011-02-14 16:19:05.0 -0500
+++ freeradius-server-2.1.10/src/main/radtest.in	2011-02-14 16:24:18.0 -0500
@@ -16,6 +16,8 @@
 	echo -t type   Set authentication method 2
 	echo type can be pap, chap, mschap, or eap-md5 2
 	echo -x  Enable debug output 2
+	echo -4  Use IPv4 address family for the NAS (default) 2
+	echo -6  Use IPv6 address family for the NAS 2
 	exit 1
 }
 
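Review bot: The new usage lines describe -4/-6 only as selecting the address family for the NAS, but the same flag also changes which attribute radtest emits (NAS-IP-Address versus NAS-IPv6-Address, in the last hunk); the help text should say so, since a reader of `radtest -h` would otherwise not expect the attribute name to change.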
@@ -30,6 +32,7 @@
 
 OPTIONS=
 PASSWORD=User-Password
+family=IPv4
 
 #  We need at LEAST these many options
 if [ $# -lt 5 ]
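Review bot: `family=IPv4` is the only lower-case global among the script's settings (`OPTIONS` and `PASSWORD` directly above it are upper-case); consider `FAMILY` for consistency, and a short comment that this is the default overridden by -4/-6 would help the next reader.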
@@ -41,6 +44,14 @@
 while [ `echo $1 | cut -c 1` = - ]
 do
case $1 in
+	-4) 
+		family=IPv4
+		shift
+		;;
+	-6) 
+		family=IPv6
+		shift
+		;;
 	-d) 
 		OPTIONS=$OPTIONS -d $2
 		shift;shift
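Review bot: `-4` and `-6` silently override each other, so `radtest -6 -4 ...` quietly ends up IPv4 with no diagnostic; if both are given it would be clearer to print an error and call `usage`, the way unknown options are handled, rather than accept the combination.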
@@ -97,10 +108,25 @@
 	nas=`hostname`
 fi
 
+# Set the address family
+case $family in
+	IPv4)
+		OPTIONS=$OPTIONS -4
+		NAS_ADDR_ATTR=NAS-IP-Address
+		;;
+	IPv6)
+		OPTIONS=$OPTIONS -6
+		NAS_ADDR_ATTR=NAS-IPv6-Address
+		;;
+	*)
+		echo ERROR: unknown address family ($family) 2
+		usage
+esac
+
 (
 	echo User-Name = \$1\
 	echo $PASSWORD = \$2\
-	echo NAS-IP-Address = $nas
+	echo $NAS_ADDR_ATTR = $nas
 	echo NAS-Port = $4
 	if [ $radclient = $radeapclient ]
 	then
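Review bot: The `*)` arm of the new `case $family` is unreachable, since the option parser only ever sets `family` to IPv4 or IPv6, and unlike the other arms it has no terminating `;;` (legal for the last arm, but inconsistent with the block above). More importantly, `nas` still defaults to `hostname` in the context line above, so with `-6` a bare hostname is written into `NAS-IPv6-Address`; whether that is accepted depends on the hostname resolving to an IPv6 address, which is worth stating in the usage text or guarding with a check.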
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: I need help and some advice !!!

2011-04-05 Thread Alan DeKok
John Dennis wrote:
 On 04/05/2011 07:24 AM, Fajar A. Nugraha wrote:
 (1) There's an example in clients.conf to specify an IPv6 address; use
 that.
 (2) radclient can use IPv6 with the -6 option (see radclient -h).
 AFAIK no such functionality is available for radtest (yet). So you
 might need to use radclient directly.
 
 Attached is a patch we created for radtest to support IPv6 and is in our
 current packages. I'm pretty sure we've already sent this to Alan.

  OK.  I've added it with some minor tweaks.

  We should release 2.1.11 some time soon.  Anyone interested in testing
the beta version?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: I need help and some advice !!!

2011-04-05 Thread Phil Mayers

On 04/05/2011 09:21 PM, Alan DeKok wrote:

John Dennis wrote:

On 04/05/2011 07:24 AM, Fajar A. Nugraha wrote:

(1) There's an example in clients.conf to specify an IPv6 address; use
that.
(2) radclient can use IPv6 with the -6 option (see radclient -h).
AFAIK no such functionality is available for radtest (yet). So you
might need to use radclient directly.


Attached is a patch we created for radtest to support IPv6 and is in our
current packages. I'm pretty sure we've already sent this to Alan.


   OK.  I've added it with some minor tweaks.

   We should release 2.1.11 some time soon.  Anyone interested in testing
the beta version?


We maintain a dedicated radius server, with (outbound) eduroam and all 
our standard configs & monitoring probes for just this purpose.


Which git branch/revision/tag should I pull?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


I need help

2011-03-29 Thread Ossy Tony
Hi, I'm Tony. I'm running FreeRADIUS version 2.1.10. Each time I try to
launch the radiusd daemon, it does not complete successfully and gives an
error message "Failed binding to
/var/run/radiusd/radiusd.sock: No such file or directory".
Please, I need help on how to take care of this issue. Below is the radiusd
daemon launch debug output:
ossytony@ubuntu:/$ cd /etc//raddb/
ossytony@ubuntu:/etc/raddb$ sudo radiusd -X
[sudo] password for ossytony:
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 27 2011
at 23:34:45
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/local/lib
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding

Re: I need help

2011-03-29 Thread Alan DeKok
Ossy Tony wrote:
 Hi, I'm Tony. I'm running FreeRADIUS version 2.1.10. Each time I try to
 launch the radiusd daemon, it does not complete successfully and gives
 an error message "Failed binding to
 /var/run/radiusd/radiusd.sock: No such file or directory".

  Does the directory exist?  If not, create it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: I need help

2011-03-29 Thread Phil Mayers

On 29/03/11 11:55, Ossy Tony wrote:

Hi, I'm Tony. I'm running FreeRADIUS version 2.1.10. Each time i try to
launch the radiusd daemon, it does not complete successfully and gives
an error message Failed binding to /var/run/radiusd/radiusd.sock: No
such file or directory


Two choices:

 1. Find out why it can't bind this socket; probably because 
/var/run/radiusd does not exist, in which case:


mkdir /var/run/radiusd

 2. Disable the control-socket virtual server:

rm /etc/raddb/sites-enabled/control-socket
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: I need help and some advice !!!

2011-03-21 Thread Phil Mayers

On 21/03/11 01:47, striderblue wrote:

About IPv6 on FreeRADIUS v.2.1.test9 for Ubuntu: so this version supports
IPv6, right?
But I try to test locally with IPv6 ::1
and it responds like this:

http://freeradius.1045715.n5.nabble.com/file/n4167834/0bcb3b1056e7d9151be5fb8fe6eeb4d3b7f0fc69555e1217fa97d8be993973676g.jpg

radclient: Failed to find ip address for host ::1: success  but radtest ipv4
worked!!!
--
at clients.conf
I config :
client localhost {
 ipaddr = 127.0.0.1
 ipv6addr = ::
 secret = testing
   }


This is wrong; you can have *either* ipaddr *or* ipv6addr, as per the 
comments in the examples:


ipaddr = 127.0.0.1

#  OR, you can use an IPv6 address, but not both
#  at the same time.
#   ipv6addr = ::   # any.  ::1 == localhost

You will need:

client localhost_v4 {
  ipaddr = 127.0.0.1
  ...
}
client localhost_v6 {
  ipv6addr = ::1
  ...
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
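Both clients.conf mistakes in this thread (Phil Mayers' point that a block may carry either `ipaddr` or `ipv6addr` but not both, and Stefan Winter's that the two blocks need different names) can be caught before restarting the server. As an added example, not from the original posts or the FreeRADIUS project, here is a small Python lint for the `client NAME { ... }` block syntax, run against constructed copies of the configurations posted above:

```python
"""Lint FreeRADIUS 2.x clients.conf for the two mistakes seen in this thread."""
import re
from typing import Dict, List

# Constructed samples (not from any real deployment): the configuration posted
# in the thread with ipaddr and ipv6addr in one block, the follow-up with two
# blocks both named "localhost", and the fixed version Stefan suggested.
SAMPLE_BOTH_FAMILIES = """
client localhost {
    ipaddr = 127.0.0.1
    ipv6addr = ::
    secret = testing
}
"""

SAMPLE_DUPLICATE_NAMES = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing
}

client localhost {
    ipv6addr = ::1
    secret = testing123
}
"""

SAMPLE_FIXED = """
client localhost-v4 {
    ipaddr = 127.0.0.1
    secret = testing
}

client localhost-v6 {
    ipv6addr = ::1
    secret = testing123
}
"""

_CLIENT_OPEN = re.compile(r"^\s*client\s+(\S+)\s*\{\s*$")
_ASSIGN = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_clients(text: str) -> List[Dict[str, str]]:
    """Return one dict per `client NAME { ... }` block; the name is under "_name".

    `#` comments are stripped (a `#` inside a quoted value is not handled).
    Nested sub-sections inside a client block are skipped by tracking depth.
    """
    clients: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0:
            m = _CLIENT_OPEN.match(line)
            if m:
                current = {"_name": m.group(1)}
                depth = 1
            continue
        if line.endswith("{"):        # e.g. a `limit { ... }` sub-section
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                clients.append(current)
        elif depth == 1:
            m = _ASSIGN.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip('"')
    return clients


def lint_clients(text: str) -> List[str]:
    """Return findings for the thread's two mistakes plus a missing secret."""
    findings: List[str] = []
    seen = set()
    for c in parse_clients(text):
        name = c["_name"]
        if name in seen:
            findings.append(f"duplicate client name '{name}'")
        seen.add(name)
        if "ipaddr" in c and "ipv6addr" in c:
            findings.append(f"client '{name}': ipaddr and ipv6addr in the same block")
        if "secret" not in c:
            findings.append(f"client '{name}': no shared secret")
    return findings


if __name__ == "__main__":
    for label, sample in [("both families", SAMPLE_BOTH_FAMILIES),
                          ("duplicate names", SAMPLE_DUPLICATE_NAMES),
                          ("fixed", SAMPLE_FIXED)]:
        print(label, "->", lint_clients(sample) or ["ok"])
```

A block named after its address with no `ipaddr` line (such as `client ::1 { ... }`) is deliberately not flagged, since 2.x accepts the block name as the address.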


I need help and some advice !!!

2011-03-20 Thread striderblue
About IPv6 on FreeRADIUS v.2.1.test9 for Ubuntu: so this version supports
IPv6, right?
But I try to test locally with IPv6 ::1
and it responds like this:

http://freeradius.1045715.n5.nabble.com/file/n4167834/0bcb3b1056e7d9151be5fb8fe6eeb4d3b7f0fc69555e1217fa97d8be993973676g.jpg
 

radclient: Failed to find ip address for host ::1: success  but radtest ipv4
worked!!! 
-- 
at clients.conf 
I config : 
client localhost {
ipaddr = 127.0.0.1
ipv6addr = ::
secret = testing
}
client ::1 {
secret = testing123
shortname = localhost
}
--
at radiusd.conf
I config :
listen {
type = auth
ipaddr = *
ipv6addr = ::
port = 0
}

listen {
ipaddr = *
ipv6addr = ::
port = 0
type = acct
}
-- 

So where did I miss something or configure it wrong?
Please help.


thank you very much. 
golf 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Need help on FreeRadius+OTP+OpenLDAP integration

2011-03-14 Thread pradyumna dash
Hi,

I need documentation on how to implement FreeRadius+OTP+OpenLDAP. I
have installed and configured FreeRadius+OpenLDAP before but never
used OTP, and I would also like to know how OTP will be configured with
SASL and how SASL auth stores OTP parameters.

Another problem I am facing is: first there is an authentication with
freeradius, but the next thing that is triggered in pam.d/ssh is the
account section for authorization, and here OpenLDAP requires the
password a second time.  So a user needs to log in twice because
of this.  How do I solve this issue?

Please help me out to solve this issue.

/Neo

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Need help on FreeRadius+OTP+OpenLDAP integration

2011-03-14 Thread pradyumna dash
Hi,

I need documentation on how to implement FreeRadius+OTP+OpenLDAP. I
have installed and configured FreeRadius+OpenLDAP before but never
used OTP, and I would also like to know how OTP will be configured with
SASL and how SASL auth stores OTP parameters.

Another problem I am facing is: first there is an authentication with
freeradius, but the next thing that is triggered in pam.d/ssh is the
account section for authorization, and here OpenLDAP requires the
password a second time.  So a user needs to log in twice because
of this.  How do I solve this issue?

Please help me out to solve this issue.

Regards,
Pradyumna

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help on FreeRadius+OTP+OpenLDAP integration

2011-03-14 Thread Nicolas Goutte


Am 14.03.2011 um 17:40 schrieb pradyumna dash:


Hi,


We are receiving your emails. See also 
http://lists.freeradius.org/pipermail/freeradius-users/2011-March/date.html

(Please avoid re-sending your questions minutes after sending them the  
first time.)






I need documentation on how to implement FreeRadius+OTP+OpenLDAP. I
have installed and configured FreeRadius+OpenLDAP before but never
used OTP, and I would also like to know how OTP will be configured with
SASL and how SASL auth stores OTP parameters.

Another problem I am facing is: first there is an authentication with
freeradius, but the next thing that is triggered in pam.d/ssh is the
account section for authorization, and here OpenLDAP requires the
password a second time.  So a user needs to log in twice because
of this.  How do I solve this issue?

Please help me out to solve this issue.

Regards,
Pradyumna

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Geschäftsführer: Lars Busch
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help Configuring Radius and Ldap

2010-12-07 Thread James Winter



Oh dear. A lot of the online info is out-of-date or plain wrong.

If you've made a lot of changes, and you're not sure exactly what  
you've changed and why, my advice would be to start again from  
scratch. Restore the default configs, and use the following system:


1. Check the config into version control
2. Make ONE and ONLY ONE change
3. Test it
4. Goto step 1

One of the new DVCSes like git/bzr/hg are ideal for this.

The *first* change you want to make is adding a user to the users  
file


username	Cleartext-Password := "password"

Check that what you want to do works with that user. Then you can  
move onto LDAP. Keeping a dump of the debug output at each step can  
be handy too - then you can compare them.


Hope this helps.


Phil, Thank you very much the advice worked like a charm, and now I  
have everything up and running again...


- james

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help Configuring Radius and Ldap

2010-12-06 Thread James Winter



...there was no userPassword (or it wasn't readable)


I think I have a problem with Ldap reading the password correctly. If  
I have read correctly, it needs a clear text password


Secondly, the debug output you posted returns an Access-Accept  
because, although the LDAP module was unable to see a userPassword  
attribute on the LDAP entry, a later module sets the Auth-Type to  
ntlm_auth and your server then obeys that.


I shall comment this line out, and try it out today



This is all a non-standard config, so *someone* has configured the  
server - was it you?


I have been working on configuring the server for a little bit now. I  
tried following several different online manuals before I consulted  
the group.






The remote device also told me that the authentication was invalid. I


Well, FreeRadius sent an Access-Accept. What is the remote device?  
If you hadn't trimmed the debugging output I might be able to  
suggest more.


The radius server would tell me Access-Accept, but then my remote  
device would not let me log in. The current remote device is an HP
ProCurve 5412.





was able to successfully authenticate on this device by using the
local users file(on the radius server).


So compare the reply in that case with the reply in this case, and  
configure the radius server to send the same attributes.


Will try this today, thank you very much for the informative advice.

- james
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help Configuring Radius and Ldap

2010-12-06 Thread Phil Mayers

On 12/06/2010 02:06 PM, James Winter wrote:


I think I have a problem with Ldap reading the password correctly. If
I have read correctly, it needs a clear text password


If you want FreeRadius to extract information from LDAP, then the LDAP 
bindDN that FreeRadius uses must have the permission to read this 
information (and of course, the information must exist in LDAP)


Whether you need a plaintext password depends on what authentication 
protocols you want to use. See:


http://deployingradius.com/documents/protocols/compatibility.html




Secondly, the debug output you posted returns an Access-Accept
because, although the LDAP module was unable to see a userPassword
attribute on the LDAP entry, a later module sets the Auth-Type to
ntlm_auth and your server then obeys that.


I shall comment this line out, and try it out today


See below





This is all a non-standard config, so *someone* has configured the
server - was it you?


I have been working on configuring the server for a little bit now. I
tried following several different online manuals before I consulted
the group.


Oh dear. A lot of the online info is out-of-date or plain wrong.

If you've made a lot of changes, and you're not sure exactly what you've 
changed and why, my advice would be to start again from scratch. Restore 
the default configs, and use the following system:


 1. Check the config into version control
 2. Make ONE and ONLY ONE change
 3. Test it
 4. Goto step 1

One of the new DVCSes like git/bzr/hg are ideal for this.

The *first* change you want to make is adding a user to the users file

username	Cleartext-Password := "password"

Check that what you want to do works with that user. Then you can move 
onto LDAP. Keeping a dump of the debug output at each step can be handy 
too - then you can compare them.


Hope this helps.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help Configuring Radius and Ldap

2010-12-05 Thread Phil Mayers

On 12/03/2010 08:43 PM, James Winter wrote:

On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:

You haven't said what your problem is


Sorry! My server tells me that LDAP did not find a correct match,
but then returns true.


No. It says it found a match, but that:



[ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with
filter (samaccountname=jwn6657)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure
that the user is configured correctly?


...there was no userPassword (or it wasn't readable)


[ldap] user jwn6657 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

It also then continues to search through other forms of
authentication, and then it seems to return false to the remote device
if any of these are false.


Firstly, radius and the modules don't return false. The modules return 
one of a number of error codes (e.g. ok, above) and the server returns 
either an Access-Accept or Access-Reject.


Secondly, the debug output you posted returns an Access-Accept 
because, although the LDAP module was unable to see a userPassword 
attribute on the LDAP entry, a later module sets the Auth-Type to 
ntlm_auth and your server then obeys that.


This is all a non-standard config, so *someone* has configured the 
server - was it you?





The remote device also told me that the authentication was invalid. I


Well, FreeRadius sent an Access-Accept. What is the remote device? If 
you hadn't trimmed the debugging output I might be able to suggest more.



was able to successfully authenticate on this device by using the
local users file(on the radius server).


So compare the reply in that case with the reply in this case, and 
configure the radius server to send the same attributes.






The radius server is authenticating the user successfully:


Sending Access-Accept of id 186 to 131.93.254.2 port 4844
Finished request 3.
Going to the next request



Like I said - FreeRadius is sending an Access-Accept.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help Configuring Radius and Ldap

2010-12-05 Thread Josip Rodin
On Sat, Dec 04, 2010 at 03:42:33PM -0600, James Winter wrote:
 The above log doesn't look like authentication; rather it's
 authorization. If you want your LDAP module instance to authenticate,
 too, call it from the 'authenticate' section?

 I do include ldap in my authenticate section of sites-enabled/default,  
 do i need to include any other lines in this area?

Ah. Then Phil's hint is correct - the log said 'Found Auth-Type = ntlm_auth'
so the LDAP module deferred to that other configured authentication mechanism.

Do you actually want/need ntlm_auth? If you don't, remove it?

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
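The replies in this thread come down to reading the debug output in the right order: which section each module ran in, whether a "known good" password was ever found, what forced the Auth-Type, and what the server finally sent. What follows is an added example, not code from this thread or from FreeRADIUS: a Python script that parses radiusd -X output in the 2.x format shown here and prints that triage. The embedded sample is a trimmed, constructed copy of the debug output posted in this thread; the parser matches only the line formats visible in that output, so other server versions may need the regular expressions adjusted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the radiusd -X output posted in this
# thread. Only lines the parser cares about are kept.
SAMPLE_DEBUG = """\
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[files] users: Matched entry DEFAULT at line 58
++[files] returns ok
[ldap] performing user authorization for jwn6657
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user jwn6657 authorized to use remote access
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group ntlm_auth {...}
Exec-Program output: NT_STATUS_OK: Success (0x0)
++[ntlm_auth] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 186 to 131.93.254.2 port 4844
Finished request 3.
"""

SECTION_RE = re.compile(r"^# Executing (?:section (\S+)|group) from file")
RESULT_RE = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")
USERS_RE = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)")
AUTHTYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")
NOPASS_RE = re.compile(r"No .?known good.? password")   # quotes may be stripped
REPLY_RE = re.compile(r"^Sending (Access-\w+) of id \d+ to (\S+) port \d+")


@dataclass
class RequestReport:
    sections: Dict[str, Dict[str, str]] = field(default_factory=dict)  # section -> module -> rc
    matched_entries: List[Tuple[str, int]] = field(default_factory=list)
    auth_type: Optional[str] = None
    known_good_password: bool = True
    reply: Optional[str] = None
    nas: Optional[str] = None


def parse_debug(text: str) -> RequestReport:
    """Recover what one request did from radiusd -X output."""
    rep = RequestReport()
    section = "unknown"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # "Executing group" with no section name is the Auth-Type sub-section
            # inside authenticate, i.e. authenticate { ntlm_auth { ... } }.
            section = m.group(1) or "authenticate"
            continue
        m = RESULT_RE.match(line)
        if m:
            rep.sections.setdefault(section, {})[m.group(1)] = m.group(2)
            continue
        m = USERS_RE.match(line)
        if m:
            rep.matched_entries.append((m.group(1), int(m.group(2))))
            continue
        m = AUTHTYPE_RE.match(line)
        if m:
            rep.auth_type = m.group(1)
            continue
        if NOPASS_RE.search(line):
            rep.known_good_password = False
            continue
        m = REPLY_RE.match(line)
        if m:
            rep.reply, rep.nas = m.group(1), m.group(2)
    return rep


def diagnose(rep: RequestReport) -> List[str]:
    """Explain who decided the request, in the terms used by the replies above."""
    findings: List[str] = []
    authorize = rep.sections.get("authorize", {})
    authenticate = rep.sections.get("authenticate", {})
    if "ldap" in authorize and "ldap" not in authenticate:
        findings.append(f"ldap ran only in authorize (returned '{authorize['ldap']}'): "
                        "it looked the user up but never checked a password")
    if not rep.known_good_password:
        findings.append("no known-good password was read from the backend: the bind DN "
                        "cannot read userPassword, or the attribute is absent")
    if rep.auth_type:
        hint = ""
        if rep.matched_entries:
            hint = "; the users file matched " + ", ".join(
                f"{e} at line {n}" for e, n in rep.matched_entries) + ", check that entry first"
        findings.append(f"Auth-Type was forced to {rep.auth_type}, so {rep.auth_type} "
                        f"decided this request, not ldap{hint}")
    if rep.reply:
        findings.append(f"server sent {rep.reply} to {rep.nas}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_debug(SAMPLE_DEBUG)):
        print("-", finding)
```

On the sample it reports exactly the chain the replies describe: ldap only authorized, no known-good password, Auth-Type forced to ntlm_auth after the users file matched DEFAULT at line 58, and an Access-Accept sent anyway.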


Re: Need help Configuring Radius and Ldap

2010-12-04 Thread James Winter




The above log doesn't look like authentication; rather it's  
authorization.
If you want your LDAP module instance to authenticate, too, call it  
from

the 'authenticate' section?



I do include ldap in my authenticate section of sites-enabled/default,  
do i need to include any other lines in this area?


- james
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Need help Configuring Radius and Ldap

2010-12-03 Thread James Winter
My apologies before hand if this is an easy fix, but I have been  
working on configuring a radius server on and off now for a few weeks.  
As a note, I have Radius 2.1.10 installed and I am trying to  
authenticate using Ldap as the user database. I have little to no  
experience in both Radius and Ldap, but I have been reading up and  
looking for documents that explain the process well. The majority of  
documents that I did find were on an older version of radius, or were  
not pertinent to my situation. The following is a copy of my screen  
when I try authenticating a remote device to the radius server, please  
let me know if this helps (or if you would like more information on my  
config)



Thanks in advance,

- James

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[files] users: Matched entry DEFAULT at line 58
++[files] returns ok
[ldap] performing user authorization for jwn6657
[ldap] 	expand: (samaccountname=%{User-Name}) -  
(samaccountname=jwn6657)
[ldap] 	expand: cn=Users,dc=ds,dc=saintjoe,dc=edu -  
cn=Users,dc=ds,dc=saintjoe,dc=edu

 [ldap] ldap_get_conn: Checking Id: 0
 [ldap] ldap_get_conn: Got Id: 0
 [ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with  
filter (samaccountname=jwn6657)

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure  
that the user is configured correctly?

[ldap] user jwn6657 authorized to use remote access
 [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.   
Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group ntlm_auth {...}
[2010/12/03 10:14:58.799575,  1] param/loadparm.c:6494(map_parameter)
 Unknown parameter encountered: idmap domains
[2010/12/03 10:14:58.799645,  0] param/loadparm.c:7588(lp_do_parameter)
 Ignoring unknown parameter idmap domains
[2010/12/03 10:14:58.799870,  1] param/loadparm.c:6494(map_parameter)
 Unknown parameter encountered: master browser
[2010/12/03 10:14:58.799883,  0] param/loadparm.c:7588(lp_do_parameter)
 Ignoring unknown parameter master browser
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 186 to 131.93.254.2 port 4844
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 186 with timestamp +452
Ready to process requests.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help Configuring Radius and Ldap

2010-12-03 Thread Phil Mayers

On 03/12/10 16:39, James Winter wrote:

My apologies before hand if this is an easy fix, but I have been
working on configuring a radius server on and off now for a few weeks.
As a note, I have Radius 2.1.10 installed and I am trying to
authenticate using Ldap as the user database. I have little to no
experience in both Radius and Ldap, but I have been reading up and
looking for documents that explain the process well. The majority of
documents that I did find were on an older version of radius, or were
not pertinent to my situation. The following is a copy of my screen
when I try authenticating a remote device to the radius server, please
let me know if this helps (or if you would like more information on my
config)


You haven't said what your problem is!

The radius server is authenticating the user successfully:


Sending Access-Accept of id 186 to 131.93.254.2 port 4844
Finished request 3.
Going to the next request


...so what's the problem?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help Configuring Radius and Ldap

2010-12-03 Thread James Winter

On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:

You haven't said what your problem is


Sorry! My server tells me that LDAP did not find a correct match,  
but then returns true.


[ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with  
filter (samaccountname=jwn6657)

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure  
that the user is configured correctly?

[ldap] user jwn6657 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

It also then continues to search through other forms of  
authentication, and then it seems to return false to the remote device  
if any of these are false.


The remote device also told me that the authentication was invalid. I  
was able to successfully authenticate on this device by using the  
local users file(on the radius server).




The radius server is authenticating the user successfully:


Sending Access-Accept of id 186 to 131.93.254.2 port 4844
Finished request 3.
Going to the next request


...so what's the problem?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help Configuring Radius and Ldap

2010-12-03 Thread Josip Rodin
On Fri, Dec 03, 2010 at 02:43:50PM -0600, James Winter wrote:
 On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:
 You haven't said what your problem is

 Sorry! My server tells me that LDAP did not find a correct match,  
 but then returns true.

 [ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with  
 filter (samaccountname=jwn6657)
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that 
 the user is configured correctly?
 [ldap] user jwn6657 authorized to use remote access
 [ldap] ldap_release_conn: Release Id: 0
 ++[ldap] returns ok

 It also then continues to search through other forms of authentication, 
 and then it seems to return false to the remote device if any of these 
 are false.

The above log doesn't look like authentication; rather it's authorization.
If you want your LDAP module instance to authenticate, too, call it from
the 'authenticate' section?

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Klaus Laus
I tried to log in from another client, but it's the same problem.

TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.

Sorry that I ask again, but I want to be sure that I didn't misunderstand 
anything.
Is it not generally possible to configure the freeradius server so that only 
clients with username/password and a client certificate can log in successfully?
For example, only users who choose PEAP with the right username and password 
and who have a client certificate can log in successfully.

Or is the error in reading the client certificate a problem in the 
clients?

Thanks a lot!

 Original message 
 Date: Fri, 17 Sep 2010 11:26:56 -0400
 From: John Dennis jden...@redhat.com
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 CC: Klaus Laus superkla...@gmx.de
 Subject: Re: need help - force EAP-TTLS to validate the server certificate

 On 09/17/2010 11:00 AM, Klaus Laus wrote:
 
  thanks a lot for your answer.
  Either move the files module before eap, or use unlang to set it:
 
  authorize {
  ...
  update control {
EAP-TLS-Require-Client-Cert = yes
  }
  eap
  ...
  }
  I did the changes in the authorize section, and freeradius seems to
 require the client certificate. But the server does not accept my certificate. I
 don't think that the certificate is bad because I can log in from any client with
 the same certificate when I use TLS instead of PEAP.
  This is my way to log in with PEAP on a Windows XP client; maybe I am doing
 something wrong?:
  I import the PKCS#12 certificate from the freeradius server in the
 Windows XP certificate management. When I type certmgr.msc under Run I can 
 see
 that the certificate is successfully imported. Then I scan for the wireless
 networks and connect to wifix, I use PEAP with MSCHAP v.2 and type in
 testuser as user with the correct password.
  Here you can see the debug output (freeradius did not find my
 certificate):
 
 That's right, the server didn't get your cert, it's right in the debug. 
 As Alan said this isn't a server issue, it's a client issue, figure out 
 why your client is not returning a cert.
 
  TLS Alert write:fatal:handshake failure
   TLS_accept:error in SSLv3 read client certificate B
  rlm_eap: SSL error error:140890C7:SSL
 routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  SSL: SSL_read failed in a system call (-1), TLS session fails.
 -- 
 John Dennis jden...@redhat.com
 
 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Alan DeKok
Klaus Laus wrote:
 I tried to log in from another client, but it's the same problem.
 
 TLS Alert write:fatal:handshake failure
 TLS_accept:error in SSLv3 read client certificate B
 rlm_eap: SSL error error:140890C7:SSL
 routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
 SSL: SSL_read failed in a system call (-1), TLS session fails.

  That message should be clear.  The supplicant didn't send a client
certificate.

  Did you create a client certificate?

  If so, did you copy it to the client?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Klaus Laus
The message is clear. Yes, I created a client certificate and imported it into 
the client. 
When I use TLS to connect to the freeradius server I can choose the client 
certificate in the TLS dialog and the client can log in successfully.

When I use PEAP to log in I have to type in my username and password in the PEAP 
dialog from Windows, but I cannot select a client certificate; the certificate 
is imported successfully in the Windows certificate manager.
Should I be able to choose a client certificate in the PEAP dialog, or should it 
work when the certificate is saved in the Windows certificate manager and I 
only have to type in my username and password in the PEAP dialog? 

I want to allow only PEAP logins (or username/password logins) with a client 
certificate. 



 Original message 
 Date: Tue, 21 Sep 2010 09:33:29 +0200
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: need help - force EAP-TTLS to validate the server certificate

 Klaus Laus wrote:
  I tried to log in from another client, but it's the same problem.
  
  TLS Alert write:fatal:handshake failure
  TLS_accept:error in SSLv3 read client certificate B
  rlm_eap: SSL error error:140890C7:SSL
  routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  SSL: SSL_read failed in a system call (-1), TLS session fails.
 
   That message should be clear.  The supplicant didn't send a client
 certificate.
 
   Did you create a client certificate?
 
   If so, did you copy it to the client?
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Alan DeKok
Klaus Laus wrote:
 The message is clear. Yes, I created a client certificate and imported it into 
 the client. 
 When I use TLS to connect to the freeradius server I can choose the client 
 certificate in the TLS dialog and the client can log in successfully.
 
 When I use PEAP to log in I have to type in my username and password in the 
 PEAP dialog from Windows, but I cannot select a client certificate; the 
 certificate is imported successfully in the Windows certificate manager.

  So... the issue is that you haven't configured the client to use the
client certificate.

 Should I be able to choose a client certificate in the PEAP dialog or should 
 it work when the certificate is saved in the windows certificate manager and 
 I only have to type in my username and password in the PEAP dialog? 

  Ask Microsoft how their software works.  It's annoying to have you ask
a question here when you *already* know that you haven't configured the
client certificate for PEAP.

  It means that you *know* it's not sending a client certificate.  You
*know* you haven't configured one on the client.  And you *still* post
the FreeRADIUS debug output, asking us to debug the *server* to see why
the client certificate isn't being used.

  Microsoft has documentation for Windows.  Read it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Danner, Mearl
EAP/PEAP requires a server certificate. You can opt for the M$ supplicant to 
verify it but it does not use a client certificate.

That's why there is no option to pick the client cert when setting up PEAP.

-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 5:17 AM
To: FreeRadius users mailing list
Subject: Re: need help - force EAP-TTLS to validate the server certificate

The message is clear. Yes, I created a client certificate and imported it into 
the client. 
When I use TLS to connect to the freeradius server I can choose the client 
certificate in the TLS dialog and the client can log in successfully.

When I use PEAP to log in I have to type in my username and password in the PEAP 
dialog from Windows, but I cannot select a client certificate; the certificate 
is imported successfully in the Windows certificate manager.
Should I be able to choose a client certificate in the PEAP dialog, or should it 
work when the certificate is saved in the Windows certificate manager and I 
only have to type in my username and password in the PEAP dialog? 

I want to allow only PEAP logins (or username/password logins) with a client 
certificate. 



 Original message 
 Date: Tue, 21 Sep 2010 09:33:29 +0200
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: need help - force EAP-TTLS to validate the server certificate

 Klaus Laus wrote:
  I tried to log in from another client, but it's the same problem.
  
  TLS Alert write:fatal:handshake failure
  TLS_accept:error in SSLv3 read client certificate B
  rlm_eap: SSL error error:140890C7:SSL
  routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  SSL: SSL_read failed in a system call (-1), TLS session fails.
 
   That message should be clear.  The supplicant didn't send a client
 certificate.
 
   Did you create a client certificate?
 
   If so, did you copy it to the client?
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Klaus Laus
I *only* want to know all the time if it's possible to log in on a client with 
user/userpassword and client certificate. I asked you *only* to say *no* or 
*yes* and maybe one sentence more.

I know you're a freeradius expert not a M$ expert, but I thought when you know 
how to set up a server you just know how to configure any clients.
When you don't want to answer me that question it's ok, I can search on M$ 
websites, you're right. But I think if you wanted you could simply answer my 
question.

nevertheless thank you for the great help with the configuration of the server.

Greetings misterklaus



 Original message 
 Date: Tue, 21 Sep 2010 14:21:26 +0200
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: need help - force EAP-TTLS to validate the server certificate

 Klaus Laus wrote:
  The message is clear. Yes, I created a client certificate and imported it
 into the client. 
  When I use TLS to connect to the freeradius server I can choose the
 client certificate in the TLS dialog and the client can log in successfully.
  
  When I use PEAP to log in I have to type in my username and password in
 the PEAP dialog from Windows, but I cannot select a client certificate; the
 certificate is imported successfully in the Windows certificate manager.
 
   So... the issue is that you haven't configured the client to use the
 client certificate.
 
  Should I be able to choose a client certificate in the PEAP dialog or
 should it work when the certificate is saved in the windows certificate
 manager and I only have to type in my username and password in the PEAP 
 dialog? 
 
   Ask Microsoft how their software works.  It's annoying to have you ask
 a question here when you *already* know that you haven't configured the
 client certificate for PEAP.
 
   It means that you *know* it's not sending a client certificate.  You
 *know* you haven't configured one on the client.  And you *still* post
 the FreeRADIUS debug output, asking us to debug the *server* to see why
 the client certificate isn't being used.
 
   Microsoft has documentation for Windows.  Read it.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Alan DeKok
Klaus Laus wrote:
 I *only* want to know all the time if it's possible to log in on a client with 
 user/userpassword and client certificate. I asked you *only* to say *no* or 
 *yes* and maybe one sentence more.
 
 I know you're a freeradius expert not a M$ expert, but I thought when you know 
 how to set up a server you just know how to configure any clients.
 When you don't want to answer me that question it's ok, I can search on M$ 
 websites, you're right. But I think if you wanted you could simply answer my 
 question.

  Honestly, I haven't configured a Windows system for EAP in 3-4 years.

  And my frustration wasn't about asking a Microsoft question.  It's
that you were *hiding* information.  The information you hid from us was
*exactly* the information needed to solve the problem.

  That was not nice.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RE: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Klaus Laus
A lot of thanks for your answer, Mearl Danner. I read the pages of M$ but I 
didn't find any possibility to configure the clients so that the client 
uses a username/password and certificate. Do you know how I can do these 
settings, or if it's generally not possible? Thanks again



 Original message 
 Date: Tue, 21 Sep 2010 08:02:27 -0500
 From: Danner, Mearl jmdan...@samford.edu
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: RE: need help - force EAP-TTLS to validate the server certificate

 EAP/PEAP requires a server certificate. You can opt for the M$ supplicant
 to verify it but it does not use a client certificate.
 
 That's why there is no option to pick the client cert when setting up
 PEAP.
 
 -Original Message-
 From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
 [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org]
 On Behalf Of Klaus Laus
 Sent: Tuesday, September 21, 2010 5:17 AM
 To: FreeRadius users mailing list
 Subject: Re: need help - force EAP-TTLS to validate the server certificate
 
 The message is clear. Yes I created a client certificate and imported it
 into the client. 
 When I use TLS to connect to the freeradius server I can choose the client
 certificate in the TLS dialog and the client can login successfully.
 
 When I use PEAP to login I have to type in my username and password in the
 PEAP dialog from windows but I can not select a client certificate, the
 certificate is imported successfully in the windows certificate manager.
 Should I be able to choose a client certificate in the PEAP dialog or
 should it work when the certificate is saved in the windows certificate 
 manager
 and I only have to type in my username and password in the PEAP dialog? 
 
 I want to allow only PEAP logins (or username/password logins) with client
 certificate. 
 
 
 
  Original-Nachricht 
  Datum: Tue, 21 Sep 2010 09:33:29 +0200
  Von: Alan DeKok al...@deployingradius.com
  An: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
  Betreff: Re: need help - force EAP-TTLS to validate the server
 certificate
 
  Klaus Laus wrote:
   I tried to login from another client, but it´s the same problem.
   
   TLS Alert write:fatal:handshake failure
   TLS_accept:error in SSLv3 read client certificate B
   rlm_eap: SSL error error:140890C7:SSL
   routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
   SSL: SSL_read failed in a system call (-1), TLS session fails.
  
That message should be clear.  The supplicant didn't send a client
  certificate.
  
Did you create a client certificate?
  
If so, did you copy it to the client?
  
Alan DeKok.
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 
 -- 
 GRATIS: Spider-Man 1-3 sowie 300 weitere Videos!
 Jetzt freischalten! http://portal.gmx.net/de/go/maxdome
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


RE: RE: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Danner, Mearl
Not possible with the Microsoft supplicant as far as I know. PEAP encapsulation 
doesn't support client certificates.

Probably what you want is EAP-TTLS which is not supported by Microsoft. You'll 
need a third party supplicant for it.

Might look at this for reference:

http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol



-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On
Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 10:30 AM
To: FreeRadius users mailing list
Subject: Re: RE: need help - force EAP-TTLS to validate the server certificate

Many thanks for your answer Mearl Danner. I read the M$ pages but I didn't
find any possibility to configure the clients so that the client uses a
username/password and a certificate. Do you know how I can do these
settings, or if it's generally not possible? Thanks again

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-17 Thread Klaus Laus
6160301018d0c0001890040dd176c46152fe3c986afa59e242da816936065e55afc075caad17d1a554fa9185954096f6eb07311af328409df210464d11d1280d5cb083a2a09de1eca09bc1f000105004055311a5874c6e2b72f961e668c6b3d2d601b9e6c36fa6315071d69e8c5138a3851327f2de71b320c924b04d10069
EAP-Message = 
0xc65cb7bcb9c577f35991aa38aa19aa4906c601004d1186b953e90603a1826fd3e48b6dc487d3fd5451923e97dd9dc9e5b4e9485940eb47f64c2d54e2a4998f5b0a56766ee64ce2cc9f677a1e0dec6fa0b990bc6717f48981b2ec4e3b35ef56c29763c5505c9fc1014c31923a439e20a16b49f9812bab931d0eb5f862dd274124d3e067d63fe9303a61a7e37d51d18ed0521b6dbd12184e46ca95f30cefd9f94e29bf2cd28babb6a56f03a111ecfea8eb7b6ebf8ffc55871f3ad45fb5edd5a1cc0c12b9b4223489574cb45f4268662fa805844acf1b080b88760edfa6f1198814ab12a2e87262245ed54b9a634f14743e83aa4edb1219fec8815e9a01ca
EAP-Message = 
0xf5699d21162364c1ebc9a42d907af3559344c46a17418316030100880d80050304010240007800763074310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267311c301a060355040a13135361757465722d43756d756c757320476d6248311730150603550403130e4d6172636f204b616c6d626163680e00
Message-Authenticator = 0x
State = 0x3f25f9043b23e0753b744dff47904da8
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.65.100.50 port 32791, id=9, 
length=310
User-Name = testuser
NAS-IP-Address = 10.65.100.50
NAS-Identifier = other
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 0022FB1D434E
Called-Station-Id = 001B2F249FE0
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 
0x0206009c1980009216030100070b0300160301004610420040d2f3945de07408d38befe9ee2604880eeff1ed35718731b387080e2941942cbb8fe43238881d111b1a36a020e5c21a5739c9d0a66c3c955cc84baeb3138f2b0914030100010116030100308cf41a7573c4ad40a8161b748b11fa3a9888e0fa13c3d2f41cc6a7703902fa736455ce112c2951d5fe166af5041d8294
State = 0x3f25f9043b23e0753b744dff47904da8
Aruba-Essid-Name = wifix
Aruba-Location-Id = 1.1.1
Message-Authenticator = 0x0aa542dcaac69b04c228e15d97addc5a
+- entering group authorize {...}
++[control] returns notfound
[eap] EAP packet type response id 6 length 156
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 146
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]  TLS 1.0 Handshake [length 0007], Certificate  
[peap]  TLS 1.0 Alert [length 0002], fatal handshake_failure  
TLS Alert write:fatal:handshake failure 
TLS_accept:error in SSLv3 read client certificate B 
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer 
did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4 
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 9 to 10.65.100.50 port 32791
EAP-Message = 0x04060004
Message-Authenticator = 0x
Waking up in 3.7 seconds.
Cleaning up request 0 ID 4 with timestamp +16
Cleaning up request 1 ID 5 with timestamp +16
Waking up in 0.2 seconds.
Cleaning up request 2 ID 6 with timestamp +16
Cleaning up request 3 ID 7 with timestamp +16
Cleaning up request 4 ID 8 with timestamp +16
Waking up in 1.0 seconds.
Cleaning up request 5 ID 9 with timestamp +16
Ready to process requests.




> -------- Original Message --------
> Date: Thu, 16 Sep 2010 15:35:54 +0100
> From: Phil Mayers p.may...@imperial.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> On 16/09/10 14:35, Klaus Laus wrote:
> > ok, this is the debug output:
> >
> > FreeRADIUS Version 2.1.6, for host i686-pc-linux-gnu, built on Oct 27
> > 2009 at 17:05:49
> > Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> > There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> > PARTICULAR PURPOSE.
> > You may redistribute copies of FreeRADIUS under the terms of the
> > GNU General Public License v2.
> > Starting - reading configuration files ...
> > including configuration file /etc/raddb/radiusd.conf
> > including configuration file /etc/raddb/proxy.conf
> > including configuration file /etc/raddb/clients.conf
> > including files in directory /etc/raddb/modules/
> > including configuration file /etc/raddb/modules/logintime
> > including configuration file /etc/raddb/modules/passwd
> > including configuration file /etc/raddb

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-17 Thread John Dennis

On 09/17/2010 11:00 AM, Klaus Laus wrote:
> thanks a lot for your answer.
>
> > Either move the files module before eap, or use unlang to set it:
> >
> > authorize {
> > ...
> > update control {
> >   EAP-TLS-Require-Client-Cert = yes
> > }
> > eap
> > ...
> > }
>
> I did the changes in the authorize section, and freeradius seems to require the
> client certificate. But the server does not accept my certificate. I don't think
> that the certificate is bad because I can log in from any client with the same
> certificate when I use TLS instead of PEAP.
> This is my way to login with PEAP on a windows xp client, maybe I am doing
> something wrong?:
> I import the PKCS#12 certificate from the freeradius server into the windows xp
> certificate management. When I type certmgr.msc under run I can see that the
> certificate is successfully imported. Then I scan for the wireless networks and
> connect to wifix; I use PEAP with MSCHAP v.2 and type in testuser as user with
> the correct password.
> Here you can see the debug output (freeradius did not find my certificate):

That's right, the server didn't get your cert, it's right in the debug.
As Alan said this isn't a server issue, it's a client issue, figure out
why your client is not returning a cert.

> TLS Alert write:fatal:handshake failure
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
> did not return a certificate
> SSL: SSL_read failed in a system call (-1), TLS session fails.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Alan DeKok
Klaus Laus wrote:
> Thanks a lot Alan DeKok, do I have any possibility to permit login only for
> persons with username/password and client certificate?
> All authentication methods work fine on my server, but I'll only permit
> login with username/password and client certificate. Which code do I need to set
> in users/eap.conf?
> TLS works fine on my server and the users can log in with the
> client certificate, but I don't want to allow login without username/password,
> and I also don't want to allow logins with username and password but without client
> certificates.

  Put this into the users file:

DEFAULT EAP-TLS-Require-Client-Cert = yes

  This will require client certificates for *all* EAP methods.  If you
want it to be more specific, see man unlang for writing general policies.

  Alan DeKok.

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Klaus Laus
>   Put this into the users file:
>
> DEFAULT   EAP-TLS-Require-Client-Cert = yes

I did this, but the clients can still log in without any client
certificate, for example with PEAP or EAP-TTLS. Here is my users file:

DEFAULT	EAP-TLS-Require-Client-Cert = yes
testuser	Cleartext-Password := xxx
	Reply-Message = "Hello, %{User-Name}"
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP

Here's the eap.conf file

eap {
	default_eap_type = md5
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
	md5 {
	}
	leap {
	}
	gtc {
		auth_type = PAP
	}
	tls {
		certdir = /etc/ssl
		cadir = /etc/ssl
		private_key_password = xx
		private_key_file = ${certdir}/serverkey.pem
		certificate_file = ${certdir}/servercert.pem
		CA_file = ${cadir}/cacert.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		check_crl = no
		CA_path = /etc/ssl
		cipher_list = DEFAULT
		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
		}
	}
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = inner-tunnel
	}
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		proxy_tunneled_request_as_eap = yes
		virtual_server = inner-tunnel
	}
	mschapv2 {
	}
}


Any ideas what is wrong here? Thanks

> -------- Original Message --------
> Date: Thu, 16 Sep 2010 09:54:28 +0200
> From: Alan DeKok al...@deployingradius.com
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> Klaus Laus wrote:
> > Thanks a lot Alan DeKok, do I have any possibility to permit login only
> > persons with username/password and client certificate?
> > All authentications methods works fine on my server, but I'll only
> > permit login with username/password and client certificate. Which code I need
> > to set in users/eap.conf ?
> > TLS works fine on my server and the users can login themselves with the
> > client certificate, but I don't want allow login without
> > username/password, also I don't want allow logins with username and password
> > but without
> > client certificates.
>
>   Put this into the users file:
>
> DEFAULT   EAP-TLS-Require-Client-Cert = yes
>
>   This will require client certificates for *all* EAP methods.  If you
> want it to be more specific, see man unlang for writing general
> policies.
>
>   Alan DeKok.

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Alan DeKok
Klaus Laus wrote:
> I did this, but the clients can still log in without any client
> certificate, for example with PEAP or EAP-TTLS. Here is my users file:

  <sigh>  Is it that hard to show the debug output?

> Here's the eap.conf file

  Neither the documentation nor messages on this list ask for the EAP
configuration.

> Any ideas what is wrong here? Thanks

  If you're not going to post the debug output, we have no idea what's
wrong.

  Alan DeKok.


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Phil Mayers

On 16/09/10 14:35, Klaus Laus wrote:

ok, this is the debug output:

FreeRADIUS Version 2.1.6, for host i686-pc-linux-gnu, built on Oct 27 2009 at 
17:05:49
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
 prefix = /usr
 localstatedir = /var
 logdir = /var/log/radius
 libdir = /usr/lib/freeradius
 radacctdir = /var/log/radius/radacct
 hostname_lookups = no
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 1024
 allow_core_dumps = no
 pidfile = /var/run/radiusd/radiusd.pid
 checkrad = /usr/sbin/checkrad
 debug_level = 0
 proxy_requests = yes
  log {
 stripped_names = no
 auth = no
 auth_badpass = no
 auth_goodpass = no
  }
  security {
 max_attributes = 200
 reject_delay = 1
 status_server = yes
  }
}
radiusd:  Loading Realms and Home Servers 
  proxy server {
 retry_delay = 5
 retry_count = 3
 default_fallback = no
 dead_time = 120
 wake_all_if_all_dead = no
  }
  home_server localhost {
 ipaddr = 127.0.0.1
 port = 1812
 type = auth
 secret = testing123
 response_window = 20
 max_outstanding = 65536
 require_message_authenticator = no
 zombie_period = 40
 status_check = status-server
 ping_interval = 30
 check_interval = 30
 num_answers_to_alive = 3
 num_pings_to_alive = 3
 revive_interval = 120
 status_check_timeout = 4
 irt = 2
 mrt = 16
 mrc = 5
 mrd = 30
  }
  home_server_pool my_auth_failover {
 type = fail-over
 

need help - force EAP-TTLS to validate the server certificate

2010-09-15 Thread Klaus Laus
Hello, I have one question: is it possible to configure my freeradius server so
that only clients with a CA certificate can log in with their
username and password? I want to configure my freeradius server so that the
users can only log in after successful server certificate validation.
At the moment I use EAP-TTLS for authentication, but in the client's options
server certificate validation is optional. I want to use EAP-TTLS and force
the CA certificate on the clients.
Thanks for help! misterklaus

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-15 Thread Alan DeKok
Klaus Laus wrote:
> Hello, I have one question: is it possible to configure my freeradius server
> so that only clients with a CA certificate can log in with their
> username and password? I want to configure my freeradius server so that the
> users can only log in after successful server certificate validation.
> At the moment I use EAP-TTLS for authentication, but in the client's options
> server certificate validation is optional. I want to use EAP-TTLS
> and force the CA certificate on the clients.

  You can't force the client to validate the CA cert.  That is a
configuration which needs to be set on the client.

  Alan DeKok.


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-15 Thread Klaus Laus
Thanks a lot Alan DeKok, do I have any possibility to permit login only for
persons with username/password and client certificate?
All authentication methods work fine on my server, but I'll only permit login
with username/password and client certificate. Which code do I need to set in
users/eap.conf?
TLS works fine on my server and the users can log in with the client
certificate, but I don't want to allow login without username/password, and I
also don't want to allow logins with username and password but without client
certificates.

Best Greetings, misterklaus

> -------- Original Message --------
> Date: Wed, 15 Sep 2010 10:47:52 +0200
> From: Alan DeKok al...@deployingradius.com
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> Klaus Laus wrote:
> > Hello, I have one question: is it possible to configure my freeradius
> > server so that only clients with a CA certificate can log in with
> > their username and password? I want to configure my freeradius server so
> > that the users can only log in after successful server certificate
> > validation.
> > At the moment I use EAP-TTLS for authentication, but in the client's
> > options server certificate validation is optional. I want to use EAP-TTLS
> > and force the CA certificate on the clients.
>
>   You can't force the client to validate the CA cert.  That is a
> configuration which needs to be set on the client.
>
>   Alan DeKok.

newbie need help!

2010-08-30 Thread gahn
Hi gurus:

i followed the advice to use radiusd -X and here is what i got:

rad_recv: Access-Request packet from host 192.168.255.138 port 65267, id=176, 
length=53
User-Name = glu
User-Password = 12345678
NAS-Identifier = r8
NAS-IP-Address = 10.100.11.3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = glu, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry glu at line 199
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No known good password was configured for the user.
As a result, we cannot authenticate the user.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - glu
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 176 to 192.168.255.138 port 65267
Waking up in 4.9 seconds.
Cleaning up request 0 ID 176 with timestamp +13
Ready to process requests.



here is my config for users:

glu	Auth-Type := Local
	Cleartext-Password := 12345678,
	Juniper-Local-User-Name = tester


anyone knows what the problems are?

Thanks...


Re: newbie need help!

2010-08-30 Thread Alan DeKok
gahn wrote:
> i followed the advice to use radiusd -X and here is what i got:

  The point of using debug mode is to *read* the output.

  Have you tried doing that?

> here is my config for users:
>
> glu	Auth-Type := Local
> 	Cleartext-Password := 12345678,
> 	Juniper-Local-User-Name = tester
>
> anyone knows what the problems are?

  Yes.  You haven't read the documentation or examples, either.

  Read the FAQ for how to configure a test user.

  Alan DeKok.
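The `users` file is line-oriented: an entry's first line starts in column 0 and carries the name plus its check items, and every following indented line holds reply items. A password attribute on an indented line is therefore a reply item, and `pap` never sees it as a known-good password, which is what the "No known good password found" warning in the debug output above reports. The linter below is an added example (not part of FreeRADIUS) that parses that layout and flags the mistakes in this thread: a password attribute on a continuation line, the deprecated `Auth-Type := Local` check item, and comma errors on reply lines. The sample file is constructed after the entry gahn posted, with the password line indented, followed by a correctly shaped entry; the operator list comes from the `users(5)` man page.

```python
"""Lint a FreeRADIUS `users` file for the mistakes this thread runs into
(added example, not part of FreeRADIUS)."""
import re
from typing import Dict, List, Tuple

# Attributes that only make sense as check items on an entry's first line.
PASSWORD_CHECK_ITEMS = {
    "Cleartext-Password", "User-Password", "Crypt-Password", "MD5-Password",
    "SHA-Password", "SSHA-Password", "NT-Password", "LM-Password",
}
# attribute, operator, value  (operator list from the users(5) man page)
ITEM_RE = re.compile(
    r"^\s*([A-Za-z0-9\-]+)\s*(==|!=|:=|\+=|=\*|!\*|>=|<=|=~|!~|=|>|<)\s*(.*?)\s*$")

# Constructed sample: the entry posted in this thread, with the password
# on a continuation line, followed by a correctly shaped test user.
SAMPLE_USERS = """\
# user as posted, password indented under the first line
glu\tAuth-Type := Local
\tCleartext-Password := 12345678,
\tJuniper-Local-User-Name = tester

# correct shape: the password is a check item on the first line
bob\tCleartext-Password := "hello"
\tReply-Message = "Hello, %{User-Name}"
"""


def split_items(text: str) -> List[Tuple[str, str, str]]:
    """Split 'A := 1, B = "x, y"' into (attribute, operator, value) triples."""
    items = []
    for piece in re.findall(r'(?:[^,"]|"[^"]*")+', text):
        m = ITEM_RE.match(piece)
        if m:
            items.append((m.group(1), m.group(2), m.group(3)))
    return items


def parse_users(text: str) -> List[Dict]:
    """Entries start in column 0 (name + check items); indented lines are reply items."""
    entries: List[Dict] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"(\S+)\s*(.*)", line.strip())
            current = {"name": m.group(1), "line": lineno,
                       "check": split_items(m.group(2)), "reply_lines": []}
            entries.append(current)
        elif current is not None:
            current["reply_lines"].append((lineno, line.strip()))
    return entries


def lint_users(text: str) -> List[Tuple[int, str, str]]:
    """Return (line, severity, message) findings in file order."""
    findings: List[Tuple[int, str, str]] = []
    for entry in parse_users(text):
        name = entry["name"]
        for attr, op, value in entry["check"]:
            if attr == "Auth-Type" and value.strip('"') == "Local":
                findings.append((entry["line"], "warning",
                    f"{name}: 'Auth-Type {op} Local' is deprecated; remove it and let pap/chap choose"))
        reply_lines = entry["reply_lines"]
        for idx, (lineno, rline) in enumerate(reply_lines):
            last = idx == len(reply_lines) - 1
            if last and rline.endswith(","):
                findings.append((lineno, "error", f"{name}: last reply line must not end with a comma"))
            if not last and not rline.endswith(","):
                findings.append((lineno, "error", f"{name}: reply line needs a trailing comma before the next one"))
            for attr, _op, _value in split_items(rline.rstrip(",")):
                if attr in PASSWORD_CHECK_ITEMS:
                    findings.append((lineno, "error",
                        f"{name}: {attr} on an indented line is a reply item; move it to the first line"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in lint_users(SAMPLE_USERS):
        print(f"line {lineno}: {severity}: {message}")
```

Against the sample this reports a warning on the `glu` line for `Auth-Type := Local` and an error on the next line for the misplaced `Cleartext-Password`, and nothing for `bob`; running it over `/etc/raddb/users` (the parse is deliberately simple and does not try to validate unlang or `Fall-Through`) catches the same two mistakes before `radiusd -X` has to.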


Re: COA default configuration...Need help to test radclient

2010-05-17 Thread Johan Meiring

On 2010/05/15 08:28 AM, Alan DeKok wrote:
> ...
>
> > Do I have to do anything more than any default configuration?
>
>   In 2.1.8, there's an example CoA server in raddb/sites-available/coa

The coa example was missing from 2.1.8.
Please have a look here.

http://github.com/alandekok/freeradius-server/blob/master/raddb/sites-available/coa

--

Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Re: COA default configuration...Need help to test radclient

2010-05-15 Thread Alan DeKok
Eric Martell wrote:
>   I followed the direction of how to setup COA in the freeradius.
> Uncommented from client.conf coa_server = localhost-coa
>
> When I ran the sample radclient, I am not seeing any response back.
...
> Do I have to do anything more than any default configuration?

  In 2.1.8, there's an example CoA server in raddb/sites-available/coa

> Fri May 14 19:59:04 2010 : Debug: Listening on authentication address *
> port 1812
> Fri May 14 19:59:04 2010 : Debug: Listening on accounting address * port
> 1813
> Fri May 14 19:59:04 2010 : Debug: Listening on command file
> /home/test/freeradius-2.1.8/var/run/radiusd/radiusd.sock
> Fri May 14 19:59:04 2010 : Debug: Listening on proxy address * port 1814

  The server isn't listening on the CoA port.  Ensure that it's
listening on the CoA port *before* sending it packets via radclient.

  Again, the whole purpose of debugging mode is to *read it*.

  If you *read* the rest of the debug output and look for coa, it
becomes clear that you configured the server to *originate* CoA packets.
  Yet you're trying to *send* it CoA packets.  This won't work.

  Please *read* the documentation at the top of
raddb/sites-available/originate-coa.  You configured the server to use
it, so you *must* know it exists.  The documentation explains what that
file does, and how you can test it.

  This *is* documented.  Please read it.

  Alan DeKok.


Re: COA default configuration...Need help to test radclient

2010-05-15 Thread Eric Martell
Hi Alan,
   Thanks for the reply. Pardon my ignorance but as you mentioned I did not
find raddb/sites-available/coa.
> In 2.1.8, there's an example CoA server in raddb/sites-available/coa

I only see,
# ls -lart sites-available/
total 124
-rw-r----- 1 root root  2538 May 14 15:37 vmps
-rw-r----- 1 root root   849 May 14 15:37 virtual.example.com
-rw-r----- 1 root root  4042 May 14 15:37 status
-rw-r----- 1 root root  5057 May 14 15:37 robust-proxy-accounting
-rw-r----- 1 root root  8543 May 14 15:37 README
-rw-r----- 1 root root   982 May 14 15:37 proxy-inner-tunnel
-rw-r----- 1 root root 11757 May 14 15:37 inner-tunnel
-rw-r----- 1 root root  3340 May 14 15:37 example
-rw-r----- 1 root root  4544 May 14 15:37 dynamic-clients
-rw-r----- 1 root root  4506 May 14 15:37 dhcp
-rw-r----- 1 root root 16544 May 14 15:37 default
-rw-r----- 1 root root  3508 May 14 15:37 decoupled-accounting
-rw-r----- 1 root root  5342 May 14 15:37 copy-acct-to-home-server
-rw-r----- 1 root root  4095 May 14 15:37 buffered-sql
-rw-r----- 1 root root  2040 May 14 15:37 control-socket
-rw-r----- 1 root root  5266 May 14 15:56 originate-coa
drwxr-x--- 2 root root  4096 May 15 12:42 .
drwxr-xr-x 7 root root  4096 May 15 12:58 ..
#

Thanks and Regards.

Re: COA default configuration...Need help to test radclient

2010-05-15 Thread Alan DeKok
Eric Martell wrote:
 Hi Alan,  
Thanks for the reply. Pardon my ignorance but as you mentioned I did
 not find raddb/sites-available/coa.
In 2.1.8, there's an example CoA server in raddb/sites-available/coa

  Ah...  it's in 2.1.9, then.

  See http://git.freeradius.org/pre/  for a pre-release of 2.1.9.
Use that instead of 2.1.8.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: COA default configuration...Need help to test radclient

2010-05-15 Thread Eric Martell
Awesome. Thanks Alan. That did the trick. I will ask more implementation 
questions if any issues.

Sun May 16 01:43:19 2010 : Debug: Listening on authentication address * port 
1812
Sun May 16 01:43:19 2010 : Debug: Listening on accounting address * port 1813
Sun May 16 01:43:19 2010 : Debug: Listening on coa address * port 3799 as 
server coa
Sun May 16 01:43:19 2010 : Debug: Listening on command file 
/home/test/freeradius-2.1.9/var/run/radiusd/radiusd.sock
Sun May 16 01:43:19 2010 : Debug: Listening on proxy address * port 1814
Sun May 16 01:43:19 2010 : Info: Ready to process requests.
rad_recv: CoA-Request packet from host 127.0.0.1 port 33844, id=90, length=106
    User-Name = cisco
    User-Password = ,\247\262\374\222\\\345\321\36543\201:\001
    Cisco-AVPair = subscriber:command=account-logon
    Cisco-Account-Info = S172.16.xx.xx
Sun May 16 01:43:22 2010 : Info: server coa {
Sun May 16 01:43:22 2010 : Info: +- entering group recv-coa {...}
Sun May 16 01:43:22 2010 : Info: ++[ok] returns ok
Sun May 16 01:43:22 2010 : Info: +- entering group send-coa {...}
Sun May 16 01:43:22 2010 : Info: ++[ok] returns ok
Sun May 16 01:43:22 2010 : Info: } # server coa
Sending CoA-ACK of id 90 to 127.0.0.1 port 33844
Sun May 16 01:43:22 2010 : Info: Finished request 0.
Sun May 16 01:43:22 2010 : Debug: Going to the next request
Sun May 16 01:43:22 2010 : Info: Cleaning up request 0 ID 90 with timestamp +3
Sun May 16 01:43:22 2010 : Info: Ready to process requests.


Thanks.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
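Added example, not code from the thread or from FreeRADIUS: what radclient does on the wire when it sends a CoA-Request to the "server coa" listener shown in the debug output above, written in Python against RFC 5176. It builds the request (User-Name plus a Cisco-AVPair VSA, id 90 as in the log), sends it to port 3799, and accepts the reply only if the Response Authenticator verifies under the shared secret; the secret "testing123", the Cisco vendor/attribute numbers and the localhost target are assumptions.

```python
import hashlib
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
COA_PORT = 3799                              # port "server coa" listens on above
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1         # assumed Cisco VSA numbering

def attr(type_code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", type_code, len(value) + 2) + value

def cisco_avpair(value: bytes) -> bytes:
    """Wrap a Cisco-AVPair string in a Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    return attr(26, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_coa_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def build_coa_ack(secret: bytes, request: bytes) -> bytes:
    """What a listening CoA server replies; used here to exercise verify_reply offline."""
    header = struct.pack("!BBH", COA_ACK, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_reply(secret: bytes, request: bytes, reply: bytes) -> bool:
    """Accept ACK/NAK only if ID matches and MD5(Code+ID+Length+ReqAuth+Attrs+Secret) checks out."""
    if len(reply) < 20 or reply[1] != request[1] or reply[0] not in (COA_ACK, COA_NAK):
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return expected == reply[4:20]

def send_coa(host: str, secret: bytes, request: bytes, timeout: float = 3.0) -> bool:
    """Send to host:3799 and return True only on a verified CoA-ACK.
    A server configured only to originate CoA (originate-coa) never answers here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, COA_PORT))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_reply(secret, request, reply) and reply[0] == COA_ACK

if __name__ == "__main__":
    SECRET = b"testing123"   # assumed shared secret from clients.conf
    req = build_coa_request(SECRET, 90, attr(1, b"cisco") + cisco_avpair(b"subscriber:command=account-logon"))
    print("CoA-ACK received" if send_coa("127.0.0.1", SECRET, req) else "no valid CoA-ACK (is the server listening on 3799?)")
```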
