Re: Any body here?Please help me to test my server.
2012/3/17 ZhenJoey snan4l...@hotmail.com:
> Hello every body:
> I just set up a freeradius server right now, Please help me to test it by run
> $radtest snan4love 123456 119.127.12.6 1812 12345678
> I will be waiting here.
> BTW,i do a test my self via a NAS not radtest, it doesnt work.

And what makes you think it will work when others test it?

Don't be lazy. Do your own homework. Some things to check:
- make sure there's no firewall active in the server (e.g. make sure iptables is disabled, or that the default rule is ACCEPT). It simplifies things a lot.
- make sure the NAS can communicate with the radius server (ping will be a good start)
- run the server in debug mode (radiusd -X)

If you need another host to run radtest, use virtualbox/kvm/whatever, have it use bridged networking and assign the guest an IP address in the same network segment as the host.

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Any body here?Please help me to test my server.
Thank you Fajar:
Thank you for your advice, the problem is solved. The problem is I forgot to set up the NAS's gateway IP address, so it is still a two layer device, the request message could not get out of the device.
Thank you very much
Joey

Date: Sat, 17 Mar 2012 14:47:03 +0700
Subject: Re: Any body here?Please help me to test my server.
From: l...@fajar.net
To: freeradius-users@lists.freeradius.org

> 2012/3/17 ZhenJoey snan4l...@hotmail.com:
> > Hello every body:
> > I just set up a freeradius server right now, Please help me to test it by run
> > $radtest snan4love 123456 119.127.12.6 1812 12345678
> > I will be waiting here.
> > BTW,i do a test my self via a NAS not radtest, it doesnt work.
>
> And what makes you think it will work when others test it?
>
> Don't be lazy. Do your own homework. Some things to check:
> - make sure there's no firewall active in the server (e.g. make sure iptables is disabled, or that the default rule is ACCEPT). It simplifies things a lot.
> - make sure the NAS can communicate with the radius server (ping will be a good start)
> - run the server in debug mode (radiusd -X)
>
> If you need another host to run radtest, use virtualbox/kvm/whatever, have it use bridged networking and assign the guest an IP address in the same network segment as the host.
>
> --
> Fajar
Any body here?Please help me to test my server.
Hello everybody:
I just set up a freeradius server right now. Please help me to test it by running
$radtest snan4love 123456 119.127.12.6 1812 12345678
I will be waiting here.
BTW, I did a test myself via a NAS, not radtest, and it doesn't work. Is there something like a timeout in the NAS when it tries to connect to the radius server?
Thank you very much
Joey
Re: please help me :Failed binding to authentication address 192.168.1.102 port 1812
Harshavardhan Ch wrote:
> Hello sir,
> while activating the free radius server with eap authentication via vmware virtual machine i got error like Failed binding to authentication address 192.168.1.102 port 1812 and i attched the output file.

Stop posting ODT files or you will be unsubscribed from the list.

Alan DeKok.
Re: please help me :Failed binding to authentication address 192.168.1.102 port 1812
On Tue, Nov 22, 2011 at 12:05 PM, Harshavardhan Ch harshavardhan...@intelligraphics.com wrote:
> Hello sir,
> while activating the free radius server with eap authentication via vmware virtual machine i got error like Failed binding to authentication address 192.168.1.102 port 1812 and i attched the output file.

(1) paste the debug log directly in your email. There's really no need to put it inside odt
(2) Make sure IP address 192.168.1.102 is REALLY active on your system (i.e. it's not some copy-paste error)
(3) Look for any programs already using the port. Running

netstat -anup | grep 181

should help.

--
Fajar
Re: Please help me ASAP
On 07/24/2011 09:29 AM, Its Me wrote:
> Hi,
> I am new user in Linux,I have install freeradius2 rpm in my Linux machine(RHEL-5.5 Server),I m facing problem below detail ,please help me how can i install and setup my radiusd -X output below problem.
>
> radiusd: Opening IP addresses and Ports
> listen {
>   type = auth
>   ipaddr = *
>   port = 0
> Failed binding to authentication address * port 1812: Address already in use
> /etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

You probably have another copy of the server running, you can only have one copy running at a time. Did you start one as a service? If so:

sudo service radiusd stop

Need help on how to manage FreeRADIUS on Redhat systems?

http://wiki.freeradius.org/Red_Hat_FAQ

P.S.: It's not polite to demand help ASAP on a free volunteer mailing list.

--
John Dennis jden...@redhat.com
Please help me ASAP
Hi,
I am a new user in Linux. I have installed the freeradius2 rpm on my Linux machine (RHEL-5.5 Server). I am facing the problem detailed below, please help me how I can install and set up. My radiusd -X output is below.

radiusd: Opening IP addresses and Ports
listen {
  type = auth
  ipaddr = *
  port = 0
Failed binding to authentication address * port 1812: Address already in use
/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
Re: Please help me ASAP
Either a version of freeradius is already running or something else is running on that port or you are trying to start the program as a non-root user.

As root run this command and paste the output:

lsof -i :1812

Cheers,
Harry

On 07/24/2011 09:29 AM, Its Me wrote:
> Hi,
> I am new user in Linux,I have install freeradius2 rpm in my Linux machine(RHEL-5.5 Server),I m facing problem below detail ,please help me how can i install and setup my radiusd -X output below problem.
>
> radiusd: Opening IP addresses and Ports
> listen {
>   type = auth
>   ipaddr = *
>   port = 0
> Failed binding to authentication address * port 1812: Address already in use
> /etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
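
The causes suggested in the replies to the two bind-failure threads above (the IP address is not active on the host, the port is already taken, the process lacks privilege) each surface as a different errno from bind(). The following Python is an added example, not part of any post: it parses the radiusd error line and repeats the UDP bind to report which cause applies. The function names and cause labels are this example's own.

```python
import errno
import re
import socket

# errno raised by bind() -> cause named in the replies.
# The labels on the right are this example's own, not radiusd output.
CAUSES = {
    errno.EADDRINUSE: "port-in-use",             # another process holds the port
    errno.EADDRNOTAVAIL: "address-not-on-host",  # IP is not configured locally
    errno.EACCES: "permission-denied",           # caller lacks privilege to bind
}

# Matches the radiusd -X line quoted in the posts, e.g.
# "Failed binding to authentication address * port 1812: Address already in use"
BIND_ERROR = re.compile(r"Failed binding to (\w+) address (\S+) port (\d+)")


def parse_bind_error(line):
    """Return (listener type, address, port) from a bind error line, or None."""
    match = BIND_ERROR.search(line)
    if match is None:
        return None
    addr = match.group(2)
    # radiusd prints '*' for the wildcard listener; bind() expects 0.0.0.0.
    if addr == "*":
        addr = "0.0.0.0"
    return match.group(1), addr, int(match.group(3))


def diagnose_bind(addr, port):
    """Attempt the same UDP bind radiusd made and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((addr, port))
    except OSError as exc:
        return CAUSES.get(exc.errno, "other: %s" % exc.strerror)
    finally:
        sock.close()
    return "free"


def diagnose_line(line):
    """Parse an error line and diagnose the address and port it names."""
    parsed = parse_bind_error(line)
    if parsed is None:
        return None
    _, addr, port = parsed
    return diagnose_bind(addr, port)


# Error lines copied from the posts above.
SAMPLE_LINES = [
    "Failed binding to authentication address * port 1812: Address already in use",
    "Failed binding to authentication address 192.168.1.102 port 1812",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_bind_error(sample), "->", diagnose_line(sample))
```

When the result is port-in-use, the commands from the replies (`lsof -i :1812`, `netstat -anup | grep 181`) identify the process holding the port.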
mschapv2 and peap not working, please help
Hi,
I am a newbie on Linux and RADIUS stuff. I am trying to authenticate WinXP and Win 7 machines on wireless using Freeradius, LDAP authentication. Please help.

Module: Instantiating module digest from file /etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module unix from file /etc/raddb/modules/unix
unix {
  radwtmp = /var/log/radius/radwtmp
}
Module: Linked to module rlm_ldap
Module: Instantiating module ldap from file /etc/raddb/modules/ldap
ldap {
  server = 10.73.93.13
  port = 389
  password =
  identity =
  net_timeout = 1
  timeout = 4
  timelimit = 3
  tls_mode = no
  start_tls = no
  tls_require_cert = allow
  tls {
    start_tls = no
    require_cert = allow
  }
  basedn = dc=uforadius,dc=com
  filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
  base_filter = (objectclass=radiusprofile)
  auto_header = no
  access_attr_used_for_allow = yes
  groupname_attribute = cn
  groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
  dictionary_mapping = /etc/raddb/ldap.attrmap
  ldap_debug = 0
  ldap_connections_number = 5
  compare_check_items = no
  do_xlat = yes
  set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
conns: 0x9ac42e8
Module: Linked to module rlm_eap
Module: Instantiating module eap from file /etc/raddb/eap.conf
eap {
  default_eap_type = ttls
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug
Re: mschapv2 and peap not working, please help
syharash wrote:
> I am a newbee on Linux and RAdius stuff. I am trying to authenticate WinXP and Win 7 machines on wireless using Freeradius, LDAP authentication. Please help.

Thanks for posting the debug output, but it would help if you read it. It's not complicated.

Also post the debug output into the form at:

http://networkradius.com/freeradius.html

That will make it clearer what's going wrong, and why.

Alan DeKok.
Re: mschapv2 and peap not working, please help
Dear Alan,
I am doing this all for the very first time. Could you please help me out? I do not understand what seems to be wrong? I have added that user mahendra in linux, ldap and also in the raddb/users file.

The file contents are here;

/etc/passwd

mahendra:x:516:516::/home/mahendra:/bin/bash

ldapsearch

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=mahendra
# requesting: ALL
#

# mahendra, People, uforadius.com
dn: uid=mahendra,ou=People,dc=uforadius,dc=com
uid: mahendra
cn: mahendra
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJDk0aGwzTmdKJEF1dVpsZWFlNWkyR2t6clQ5WEl5ZTA=
shadowLastChange: 15071
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 516
gidNumber: 516
homeDirectory: /home/mahendra

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

/etc/raddb/users

DEFAULT Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802
001E65003C44 User-Name = rasheed, User-Password == M@d33na, Tunnel-Private-Group-ID := 3
001F3CD13053 User-Name = paresh, User-Password == paresh@123, Tunnel-Private-Group-ID := 18
001F3CD12B6C User-Name = subhash, User-Password == sub@1979, Tunnel-Private-Group-ID := 2
001F3CE117A9 User-Name = mahendra, User-Password == ufo@123, Tunnel-Private-Group-ID := 4
AC670639D299 User-Name = sachin, User-Password == sachin123, Tunnel-Private-Group-ID := 18

--
View this message in context: http://freeradius.1045715.n5.nabble.com/mschapv2-and-peap-not-working-please-help-tp4287893p4288211.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: mschapv2 and peap not working, please help
> [ldap] looking for check items in directory...
> [ldap] userPassword -> Password-With-Header == {crypt}$1$94hl3NgJ$AuuZleae5i2GkzrT9XIye0

crypt passwords cannot be used to do MS-CHAP. It is impossible. MS-CHAP requires either the cleartext password or NT/LM hashes. See:

http://deployingradius.com/documents/protocols/compatibility.html

> [ldap] looking for reply items in directory...
> [ldap] user mahendra authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Creating challenge hash with username: mahendra
> [mschap] Told to do MS-CHAPv2 for mahendra with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.

...because you only have crypt passwords, it fails. You MUST store plaintext or nt/lm hashes if you want to do PEAP/MSCHAP
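
The rule in the reply above can be checked before a deployment reaches the debug log. The following Python is an added example, not part of the thread: it decodes the base64 `userPassword::` line from the ldapsearch output posted earlier, reads the `{scheme}` header, and reports which authentication methods that stored form can serve. The header table is a subset chosen for this example, and the `{clear}` and `{nt}` sample values are constructed.

```python
import base64

# Methods each stored-password form can serve. MS-CHAP needs the cleartext
# password or the NT hash; a one-way hash such as crypt can only be compared
# with a password the client sends in the clear (PAP).
USABLE_FOR = {
    "cleartext": {"PAP", "CHAP", "MS-CHAP", "PEAP-MSCHAPv2"},
    "nt-hash": {"PAP", "MS-CHAP", "PEAP-MSCHAPv2"},
    "one-way-hash": {"PAP"},
}

# Password-With-Header prefixes -> stored form (subset, for this example).
HEADERS = {
    "{clear}": "cleartext",
    "{cleartext}": "cleartext",
    "{nt}": "nt-hash",
    "{nthash}": "nt-hash",
    "{crypt}": "one-way-hash",
    "{md5}": "one-way-hash",
    "{sha}": "one-way-hash",
    "{ssha}": "one-way-hash",
}


def decode_ldif_value(line):
    """Return (attribute, value) for one LDIF line; 'attr::' marks base64."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    return attr, value


def classify(password_with_header):
    """Map a Password-With-Header value to a stored-password form."""
    if password_with_header.startswith("{"):
        end = password_with_header.find("}")
        if end != -1:
            header = password_with_header[:end + 1].lower()
            return HEADERS.get(header, "unknown")
    return "unknown"


def usable_methods(ldif_line):
    """Sorted list of methods that can succeed with this stored password."""
    _, value = decode_ldif_value(ldif_line)
    return sorted(USABLE_FOR.get(classify(value), set()))


def can_authenticate(ldif_line, method):
    """True if the stored password on this LDIF line can serve the method."""
    return method in usable_methods(ldif_line)


# The line from the ldapsearch output posted in this thread.
POSTED = "userPassword:: e2NyeXB0fSQxJDk0aGwzTmdKJEF1dVpsZWFlNWkyR2t6clQ5WEl5ZTA="
# Constructed samples, not taken from the thread.
CONSTRUCTED_CLEAR = "userPassword: {clear}example-password"
CONSTRUCTED_NT = "userPassword: {nt}" + "00" * 16  # placeholder, not a real hash

if __name__ == "__main__":
    for sample in (POSTED, CONSTRUCTED_CLEAR, CONSTRUCTED_NT):
        attr, value = decode_ldif_value(sample)
        print(classify(value), "->", usable_methods(sample))
```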
Re: mschapv2 and peap not working, please help
Great Phil,
I've changed my /etc/raddb/users file and it worked, could you please help me if I can make a particular user login only from a single machine using the MAC Address of that machine.

my existing /etc/raddb/users file looks like this

DEFAULT Auth-Type = System
        Fall-Through = 1
#
# Defaults for LDAP
#
#DEFAULT Auth-Type := LDAP
#Fall-Through = 1
DEFAULT Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Service-Type = Framed-User, Fall-Through = Yes
abdul Cleartext-Password := test123, Tunnel-Private-Group-ID := 18
Re: mschapv2 and peap not working, please help
Hi,

comparisons/requirements are on the first line, replies are on following lines

ie

user Cleartext-Password := testing, NAS-IP-Address = 192.168.0.1
        AttributeX = this,
        AttributeY = that

alan
Re: mschapv2 and peap not working, please help
Cleaning up request 33 ID 65 with timestamp +402
Cleaning up request 34 ID 66 with timestamp +402
Cleaning up request 35 ID 67 with timestamp +402
Cleaning up request 36 ID 68 with timestamp +402
Cleaning up request 37 ID 69 with timestamp +402
Ready to process requests.
Please help me with sqlcounter
I want to use sqlcounter to control the user's traffic usage, and I have these needs:

1. I have read the wiki about sqlcounter, http://wiki.freeradius.org/Rlm_sqlcounter, and I get %b as the unix time value of the beginning of the reset period, but how can I set this value? I want sqlcounter to begin counting at a specific time such as the register time. Is it possible?
2. When a user's traffic usage is over a value, I hope the server will disconnect the connected user immediately. Is it possible to do this?

I have read some articles about sqlcounter, but I'm still confused about these questions, can anyone help me?

I very much appreciate your help
Re: Please help me with sqlcounter
I am trying to do the same in sqlcounter but it looks like the %b is hard coded and there is no way to make it dynamically read from the database. I have tried using a custom sqlcounter but it does not escape properly.

Anyone's effort in commenting on this thread will be highly appreciated as it will enable the user to do custom time based session accounting instead of fixed 1 ~ 30 date accounting.

Best Regards
Suman

On 3/21/2011 11:54 AM, frankfang wrote:
> I want to use sqlcounter to control the user's traffic usage, and I have these needs:
> 1. I have read http://wiki.freeradius.org/Rlm_sqlcounter the wiki about the sqlcounter, and I get %b as the unix time value of beginning of reset period but how can I set this value? I want to sqlcounter begin count at a specific time such as the register time.. Is it possible?
> 2. When user's traffic usage over a value, I hope the server will disconnect the connected user immediately, Is it possible for doing this?
> I have read some article about sqlcounter, but I'm still confused about these questions, can anyone help me?
> I'm very appreciate for your help
JRadius with FreeRADIUS - Please help me in solving this issue
Hi,
I am using FreeRADIUS 2.1.8 and JRadius 1.0.0 in my machine. When I send the Access-Request, it gives me the error

No authenticate method (Auth-Type) configuration found for the request: Rejecting the user.

Please help me. Did I missed any configuration?

In sites-available/default file, I have added 'jradius' under authorize module commenting 'files'. In radiusd.conf, I added the following module.

jradius {
    name        = example           # The Requester name (a single
                                    # JRadius server can have
                                    # multiple applications)
    primary     = localhost         # Uses default port 1814
    secondary   = 192.168.0.1       # Fail-over server
    tertiary    = 192.168.0.1:8002  # Fail-over server on port 8002
    timeout     = 1                 # Connect Timeout
    onfail      = NOOP              # What to do if no JRadius
                                    # Server is found. Options are:
                                    # FAIL (default), OK, REJECT, NOOP
    keepalive   = yes               # Keep connections to JRadius pooled
    connections = 8                 # Number of pooled JRadius connections
}

Thanking You,
Karun.

Log:

FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on May 10 2010 at 16:37:47
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: JRadius with FreeRADIUS - Please help me in solving this issue
Karuna G. Kumar wrote:
> Hi,
> I am using FreeRADIUS 2.1.8 and JRadius 1.0.0 in my machine. When I send the Access-Request, it gives me the error No authenticate method (Auth-Type) configuration found for the request: Rejecting the user. Please help me. Did I missed any configuration?

You need to tell the server what the user's known good password is.

You also need to list pap last in the authorize section. You have deleted it. Why?

Alan DeKok.
RE: JRadius with FreeRADIUS - Please help me in solving this issue
I am trying to authorize / authenticate the user from a JRadius handler. I want to validate the user name and password both from our application's data repository using EJB calls. Hence, I don't want to look in to users file at all. Do I need to still enable PAP for it?

Please let me know if I am going in a wrong direction. Please suggest me how to get success in this scenario.

-----Original Message-----
From: freeradius-users-bounces+karuna.kumar=indscape@lists.freeradius.org on behalf of Alan DeKok
Sent: Wed 6/2/2010 2:14 PM
To: FreeRadius users mailing list
Cc:
Subject: Re: JRadius with FreeRADIUS - Please help me in solving this issue

Karuna G. Kumar wrote:
> Hi,
> I am using FreeRADIUS 2.1.8 and JRadius 1.0.0 in my machine. When I send the Access-Request, it gives me the error No authenticate method (Auth-Type) configuration found for the request: Rejecting the user. Please help me. Did I missed any configuration?

You need to tell the server what the users known good password is.

You also need to list pap last in the authorize section. You have deleted it. Why?

Alan DeKok.
Re: JRadius with FreeRADIUS - Please help me in solving this issue
Karuna G. Kumar wrote:
> I am trying to authorize / authenticate the user from a JRadius handler. I want to validate the user name and password both from our application's data repository using EJB calls. Hence, I don't want to look in to users file at all. Do I need to still enable PAP for it?

What did my previous message say?

> Please let me know if I am going in a wrong direction. Please suggest me how to get success in this scenario.

I made a suggestion. You refused to follow it.

Alan DeKok.
RE: JRadius with FreeRADIUS - Please help me in solving this issue
Hi,
Now I got some improvement than before I guess. Now, I am getting the error like...

[pap] login attempt with password testing
[pap] Using CRYPT encryption.
[pap] Passwords don't match

I am passing the Clear text password to FreeRADIUS. but, why is this failing ? Please help me.

Logs:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.109 port 44867, id=15, length=95
        User-Name = karun
        Acct-Session-Id = 001
        NAS-Identifier = NASIDTest
        NAS-IP-Address = 192.168.1.120
        Called-Station-Id = called
        Calling-Station-Id = caller
        NAS-Port = 1234
        NAS-Port-Type = Ethernet
        User-Password = testing
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = karun, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
rlm_jradius: Reserving JRadius socket id: 7
rlm_jradius: packing attribute User-Name (type: 1; len: 5)
rlm_jradius: packing attribute Acct-Session-Id (type: 44; len: 3)
rlm_jradius: packing attribute NAS-Identifier (type: 32; len: 9)
rlm_jradius: packing attribute NAS-IP-Address (type: 4; len: 4)
rlm_jradius: packing attribute Called-Station-Id (type: 30; len: 6)
rlm_jradius: packing attribute Calling-Station-Id (type: 31; len: 6)
rlm_jradius: packing attribute NAS-Port (type: 5; len: 4)
rlm_jradius: packing attribute NAS-Port-Type (type: 61; len: 4)
rlm_jradius: packing attribute User-Password (type: 2; len: 7)
rlm_jradius: packing packet with code: 1 (attr length: 156)
rlm_jradius: packing packet with code: 0 (attr length: 0)
rlm_jradius: packing attribute Crypt-Password (type: 1006; len: 98)
rlm_jradius: sending 307 bytes to socket 7
rlm_jradius: return code 8; receiving 2 packets
rlm_jradius: reading packet: code=1 len=156
rlm_jradius: reading attribute: type=1; len=5
rlm_jradius: reading attribute: type=44; len=3
rlm_jradius: reading attribute: type=32; len=9
rlm_jradius: reading attribute: type=4; len=4
rlm_jradius: reading attribute: type=30; len=6
rlm_jradius: reading attribute: type=31; len=6
rlm_jradius: reading attribute: type=5; len=4
rlm_jradius: reading attribute: type=61; len=4
rlm_jradius: reading attribute: type=2; len=7
rlm_jradius: reading packet: code=0 len=0
rlm_jradius: reading request: config_item: len=187
rlm_jradius: reading attribute: type=1006; len=98
rlm_jradius: reading attribute: type=1100; len=7
rlm_jradius: reading attribute: type=1259012098; len=32
rlm_jradius: reading attribute: type=1259012097; len=2
rlm_jradius: Released JRadius socket id: 7
++[jradius] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> karun
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 15 to 192.168.1.109 port 44867
Waking up in 4.9 seconds.
Cleaning up request 0 ID 15 with timestamp +6
Ready to process requests.

-----Original Message-----
From: freeradius-users-bounces+karuna.kumar=indscape@lists.freeradius.org on behalf of Karuna G. Kumar
Sent: Wed 6/2/2010 3:20 PM
To: FreeRadius users mailing list
Cc:
Subject: RE: JRadius with FreeRADIUS - Please help me in solving this issue

I am trying to authorize / authenticate the user from a JRadius handler. I want to validate the user name and password both from our application's data repository using EJB calls. Hence, I don't want to look in to users file at all. Do I need to still enable PAP for it?

Please let me know if I am going in a wrong direction. Please suggest me how to get success in this scenario.

-----Original Message-----
From: freeradius-users-bounces+karuna.kumar=indscape@lists.freeradius.org on behalf of Alan DeKok
Sent: Wed 6/2/2010 2:14 PM
To: FreeRadius users mailing list
Cc:
Subject: Re: JRadius with FreeRADIUS - Please help me in solving this issue

Karuna G. Kumar wrote:
> Hi,
> I am using FreeRADIUS 2.1.8 and JRadius 1.0.0 in my machine. When I send the Access-Request, it gives me the error No authenticate method (Auth-Type) configuration found for the request: Rejecting the user. Please help me. Did I missed any configuration?

You need to tell the server what the users known good password is.

You also need to list pap last in the authorize section. You have deleted it. Why?

Alan DeKok
Re: JRadius with FreeRADIUS - Please help me in solving this issue
Hi,

> [pap] login attempt with password testing
> [pap] Using CRYPT encryption.

yes, crypt... which means

> ++[unix] returns updated

...that you have a matching entry in /etc/passwd - hence CRYPT

alan
RE: JRadius with FreeRADIUS - Please help me in solving this issue
I used a different user name (karun) and password (karunkarun) also, but the result is the same. I am using Ubuntu and am very new to this OS. Can you please explain a little more about what's going wrong here?

Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password karunkarun
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject

Thanking You,
Karun.
Re: JRadius with FreeRADIUS - Please help me in solving this issue
Hi,

> I used different user name (karun) and password (karunkarun) also. But the
> result is same.

do you have karun in the /etc/passwd file? from the logs you do

alan
RE: JRadius with FreeRADIUS - Please help me in solving this issue
Yes. As you said, I found 'karun' in the /etc/passwd file. Now I used different credentials and it's working fine. I am able to do PAP authentication now.

Thanks a lot. Thanks a lot to Alan DeKok too for his valuable response.
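An added example, not part of the thread and not FreeRADIUS code: a small parser for the radiusd -X format quoted above that flags the situation diagnosed in this thread, where the unix module supplies a Crypt-Password from the system password database and pap then compares the login against it. It also masks passwords and shared secrets before a debug log is posted publicly; the function names and finding codes are assumptions of this example.

```python
import re

# Constructed sample. Request 15 is trimmed from the radiusd -X output quoted in
# this thread; request 16 is a made-up control for a user absent from /etc/passwd.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.1.109 port 44867, id=15, length=95
        User-Name = karun
        User-Password = testing
+- entering group authorize {...}
++[preprocess] returns ok
++[unix] returns updated
++[jradius] returns updated
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Sending Access-Reject of id 15 to 192.168.1.109 port 44867
rad_recv: Access-Request packet from host 192.168.1.109 port 44868, id=16, length=95
        User-Name = appuser
        User-Password = s3cret-value
+- entering group authorize {...}
++[unix] returns notfound
++[jradius] returns updated
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
++[pap] returns ok
Sending Access-Accept of id 16 to 192.168.1.109 port 44868
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
GROUP = re.compile(r"^\+- entering group (\S+)")
RETURNS = re.compile(r"^\++\[([^\]]+)\] returns (\w+)")
SCHEME = re.compile(r"^\[pap\] Using (\S+) encryption")
SENSITIVE = re.compile(
    r"(User-Password = |login attempt with password |\bsecret = )\S.*$", re.M)

# Finding codes are this example's own labels, not FreeRADIUS output.
FINDINGS = {
    "SYSTEM_HASH_USED": "unix added a Crypt-Password from the system password "
                        "database; pap compared the login against that hash",
    "PASSWORD_MISMATCH": "pap rejected: the supplied password does not match "
                         "the known-good value found during authorize",
}


def parse_requests(text):
    """Split radiusd -X output into one summary dict per received packet."""
    requests, cur, group = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECV.match(line)
        if m:
            cur = {"code": m.group(1), "nas": m.group(2), "id": int(m.group(3)),
                   "user": None, "authorize_updated": [], "scheme": None,
                   "mismatch": False, "reply": None}
            requests.append(cur)
            group = None
            continue
        if cur is None:
            continue  # banner lines before the first packet
        if line.startswith("User-Name = ") and cur["user"] is None:
            cur["user"] = line.split(" = ", 1)[1].strip('"')
        elif GROUP.match(line):
            group = GROUP.match(line).group(1)
        elif RETURNS.match(line):
            module, rcode = RETURNS.match(line).groups()
            # Only authorize-time "updated" results can add a known-good password.
            if group == "authorize" and rcode == "updated":
                cur["authorize_updated"].append(module)
        elif SCHEME.match(line):
            cur["scheme"] = SCHEME.match(line).group(1)
        elif line == "[pap] Passwords don't match":
            cur["mismatch"] = True
        elif line.startswith("Sending Access-"):
            cur["reply"] = line.split()[1]
    return requests


def diagnose(req):
    """Return the finding codes that apply to one parsed request."""
    found = []
    if req["scheme"] == "CRYPT" and "unix" in req["authorize_updated"]:
        found.append("SYSTEM_HASH_USED")
    if req["mismatch"]:
        found.append("PASSWORD_MISMATCH")
    return found


def report(text):
    """Map each request id to its finding codes."""
    return {req["id"]: diagnose(req) for req in parse_requests(text)}


def redact(text):
    """Mask cleartext passwords and shared secrets before sharing a debug log."""
    return SENSITIVE.sub(r"\1<redacted>", text)


if __name__ == "__main__":
    for req_id, codes in report(SAMPLE_DEBUG).items():
        print(req_id, [FINDINGS[c] for c in codes] or "no findings")
    print(redact(SAMPLE_DEBUG))
```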
Please help me
Hi,

I am using a free radius version available with redhat 4.5; the RPM name is freeradius-1.0.1-3.RHEL4.3.i386.rpm

I am trying to use the ippool configuration. The configuration I have made is:

in radiusd.conf file

ippool main_pool {
        # range-start,range-stop: The start and end ip
        # addresses for the ip pool
        range-start = 10.143.71.15
        range-stop = 10.143.71.25

        # netmask: The network mask used for the ip's
        netmask = 255.255.255.0

        # cache-size: The gdbm cache size for the db
        # files. Should be equal to the number of ip's
        # available in the ip pool
        cache-size = 800

        # session-db: The main db file used to allocate ip's to clients
        session-db = ${raddbdir}/db.ippool

        # ip-index: Helper db index file used in multilink
        ip-index = ${raddbdir}/db.ipindex

        # override: Will this ippool override a Framed-IP-Address already set
        override = yes

        # maximum-timeout: If not zero specifies the maximum time in seconds an
        # entry may be active. Default: 0
        maximum-timeout = 0
}

accounting {
        main_pool
}

post-auth {
        main_pool
}

in users file

steve   Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

DEFAULT Pool-Name := main_pool

in clients file

nas ip
secret key

and I am getting errors when I run /usr/sbin/radiusd -A -X

modcall: entering group post-auth for request 0
rlm_ippool: Could not find Pool-Name attribute.
modcall[post-auth]: module main_pool returns noop for request 0
rlm_ippool: Could not find Pool-Name attribute.

I suspect some problem with the users file ... Can you please help me to find out what is missing?

--
Thanks and regards
Jos george.
9844459056
Re: Please help me
> in users file
>
> steve   Auth-Type := Local, User-Password == testing
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 172.16.3.33,
>         Framed-IP-Netmask = 255.255.255.0,
>         Framed-Routing = Broadcast-Listen,
>         Framed-Filter-Id = std.ppp,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobsen-TCP-IP

Add Fall-Through = yes.

> DEFAULT Pool-Name := main_pool

Or add it to DEFAULT entry and place DEFAULT entry above user entries.

Ivan Kalik
Kalik Informatika ISP
Re: Please help me (Ivan Kalik)
Hi,

Thank you very much for the response, but I am still getting the same error. Can you please suggest accordingly? I made 3 different tries in my user file; those tries and their output are given below.

Also, one more thing I remember: during my installation the db.ippool and db.index files were not created, so I had to create those files in the respective directory and I gave them appropriate permissions. Will that create any problem?

Also, when using the command rlm_ippool_tool -a ip-pool.db ip-index.db I am getting 0 as output. Is that a problem?

DEFAULT Pool-Name := main_pool
        Fall-Through = Yes

steve   Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = steve, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched DEFAULT at 81
users: Matched steve at 84
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Could not find nas port information. Return NOOP.
modcall[post-auth]: module main_pool returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 2 to 10.143.71.15:3734
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.3.33
        Framed-IP-Netmask = 255.255.255.0
        Framed-Routing = Broadcast-Listen
        Framed-Filter-Id = std.ppp
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 2 with timestamp 4a3f7d84
Nothing to do. Sleeping until we see a request.

--

steve   Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Fall-Through = Yes

DEFAULT Pool-Name := main_pool

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = steve, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched steve at 82
users: Matched DEFAULT at 94
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Could not find nas port information. Return NOOP.
modcall[post-auth]: module main_pool returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 3 to 10.143.71.15:3740
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.3.33
        Framed-IP-Netmask = 255.255.255.0
        Framed-Routing = Broadcast-Listen
        Framed-Filter-Id = std.ppp
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 3 with timestamp 4a3f7e1c
Nothing to do. Sleeping until we see a request.
radclient: no response from server ... please help newbe.
Hi

Please could someone help a newbie ...

I'm using the following stack: FreeRADIUS Version 2.1.3 with coova-chilli-1.0.13 with Daloradius.

I'm having issues with sending POD from Daloradius and radclient via the command line

[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1700' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 114 to 192.168.11.1 port 1700
        User-Name = TC-Demo
^X^C

[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1814' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
        User-Name = TC-Demo
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
        User-Name = TC-Demo
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
        User-Name = TC-Demo
radclient: no response from server for ID 77 socket 3

[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1813' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
        User-Name = TC-Demo
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
        User-Name = TC-Demo
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
        User-Name = TC-Demo
radclient: no response from server for ID 215 socket 3

[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' -t '3' -x '192.168.11.1:1812' 'disconnect' 'test123' 2>&1
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
        User-Name = TC-Demo
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
        User-Name = TC-Demo
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
        User-Name = TC-Demo
radclient: no response from server for ID 168 socket 3

The server is listening on all the ports I have tried ..

[r...@localhost ~]# netstat -antup | grep rad
udp        0      0 0.0.0.0:1812        0.0.0.0:*        2461/radiusd
udp        0      0 0.0.0.0:1813        0.0.0.0:*        2461/radiusd
udp        0      0 0.0.0.0:1814        0.0.0.0:*        2461/radiusd

What have I missed ...

Regards
Gregory Machin
Email: gmac...@techconcepts.co.za
Cell: +27 (0) 72 524 5098
gtalk: gmachin.techconce...@gmail.com
Support helpd...@techconcepts.co.za
Tell: +27 (0) 11 803 2169
Fax: +27 (0) 11 803 2189
After Hours Cell: +27 (0) 82 790 0796
Re: radclient: no response from server ... please help newbe.
On 17.06.2009 at 13:43, Gregory Machin wrote:

> What have I missed ...

Do you know (via tcpdump, wireshark or so) that the packets do arrive on the computer where Freeradius runs?

If not, check firewall settings of both computers and of anything that might be between.

Have a nice day!

Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: radclient: no response from server ... please help newbe.
> I'm using the following stack FreeRADIUS Version 2.1.3 with
> coova-chilli-1.0.13 with Daloradius. I'm having issues with sending POD
> from Daloradius and radclient via the command line

Send it to NAS (coova-chilli), not radius server.

Ivan Kalik
Kalik Informatika ISP
RE: radclient: no response from server ... please help newbe.
From: freeradius-users-bounces+gregorym=techconcepts.co...@lists.freeradius.org [freeradius-users-bounces+gregorym=techconcepts.co...@lists.freeradius.org] On Behalf Of Ivan Kalik [...@kalik.net]
Sent: Wednesday, June 17, 2009 1:57 PM
To: FreeRadius users mailing list
Subject: Re: radclient: no response from server ... please help newbe.

>> I'm using the following stack FreeRADIUS Version 2.1.3 with
>> coova-chilli-1.0.13 with Daloradius. I'm having issues with sending POD
>> from Daloradius and radclient via the command line
>
> Send it to NAS (coova-chilli), not radius server.
>
> Ivan Kalik
> Kalik Informatika ISP

The whole stack is running on the same server. I have tried to send it to the chilli ports with the same results..

Thanks
Please help me ...thanks in advance
Hi,

I am a newbie in the Radius field. I have a Linux machine which has RHEL WS 4 Update 5 OS loaded. I have installed freeRadius server version 2.1.5 on another machine. I want to authenticate the Linux machine login through the Radius server. I have tried several ways to configure the Linux machine as published in several groups, but they did not work. I tried through the PAM module. If somebody can help me out in this matter or point to some good links, it will be helpful to me.

Best Regards
Praveen
Re: Please help me ...thanks in advance
> I have a Linux machine which has RHEL WS 4 Update 5 OS loaded. I have
> installed freeRadius server version 2.1.5. in another machine. I want to
> authenticate the linux machine login through Radius server. I have tried
> several ways to configure the linux machine as published in several groups
> but did not work. Tried through PAM module. If some body can help me out in
> this matter or point to some good links, will be helpful to me.

http://freeradius.org/pam_radius_auth/

Ivan Kalik
Kalik Informatika ISP
Re: Problem with udpfromto in version 2.1.1 - please help
Alan DeKok,

>> Unfortunately, I'm getting the same negative results when running the
>> recommended initial radtest test radtest test test localhost 0 testing123.
>> The following is the output I get.
>>
>> radclient: socket: cannot initialize udpfromto: Function not implemented
>>
>> I'm not sure where to go from here. I'm still running with the default
>> configuration.
>
> You need to re-build the server without support for udpfromto.

I read up on udpfromto, and from what I can tell the openSUSE 11.1 (x64) package for v2.1.1 DOESN'T have udpfromto support compiled in. I believe this to be the case, because changing my radiusd.conf so that the server is only listening on a single IP, instead of the default of *, fixed my problem. radtest now gets a reply, and no longer issues an error. With this configuration, udpfromto isn't needed, so there is no more problem.

Thanks for pointing me in the right direction.

Will Spann
Re: Problem with udpfromto in version 2.1.1 - please help
Will D. Spann wrote:
> I see; thanks for the clarification. This is a departure from how
> FreeRADIUS 1.0 was configured, where the authenticate and authorize
> sections resided in the radiusd.conf file.

Yes... and the comments in the file you edited document this.

> However, I noticed a new permission denied error, related to SSL in the
> rlm_eap module. Based on this, I checked the ownership/permissions of the
> configuration files and keys in the /etc/raddb folder below. It turns out
> they were all set to root.root r/w for root user only!

That is an issue, and should be fixed.

> But the default configuration has radiusd running as the radiusd user,

Maybe on Suse. That's not the default in the freeradius distribution.

> Unfortunately, I'm getting the same negative results when running the
> recommended initial radtest test radtest test test localhost 0 testing123.
> The following is the output I get.
>
> radclient: socket: cannot initialize udpfromto: Function not implemented
>
> I'm not sure where to go from here. I'm still running with the default
> configuration.

You need to re-build the server without support for udpfromto.

Alan DeKok.
RE: Problem with udpfromto in version 2.1.1 - please help
Ivan Kalik,

>> I should note that in my radiusd.conf file, I'm not including eap.conf nor
>> sites-enabled/, but other than that I have all default settings.
>
> Well done! By removing /sites-enabled you have stopped the server from
> processing all As from AAA (authentication, authorization and accounting)
> in one masterful stroke. Now put everything back as it was.

Thanks for the reply. I didn't realize disabling sites-enabled would disable all AAA services.

Running radiusd -X as root with default settings gives errors related to EAP and Diffie-Hellman. I'm running the x64 package from openSUSE 11.1 (FreeRADIUS 2.1.1). I have OpenSSL 0.9.8h installed.

The radiusd -X output is listed below. Thanks for any comments on this.

Will

gcwifi-auth-vm:~ # radiusd -X
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Dec 3 2008 at 13:57:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/radius
        libdir = /usr/lib64/freeradius
        radacctdir = /var/log/radius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = /var/run/radiusd/radiusd.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = testing123
        nastype = other
 }
Re: Problem with udpfromto in version 2.1.1 - please help
Will D. Spann wrote:
> Thanks for the reply. I didn't realize disabling sites-enabled would
> disable all AAA services.

The comments in radiusd.conf just before that say that the authorize etc. sections are in virtual hosts, and that the include line includes those virtual hosts.

> Running radiusd -X as root with default settings gives errors related to
> EAP and Diffie-Hellman. I'm running the x64 package from openSUSE 11.1
> (FreeRADIUS 2.1.1). I have OpenSSL 0.9.8h installed.

Run the bootstrap command as root.

Alan DeKok.
Re: Problem with udpfromto in version 2.1.1 - please help
Alan,

> The comments in radiusd.conf just before that say that the authorize etc.
> sections are in virtual hosts, and that the include line includes those
> virtual hosts.

I see; thanks for the clarification. This is a departure from how FreeRADIUS 1.0 was configured, where the authenticate and authorize sections resided in the radiusd.conf file.

>> Running radiusd -X as root with default settings gives errors related to
>> EAP and Diffie-Hellman. I'm running the x64 package from openSUSE 11.1
>> (FreeRADIUS 2.1.1). I have OpenSSL 0.9.8h installed.
>
> Run the bootstrap command as root.

Thanks for the suggestion. I ran the /etc/raddb/certs/bootstrap script, and it successfully created the self-signed SSL certificates for EAP. Now the Diffie-Hellman errors have gone away, when I run radiusd -X.

At this point I was still getting the remaining EAP-related errors. However, I noticed a new permission denied error, related to SSL in the rlm_eap module. Based on this, I checked the ownership/permissions of the configuration files and keys in the /etc/raddb folder below. It turns out they were all set to root.root r/w for root user only! But the default configuration has radiusd running as the radiusd user, so it couldn't read the files it needed access to. Changing the ownership to root.radiusd and the permissions to r/w for root and read for the radiusd group solved my startup problem.

Thanks again. I would never have seen this cause without getting past the SSL key creation issue.

Unfortunately, I'm getting the same negative results when running the recommended initial radtest test radtest test test localhost 0 testing123. The following is the output I get.

radclient: socket: cannot initialize udpfromto: Function not implemented

I'm not sure where to go from here. I'm still running with the default configuration.

Thanks for any additional help.

Will Spann

The abbreviated radiusd -X output I received PRIOR to fixing the ownership/permissions problem is below, for reference. Now radiusd runs without errors.

gcwifi-auth-vm:/etc/raddb # radiusd -X
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Dec 3 2008 at 13:57:16
[...]
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
}
}
Errors initializing modules
Re: Problem with udpfromto in version 2.1.1 - please help
> I should note that in my radiusd.conf file, I'm not including eap.conf nor sites-enabled/, but other than that I have all default settings.

Well done! By removing /sites-enabled you have stopped the server from processing all As from AAA (authentication, authorization and accounting) in one masterful stroke. Now put everything back as it was.

Ivan Kalik
Kalik Informatika ISP
Re: please help !!!! =/ - freeradius + mysql with encrypted MD5
> If i use PEAP with NT-PASSWORD, my freeradius it works ?

Yes.

Ivan Kalik
Kalik Informatika ISP
Re: please help !!!! =/ - freeradius + mysql with encrypted MD5
Please, Explain me how to do this. Can you explain me please ? I not found anywhere tutorial that explain: Howto freeradius + peap + DB with NT-Passwords !!!

For Use PEAP with NT-PASSWORD, the only thing that i can do is add new user in DB with this query :

INSERT INTO radcheck (username, attribute, op, value) VALUES ('NT','NT-Password', ':=', 'C6E4266FEBEBD6A8AAD3B435B51404EE'); ???

C6E4266FEBEBD6A8AAD3B435B51404EE == tiger

I don't know how can i generate NT-Passwords ! =/ in radiusd.conf i have to configure anything ?

Very Very Thanks for your BIG patience.

Best Regards,
Diogo Teixeira

2008/12/7 [EMAIL PROTECTED]
>> If i use PEAP with NT-PASSWORD, my freeradius it works ?
>
> Yes.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: please help !!!! =/ - freeradius + mysql with encrypted MD5
Diogo Teixeira wrote:
> Explain me how to do this. Can you explain me please ? I not found anywhere tutorial that explain: Howto freeradius + peap + DB with NT-Passwords !!!

There is no howto. Most people use systems like AD or Samba that automatically calculate the NT password.

> For Use PEAP with NT-PASSWORD, the only thing that i can do is add new user in DB with this query :
> INSERT INTO radcheck (username, attribute, op, value) VALUES ('NT','NT-Password', ':=', 'C6E4266FEBEBD6A8AAD3B435B51404EE');

That's the LM password for tiger, not the NT password.

> I don't know how can i generate NT-Passwords ! =/

$ smbencrypt tiger
LM Hash                          NT Hash
C6E4266FEBEBD6A8AAD3B435B51404EE 0B9957E8BED733E0350C703AC1CDA822

This program comes with the server.

Alan DeKok.
please help !!!! =/ - freeradius + mysql with encrypted MD5
Hi people,

I'm Portuguese student ! I have a big problem to solve. I have my freeradius, thats authenticates users by mysql database. I have passwords encrypted with MD5, but when i test, the Login is always Incorrect ! If password is clear, the freeradius works OK ! In the attachment i put my config files.

My only query to create new user is:

*INSERT INTO radcheck (username, attribute, op, value) VALUES ('5','MD5-Password', '==', MD5('teste'));*

I have create many users, in different ways ! please look:

mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck;
+----+----------+----------------+----------------------------------+----+
| id | UserName | Attribute      | Value                            | op |
+----+----------+----------------+----------------------------------+----+
|  1 | teste    | Password       | teste                            | == |
|  2 | 1        | Password       | 698dc19d489c4e4db73e28a713eab07b | == |
|  3 | 2        | Password       | 698dc19d489c4e4db73e28a713eab07b | == |
|  4 | 3        | User-Password  | 698dc19d489c4e4db73e28a713eab07b | == |
|  5 | 4        | Crypt-Password | 698dc19d489c4e4db73e28a713eab07b | == |
|  6 | 5        | MD5-Password   | 698dc19d489c4e4db73e28a713eab07b | == |
+----+----------+----------------+----------------------------------+----+

I have read, many many times the man rlm_pap but i don't know where i put the headers (i.e {md5} {clear} etc...) !!! please help me to solve this big trouble !!! =/

I need this to put my freeradius authenticate users, and the passwords in Mysql DB have to be encrypted !!

Sorry for my poor english ! =/

Big thks

Regards,
Diogo Teixeira
Re: please help !!!! =/ - freeradius + mysql with encrypted MD5
> I have passwords encrypted with MD5, but when i test, the Login is always Incorrect !

You should provide debug for that case.

> If password is clear, the freeradius works OK !
> *INSERT INTO radcheck (username, attribute, op, value) VALUES ('5','MD5-Password', '==', MD5('teste'));*

That should be := not ==.

Ivan Kalik
Kalik Informatika ISP
Re: please help !!!! =/ - freeradius + mysql with encrypted MD5
Big BIG Thanks Ivan !!! But the only problem is the == ? In attachment i put debug lines, with the option: freeradius -xx

Best Regards,
Diogo Teixeira

2008/12/6 [EMAIL PROTECTED]
>> I have passwords encrypted with MD5, but when i test, the Login is always Incorrect !
>
> You should provide debug for that case.
>
>> If password is clear, the freeradius works OK !
>> *INSERT INTO radcheck (username, attribute, op, value) VALUES ('5','MD5-Password', '==', MD5('teste'));*
>
> That should be := not ==.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: please help !!!! =/ - freeradius + mysql with encrypted MD5
> In attachment i put debug lines, with the option: freeradius -xx

I don't see the attachment. Use -X not -xx.

Ivan Kalik
Kalik Informatika ISP
Re: please help !!!! =/ - freeradius + mysql with encrypted MD5
Ok ! Now, the attach is the log with Freeradius -x option, and with new user. Create with:

INSERT INTO radcheck (username, attribute, op, value) VALUES ('7','MD5-Password', ':=', MD5('teste'));

Big thks !

Best Regards,
Diogo Teixeira

2008/12/7 [EMAIL PROTECTED]
>> In attachment i put debug lines, with the option: freeradius -xx
>
> I don't see the attachment. Use -X not -xx.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: please help !!!! =/ - freeradius + mysql with encrypted MD5
> Now, the attach is the log with Freeradius -x option, and with new user. Create with:
> INSERT INTO radcheck (username, attribute, op, value) VALUES ('7','MD5-Password', ':=', MD5('teste'));

Ah, you can't use md5 encryption with PEAP.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP
Re: please help !!!! =/ - freeradius + mysql with encrypted MD5
Big Thanks for your answer ! really ? =// I don't know this ! =/ Can you explain me why ? I'm not doubting from you. Just for curiosity! I can use another type of encryption with PEAP ?

Best Regards,
Diogo Teixeira

2008/12/7 [EMAIL PROTECTED]
>> Now, the attach is the log with Freeradius -x option, and with new user. Create with:
>> INSERT INTO radcheck (username, attribute, op, value) VALUES ('7','MD5-Password', ':=', MD5('teste'));
>
> Ah, you can't use md5 encryption with PEAP.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Ivan Kalik
> Kalik Informatika ISP
Re: please help !!!! =/ - freeradius + mysql with encrypted MD5
> I don't know this ! =/ Can you explain me why ?
> I can use another type of encryption with PEAP ?

It's all on the page.

Ivan Kalik
Kalik Informatika ISP
Re: please help !!!! =/ - freeradius + mysql with encrypted MD5
If i use PEAP with NT-PASSWORD, my freeradius it works ?

Query:

INSERT INTO radcheck (username, attribute, op, value) VALUES ('10','NT-Password', ':=', '2a5f0679ba350887d5a800902056134e');

Best Regards
Diogo Teixeira

2008/12/7 [EMAIL PROTECTED]
>> I don't know this ! =/ Can you explain me why ?
>> I can use another type of encryption with PEAP ?
>
> It's all on the page.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Mschapv2 not working! Please help!
Hi,

PEAP MSCHAPv2 works well with Active Directory Backend. I am not sure of its Authentication Process with users file. Try with EAP MD5, it works well with Users file.

SYED

On Thu, Oct 16, 2008 at 5:21 PM, saini_jas16 [EMAIL PROTECTED] wrote:

> Hello All,
>
> I am trying to authenticate a Windows XP Client with the username and password configured in the Users file on the Radius Server. I have tried several changes, but I am not able to get rid of this error. I am running freeradius 2.1.1 on Suse 10 SP1. Kindly Help, I am in urgent need of making this radius server up and running. Below is the error I am receiving.
>
> rad_recv: Access-Request packet from host 130.1.254.174 port 2, id=212, length=182
>         NAS-Port-Id = 2049/1
>         Calling-Station-Id = 00-1F-3B-70-5B-7F
>         Called-Station-Id = 00-18-6E-30-70-C0:NYCC_TEST
>         Service-Type = Framed-User
>         User-Name = jaswinder
>         State = 0x2aaca71b29aabed260fc846046180105
>         EAP-Message = 0x0206002119800017150301001294659677442f8e7a361ee8ee93374c90ed53
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = 3Com
>         NAS-IP-Address = 130.1.254.174
>         Message-Authenticator = 0xe42d1530c16b34c5b74bfb4c486083aa
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = jaswinder, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> [eap] EAP packet type response id 6 length 33
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 23
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> [peap] WARNING: No data inside of the tunnel.
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Tunneled data is invalid.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} - jaswinder
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 5 for 1 seconds
> Going to the next request
>
> Any help is greatly appreciated.
>
> Thanks,
> Jas
Re: Mschapv2 not working! Please help!
: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} - jaswinder attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 212 to 130.1.254.174 port 2 EAP-Message = 0x04060004 Message-Authenticator = 0x Waking up in 3.4 seconds. Cleaning up request 0 ID 207 with timestamp +46 Cleaning up request 1 ID 208 with timestamp +46 Cleaning up request 2 ID 209 with timestamp +46 Cleaning up request 3 ID 210 with timestamp +46 Waking up in 0.3 seconds. Cleaning up request 4 ID 211 with timestamp +46 Waking up in 1.0 seconds. Cleaning up request 5 ID 212 with timestamp +47 Ready to process requests. Thanks, Jas tnt-4 wrote: [peap] eaptls_verify returned 11 [peap] TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. Something is badly broken here. XP rejected CA certificate. It tends to do that if certificate doesn't have xpextensions. Are you using the CA certificate generated by freeradius? Were there any errors when you were making certificates? Is your XP patched up-to-date? Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p20031019.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mschapv2 not working! Please help!
> My certificate generation went really well, no errors at all. I generated the certificates with openssl.

Did you use Makefile provided in raddb/certs directory? Or did you make them yourself?

Ivan Kalik
Kalik Informatika ISP
Re: Mschapv2 not working! Please help!
Hi,

> [peap] TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> [peap] WARNING: No data inside of the tunnel.
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Tunneled data is invalid.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select

all gone wonky here - your certs are readable by the correct group/user daemon process

what version of openssl do you have?

alan
Re: Mschapv2 not working! Please help!
I made them myself. Following were the commands I used.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl dhparam -out dh2048.pem 2048

Jas

tnt-4 wrote:
>> My certificate generation went really well, no errors at all. I generated the certificates with openssl.
>
> Did you use Makefile provided in raddb/certs directory? Or did you make them yourself?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Mschapv2 not working! Please help!
Hi

The version is 0.9.8a - 18.15 - i586

Jas

A.L.M.Buxey wrote:
> Hi,
>
>> [peap] TLS 1.0 Alert [length 0002], fatal access_denied
>> TLS Alert read:fatal:access denied
>> [peap] WARNING: No data inside of the tunnel.
>> [peap] eaptls_process returned 7
>> [peap] EAPTLS_OK
>> [peap] Session established. Decoding tunneled attributes.
>> [peap] Tunneled data is invalid.
>> [eap] Handler failed in EAP/peap
>> [eap] Failed in EAP select
>
> all gone wonky here - your certs are readable by the correct group/user daemon process
>
> what version of openssl do you have?
>
> alan
Re: Mschapv2 not working! Please help!
Hi,

> I made them myself. Following were the commands I used.
> openssl genrsa -des3 -out ca.key 4096
> openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> openssl genrsa -des3 -out server.key 4096
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
> openssl dhparam -out dh2048.pem 2048

well, that's wrong then. the docs haven't been read and you haven't followed the guides or the current cert gen script. you need to ensure that the certs have the required extensions

alan

> Jas
>
> tnt-4 wrote:
>>> My certificate generation went really well, no errors at all. I generated the certificates with openssl.
>>
>> Did you use Makefile provided in raddb/certs directory? Or did you make them yourself?
>>
>> Ivan Kalik
>> Kalik Informatika ISP
Re: Mschapv2 not working! Please help!
Can you please guide me in this regard. What guidlines shall I follow? Many Thanks, Jas A.L.M.Buxey wrote: Hi, I made them myself. Following were the commands I used. openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt openssl genrsa -des3 -out server.key 4096 openssl req -new -key server.key -out server.csr openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt openssl dhparam -out dh2048.pem 2048 well, thats wrong then. the docs havent been read and you havent followed the guides or the current cert gen script. you need to ensure that the certs have the required extensions alan Jas tnt-4 wrote: My certificate generation went really well, no errors at all. I generated the certificates with openssl. Did you use Makefile provided in raddb/certs directory? Or did you make them yourself? Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p20031328.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p20031799.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mschapv2 not working! Please help!
Hello, I am sure it works well with Users file as well. I remember doing it in the university. But I do not know y its not working this time. I will be integrating this freeradius with Novell's edirectory in few days time, but I wanted to test if its working or not before integrating with edirectory, as that will be complex structure. I have a tight dealine to finish it in. Kindly help me in eliminating the error its showing. Many Thanks, Jas Syed Anwarul Hasan wrote: Hi, PEAP MSCHAPv2 works well with Active Directory Backend. I am not sure of its Authentication Process with users file. Try with EAP MD5, it works well with Users file. SYED On Thu, Oct 16, 2008 at 5:21 PM, saini_jas16 [EMAIL PROTECTED] wrote: Hello All, I am trying to authenticate a Windows XP Client with the username and password configured in the Users file on the Radius Server. I have tried saveral changes, but I am not able to get rid of this error. I am running freeradius 2.1.1 on Suse 10 SP1. Kindly Help, I am in urgent need of making this radius server up and running. Below is the error I am receiving. rad_recv: Access-Request packet from host 130.1.254.174 port 2, id=212, length=182 NAS-Port-Id = 2049/1 Calling-Station-Id = 00-1F-3B-70-5B-7F Called-Station-Id = 00-18-6E-30-70-C0:NYCC_TEST Service-Type = Framed-User User-Name = jaswinder State = 0x2aaca71b29aabed260fc846046180105 EAP-Message = 0x0206002119800017150301001294659677442f8e7a361ee8ee93374c90ed53 NAS-Port-Type = Wireless-802.11 NAS-Identifier = 3Com NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0xe42d1530c16b34c5b74bfb4c486083aa +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = jaswinder, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] EAP packet type response id 6 length 33 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 23 [peap] Length Included [peap] eaptls_verify returned 11 [peap] TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} - jaswinder attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Any help is greatly appreciated. Thanks, Jas -- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p20015619.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p20029803.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mschapv2 not working! Please help!
saini_jas16 wrote:
> Can you please guide me in this regard. What guidelines shall I follow?

eap.conf, for one. If you're going to edit the configuration files, it might be prudent to *read* them.

Alan DeKok.
Re: Mschapv2 not working! Please help!
So you haven't used xpextensions and your certificates are useless for connecting XP clients. Use certificate creation provided with the server:

raddb/certs/README

Ivan Kalik
Kalik Informatika ISP

On 17/10/2008, saini_jas16 [EMAIL PROTECTED] wrote:

> I made them myself. Following were the commands I used.
> openssl genrsa -des3 -out ca.key 4096
> openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> openssl genrsa -des3 -out server.key 4096
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
> openssl dhparam -out dh2048.pem 2048
>
> Jas
>
> tnt-4 wrote:
>>> My certificate generation went really well, no errors at all. I generated the certificates with openssl.
>>
>> Did you use Makefile provided in raddb/certs directory? Or did you make them yourself?
>>
>> Ivan Kalik
>> Kalik Informatika ISP
Re: Mschapv2 not working! Please help!
> [peap] eaptls_verify returned 11
> [peap] TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> [peap] WARNING: No data inside of the tunnel.

Something is badly broken here. XP rejected CA certificate. It tends to do that if certificate doesn't have xpextensions. Are you using the CA certificate generated by freeradius? Were there any errors when you were making certificates? Is your XP patched up-to-date?

Ivan Kalik
Kalik Informatika ISP
Re: Mschapv2 not working! Please help!
I created the certificates in the way as explained in the readme file. But when I try to open or import the ca.der in the XP machine, it say that the file type is not recognized. What wrong am I doing here? Jas tnt-4 wrote: So you haven't used xpextensions and your certificates are useless for connecting XP clients. Use certificate creation provided with the server: raddb/certs/README Ivan Kalik Kalik Informatika ISP Dana 17/10/2008, saini_jas16 [EMAIL PROTECTED] piše: I made them myself. Following were the commands I used. openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt openssl genrsa -des3 -out server.key 4096 openssl req -new -key server.key -out server.csr openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt openssl dhparam -out dh2048.pem 2048 Jas tnt-4 wrote: My certificate generation went really well, no errors at all. I generated the certificates with openssl. Did you use Makefile provided in raddb/certs directory? Or did you make them yourself? Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p20031328.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p20033604.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mschapv2 not working! Please help!
> I created the certificates in the way as explained in the readme file. But when I try to open or import the ca.der in the XP machine, it say that the file type is not recognized. What wrong am I doing here?

Your XP is broken. Mine knows what .der file is. Go to Control Panel/Folders/File Types and see if der is listed.

Ivan Kalik
Kalik Informatika ISP
Please Help!
Hello Guys

I'm new in radius, I am using CentOS 5 in my radius server. Where I can find the scripts in generating various Certificates? This is for my Server-(Access Point)-Client connections. Any help would be appreciated.

Thanks,
Niel
Re: Please Help!
Thanks a lot guys :D effort appreciated :)

2008/10/10 [EMAIL PROTECTED]
> raddb/certs
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 10/10/2008, niel m [EMAIL PROTECTED] wrote:
>
>> Hello Guys
>>
>> I'm new in radius, I am using CentOS 5 in my radius server. Where I can find the scripts in generating various Certificates? This is for my Server-(Access Point)-Client connections. Any help would be appreciated.
>>
>> Thanks,
>> Niel
Re: Please Help!
raddb/certs

Ivan Kalik
Kalik Informatika ISP

On 10/10/2008, niel m [EMAIL PROTECTED] wrote:

> Hello Guys
>
> I'm new in radius, I am using CentOS 5 in my radius server. Where I can find the scripts in generating various Certificates? This is for my Server-(Access Point)-Client connections. Any help would be appreciated.
>
> Thanks,
> Niel
Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP)
Thank you... now it works and success. but if my client disconnect and reconnect again, now it doesn't need to input user name and password again. It's directly connected .. Is it right???
Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP)
Not really. But Windows XP caches credentials:

http://support.microsoft.com/kb/823731

Ivan Kalik
Kalik Informatika ISP

On 20/3/2008, Koko Kurniawan [EMAIL PROTECTED] wrote:

> Thank you... now it works and success. but if my client disconnect and reconnect again, now it doesn't need to input user name and password again. It's directly connected .. Is it right???
FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!!please HELP!!!)
Please, help me.. I am confuse why my freeradius server can´t detect the password that i write on the client? I am use OpenLDAP for the database

rad_recv: Access-Request packet from host 10.10.53.100:1812, id=76, length=83
        User-Name = htrisnadi
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000e0168747269736e616469
        NAS-IP-Address = 10.10.53.100
        Message-Authenticator = 0x4e8851c2f8e7f31d426d4a853af3ef1d
...
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
modcall[authenticate]: module ldap returns invalid for request 1
modcall: leaving group LDAP (returns invalid) for request 1
auth: Failed to validate the user.
Login incorrect: [htrisnadi/no User-Password attribute] (from client liv1 port 0)

There is no User-Password in there. Should i change the configuration? in which file?
Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!!please HELP!!!)
Koko Kurniawan wrote:
> why my freeradius server can´t detect the password that i write on the client?

Because the password is NOT in the RADIUS packet. Go read it: no User-Password attribute.

> rad_recv: Access-Request packet from host 10.10.53.100:1812, id=76, length=83
>         User-Name = htrisnadi
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x0201000e0168747269736e616469

EAP is an authentication protocol that does not send the password from the client to the server.

> auth: type LDAP

You forced Auth-Type := LDAP. DO NOT DO THAT. Please explain WHY you are doing this, and WHERE in the documentation (or web pages) it said to do this.

> There is no User-Password in there. Should i change the configuration? in which file?

Do NOT set Auth-Type. If LDAP has a clear-text password available for the user, FreeRADIUS will figure out how to authenticate the user.

Alan DeKok.
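The reply above can be checked by decoding the EAP-Message value from the quoted Access-Request, which turns out to carry only the identity. This is an added example, not part of the thread or of FreeRADIUS; the function names are hypothetical, and the parser assumes the EAP packet fits in a single, unfragmented EAP-Message attribute.

```python
import struct

# EAP codes and a few method types (RFC 3748; 25 is PEAP).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# RADIUS attributes that would carry password material directly.
PASSWORD_ATTRS = ("User-Password", "CHAP-Password")

# The Access-Request attributes exactly as quoted in the thread.
REQUEST = {
    "User-Name": "htrisnadi",
    "Framed-MTU": "1400",
    "NAS-Port-Type": "Wireless-802.11",
    "EAP-Message": "0x0201000e0168747269736e616469",
    "NAS-IP-Address": "10.10.53.100",
    "Message-Authenticator": "0x4e8851c2f8e7f31d426d4a853af3ef1d",
}


def parse_eap(hex_value):
    """Decode an EAP-Message value as printed in radiusd debug output."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # Truncated debug output or a fragmented attribute ends up here.
        raise ValueError(f"EAP length field says {length}, got {len(raw)} bytes")
    packet = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
              "length": length, "type": None, "data": b""}
    if code in (1, 2):  # only Request and Response carry a Type field
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        packet["type"] = EAP_TYPES.get(raw[4], f"unknown({raw[4]})")
        packet["data"] = raw[5:]
    return packet


def password_attrs_present(attrs):
    """List the password-bearing attributes found in a request."""
    return [name for name in PASSWORD_ATTRS if name in attrs]


def explain(attrs):
    """Summarise what credential material an Access-Request carries."""
    found = password_attrs_present(attrs)
    if found:
        return "password attribute present: " + ", ".join(found)
    if "EAP-Message" not in attrs:
        return "no password attribute and no EAP-Message"
    eap = parse_eap(attrs["EAP-Message"])
    if eap["type"] == "Identity":
        name = eap["data"].decode("utf-8", "replace")
        return f"EAP {eap['code']}/Identity for '{name}'; no password in this packet"
    return f"EAP {eap['code']} type {eap['type']}; no password attribute"


if __name__ == "__main__":
    print(parse_eap(REQUEST["EAP-Message"]))
    print(explain(REQUEST))
```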
Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP!!!)
thanks for the answer, i want ask something

what do you mean about the password is NOT in the RADIUS packet?? so where is the user-password??

i have removed Auth-Type := LDAP in users.. it's still not working. what must i do?

LDAP doesn't know EAP, so what kind of authentication i must use.

can you give me suggestion the ideal configuration for my FreeRADIUS + OpenLDAP so that the authentication be performed successfully.

i will show you my freeradius log, and i hope you will correct that

Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radius
main: group = radius
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded Pam
pam: pam_auth = radiusd
Module: Instantiated pam (pam)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = localhost
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity =
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password =
ldap: basedn = dc=aiueo,dc=com
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = {CRYPT}
ldap: password_attribute = userPassword
ldap: access_attr = (null)
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP!!!)
> thanks for the answer, i want ask something what do you mean about the password is NOT in the RADIUS packet?? so where is the user-password??

Most protocols don't work on password matching but on challenge-response.

> i have removed Auth-Type := LDAP in users.. it's still not working. what must i do?

So where is the debug?

> LDAP doesn't know EAP, so what kind of authentication i must use.

Don't force anything. Server will figure it out.

> can you give me suggestion the ideal configuration for my FreeRADIUS + OpenLDAP so that the authentication be performed successfully.

Configuration looks fine. Debug of the request will tell more.

Ivan Kalik
Kalik Informatika ISP
Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP!!!)
Koko Kurniawan wrote:
> thanks for the answer, i want ask something what do you mean about the password is NOT in the RADIUS packet??

I mean it's not.

> so where is the user-password??

Some authentication protocols do not require exchanging the password. CHAP, MS-CHAP, and EAP all work this way.

> i have removed Auth-Type := LDAP in users.. it's still not working. what must i do?

Post the debug log, as suggested in the FAQ, README, INSTALL, etc.

> LDAP doesn't know EAP, so what kind of authentication i must use.

We know that LDAP doesn't do EAP. This isn't news.

> can you give me suggestion the ideal configuration for my FreeRADIUS + OpenLDAP so that the authentication be performed successfully.

Configure LDAP EAP. It's that easy.

> i will show you my freeradius log, and i hope you will correct that

You didn't show the server receiving any authentication packets.

Alan DeKok.
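The EAP-Message value in the Access-Request quoted in this thread can be decoded to see what the replies describe: the packet carries an EAP identity and no password. This is an added example, not code from the thread or from FreeRADIUS; the function names are hypothetical, the header layout is the one in RFC 3748, and the attribute lines are copied from the post above.

```python
"""Classify an Access-Request from radiusd debug lines and decode its EAP packet."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Attribute whose presence identifies the method used in an Access-Request.
# EAP is checked first because it is the outer method when both appear.
METHOD_MARKERS = [
    ("EAP-Message", "EAP"),
    ("MS-CHAP-Challenge", "MS-CHAP"),
    ("CHAP-Password", "CHAP"),
    ("User-Password", "PAP"),
]

# Attribute lines copied from the Access-Request quoted in this thread.
SAMPLE_REQUEST = """\
User-Name = htrisnadi
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000e0168747269736e616469
NAS-IP-Address = 10.10.53.100
Message-Authenticator = 0x4e8851c2f8e7f31d426d4a853af3ef1d
"""


def parse_attributes(debug_text):
    """Return (name, value) pairs from 'Name = value' debug lines, in order."""
    pairs = []
    for line in debug_text.splitlines():
        name, sep, value = line.partition(" = ")
        if sep:
            pairs.append((name.strip(), value.strip().strip('"')))
    return pairs


def auth_method(pairs):
    """Name the authentication method implied by the attributes present."""
    names = {name for name, _ in pairs}
    for marker, method in METHOD_MARKERS:
        if marker in names:
            return method
    return "none"


def decode_eap(pairs):
    """Reassemble and decode the EAP packet carried in EAP-Message attributes."""
    # A long EAP packet is split over several EAP-Message attributes;
    # the receiver concatenates them in the order they appear.
    parts = [v[2:] if v.lower().startswith("0x") else v
             for n, v in pairs if n == "EAP-Message"]
    raw = bytes.fromhex("".join(parts))
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    packet = {"code": EAP_CODES.get(code, "Unknown"), "id": ident,
              "length": length, "type": None, "data": b""}
    # Only Request and Response carry a Type field; Success/Failure do not.
    if code in (1, 2) and length > 4:
        packet["type"] = EAP_TYPES.get(raw[4], "Type-%d" % raw[4])
        packet["data"] = raw[5:length]
    return packet


def summarize(debug_text):
    """Report the method in use and whether a User-Password was sent at all."""
    pairs = parse_attributes(debug_text)
    method = auth_method(pairs)
    summary = {"method": method,
               "has_user_password": any(n == "User-Password" for n, _ in pairs)}
    if method == "EAP":
        summary["eap"] = decode_eap(pairs)
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_REQUEST)
    print("method:", result["method"])
    print("User-Password present:", result["has_user_password"])
    print("EAP packet:", result["eap"])
```

The decoded packet is an EAP Response of type Identity whose data is the user name, which is why a module that needs User-Password has nothing to compare against.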
Re: please help not allow the many connections from single user
I did attribute in mysql and start freeradius

In the /var/log/radius.log I can see

Auth: Multiple logins (max 1) [MPP attempt]:

When I kick out the user in the nas server, I am still seeing this

Auth: Multiple logins (max 1) [MPP attempt]:

Is it any delay time to take? how can I control it?

Thank you

--- [EMAIL PROTECTED] wrote:
> > how can we prevent it?
>
> Restrict the user to a single session. Have a look at the (check) attribute Simultaneous-Use. If you are using sql accounting you will need to make slight adjustments to radiusd.conf and sql.conf. Read instructions in them.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: please help not allow the many connections from single user
Have you configured nastype in your client configuration? If checkrad script is to check sessions with NAS it needs that.

Ivan Kalik
Kalik Informatika ISP

On 20/11/2007, ann kok [EMAIL PROTECTED] wrote:
> I did attribute in mysql and start freeradius
>
> In the /var/log/radius.log I can see
>
> Auth: Multiple logins (max 1) [MPP attempt]:
>
> When I kick out the user in the nas server, I am still seeing this
>
> Auth: Multiple logins (max 1) [MPP attempt]:
>
> Is it any delay time to take? how can I control it?
>
> Thank you
Re: please help not allow the many connections from single user
Thank you

but in the nas file. it said to use clients.conf

i configure the clients.conf and put the NAS (linux) there

can you help? or teach me to run the command

Thank you
Peter

more naslist
#
# THIS FILE IS DEPRECATED.
#
# You should NOT be using this file to configure the server.
# It is here ONLY for backwards compatibility.
#
# See 'clients.conf' for the new configuration.
#

--- [EMAIL PROTECTED] wrote:
> Have you configured nastype in your client configuration? If checkrad script is to check sessions with NAS it needs that.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: please help not allow the many connections from single user
btw, i saw some users are fine but some users are not

not sure it is limited by time or modem

Do you have idea?

Thank you

--- [EMAIL PROTECTED] wrote:
> nastype is a setting in clients.conf. Read instructions in the file.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: please help not allow the many connections from single user
> btw, i saw some users are fine but some users are not
> not sure it is limited by time or modem
> Do you have idea?
> Thank you

Sorry. I don't know what are you on about. Whatever it is, modem is the most unlikely culprit.

Ivan Kalik
Kalik Informatika ISP
Re: please help not allow the many connections from single user
basically I don't know how to solve it out

I follow the freeradius/doc

1/ add group in freeradius/users
eg: DEFAULT Group == homeuse,Simultaneous-Use = 1,Fall-Through = 1

2/ insert radius database
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES ('homeuse', 'Simultaneous-Use', ':=', 1);

After restart the mysql, freeradius, I can see the some users can have Multiple logins (max 1) [MPP attempt] in radius log

When I tested to kick out those users from NAS, it still shows Multiple logins in the radius log and the users can't log on again. and I can't see any login in the NAS

But some users I can kick it out and have logon again successful in the radius log

I check checkrad this script. he looks like to use the naslist and naspassword files. but in our naslist, the comment told me to use the clients.conf instead

I add naslist and naspassword but I don't know how to test it. Is there any conflict?

I am using linux as NAS, what is the type of this one? Is the type as Other?

Thank you again

--- [EMAIL PROTECTED] wrote:
> > btw, i saw some users are fine but some users are not
> > not sure it is limited by time or modem
> > Do you have idea?
> > Thank you
>
> Sorry. I don't know what are you on about. Whatever it is, modem is the most unlikely culprit.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: please help not allow the many connections from single user
1. Delete that entry in users file. You are checking Simultaneous-Use in radgroupcheck.
2. In session{} module in radiusd.conf change checking to sql.
3. Uncomment simultaneous use queries in sql.conf.
4. If your NAS is not listed in docs enter other as nastype. That means there will be no check of NAS sessions, only what's written in the database.
5. Find all open entries in the database (SELECT * FROM radacct WHERE AcctStopTime = 0). If there are some open sessions older than what is normal - delete them - they are most likely stale and are preventing users from connecting.

Ivan Kalik
Kalik Informatika ISP

On 20/11/2007, ann kok [EMAIL PROTECTED] wrote:
> basically I don't know how to solve it out
>
> I follow the freeradius/doc
>
> 1/ add group in freeradius/users
> eg: DEFAULT Group == homeuse,Simultaneous-Use = 1,Fall-Through = 1
>
> 2/ insert radius database
> INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES ('homeuse', 'Simultaneous-Use', ':=', 1);
>
> After restart the mysql, freeradius, I can see the some users can have Multiple logins (max 1) [MPP attempt] in radius log
>
> When I tested to kick out those users from NAS, it still shows Multiple logins in the radius log and the users can't log on again. and I can't see any login in the NAS
>
> But some users I can kick it out and have logon again successful in the radius log
>
> I check checkrad this script. he looks like to use the naslist and naspassword files. but in our naslist, the comment told me to use the clients.conf instead
>
> I add naslist and naspassword but I don't know how to test it. Is there any conflict?
>
> I am using linux as NAS, what is the type of this one? Is the type as Other?
>
> Thank you again
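The symptom in this thread (a user stays locked out with "Multiple logins (max 1)" after being disconnected from the NAS) and the stale-row cleanup in step 5 can be reproduced on a toy table. This is an added example, not FreeRADIUS code: the table is a simplified, constructed stand-in for radacct in SQLite, the session check is a model of counting open rows rather than the server's own query, and the 24-hour threshold and function names are assumptions.

```python
"""Model of an SQL-backed Simultaneous-Use check and stale-session cleanup."""
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2007, 11, 20, 12, 0, 0)   # constructed "current time"
MAX_AGE = timedelta(hours=24)            # assumed limit for a normal session
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed rows:
# (UserName, AcctSessionId, NASIPAddress, AcctStartTime, AcctStopTime)
# AcctStopTime = 0 marks a session with no Stop record, as in step 5 above.
SAMPLE_ROWS = [
    ("alice", "s-001", "192.0.2.10", "2007-11-20 11:30:00", 0),  # really online
    ("bob", "s-002", "192.0.2.10", "2007-11-17 08:00:00", 0),    # Stop was lost
    ("carol", "s-003", "192.0.2.11", "2007-11-20 09:00:00",
     "2007-11-20 10:00:00"),                                     # closed cleanly
]


def make_db(rows=SAMPLE_ROWS):
    """Build an in-memory table with the few radacct columns the check needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctSessionId TEXT, "
        "NASIPAddress TEXT, AcctStartTime TEXT, AcctStopTime DEFAULT 0)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def open_session_count(conn, user):
    """Count rows for the user that never received a Stop record."""
    row = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
        (user,)).fetchone()
    return row[0]


def login_allowed(conn, user, simultaneous_use=1):
    """With nastype 'other' nothing asks the NAS, so the table alone decides."""
    return open_session_count(conn, user) < simultaneous_use


def stale_sessions(conn, now, max_age):
    """Open sessions that started longer ago than max_age, oldest first."""
    cutoff = (now - max_age).strftime(TIME_FORMAT)
    return conn.execute(
        "SELECT UserName, AcctSessionId, NASIPAddress, AcctStartTime "
        "FROM radacct WHERE AcctStopTime = 0 AND AcctStartTime < ? "
        "ORDER BY AcctStartTime", (cutoff,)).fetchall()


def delete_stale(conn, now, max_age):
    """Delete the stale open rows and return what was removed for the record."""
    stale = stale_sessions(conn, now, max_age)
    conn.executemany(
        "DELETE FROM radacct WHERE AcctSessionId = ? AND NASIPAddress = ? "
        "AND AcctStopTime = 0", [(sid, nas) for _, sid, nas, _ in stale])
    conn.commit()
    return stale


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "bob", "carol"):
        print(name, "allowed before cleanup:", login_allowed(db, name))
    print("removed:", delete_stale(db, NOW, MAX_AGE))
    for name in ("alice", "bob", "carol"):
        print(name, "allowed after cleanup:", login_allowed(db, name))
```

Reviewing the rows returned by `stale_sessions` before calling `delete_stale` keeps a long but genuine session from being removed.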
Re: please help not allow the many connections from single user
Thank you

In the freeradius/doc/Simultaneous-Use, I don't understand this one. Is it in the radius.conf? Can you teach me how to add this?

NOTE!!! The Simultaneous-Use parameter is in the check A/V pairs, and not in the Reply A/V pairs (it _is_ a check).

Thank you

--- [EMAIL PROTECTED] wrote:
> > how can we prevent it?
>
> Restrict the user to a single session. Have a look at the (check) attribute Simultaneous-Use. If you are using sql accounting you will need to make slight adjustments to radiusd.conf and sql.conf. Read instructions in them.
>
> Ivan Kalik
> Kalik Informatika ISP
RE: please help not allow the many connections from single user
> Simultaneous-Use parameter is in the check A/V pairs

Just like a password check.

username Cleartext-Password := somepass, Simultaneous-Use := 1

Ivan Kalik
Kalik Informatika ISP
Re: please help not allow the many connections from single user
> how can we prevent it?

Restrict the user to a single session. Have a look at the (check) attribute Simultaneous-Use. If you are using sql accounting you will need to make slight adjustments to radiusd.conf and sql.conf. Read instructions in them.

Ivan Kalik
Kalik Informatika ISP
please help not allow the many connections from single user
Hi

We have big problem to have many connections from single user in DSL clients

A single user can authenticate on the different LNS server to use the internet connection. how can we prevent it?

As our users are using the dynamic ip, the ip address is assigned by the LNS not the radius

in this case, the ip pool can't be defined in the radius setting. Right?

Can you help to give us detail info?

thank you so much
Please help with my EAP config - PEAP/MSCHAP
Hello,

I'm trying to set up Freeradius on SuSe 9 to authenticate against LDAP on the same box. I can use radtest locally and ntradping from a remote workstation and receive an accept. So it looks like it's configured well enough for the direct LDAP with clients.conf. However, when I try and use a Windows XP Pro client with my 3COM AP it returned a reject. I've tried searching on what appears to be the errors in the below log but nothing seems to stand out.

I'm sure it's something simple I missed when following the online setup guides that are supposed to walk you through. I've checked and re-checked my eap.conf and radiusd.conf. Below is the output from radiusd. Any help is greatly appreciated and thanks in advance. :-D

http://www.nabble.com/file/p13363453/radiusd.conf radiusd.conf
http://www.nabble.com/file/p13363453/eap.conf eap.conf

-Nyle

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = localhost
ldap: port = 636
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = cn=RADMIN,o=SuSeRadius
ldap: tls_mode = yes
ldap: start_tls = no
ldap: tls_cacertfile = /etc/raddb/certs/rootcert.pem
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password = XX
ldap: basedn = ou=TechSupport,ou=JeffS,o=Jeff
ldap: filter = (cn=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = nspmPassword
ldap: access_attr = wirelessAccess
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: edir_account_policy_check = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped
Re: Please help with my EAP config - PEAP/MSCHAP
Nyle wrote:
> I'm trying to set up Freeradius on SuSe 9 to authenticate against LDAP on the same box. I can use radtest locally and ntradping from a remote workstation and receive an accept. So it looks like it's configured well enough for the direct LDAP with clients.conf. However, when I try and use a Windows XP Pro client with my 3COM AP it returned a reject. I've tried searching on what appears to be the errors in the below log but nothing seems to stand out.
>
> I'm sure it's something simple I missed when following the online setup guides that are supposed to walk you through. I've checked and re-checked my eap.conf and radiusd.conf.

There's a lot of this error: Maybe you want to check that out.

rlm_ldap: performing search in ou=TechSupport,ou=JeffS,o=Jeff, with filter (cn=auser)
rlm_ldap: checking if remote access for auser is allowed by wirelessAccess
rlm_ldap: Error reading Universal Password.Return Code = -16049
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...

And there's no known good password found for the user.

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for auser with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

Tell the server what the user's correct password is.

Alan DeKok.
Re: Please help with my EAP config - PEAP/MSCHAP
Alan DeKok-4 wrote:
> Nyle wrote:
> > I'm sure it's something simple I missed when following the online setup guides that are supposed to walk you through. I've checked and re-checked my eap.conf and radiusd.conf.
>
> There's a lot of this error: Maybe you want to check that out.
>
> rlm_ldap: performing search in ou=TechSupport,ou=JeffS,o=Jeff, with filter (cn=auser)
> rlm_ldap: checking if remote access for auser is allowed by wirelessAccess
> rlm_ldap: Error reading Universal Password.Return Code = -16049
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
>
> And there's no known good password found for the user.
>
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for auser with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>
> Tell the server what the user's correct password is.
>
> Alan DeKok.

Thank you, thank you, thank you - You know after you've looked at a problem from 6 different directions for too long. Often the simplest solution doesn't come to mind. Your last statement - Tell the server what the user's correct password is. - took me to the simplest fix. Reset the user's Novell eDirectory based Universal Password. Once I set the password it worked, now I can debug why the system that should synchronize those passwords automatically isn't working right.

I do have another related question but it might need to be a separate post. However, let me ask it here and see. The built in Windows XP Pro SP2 wireless will now connect correctly but when I switch back to the DELL Wireless Utility and use WPA-ENTERPRISE/PEAP/MSCHAPv2, I don't even see debugging information from radiusd. It's like it doesn't even receive the request at all.

As I said, I understand if I don't get a reply but has anyone seen this?

-Nyle
Re: Please help with my EAP config - PEAP/MSCHAP
Nyle wrote:
> Thank you, thank you, thank you - You know after you've looked at a problem from 6 different directions for too long. Often the simplest solution doesn't come to mind. You last statement - Tell the server what the users correct password is. - took me to the simplest fix. Reset the users Novell eDirectory based Universal Password. Once I set the password it worked, now I can debug why the system that should synchronize those passwords automatically isn't working right.

:)

> I do have another related question but it might need to be a separate post. However, let me ask it here and see. The built in Windows XP Pro SP2 wireless will now connect correctly but when I switch back to the DELL Wireless Utility and use WPA-ENTERPRISE/PEAP/MSCHAPv2, I don't even see debugging information from radiusd. It's like it doesn't even receive the request at all.

Well, that would suggest that the machine isn't trying to log in at *all*.

Alan DeKok.
Accounting is not working. Please help.
Hey guys, i just follow this guide.
http://www.frontios.com/freeradius.html
and everything looks ok, the users are already working and login without problem. But the accounting is not working, the mysql tables are empty, i checked when i user access and everything looks ok, and the radacct still empty.

In my radiusd.conf i have

accounting {
    detail
    radutmp
    sql
}

Other guy is checking in the AP, but i wanna be sure i have the correct values in the server.

Any comment is appreciated.

Alex
Re: Accounting is not working. Please help.
On Monday 26 March 2007 16:30:35 alex wrote:
> Hey guys, i just follow this guide.
> http://www.frontios.com/freeradius.html
> and everything looks ok, the users are already working and login without problem. But the accounting is not working, the mysql tables are empty, i checked when i user access and everything looks ok, and the radacct still empty.
>
> In my radiusd.conf i have
>
> accounting {
>     detail
>     radutmp
>     sql
> }
>
> Other guy is checking in the AP, but i wanna be sure i have the correct values in the server.
>
> Any comment is appreciated.
>
> Alex

Did you run in debug mode (-X)? If so, did the output show anything strange when processing an accounting packet? Is the NAS configured to send accounting records to the radius server?

-Kevin
Re: Accounting is not working. Please help.
I think everything is ok.

rad_recv: Access-Request packet from host 192.168.1.1:6001, id=91, length=124
    User-Name = 00:13:02:a7:57:9f
    User-Password = testing123
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = 00-20-a6-6b-72-aa:PIM DOCK A
    Calling-Station-Id = 00-13-02-a7-57-9f
    NAS-Port = 9
    NAS-Port-Type = Wireless-802.11
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
modcall[authorize]: module preprocess returns ok for request 14
modcall[authorize]: module chap returns noop for request 14
modcall[authorize]: module mschap returns noop for request 14
rlm_realm: No '@' in User-Name = 00:13:02:a7:57:9f, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 14
radius_xlat: '00:13:02:a7:57:9f'
rlm_sql (sql): sql_set_user escaped user -- '00:13:02:a7:57:9f'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '00:13:02:a7:57:9f' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '00:13:02:a7:57:9f' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00:13:02:a7:57:9f' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00:13:02:a7:57:9f' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '00:13:02:a7:57:9f' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '00:13:02:a7:57:9f' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00:13:02:a7:57:9f' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00:13:02:a7:57:9f' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module sql returns ok for request 14
modcall: leaving group authorize (returns ok) for request 14
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [00:13:02:a7:57:9f/testing123] (from client other port 9 cli 00-13-02-a7-57-9f)
Sending Access-Accept of id 91 to 192.168.1.1 port 6001
Finished request 14
Going to the next request

---Original Message---
From: Kevin Bonner [EMAIL PROTECTED]
Subject: Re: Accounting is not working. Please help.
Sent: 27 Mar '07 02:08

On Monday 26 March 2007 16:30:35 alex wrote:

Hey guys, i just follow this guide. http://www.frontios.com/freeradius.html and everything looks ok, the users are already working and login without problem. But the accounting is not working, the mysql tables are empty, i checked when i user access and everything looks ok, and the radacct still empty.

In my radiusd.conf i have

accounting {
    detail
    radutmp
    sql
}

Other guy is checking in the AP, but i wanna be sure i have the correct values in the server. Any comment is appreciated.

Alex

Did you run in debug mode (-X)? If so, did the output show anything strange when processing an accounting packet? Is the NAS configured to send accounting records to the radius server?

-Kevin

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
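The check Kevin asks for above (does the debug output ever show an accounting packet from the NAS?) can be run over a saved `radiusd -X` capture. This is an added example, not part of the original thread or of FreeRADIUS: the sample log is constructed in the line format quoted in the message, the second client 192.168.1.2 and its accounting lines are invented, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of `radiusd -X` output in the FreeRADIUS 1.x line
# format quoted in the thread; client 192.168.1.2 is invented for contrast.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.1.1:6001, id=91, length=124
\tUser-Name = 00:13:02:a7:57:9f
\tNAS-IP-Address = 192.168.1.1
Sending Access-Accept of id 91 to 192.168.1.1 port 6001
rad_recv: Access-Request packet from host 192.168.1.2:6001, id=12, length=120
Sending Access-Accept of id 12 to 192.168.1.2 port 6001
rad_recv: Accounting-Request packet from host 192.168.1.2:6002, id=13, length=98
\tAcct-Status-Type = Start
Sending Accounting-Response of id 13 to 192.168.1.2 port 6002
"""

# Packets received from a client and replies sent back to it.
RECV = re.compile(r"^rad_recv: (\S+) packet from host ([\d.]+):\d+, id=\d+")
SENT = re.compile(r"^Sending (\S+) of id \d+ to ([\d.]+) port \d+")


def tally(debug_text):
    """Count packets per NAS address: {ip: {packet_type: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in debug_text.splitlines():
        m = RECV.match(line) or SENT.match(line)
        if m:
            counts[m.group(2)][m.group(1)] += 1
    return {ip: dict(kinds) for ip, kinds in counts.items()}


def silent_accounting(debug_text):
    """NAS addresses that were sent an Access-Accept but from which no
    Accounting-Request ever arrived, i.e. the server never had anything
    to write to radacct for them."""
    return sorted(
        ip for ip, kinds in tally(debug_text).items()
        if kinds.get("Access-Accept") and not kinds.get("Accounting-Request")
    )


if __name__ == "__main__":
    for ip, kinds in tally(SAMPLE_DEBUG).items():
        print(ip, kinds)
    print("no accounting seen from:", silent_accounting(SAMPLE_DEBUG))
```

An address listed by `silent_accounting` points at the NAS configuration (accounting server, port, shared secret) rather than at the `accounting { ... }` section of radiusd.conf.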
freeRadius 1.1.5 compile errors - please help
I am trying to build/compile freeRadius 1.1.5. My Cygwin environment is 1.5.24-2 from www.cygwin.com. freeRadius 1.1.5 from www.freeradius.org.

I ran configure for freeRadius with the following parameters:

./configure -without-snmp -disable-shared -enable-static -without-rlm_perl

Configure and make output logs are attached to this email.

configure log: http://www.nabble.com/file/7292/config.log
make log: http://www.nabble.com/file/7293/make.log

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AW: AW: PEAP+MSCHAP+AD (please help)
(SecureW2) seemed to work, but not using PEAP. I selected EAP-MSCHAP v2 and both automatic and manual logins worked on my computer through SW2. Then I tried it on another computer, and didn't work. Different accounts and the result is the same.

I haven't tried yet bumping the debugging level in Samba. I was just trying on the client side, but unfortunately nothing succeeded :( Well, now I have to try things on the server side.

Do you have any more ideas to try?

Héctor

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Phil Mayers
Sent: Monday, 11 December 2006 11:26
To: FreeRadius users mailing list
Subject: Re: AW: PEAP+MSCHAP+AD (please help)

[EMAIL PROTECTED] wrote:

Hello. No, I haven't edited the debug output. Why would I do this if I have a problem that I want to get solved? The debug output is exactly what I get from FreeRadius.

People do some surprising things on this mailing list... I saw that you had a domain called DOMAIN, which is not very common, and assumed the worst i.e. that you had edited the output.

There have been more people in this list with the same problem, being the latest http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.html. Even though he found a solution for his own problem, I followed his howto but unfortunately it didn't work for me. About the client, when I turn the computer on, I have to type in the user credentials, the same ones that I use when testing FreeRadius. Windows sends FreeRadius the same user information in the two cases, but the outcome is completely different and this of course makes no sense. There is no trick, this is a real problem I have.

I didn't imagine you were trying to trick us.

As far as I can tell, your FreeRadius configuration looks correct. It's able to answer at least some MS-CHAP requests, and as you say there's no real difference as far as the server is concerned between an automatic or manual client login.

This makes me suspect that there *is* a difference between such on the client side. Couple of other things you could try:

netsh ras set tracing * enable

...on the windows client side, then inspect the logs (If memory serves they go to %WINDIR%/system32/tracing)

Also - the client is in DOMAIN, the server is also in DOMAIN yes? As in, you're not trying to authenticate a trusted domain user?

Finally, I see you've got the ntlm_auth helper set to:

/opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

You could try removing the --domain argument completely - though you should not need to. You could obviously also bump the Samba debugging level for a failing login and inspect the samba logs.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: AW: AW: PEAP+MSCHAP+AD (please help)
[EMAIL PROTECTED] wrote:

on the windows client. I tried first one automatic login and then a manual one. The CHAP log generated by Windows is as follows:

Hmph. That wasn't as useful as I'd hoped (the PPP logs are much better)

Windows sends both domain and username, but only the manual login succeeds. For the manual login, Windows uses DES and MD5 but for the automatic one uses Local Security Authority, but I don't think this has something to do with my problem, does it?

Not really - the automatic login calls out to the LSA to get the logged-in creds. The manual login does a portion of that locally.

I've also tried other things on the client side: Cleaned cached user credentials from regedit, just in case, but the result is the same. I've tried using different computers and the result is the same. Using a different supplicant (SecureW2) seemed to work, but not using PEAP. I selected EAP-MSCHAP v2 and both automatic and manual logins worked on my computer through SW2. Then I tried it on another computer, and didn't work. Different accounts and the result is the same. I haven't tried yet bumping the debugging level in Samba. I was just trying on the client side, but unfortunately nothing succeeded :( Well, now I have to try things on the server side.

I doubt there's anything in the Radius server that'll help at this point. Only two things I can think of:

1. Does your password have odd (non-ascii) characters in it? That should NOT matter for MS-CHAP since it's explicitly unicode aware
2. Does the domain you are in have particularly tight security policies that might be preventing the LSA from successfully completing an MS-CHAP but would allow the manual code to work?

Both are extremely unlikely. Sorry I can't be more help

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html