Re: Any body here?Please help me to test my server.

2012-03-17 Thread Fajar A. Nugraha
2012/3/17 ZhenJoey snan4l...@hotmail.com:
 Hello everybody:
 I just set up a freeradius server right now,
 Please help me to test it by running
 $radtest snan4love 123456 119.127.12.6 1812 12345678
 I will be waiting here.

 BTW, I did a test myself via a NAS, not radtest; it doesn't work.

And what makes you think it will work when other test it?

Don't be lazy. Do your own homework.

Some things to check:
- make sure there's no firewall active in the server (e.g. make sure
iptables is disabled, or that the default rule is ACCEPT). It
simplifies things a lot.
- make sure the NAS can communicate with the radius server (ping will
be a good start)
- run the server in debug mode (radiusd -X)

If you need another host to run radtest, use virtualbox/kvm/whatever,
have it use bridged networking and assign the guest an IP address in
the same network segment as the host.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Any body here?Please help me to test my server.

2012-03-17 Thread ZhenJoey






Thank you Fajar:
Thank you for your advice, the problem is solved.
The problem is I forgot to set up the NAS's gateway IP address, so it is still a 
two-layer device; the request message could not get out of the device.
Thank you very much
Joey
 


 Date: Sat, 17 Mar 2012 14:47:03 +0700
 Subject: Re: Any body here?Please help me to test my server.
 From: l...@fajar.net
 To: freeradius-users@lists.freeradius.org
 
 2012/3/17 ZhenJoey snan4l...@hotmail.com:
  Hello everybody:
  I just set up a freeradius server right now,
  Please help me to test it by running
  $radtest snan4love 123456 119.127.12.6 1812 12345678
  I will be waiting here.
 
  BTW, I did a test myself via a NAS, not radtest; it doesn't work.
 
 And what makes you think it will work when other test it?
 
 Don't be lazy. Do your own homework.
 
 Some things to check:
 - make sure there's no firewall active in the server (e.g. make sure
 iptables is disabled, or that the default rule is ACCEPT). It
 simplifies things a lot.
 - make sure the NAS can communicate with the radius server (ping will
 be a good start)
 - run the server in debug mode (radiusd -X)
 
 If you need another host to run radtest, use virtualbox/kvm/whatever,
 have it use bridged networking and assign the guest an IP address in
 the same network segment as the host.
 
 -- 
 Fajar

Any body here?Please help me to test my server.

2012-03-16 Thread ZhenJoey

Hello everybody:
I just set up a freeradius server right now,
Please help me to test it by running
$radtest snan4love 123456 119.127.12.6 1812 12345678
I will be waiting here.

BTW, I did a test myself via a NAS, not radtest; it doesn't work. Is there 
something like a timeout in the NAS when it tries to connect to the radius server?
Thank you very much 
Joey

Re: please help me :Failed binding to authentication address 192.168.1.102 port 1812

2011-11-22 Thread Alan DeKok
Harshavardhan Ch wrote:
 Hello sir,
 while activating the free radius server with eap
 authentication via vmware virtual machine I got an error like Failed
 binding to authentication address 192.168.1.102 port 1812
 and I attached the output file.

  Stop posting ODT files or you will be unsubscribed from the list.

  Alan DeKok.


Re: please help me :Failed binding to authentication address 192.168.1.102 port 1812

2011-11-21 Thread Fajar A. Nugraha
On Tue, Nov 22, 2011 at 12:05 PM, Harshavardhan Ch
harshavardhan...@intelligraphics.com wrote:
 Hello sir,
 while activating the free radius server with eap
 authentication via vmware virtual machine I got an error like Failed binding
 to authentication address 192.168.1.102 port 1812
 and I attached the output file.

(1) paste the debug log directly in your email. There's really no need
to put it inside odt
(2) Make sure IP address 192.168.1.102 is REALLY active on your system
(i.e. it's not some copy-paste error)
(3) Look for any programs already using the port. Running netstat
-anup | grep 181 should help.

-- 
Fajar



Re: Please help me ASAP

2011-07-25 Thread John Dennis

On 07/24/2011 09:29 AM, Its Me wrote:

Hi,
I am a new user of Linux. I have installed the freeradius2 rpm on my Linux
machine (RHEL-5.5 Server). I am facing the problem detailed below; please help me
with how I can install and set it up. My radiusd -X output below shows the problem.

radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
Failed binding to authentication address * port 1812: Address already in use
/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812


You probably have another copy of the server running, you can only have 
one copy running at a time. Did you start one as a service? If so:


sudo service radiusd stop

Need help on how to manage FreeRADIUS on Redhat systems?

http://wiki.freeradius.org/Red_Hat_FAQ

P.S.: It's not polite to demand help ASAP on a free volunteer mailing list.

--
John Dennis jden...@redhat.com



Please help me ASAP

2011-07-24 Thread Its Me
Hi,
I am a new user of Linux. I have installed the freeradius2 rpm on my Linux 
machine (RHEL-5.5 Server). I am facing the problem detailed below; please help me with how 
I can install and set it up. My radiusd -X output below shows the problem.

radiusd:  Opening IP addresses and Ports 
listen {
    type = auth
    ipaddr = *
    port = 0
Failed binding to authentication address * port 1812: Address already in use
/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

Re: Please help me ASAP

2011-07-24 Thread Harry Hoffman
Either a version of freeradius is already running or something else is
running on that port or you are trying to start the program as a
non-root user.

As root run this command and paste the output:

lsof -i :1812

Cheers,
Harry

On 07/24/2011 09:29 AM, Its Me wrote:
 Hi,
 I am a new user of Linux. I have installed the freeradius2 rpm on my Linux 
 machine (RHEL-5.5 Server). I am facing the problem detailed below; please help me with how 
 I can install and set it up. My radiusd -X output below shows the problem.
 
 radiusd:  Opening IP addresses and Ports 
 listen {
 type = auth
 ipaddr = *
 port = 0
 Failed binding to authentication address * port 1812: Address already in use
 /etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
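
The checks suggested in these threads (is something already bound to the port, is the address really on the host, is the user allowed to bind) can be run as one probe. This is an added example, not code from the posters or from FreeRADIUS; the function names are made up here, and it assumes a UDP listener over IPv4.

```python
import errno
import re
import socket

# Matches the radiusd -X error quoted in the posts, with or without a reason.
BIND_ERROR = re.compile(
    r"Failed binding to (\w+) address (\S+) port (\d+)(?::\s*(.+))?")

# bind() errno -> which of the causes raised in the replies it points to.
CAUSES = {
    errno.EADDRINUSE: "in-use: another process (often a second radiusd) holds this port",
    errno.EADDRNOTAVAIL: "no-such-address: that IP is not configured on this host",
    errno.EACCES: "permission: this user is not allowed to bind the port",
}


def parse_bind_error(line):
    """Extract listener type, address and port from a 'Failed binding' line."""
    m = BIND_ERROR.search(line)
    if m is None:
        return None
    kind, ipaddr, port, reason = m.groups()
    return {"type": kind, "ipaddr": ipaddr, "port": int(port), "reason": reason}


def diagnose_bind(ipaddr, port):
    """Attempt the same UDP bind the server would make; return (ok, finding)."""
    host = "0.0.0.0" if ipaddr == "*" else ipaddr  # '*' means all interfaces
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        return False, CAUSES.get(exc.errno, "other: %s" % exc.strerror)
    finally:
        sock.close()
    return True, "free: nothing is bound here, so the server can take the port"


def demo():
    """Constructed scenario: hold a loopback port, then probe it like radiusd would."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind(("127.0.0.1", 0))            # stand-in for the stray first server
    port = holder.getsockname()[1]
    line = "Failed binding to authentication address 127.0.0.1 port %d" % port
    info = parse_bind_error(line)
    while_held = diagnose_bind(info["ipaddr"], info["port"])
    holder.close()                            # the equivalent of stopping the service
    after_stop = diagnose_bind(info["ipaddr"], info["port"])
    return while_held, after_stop


if __name__ == "__main__":
    for result in demo():
        print(result)
```

An `in-use` finding is the cue to look up the owning process with the `lsof -i :1812` or `netstat -anup` commands given in the replies.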
 
 
 


mschapv2 and peap not working, please help

2011-04-07 Thread syharash
Hi, 

I am a newbie on Linux and RADIUS stuff. I am trying to authenticate WinXP
and Win 7 machines on wireless using FreeRADIUS, LDAP authentication. Please
help.
 
 Module: Instantiating module digest from file /etc/raddb/modules/digest 
 Module: Linked to module rlm_unix 
 Module: Instantiating module unix from file /etc/raddb/modules/unix 
  unix { 
radwtmp = /var/log/radius/radwtmp 
  } 
 Module: Linked to module rlm_ldap 
 Module: Instantiating module ldap from file /etc/raddb/modules/ldap 
  ldap { 
server = 10.73.93.13 
port = 389 
password =  
identity =  
net_timeout = 1 
timeout = 4 
timelimit = 3 
tls_mode = no 
start_tls = no 
tls_require_cert = allow 
   tls { 
start_tls = no 
require_cert = allow 
   } 
basedn = dc=uforadius,dc=com 
filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}}) 
base_filter = (objectclass=radiusprofile) 
auto_header = no 
access_attr_used_for_allow = yes 
groupname_attribute = cn 
groupmembership_filter =
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 dictionary_mapping = /etc/raddb/ldap.attrmap 
ldap_debug = 0 
ldap_connections_number = 5 
compare_check_items = no 
do_xlat = yes 
set_auth_type = yes 
  } 
rlm_ldap: Registering ldap_groupcmp for Ldap-Group 
rlm_ldap: Registering ldap_xlat with xlat_name ldap 
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap 
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ 
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ 
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type 
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use 
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id 
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id 
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password 
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password 
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password 
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password 
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password 
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header 
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT 
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration 
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address 
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type 
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol 
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address 
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask 
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route 
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing 
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id 
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU 
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression 
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host 
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service 
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port 
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number 
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id 
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network 
rlm_ldap: LDAP radiusClass mapped to RADIUS Class 
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout 
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout 
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action 
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service 
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node 
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group 
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link 
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
 rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
 rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit 
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port 
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message 
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type 
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type 
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
 conns: 0x9ac42e8 
 Module: Linked to module rlm_eap 
 Module: Instantiating module eap from file /etc/raddb/eap.conf 
  eap { 
default_eap_type = ttls 
timer_expire = 60 
ignore_unknown_eap_types = no 
cisco_accounting_username_bug

Re: mschapv2 and peap not working, please help

2011-04-07 Thread Alan DeKok
syharash wrote:
 I am a newbie on Linux and RADIUS stuff. I am trying to authenticate WinXP
 and Win 7 machines on wireless using FreeRADIUS, LDAP authentication. Please
 help.

  Thanks for posting the debug output, but it would help if you read it.
 It's not complicated.

  Also post the debug output into the form at:

http://networkradius.com/freeradius.html

  That will make it clearer what's going wrong, and why.

  Alan DeKok.


Re: mschapv2 and peap not working, please help

2011-04-07 Thread syharash
Dear Alan,

I am doing this all for the very first time. Could you please help me out? I
do not understand what seems to be wrong? I have added that user mahendra
in linux, ldap and also in the raddb/users file. The file contents are here;

/etc/passwd
mahendra:x:516:516::/home/mahendra:/bin/bash

ldapsearch

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=mahendra
# requesting: ALL
#

# mahendra, People, uforadius.com
dn: uid=mahendra,ou=People,dc=uforadius,dc=com
uid: mahendra
cn: mahendra
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJDk0aGwzTmdKJEF1dVpsZWFlNWkyR2t6clQ5WEl5ZTA=
shadowLastChange: 15071
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 516
gidNumber: 516
homeDirectory: /home/mahendra

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

/etc/raddb/users

DEFAULT
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802

001E65003C44
User-Name = rasheed,
User-Password == M@d33na,
Tunnel-Private-Group-ID := 3
001F3CD13053
User-Name = paresh,
User-Password == paresh@123,
Tunnel-Private-Group-ID := 18
001F3CD12B6C
User-Name = subhash,
User-Password == sub@1979,
Tunnel-Private-Group-ID := 2
001F3CE117A9
User-Name = mahendra,
User-Password == ufo@123,
Tunnel-Private-Group-ID := 4
AC670639D299
User-Name = sachin,
User-Password == sachin123,
Tunnel-Private-Group-ID := 18




Re: mschapv2 and peap not working, please help

2011-04-07 Thread Phil Mayers



[ldap] looking for check items in directory...
   [ldap] userPassword -  Password-With-Header ==
{crypt}$1$94hl3NgJ$AuuZleae5i2GkzrT9XIye0


crypt passwords cannot be used to do MS-CHAP. It is impossible.

MS-CHAP requires either the cleartext password or NT/LM hashes.

See:

http://deployingradius.com/documents/protocols/compatibility.html


  [ldap] looking for reply items in directory...
[ldap] user mahendra authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: mahendra
[mschap] Told to do MS-CHAPv2 for mahendra with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.


...because you only have crypt passwords, it fails.

You MUST store plaintext or nt/lm hashes if you want to do PEAP/MSCHAP
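
Phil's point, as a check to run against an LDAP entry before enabling PEAP/MS-CHAPv2: decode the stored password, work out what form it is in, and ask which methods the server could verify with it. This is an added example, not code from the thread or from FreeRADIUS; the header table, function names and sample entries are assumptions constructed here.

```python
import base64
import re

# Storage form implied by a Password-With-Header prefix. The prefix list is
# this example's assumption, limited to common LDAP schemes.
HEADER_FORMS = {
    "clear": "cleartext", "cleartext": "cleartext",
    "nt": "nt-hash", "x-nthash": "nt-hash",
    "crypt": "crypt", "md5": "md5", "smd5": "salted-md5",
    "sha": "sha1", "ssha": "salted-sha1",
}
# LDAP attributes that the attrmap in the debug output maps to NT-Password.
NT_ATTRS = {"ntpassword", "sambantpassword"}

# What the server can verify from each storage form. Challenge-response
# methods need the secret itself (CHAP) or its NT hash (MS-CHAP); a one-way
# hash can only be compared with a password the client sends, i.e. PAP.
METHODS = {
    "cleartext": {"PAP", "CHAP", "MS-CHAP"},
    "nt-hash": {"PAP", "MS-CHAP"},
}
ONE_WAY_ONLY = {"PAP"}


def parse_ldif_entry(text):
    """Return {lowercased attribute: [values]} for one LDIF entry."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]              # LDIF continuation line
        elif line and not line.startswith("#"):
            logical.append(line)
    entry = {}
    for line in logical:
        m = re.match(r"([^:]+)(::?)\s*(.*)$", line)
        if m is None:
            continue
        name, sep, value = m.groups()
        if sep == "::":                          # '::' marks a base64 value
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(name.lower(), []).append(value)
    return entry


def stored_forms(entry):
    """Set of storage forms available for this user."""
    forms = set()
    for value in entry.get("userpassword", []):
        m = re.match(r"\{([^}]+)\}", value)
        if m is None:
            forms.add("cleartext")               # assumption: no header means cleartext
        else:
            forms.add(HEADER_FORMS.get(m.group(1).lower(), "unknown"))
    if any(entry.get(attr) for attr in NT_ATTRS):
        forms.add("nt-hash")
    return forms


def can_authenticate(entry, method):
    """True if any stored form lets the server verify `method`."""
    for form in stored_forms(entry):
        allowed = METHODS.get(form, set() if form == "unknown" else ONE_WAY_ONLY)
        if method in allowed:
            return True
    return False


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed entries (not the poster's data): crypt only, then crypt + NT hash.
CRYPT_ONLY = ("dn: uid=alice,ou=People,dc=example,dc=org\n"
              "uid: alice\n"
              "userPassword:: " + _b64("{crypt}$1$constructed$notARealHashValue000") + "\n")
WITH_NT = CRYPT_ONLY + "sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF\n"

if __name__ == "__main__":
    for label, ldif in (("crypt only", CRYPT_ONLY), ("crypt + NT hash", WITH_NT)):
        entry = parse_ldif_entry(ldif)
        usable = [m for m in ("PAP", "CHAP", "MS-CHAP") if can_authenticate(entry, m)]
        print(label, sorted(stored_forms(entry)), usable)
```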


Re: mschapv2 and peap not working, please help

2011-04-07 Thread syharash
Great Phil, I've changed my /etc/raddb/users file and it worked, could you
please help me if i can make a particular user login only from a single
machine using the MAC Address of that machine. my existing /etc/raddb/users
file looks like this

DEFAULT Auth-Type = System
Fall-Through = 1

#
# Defaults for LDAP
#
#DEFAULT Auth-Type := LDAP
#Fall-Through = 1

DEFAULT
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Service-Type = Framed-User,
Fall-Through = Yes

abdul   Cleartext-Password := test123, Tunnel-Private-Group-ID := 18





Re: mschapv2 and peap not working, please help

2011-04-07 Thread Alan Buxey
Hi,

comparisons/requirements are on the first line, replies are on following lines

ie

user Cleartext-Password := testing, NAS-IP-Address = 192.168.0.1
AttributeX = this,
AttributeY = that


alan
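
The layout rule above can be checked mechanically: split each entry into first-line check items and following-line reply items, then flag any password that landed among the replies. This is an added example, not part of the thread or of FreeRADIUS; it assumes comma-separated attribute/operator/value items and whole-line `#` comments, and the sample entries are constructed.

```python
import re

ITEM = re.compile(r'''
    ([A-Za-z][\w-]*) \s*                            # attribute name
    (:=|==|\+=|!=|>=|<=|=~|!~|=\*|!\*|=|>|<) \s*    # operator
    ("(?:[^"\\]|\\.)*" | [^,\s]+)                   # quoted or bare value
''', re.VERBOSE)

PASSWORD_ATTRS = {"user-password", "cleartext-password", "crypt-password",
                  "nt-password", "lm-password"}


def _items(text):
    """Parse 'Attr op value, Attr op value' into a list of tuples."""
    out = []
    for name, op, value in ITEM.findall(text):
        if value.startswith('"'):
            value = value[1:-1]                   # drop the surrounding quotes
        out.append((name, op, value))
    return out


def parse_users(text):
    """Split each entry into check items (first line) and reply items (the rest)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                  # column 0 starts a new entry
            parts = raw.split(None, 1)
            entries.append({"name": parts[0], "line": lineno,
                            "check": _items(parts[1] if len(parts) > 1 else ""),
                            "reply": []})
        elif entries:                             # indented line: reply items
            entries[-1]["reply"].extend(_items(raw))
    return entries


def lint(entries):
    """Warn about passwords placed on reply lines, where they are not requirements."""
    warnings = []
    for entry in entries:
        for name, _op, _value in entry["reply"]:
            if name.lower() in PASSWORD_ATTRS:
                warnings.append(
                    "%s (line %d): %s is on a reply line, so it is not a "
                    "requirement for the login; move it to the first line"
                    % (entry["name"], entry["line"], name))
    return warnings


SAMPLE = '''\
# Constructed users file, not the poster's. The Calling-Station-Id check
# assumes the NAS sends the client MAC in that attribute, in this format.
alice   Cleartext-Password := "s3cret", Calling-Station-Id == "00-11-22-33-44-55"
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-ID := 18

bob
        User-Password == "hunter2",
        Tunnel-Private-Group-ID := 4
'''

if __name__ == "__main__":
    parsed = parse_users(SAMPLE)
    for entry in parsed:
        print(entry["name"], "check:", entry["check"], "reply:", entry["reply"])
    for warning in lint(parsed):
        print("WARNING:", warning)
```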


Re: mschapv2 and peap not working, please help

2011-04-07 Thread syharash
Cleaning up request 33 ID 65 with timestamp +402
Cleaning up request 34 ID 66 with timestamp +402
Cleaning up request 35 ID 67 with timestamp +402
Cleaning up request 36 ID 68 with timestamp +402
Cleaning up request 37 ID 69 with timestamp +402
Ready to process requests.



Please help me with sqlcounter

2011-03-21 Thread frankfang
I want to use sqlcounter to control the user's traffic usage, and I have
these needs:

1. I have read the wiki about sqlcounter, http://wiki.freeradius.org/Rlm_sqlcounter,
and I get that %b is the unix time value of the beginning of the reset
period, but how can I set this value? I want sqlcounter to begin counting at
a specific time such as the register time. Is it possible?

2. When a user's traffic usage is over a value, I hope the server will disconnect
the connected user immediately. Is it possible to do this?

I have read some articles about sqlcounter, but I'm still confused about
these questions. Can anyone help me?

I very much appreciate your help



Re: Please help me with sqlcounter

2011-03-21 Thread Suman Dash
I am trying to do the same in sqlcounter but it looks like the %b is hard 
coded and there is no way to make it dynamically read from the database. I 
have tried using a custom sqlcounter but it does not escape properly.


Anyone's effort in commenting on this thread will be highly appreciated, as 
it will enable the user to do custom time-based session accounting 
instead of fixed 1 ~ 30 date accounting.


Best Regards
Suman


On 3/21/2011 11:54 AM, frankfang wrote:

I want to use sqlcounter to control the user's traffic usage, and I have
these needs:

1. I have read the wiki about sqlcounter, http://wiki.freeradius.org/Rlm_sqlcounter,
and I get that %b is the unix time value of the beginning of the reset
period, but how can I set this value? I want sqlcounter to begin counting at
a specific time such as the register time. Is it possible?

2. When a user's traffic usage is over a value, I hope the server will disconnect
the connected user immediately. Is it possible to do this?

I have read some articles about sqlcounter, but I'm still confused about
these questions. Can anyone help me?

I very much appreciate your help


JRadius with FreeRADIUS - Please help me in solving this issue

2010-06-02 Thread Karuna G. Kumar
Hi,

I am using FreeRADIUS 2.1.8 and JRadius 1.0.0 on my machine. When I send the 
Access-Request, it gives me the error "No authenticate method (Auth-Type) 
configuration found for the request: Rejecting the user". Please help me. Did I 
miss any configuration?

In sites-available/default file, I have added 'jradius' under authorize module 
commenting 'files'.

In radiusd.conf, I added the following module.

jradius {
  name        = example          # The Requester name (a single
                                 # JRadius server can have
                                 # multiple applications)
  primary     = localhost        # Uses default port 1814
  secondary   = 192.168.0.1      # Fail-over server
  tertiary    = 192.168.0.1:8002 # Fail-over server on port 8002
  timeout     = 1                # Connect Timeout
  onfail      = NOOP             # What to do if no JRadius
                                 # Server is found. Options are:
                                 # FAIL (default), OK, REJECT, NOOP
  keepalive   = yes              # Keep connections to JRadius pooled
  connections = 8                # Number of pooled JRadius connections
}

Thanking You,
Karun.

Log:


FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on May 10 2010 at 
16:37:47
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb

Re: JRadius with FreeRADIUS - Please help me in solving this issue

2010-06-02 Thread Alan DeKok
Karuna G. Kumar wrote:
 Hi,
 
 I am using FreeRADIUS 2.1.8 and JRadius 1.0.0 on my machine. When I send the 
 Access-Request, it gives me the error "No authenticate method (Auth-Type) 
 configuration found for the request: Rejecting the user". Please help me. Did 
 I miss any configuration?

  You need to tell the server what the users known good password is.

  You also need to list pap last in the authorize section.  You have
deleted it.  Why?

  Alan DeKok.


RE: JRadius with FreeRADIUS - Please help me in solving this issue

2010-06-02 Thread Karuna G. Kumar
I am trying to authorize / authenticate the user from a JRadius handler. I want 
to validate the user name and password both from our application's data 
repository using EJB calls. Hence, I don't want to look in to users file at 
all. Do I need to still enable PAP for it?

Please let me know if I am going in a wrong direction. Please suggest me how to 
get success in this scenario.


-Original Message-
From:   freeradius-users-bounces+karuna.kumar=indscape@lists.freeradius.org 
on behalf of Alan DeKok
Sent:   Wed 6/2/2010 2:14 PM
To: FreeRadius users mailing list
Cc: 
Subject:Re: JRadius with FreeRADIUS - Please help me in solving this 
issue

Karuna G. Kumar wrote:
 Hi,
 
 I am using FreeRADIUS 2.1.8 and JRadius 1.0.0 on my machine. When I send the 
 Access-Request, it gives me the error "No authenticate method (Auth-Type) 
 configuration found for the request: Rejecting the user". Please help me. Did 
 I miss any configuration?

  You need to tell the server what the users known good password is.

  You also need to list pap last in the authorize section.  You have
deleted it.  Why?

  Alan DeKok.

Re: JRadius with FreeRADIUS - Please help me in solving this issue

2010-06-02 Thread Alan DeKok
Karuna G. Kumar wrote:
 I am trying to authorize / authenticate the user from a JRadius handler. I 
 want to validate the user name and password both from our application's data 
 repository using EJB calls. Hence, I don't want to look in to users file at 
 all. Do I need to still enable PAP for it?

  What did my previous message say?

 Please let me know if I am going in a wrong direction. Please suggest me how 
 to get success in this scenario.

  I made a suggestion.  You refused to follow it.

  Alan DeKok.


RE: JRadius with FreeRADIUS - Please help me in solving this issue

2010-06-02 Thread Karuna G. Kumar
Hi,

Now I got some improvement than before I guess.

Now, I am getting the error like... 

[pap] login attempt with password testing
[pap] Using CRYPT encryption.
[pap] Passwords don't match

I am passing the Clear text password to FreeRADIUS. but, why is this failing ?

Please help me.

Logs:
=

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.109 port 44867, id=15, 
length=95
User-Name = karun
Acct-Session-Id = 001
NAS-Identifier = NASIDTest
NAS-IP-Address = 192.168.1.120
Called-Station-Id = called
Calling-Station-Id = caller
NAS-Port = 1234
NAS-Port-Type = Ethernet
User-Password = testing
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = karun, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
rlm_jradius: Reserving JRadius socket id: 7
rlm_jradius: packing attribute User-Name (type: 1; len: 5)
rlm_jradius: packing attribute Acct-Session-Id (type: 44; len: 3)
rlm_jradius: packing attribute NAS-Identifier (type: 32; len: 9)
rlm_jradius: packing attribute NAS-IP-Address (type: 4; len: 4)
rlm_jradius: packing attribute Called-Station-Id (type: 30; len: 6)
rlm_jradius: packing attribute Calling-Station-Id (type: 31; len: 6)
rlm_jradius: packing attribute NAS-Port (type: 5; len: 4)
rlm_jradius: packing attribute NAS-Port-Type (type: 61; len: 4)
rlm_jradius: packing attribute User-Password (type: 2; len: 7)
rlm_jradius: packing packet with code: 1 (attr length: 156)
rlm_jradius: packing packet with code: 0 (attr length: 0)
rlm_jradius: packing attribute Crypt-Password (type: 1006; len: 98)
rlm_jradius: sending 307 bytes to socket 7
rlm_jradius: return code 8; receiving 2 packets
rlm_jradius: reading packet: code=1 len=156
rlm_jradius: reading attribute: type=1; len=5
rlm_jradius: reading attribute: type=44; len=3
rlm_jradius: reading attribute: type=32; len=9
rlm_jradius: reading attribute: type=4; len=4
rlm_jradius: reading attribute: type=30; len=6
rlm_jradius: reading attribute: type=31; len=6
rlm_jradius: reading attribute: type=5; len=4
rlm_jradius: reading attribute: type=61; len=4
rlm_jradius: reading attribute: type=2; len=7
rlm_jradius: reading packet: code=0 len=0
rlm_jradius: reading request: config_item: len=187
rlm_jradius: reading attribute: type=1006; len=98
rlm_jradius: reading attribute: type=1100; len=7
rlm_jradius: reading attribute: type=1259012098; len=32
rlm_jradius: reading attribute: type=1259012097; len=2
rlm_jradius: Released JRadius socket id: 7
++[jradius] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - karun
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 15 to 192.168.1.109 port 44867
Waking up in 4.9 seconds.
Cleaning up request 0 ID 15 with timestamp +6
Ready to process requests.




-Original Message-
From:   freeradius-users-bounces+karuna.kumar=indscape@lists.freeradius.org 
on behalf of Karuna G. Kumar
Sent:   Wed 6/2/2010 3:20 PM
To: FreeRadius users mailing list
Cc: 
Subject:RE: JRadius with FreeRADIUS - Please help me in solving this 
issue

I am trying to authorize / authenticate the user from a JRadius handler. I want 
to validate the user name and password both from our application's data 
repository using EJB calls. Hence, I don't want to look into the users file at 
all. Do I still need to enable PAP for it?

Please let me know if I am going in the wrong direction. Please suggest how to 
succeed in this scenario.


-Original Message-
From:   freeradius-users-bounces+karuna.kumar=indscape@lists.freeradius.org 
on behalf of Alan DeKok
Sent:   Wed 6/2/2010 2:14 PM
To: FreeRadius users mailing list
Cc: 
Subject:Re: JRadius with FreeRADIUS - Please help me in solving this 
issue

Karuna G. Kumar wrote:
 Hi,
 
 I am using FreeRADIUS 2.1.8 and JRadius 1.0.0 on my machine. When I send the 
 Access-Request, it gives me the error "No authenticate method (Auth-Type) 
 configuration found for the request: Rejecting the user". Please help me. Did 
 I miss any configuration?

  You need to tell the server what the user's known good password is.

  You also need to list pap last in the authorize section.  You have
deleted it.  Why?

  Alan DeKok

Re: JRadius with FreeRADIUS - Please help me in solving this issue

2010-06-02 Thread Alan Buxey
Hi,

 [pap] login attempt with password testing
 [pap] Using CRYPT encryption.

yes, crypt...which means

 ++[unix] returns updated

..that you have a matching entry in /etc/passwd - hence CRYPT

alan


RE: JRadius with FreeRADIUS - Please help me in solving this issue

2010-06-02 Thread Karuna G. Kumar
I used a different user name (karun) and password (karunkarun) also. But the 
result is the same.

I am using Ubuntu and am very new to this OS. Can you please explain a little 
more about what's going wrong here?

Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password karunkarun
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject

Thanking You,
Karun.


Re: JRadius with FreeRADIUS - Please help me in solving this issue

2010-06-02 Thread Alan Buxey
Hi,
 I used different user name (karun) and password (karunkarun) also. But the 
 result is same.

do you have karun in the /etc/passwd file? from the logs you do


alan


RE: JRadius with FreeRADIUS - Please help me in solving this issue

2010-06-02 Thread Karuna G. Kumar
Yes. As you said, I found 'karun' in the /etc/passwd file. Now, I used different 
credentials and it's working fine. I am able to do PAP authentication now. 
Thanks a lot.

Thanks a lot to Alan DeKok too for his valuable response.
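
The two rejects seen in this thread (no Auth-Type at all, and PAP comparing against a crypt hash picked up from /etc/passwd) can be told apart from the radiusd -X output alone. The following is an added example, not code from the thread or from FreeRADIUS; the function name triage, the diagnosis labels and the second, constructed log are assumptions made for illustration.

```python
import re

SECTION = re.compile(r"^\+- entering group (\S+)")
MODULE_RC = re.compile(r"^\++\[([\w.]+)\] returns (\w+)")
PAP_SCHEME = re.compile(r"^\[pap\] Using (\S+) encryption")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"


def triage(debug_output):
    """Walk the debug lines of one request and classify a reject."""
    info = {"authorize": {}, "auth_type": None, "scheme": None,
            "mismatch": False, "pap_in_authorize": False, "diagnosis": None}
    section = None
    no_auth_type = False
    for raw in debug_output.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = MODULE_RC.match(line)
        if m:
            # Only return codes from the authorize section say which
            # modules touched the request before authentication.
            if section == "authorize":
                info["authorize"][m.group(1)] = m.group(2)
            continue
        m = AUTH_TYPE.match(line)
        if m:
            info["auth_type"] = m.group(1)
            continue
        m = PAP_SCHEME.match(line)
        if m:
            info["scheme"] = m.group(1)
            continue
        if line == "[pap] Passwords don't match":
            info["mismatch"] = True
        elif line.startswith(NO_AUTH_TYPE):
            no_auth_type = True

    info["pap_in_authorize"] = "pap" in info["authorize"]
    if no_auth_type:
        # Nothing supplied a known good password and/or pap was not
        # listed in authorize, so no Auth-Type was ever chosen.
        info["diagnosis"] = "no-auth-type"
    elif (info["mismatch"] and info["scheme"] == "CRYPT"
          and info["authorize"].get("unix") == "updated"):
        # unix found a system account with this User-Name, so PAP
        # compared the request against that account's crypt hash.
        info["diagnosis"] = "system-account-crypt"
    elif info["mismatch"]:
        info["diagnosis"] = "password-mismatch"
    return info


# Abridged from the debug output posted in this thread.
LOG_CRYPT = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[unix] returns updated
++[jradius] returns updated
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
"""

# Constructed sample: pap removed from authorize, as in the first report.
LOG_NO_AUTH_TYPE = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[jradius] returns updated
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
"""

if __name__ == "__main__":
    for name, log in (("crypt", LOG_CRYPT), ("no auth-type", LOG_NO_AUTH_TYPE)):
        result = triage(log)
        print(name, "->", result["diagnosis"],
              "| pap in authorize:", result["pap_in_authorize"])
```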





Please help me

2009-06-22 Thread josgeorge thaikudathil
 Hi,

I am using a FreeRADIUS version available with Red Hat 4.5; the RPM name is
freeradius-1.0.1-3.RHEL4.3.i386.rpm

I am trying to use the ippool configuration. The configurations I have made are:


in radiusd.conf  file


ippool main_pool {
        #  range-start,range-stop: The start and end ip
        #  addresses for the ip pool
        range-start = 10.143.71.15
        range-stop = 10.143.71.25
        #  netmask: The network mask used for the ip's
        netmask = 255.255.255.0
        #  cache-size: The gdbm cache size for the db
        #  files. Should be equal to the number of ip's
        #  available in the ip pool
        cache-size = 800
        # session-db: The main db file used to allocate ip's to clients
        session-db = ${raddbdir}/db.ippool
        # ip-index: Helper db index file used in multilink
        ip-index = ${raddbdir}/db.ipindex
        # override: Will this ippool override a Framed-IP-Address already set
        override = yes
        # maximum-timeout: If not zero specifies the maximum time in seconds an
        # entry may be active. Default: 0
        maximum-timeout = 0
}
accounting {
        main_pool
}

post-auth {
        main_pool
}
--
in users file

steve   Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

DEFAULT  Pool-Name := main_pool

--

in clients file

 nas ip  secret key
-

and i am getting  errors when i run /usr/sbin/radiusd -A -X




 modcall: entering group post-auth for request 0
rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module main_pool returns noop for request 0
rlm_ippool: Could not find Pool-Name attribute.
I  am suspecting  some problem with users file  ... Can you please help  me
to find out what is missing









-- 
Thanks and regards
Jos george.
9844459056

Re: Please help me

2009-06-22 Thread Ivan Kalik
 in users file

  steve   Auth-Type := Local, User-Password == testing
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-IP-Address = 172.16.3.33,
 Framed-IP-Netmask = 255.255.255.0,
 Framed-Routing = Broadcast-Listen,
 Framed-Filter-Id = std.ppp,
 Framed-MTU = 1500,
 Framed-Compression = Van-Jacobsen-TCP-IP

Add Fall-Through = yes.


 DEFAULT  Pool-Name := main_pool

Or add it to DEFAULT entry and place DEFAULT entry above user entries.

Ivan Kalik
Kalik Informatika ISP



Re: Please help me (Ivan Kalik)

2009-06-22 Thread josgeorge thaikudathil
 Hi ,

Thank you very much for the response, but I am still getting the same error.
Can you please suggest accordingly? I have done 3 different tries in my user
file; those tries and the output are given below.

Also, one more thing I remember: during my installation the db.ippool and
db.index files were not created, so I had to create those files in the
respective directory, and I gave appropriate permissions for that.

Will that create any problem? Also, while using the command
rlm_ippool_tool -a ip-pool.db ip-index.db I am getting output as 0. Is that a
problem?

DEFAULT Pool-Name := main_pool
        Fall-Through = Yes

steve   Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = steve, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched DEFAULT at 81
users: Matched steve at 84
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Could not find nas port information. Return NOOP.
  modcall[post-auth]: module main_pool returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 2 to 10.143.71.15:3734
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = std.ppp
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 2 with timestamp 4a3f7d84
Nothing to do.  Sleeping until we see a request.
--
steve   Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP,

        Fall-Through = Yes
DEFAULT Pool-Name := main_pool

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = steve, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched steve at 82
users: Matched DEFAULT at 94
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Could not find nas port information. Return NOOP.
  modcall[post-auth]: module main_pool returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 3 to 10.143.71.15:3740
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = std.ppp
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 3 with timestamp 4a3f7e1c
Nothing to do.  Sleeping until we see a request.
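
The three orderings of the users file tried in this thread, replayed through a simplified model of in-order matching with Fall-Through. This is an added example, not FreeRADIUS code: the parser, the function names and the shortened reply lists are assumptions, and "==" check items are simply compared against the request here.

```python
import re

ITEM = re.compile(r"\s*([\w-]+)\s*(:=|==|=)\s*(.+?)\s*$")


def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    items = []
    for part in text.split(","):
        if part.strip():
            m = ITEM.match(part)
            if not m:
                raise ValueError("cannot parse item: %r" % part)
            items.append(m.groups())
    return items


def parse_users(text):
    """Parse users-file text into an ordered list of entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented lines are reply items of the entry above them.
            if not entries:
                raise ValueError("reply item before any entry, line %d" % lineno)
            entries[-1]["reply"] += parse_items(line)
        else:
            fields = line.split(None, 1)
            check = parse_items(fields[1]) if len(fields) > 1 else []
            entries.append({"name": fields[0], "line": lineno,
                            "check": check, "reply": []})
    return entries


def authorize(entries, request):
    """Return (matched entry names, control items, reply items)."""
    control, reply, matched = {}, {}, []
    for entry in entries:
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if any(op == "==" and request.get(attr) != value
               for attr, op, value in entry["check"]):
            continue
        matched.append(entry["name"])
        for attr, op, value in entry["check"]:
            if op == ":=":
                control[attr] = value      # e.g. Auth-Type, Pool-Name
        fall_through = False
        for attr, op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.setdefault(attr, value)
        if not fall_through:
            break                          # later entries are never read
    return matched, control, reply


# Constructed from the entries posted in the thread, reply lists shortened.
ORIGINAL = """\
steve   Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-IP-Address = 172.16.3.33

DEFAULT  Pool-Name := main_pool
"""

DEFAULT_FIRST = """\
DEFAULT Pool-Name := main_pool
        Fall-Through = Yes

steve   Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-IP-Address = 172.16.3.33
"""

USER_FALLS_THROUGH = """\
steve   Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-IP-Address = 172.16.3.33,
        Fall-Through = Yes

DEFAULT Pool-Name := main_pool
"""

REQUEST = {"User-Name": "steve", "User-Password": "testing"}  # constructed


def pool_for(users_text):
    """Which entries matched, and which Pool-Name (if any) was set."""
    matched, control, _reply = authorize(parse_users(users_text), REQUEST)
    return matched, control.get("Pool-Name")


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL),
                        ("DEFAULT first", DEFAULT_FIRST),
                        ("Fall-Through on user", USER_FALLS_THROUGH)):
        print(label, "->", pool_for(text))
```

Only the first layout leaves Pool-Name unset, which corresponds to the "Could not find Pool-Name attribute" message in the first report; the other two reproduce the match order shown in the logs above.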

radclient: no response from server ... please help newbe.

2009-06-17 Thread Gregory Machin
Hi 
Please could someone help a newbie ...

I'm using the following stack FreeRADIUS Version 2.1.3 with coova-chilli-1.0.13 
 with Daloradius .


I'm having issues with sending POD from Daloradius and radclient via the 
command line

[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' 
-t '3' -x '192.168.11.1:1700' 'disconnect' 'test123' 21
Sending Disconnect-Request of id 114 to 192.168.11.1 port 1700
User-Name = TC-Demo
^X^C
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' 
-t '3' -x '192.168.11.1:1814' 'disconnect' 'test123' 21
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
radclient: no response from server for ID 77 socket 3
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' 
-t '3' -x '192.168.11.1:1813' 'disconnect' 'test123' 21
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
radclient: no response from server for ID 215 socket 3
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n '3' -r '3' 
-t '3' -x '192.168.11.1:1812' 'disconnect' 'test123' 21
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
radclient: no response from server for ID 168 socket 3


The server is listening on all the ports I have tried ..

r...@localhost ~]# netstat -antup | grep rad
udp        0      0 0.0.0.0:1812      0.0.0.0:*      2461/radiusd
udp        0      0 0.0.0.0:1813      0.0.0.0:*      2461/radiusd
udp        0      0 0.0.0.0:1814      0.0.0.0:*      2461/radiusd


What have I missed ...



Regards
Gregory Machin
Email: gmac...@techconcepts.co.za
Cell:   +27 (0) 72 524 5098
gtalk:  gmachin.techconce...@gmail.com
Support
helpd...@techconcepts.co.za
Tell: +27 (0) 11 803 2169
Fax: +27 (0) 11 803 2189
After Hours
Cell:+27 (0) 82 790 0796 




Re: radclient: no response from server ... please help newbe.

2009-06-17 Thread Nicolas Goutte


On 17.06.2009 at 13:43, Gregory Machin wrote:


Hi
Please could someone help a newbie ...

I'm using the following stack FreeRADIUS Version 2.1.3 with coova- 
chilli-1.0.13  with Daloradius .



I'm having issues with sending POD from Daloradius and radclient via  
the command line


[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n  
'3' -r '3' -t '3' -x '192.168.11.1:1700' 'disconnect' 'test123' 21

Sending Disconnect-Request of id 114 to 192.168.11.1 port 1700
User-Name = TC-Demo
^X^C
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n  
'3' -r '3' -t '3' -x '192.168.11.1:1814' 'disconnect' 'test123' 21

Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
Sending Disconnect-Request of id 77 to 192.168.11.1 port 1814
User-Name = TC-Demo
radclient: no response from server for ID 77 socket 3
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n  
'3' -r '3' -t '3' -x '192.168.11.1:1813' 'disconnect' 'test123' 21

Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
Sending Disconnect-Request of id 215 to 192.168.11.1 port 1813
User-Name = TC-Demo
radclient: no response from server for ID 215 socket 3
[r...@localhost ~]# echo User-Name='TC-Demo' | radclient -c '1' -n  
'3' -r '3' -t '3' -x '192.168.11.1:1812' 'disconnect' 'test123' 21

Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
Sending Disconnect-Request of id 168 to 192.168.11.1 port 1812
User-Name = TC-Demo
radclient: no response from server for ID 168 socket 3


The server is listening on all the ports I have tried ..

r...@localhost ~]# netstat -antup | grep rad
udp        0      0 0.0.0.0:1812      0.0.0.0:*      2461/radiusd
udp        0      0 0.0.0.0:1813      0.0.0.0:*      2461/radiusd
udp        0      0 0.0.0.0:1814      0.0.0.0:*      2461/radiusd



What have I missed ...


Do you know (via tcpdump, wireshark or so) that the packets do arrive  
on the computer where Freeradius runs? If not, check firewall settings  
of both computers and of anything that might be between.


Have a nice day!






Regards
Gregory Machin
Email: gmac...@techconcepts.co.za
Cell:   +27 (0) 72 524 5098
gtalk:  gmachin.techconce...@gmail.com
Support
helpd...@techconcepts.co.za
Tell: +27 (0) 11 803 2169
Fax: +27 (0) 11 803 2189
After Hours
Cell:+27 (0) 82 790 0796




Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: radclient: no response from server ... please help newbe.

2009-06-17 Thread Ivan Kalik
 I'm using the following stack FreeRADIUS Version 2.1.3 with
 coova-chilli-1.0.13  with Daloradius .


 I'm having issues with sending POD from Daloradius and radclient via the
 command line

Send it to NAS (coova-chilli), not radius server.

Ivan Kalik
Kalik Informatika ISP



RE: radclient: no response from server ... please help newbe.

2009-06-17 Thread Gregory Machin
From: freeradius-users-bounces+gregorym=techconcepts.co...@lists.freeradius.org 
[freeradius-users-bounces+gregorym=techconcepts.co...@lists.freeradius.org] On 
Behalf Of Ivan Kalik [...@kalik.net]
Sent: Wednesday, June 17, 2009 1:57 PM
To: FreeRadius users mailing list
Subject: Re: radclient: no response from server ... please help newbe.

 I'm using the following stack FreeRADIUS Version 2.1.3 with
 coova-chilli-1.0.13  with Daloradius .


 I'm having issues with sending POD from Daloradius and radclient via the
 command line

Send it to NAS (coova-chilli), not radius server.

Ivan Kalik
Kalik Informatika ISP



The whole stack is running on the same server. I have tried to send it to the 
chilli ports with the same results..

Thanks




Please help me ...thanks in advance

2009-05-05 Thread praveen saxena
Hi,
I am a newbie in the RADIUS field.
I have a Linux machine which has RHEL WS 4 Update 5 OS loaded.
I have installed FreeRADIUS server version 2.1.5 on another machine.
I want to authenticate the Linux machine login through the RADIUS server.

I have tried several ways to configure the Linux machine as published in
several groups, but they did not work. I tried through the PAM module.

If somebody can help me out in this matter or point to some good links, it will
be helpful to me.


Best Regards
Praveen

Re: Please help me ...thanks in advance

2009-05-05 Thread Ivan Kalik
 I have a Linux machine which has RHEL WS 4 Update 5 OS loaded.
 I have installed freeRadius server version 2.1.5. in another machine.
 I want to authenticate the linux machine login through Radius server.

 I have tried several ways to configure the linux machine as published in
 several
 groups but did not work.Tried through PAM module.

 If some body can help me out in this matter or point to some good
 links,will
 be helpful to
 me.

http://freeradius.org/pam_radius_auth/

Ivan Kalik
Kalik Informatika ISP



Re: Problem with udpfromto in version 2.1.1 - please help

2009-02-09 Thread Will D. Spann
Alan DeKok,

 Unfortunately, I'm getting the same negative results when running the
 recommended initial radtest test radtest test test localhost 0
 testing123.  The following is the output I get.
 
 radclient: socket: cannot initialize udpfromto: Function not implemented
 
 I'm not sure where to go from here.  I'm still running with the default
 configuration.

  You need to re-build the server without support for udpfromto.

I read up on udpfromto, and from what I can tell the openSUSE 11.1 (x64) 
package for v2.1.1 DOESN'T have udpfromto support compiled in.  I believe this 
to be the case, because changing my radiusd.conf so that the server is only 
listening on a single IP, instead of the default of *, fixed my problem.  
radtest now gets a reply, and no longer issues an error.  With this 
configuration, udpfromto isn't needed, so there is no more problem.

Thanks for pointing me in the right direction.

Will Spann




Re: Problem with udpfromto in version 2.1.1 - please help

2009-02-04 Thread Alan DeKok
Will D. Spann wrote:
 I see; thanks for the clarification.  This is a departure from how
 FreeRADIUS 1.0 was configured, where the authenticate and authorize
 sections resided in the radiusd.conf file.

  Yes... and the comments in the file you edited document this.

 However, I noticed a new permission denied error, related to SSL in
 the rlm_eap module.  Based on this, I checked the ownership/permissions
 of the configuration files and keys in the /etc/raddb folder  below. 
 It turns out they were all set to root.root  r/w for root user only! 

  That is an issue, and should be fixed.

 But the default configuration has radiusd running as the radiusd user,

  Maybe on Suse.  That's not the default in the freeradius distribution.

 Unfortunately, I'm getting the same negative results when running the
 recommended initial radtest test radtest test test localhost 0
 testing123.  The following is the output I get.
 
 radclient: socket: cannot initialize udpfromto: Function not implemented
 
 I'm not sure where to go from here.  I'm still running with the default
 configuration.

  You need to re-build the server without support for udpfromto.

  Alan DeKok.


RE: Problem with udpfromto in version 2.1.1 - please help

2009-02-03 Thread Will D. Spann
Ivan Kalik,

I should note that in my radiusd.conf file, I'm not including eap.conf nor 
sites-enabled/, but other than that I have all default settings.

Well done! By removing /sites-enabled you have stopped the server from
processing all As from AAA (authentication, authorization and
accounting) in one masterful stroke. Now put everything back as it was.

Thanks for the reply.  I didn't realize disabling sites-enabled would disable 
all AAA services.

Running radiusd -X as root with default settings gives errors related to EAP 
and Diffie-Hellman.  I'm running the x64 package from openSUSE 11.1 (FreeRADIUS 
2.1.1).  I have OpenSSL 0.9.8h installed.

The radiusd -X output is listed below.  Thanks for any comments on this.

Will


gcwifi-auth-vm:~ # radiusd -X
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Dec  3 2008 
at 13:57:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE.  
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2.   
Starting - reading configuration files ...   
including configuration file /etc/raddb/radiusd.conf 
including configuration file /etc/raddb/proxy.conf   
including configuration file /etc/raddb/clients.conf 
including files in directory /etc/raddb/modules/ 
including configuration file /etc/raddb/modules/pam  
including configuration file /etc/raddb/modules/pap  
including configuration file /etc/raddb/modules/chap 
including configuration file /etc/raddb/modules/echo 
including configuration file /etc/raddb/modules/exec 
including configuration file /etc/raddb/modules/expr 
including configuration file /etc/raddb/modules/ldap 
including configuration file /etc/raddb/modules/krb5 
including configuration file /etc/raddb/modules/unix 
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/radutmp  
including configuration file /etc/raddb/modules/counter  
including configuration file /etc/raddb/modules/acct_unique  
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mac2vlan 
including configuration file /etc/raddb/modules/linelog  
including configuration file /etc/raddb/modules/detail.example.com   
including configuration file /etc/raddb/modules/checkval 
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sql_log  
including configuration file /etc/raddb/modules/sradutmp 
including configuration file /etc/raddb/modules/always   
including configuration file /etc/raddb/modules/attr_rewrite 
including configuration file /etc/raddb/modules/detail   
including configuration file /etc/raddb/modules/digest   
including configuration file /etc/raddb/modules/ippool   
including configuration file /etc/raddb/modules/mac2ip   
including configuration file /etc/raddb/modules/mschap   
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd   
including configuration file /etc/raddb/modules/policy   
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess   
including configuration file /etc/raddb/modules/attr_filter  
including configuration file /etc/raddb/modules/detail.log   
including configuration file /etc/raddb/modules/expiration   
including configuration file /etc/raddb/eap.conf 
including configuration file /etc/raddb/sql.conf 
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf   
including configuration file /etc/raddb/policy.conf  
including files in directory /etc/raddb/sites-enabled/   
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel   
group = radiusd  
user = radiusd   
including dictionary file /etc/raddb/dictionary  
main {   
prefix = /usr  
localstatedir = /var   
logdir = /var/log/radius   
libdir = /usr/lib64/freeradius 
radacctdir = /var/log/radius/radacct   
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024  
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid 
checkrad = /usr/sbin/checkrad  
debug_level = 0  
proxy_requests = yes 
 log {   
stripped_names = no  
auth = no
auth_badpass = no
auth_goodpass = no   
 }   
 security {  
max_attributes = 200 
reject_delay = 1 
status_server = yes  
 }   
}
 client localhost {  
ipaddr = 127.0.0.1   
require_message_authenticator = no   
secret = testing123
nastype = other
 }   

Re: Problem with udpfromto in version 2.1.1 - please help

2009-02-03 Thread Alan DeKok
Will D. Spann wrote:
> Thanks for the reply.  I didn't realize disabling sites-enabled would
> disable all AAA services.

  The comments in radiusd.conf just before that say that the authorize
etc. sections are in virtual hosts, and that the include line includes
those virtual hosts.

> Running radiusd -X as root with default settings gives errors related to
> EAP and Diffie-Hellman.  I'm running the x64 package from openSUSE 11.1
> (FreeRADIUS 2.1.1).  I have OpenSSL 0.9.8h installed.

  Run the bootstrap command as root.

  Alan DeKok.


Re: Problem with udpfromto in version 2.1.1 - please help

2009-02-03 Thread Will D. Spann
Alan,

  The comments in radiusd.conf just before that say that the authorize
etc. sections are in virtual hosts, and that the include line includes
those virtual hosts.

I see; thanks for the clarification.  This is a departure from how FreeRADIUS 
1.0 was configured, where the authenticate and authorize sections resided in 
the radiusd.conf file.

 Running radiusd -X as root with default settings gives errors related to
 EAP and Diffie-Hellman.  I'm running the x64 package from openSUSE 11.1
 (FreeRADIUS 2.1.1).  I have OpenSSL 0.9.8h installed.

  Run the bootstrap command as root.

Thanks for the suggestion.  I ran the /etc/raddb/certs/bootstrap script, and it 
successfully created the self-signed SSL certificates for EAP.  Now the 
Diffie-Hellman errors have gone away, when I run radiusd -X.  At this point I 
was still getting the remaining EAP-related errors.

However, I noticed a new permission denied error, related to SSL in the 
rlm_eap module.  Based on this, I checked the ownership/permissions of the 
configuration files and keys in the /etc/raddb folder  below.  It turns out 
they were all set to root.root  r/w for root user only!  But the default 
configuration has radiusd running as the radiusd user, so it couldn't read the 
files it needed access to.  Changing the ownership to root.radiusd and the 
permissions to r/w for root and read for the radiusd group solved my startup 
problem.  Thanks again.  I would never have seen this cause without getting 
past the SSL key creation issue.

Unfortunately, I'm getting the same negative results when running the 
recommended initial radtest test radtest test test localhost 0 testing123.  
The following is the output I get.

radclient: socket: cannot initialize udpfromto: Function not implemented

I'm not sure where to go from here.  I'm still running with the default 
configuration.

Thanks for any additional help.

Will Spann


The abbreviated radiusd -X output I received PRIOR to fixing the 
ownership/permissions problem is below, for reference.  Now radiusd runs 
without errors.


gcwifi-auth-vm:/etc/raddb # radiusd -X
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Dec  3 2008 
at 13:57:16
[...]
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
 }
}
Errors initializing modules



  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
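
Added example (not part of the original thread and not FreeRADIUS code): a read-only audit for the failure Will describes above, where files under /etc/raddb were readable by root only while the server ran as the radiusd user. The function names are this example's own; the account name radiusd and the path /etc/raddb are the ones from the message.

```python
import os
import stat


def _class_allows(st, uid, gids, owner_bit, group_bit, other_bit):
    """Unix consults exactly one permission class: owner, else group, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def audit_tree(root, uid, gids):
    """Return {relative_path: [problems]} for the service account (uid, gids)."""
    findings = {}

    def check(path):
        rel = os.path.relpath(path, root)
        try:
            st = os.stat(path)
        except OSError as exc:
            findings[rel] = ["cannot stat: %s" % exc.strerror]
            return
        problems = []
        if stat.S_ISDIR(st.st_mode):
            # Directories need the search (x) bit before anything inside is reachable.
            if not _class_allows(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
                problems.append("service account cannot enter directory")
        elif not _class_allows(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
            problems.append("service account cannot read file")
        # Keys and shared secrets live here, so "other" should have no access.
        if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
            problems.append("readable or writable by other users")
        if problems:
            findings[rel] = problems

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return findings


if __name__ == "__main__":
    import grp
    import pwd

    acct = pwd.getpwnam("radiusd")  # account name taken from the message
    gids = {acct.pw_gid} | {g.gr_gid for g in grp.getgrall() if acct.pw_name in g.gr_mem}
    for rel, problems in sorted(audit_tree("/etc/raddb", acct.pw_uid, gids).items()):
        print(rel, "->", "; ".join(problems))
```

Run it as root so every entry can be inspected; a tree owned root:radiusd with mode 640 on files, as in Will's fix, produces no findings.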

Re: Problem with udpfromto in version 2.1.1 - please help

2009-02-01 Thread tnt
I should note that in my radiusd.conf file, I'm not including eap.conf nor 
sites-enabled/, but other than that I have all default settings.

Well done! By removing /sites-enabled you have stopped the server from
processing all As from AAA (authentication, authorization and
accounting) in one masterful stroke. Now put everything back as it was.

Ivan Kalik
Kalik Informatika ISP



Re: please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-07 Thread tnt
If I use PEAP with NT-PASSWORD, will my freeradius work?


Yes.

Ivan Kalik
Kalik Informatika ISP



Re: please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-07 Thread Diogo Teixeira
Please,

Explain to me how to do this. Can you explain it to me, please? I have not found
a tutorial anywhere that explains: Howto freeradius + peap + DB with NT-Passwords !!!

To use PEAP with NT-PASSWORD, the only thing that I can do is add a new user
in the DB with this query:

INSERT INTO radcheck (username, attribute, op, value) VALUES
('NT','NT-Password', ':=',  'C6E4266FEBEBD6A8AAD3B435B51404EE');

???

C6E4266FEBEBD6A8AAD3B435B51404EE == tiger 

I don't know how I can generate NT-Passwords! =/

Do I have to configure anything in radiusd.conf?

Many, many thanks for your BIG patience.

Best Regards,

Diogo Teixeira


2008/12/7 [EMAIL PROTECTED]

 If i use PEAP with NT-PASSWORD, my freeradius it works ?
 

 Yes.

 Ivan Kalik
 Kalik Informatika ISP


Re: please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-07 Thread Alan DeKok
Diogo Teixeira wrote:
> Explain to me how to do this. Can you explain it to me, please? I have not
> found a tutorial anywhere that explains: Howto freeradius + peap + DB with
> NT-Passwords !!!

  There is no howto.  Most people use systems like AD or Samba that
automatically calculate the NT password.

> To use PEAP with NT-PASSWORD, the only thing that I can do is add a new
> user in the DB with this query:
>
> INSERT INTO radcheck (username, attribute, op, value) VALUES
> ('NT','NT-Password', ':=',  'C6E4266FEBEBD6A8AAD3B435B51404EE');

  That's the LM password for tiger, not the NT password.

> I don't know how I can generate NT-Passwords! =/

$ smbencrypt tiger
LM Hash                          NT Hash
C6E4266FEBEBD6A8AAD3B435B51404EE 0B9957E8BED733E0350C703AC1CDA822

  This program comes with the server.

  Alan DeKok.


please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-06 Thread Diogo Teixeira
Hi people,

I'm Portuguese student !

I have a big problem to solve.

I have my freeradius, that authenticates users by mysql database.

I have passwords encrypted with MD5, but when i test, the Login is always
Incorrect !

If password is clear, the freeradius works OK !

In the attachment i put my config files.

My only query to create new user is:

*INSERT INTO radcheck (username, attribute, op, value) VALUES
('5','MD5-Password', '==',  MD5('teste'));*

I have create many users, in different ways ! please look:

mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck;
+----+----------+----------------+----------------------------------+----+
| id | UserName | Attribute      | Value                            | op |
+----+----------+----------------+----------------------------------+----+
|  1 | teste    | Password       | teste                            | == |
|  2 | 1        | Password       | 698dc19d489c4e4db73e28a713eab07b | == |
|  3 | 2        | Password       | 698dc19d489c4e4db73e28a713eab07b | == |
|  4 | 3        | User-Password  | 698dc19d489c4e4db73e28a713eab07b | == |
|  5 | 4        | Crypt-Password | 698dc19d489c4e4db73e28a713eab07b | == |
|  6 | 5        | MD5-Password   | 698dc19d489c4e4db73e28a713eab07b | == |
+----+----------+----------------+----------------------------------+----+

I have read the man page for rlm_pap many, many times, but I don't know where to put
the headers (i.e. {md5} {clear} etc...) !!!

Please help me to solve this big trouble !!! =/

I need this to put my freeradius authenticate users, and the passwords in
Mysql DB have to be encrypted !!

Sorry for my poor english ! =/

Big thks

Regards,

Diogo Teixeira

Re: please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-06 Thread tnt
I have passwords encrypted with MD5, but when i test, the Login is always
Incorrect !


You should provide debug for that case.

If password is clear, the freeradius works OK !

*INSERT INTO radcheck (username, attribute, op, value) VALUES
('5','MD5-Password', '==',  MD5('teste'));*


That should be := not ==.

Ivan Kalik
Kalik Informatika ISP



Re: please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-06 Thread Diogo Teixeira
Big BIG Thanks Ivan !!!

But the only problem is the == ?

In attachment i put debug lines, with the option: freeradius -xx

Best Regards,

Diogo Teixeira

2008/12/6 [EMAIL PROTECTED]

 I have passwords encrypted with MD5, but when i test, the Login is always
 Incorrect !
 

 You should provide debug for that case.

 If password is clear, the freeradius works OK !
 
 *INSERT INTO radcheck (username, attribute, op, value) VALUES
 ('5','MD5-Password', '==',  MD5('teste'));*
 

 That should be := not ==.

 Ivan Kalik
 Kalik Informatika ISP


Re: please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-06 Thread tnt
In attachment i put debug lines, with the option: freeradius -xx


I don't see the attachment. Use -X not -xx.

Ivan Kalik
Kalik Informatika ISP



Re: please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-06 Thread Diogo Teixeira
Ok !

Now, the attachment is the log with the Freeradius -x option, and with a new user,
created with:

INSERT INTO radcheck (username, attribute, op, value) VALUES
('7','MD5-Password', ':=',  MD5('teste'));

Big thks !

Best Regards,

Diogo Teixeira


2008/12/7 [EMAIL PROTECTED]

 In attachment i put debug lines, with the option: freeradius -xx
 

 I don't see the attachment. Use -X not -xx.

 Ivan Kalik
 Kalik Informatika ISP


Re: please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-06 Thread tnt
Now, the attach is the log with Freeradius -x option, and with new user.
Create with:

INSERT INTO radcheck (username, attribute, op, value) VALUES
('7','MD5-Password', ':=',  MD5('teste'));


Ah, you can't use md5 encryption with PEAP.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP



Re: please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-06 Thread Diogo Teixeira
Big Thanks for your answer !

Really? =//

I didn't know this! =/ Can you explain to me why?

I'm not doubting you. Just out of curiosity!

Can I use another type of encryption with PEAP?

Best Regards,

Diogo Teixeira

2008/12/7 [EMAIL PROTECTED]

 Now, the attach is the log with Freeradius -x option, and with new user.
 Create with:
 
 INSERT INTO radcheck (username, attribute, op, value) VALUES
 ('7','MD5-Password', ':=',  MD5('teste'));
 

 Ah, you can't use md5 encryption with PEAP.

 http://deployingradius.com/documents/protocols/compatibility.html

 Ivan Kalik
 Kalik Informatika ISP


Re: please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-06 Thread tnt
I don't know this ! =/ Can you explain me why ?

I can use another type of encryption with PEAP ?


It's all on the page.

Ivan Kalik
Kalik Informatika ISP



Re: please help !!!! =/ - freeradius + mysql with encrypted MD5

2008-12-06 Thread Diogo Teixeira
If I use PEAP with NT-PASSWORD, will my freeradius work?

Query:

INSERT INTO radcheck (username, attribute, op, value) VALUES
('10','NT-Password', ':=',  '2a5f0679ba350887d5a800902056134e');

Best Regards

Diogo Teixeira

2008/12/7 [EMAIL PROTECTED]

 I don't know this ! =/ Can you explain me why ?
 
 I can use another type of encryption with PEAP ?
 

 It's all on the page.

 Ivan Kalik
 Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
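
Added example (not part of the original posts and not FreeRADIUS code): the checks raised in the thread above, applied to the radcheck rows quoted in it. It computes the NT hash (MD4 over the UTF-16LE password), flags an LM hash stored as NT-Password, flags attributes that cannot serve PEAP/MS-CHAPv2, and flags an op other than :=. The function names and the pure-Python MD4 are this example's own, and the LM test is a heuristic that only catches passwords of seven characters or fewer.

```python
import struct

MASK = 0xFFFFFFFF
LM_EMPTY_HALF = "AAD3B435B51404EE"   # LM hash of an empty 7-character half
MSCHAP_USABLE = {"Cleartext-Password", "NT-Password"}


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; many hashlib builds no longer ship it."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order2 = [(i % 4) * 4 + i // 4 for i in range(16)]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a0, b0, c0, d0 = a, b, c, d
        for i in range(16):  # round 1: F(b,c,d)
            f = (b & c) | (~b & d)
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rol((a + f + x[i]) & MASK, s), b, c
        for i in range(16):  # round 2: G(b,c,d)
            g = (b & c) | (b & d) | (c & d)
            s = (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rol((a + g + x[order2[i]] + 0x5A827999) & MASK, s), b, c
        for i in range(16):  # round 3: H(b,c,d)
            h = b ^ c ^ d
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rol((a + h + x[order3[i]] + 0x6ED9EBA1) & MASK, s), b, c
        a, b, c, d = (a + a0) & MASK, (b + b0) & MASK, (c + c0) & MASK, (d + d0) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in NT-Password: MD4 of the UTF-16LE password, hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def audit_radcheck_row(attribute, op, value, password=None):
    """Return findings for one radcheck row meant for PEAP/MS-CHAPv2."""
    findings = []
    if op != ":=":
        findings.append("op should be := rather than " + op)
    if attribute not in MSCHAP_USABLE:
        findings.append(attribute + " cannot be used with PEAP/MS-CHAPv2")
    elif attribute == "NT-Password":
        v = value.upper()
        if len(v) != 32 or not set(v) <= set("0123456789ABCDEF"):
            findings.append("NT-Password must be 32 hex digits")
        elif v.endswith(LM_EMPTY_HALF):
            findings.append("value looks like an LM hash, not an NT hash")
        elif password is not None and v != nt_hash(password):
            findings.append("value is not the NT hash of the supplied password")
    return findings


if __name__ == "__main__":
    # Rows as quoted in the thread: (username, attribute, op, value).
    rows = [
        ("NT", "NT-Password", ":=", "C6E4266FEBEBD6A8AAD3B435B51404EE"),
        ("5", "MD5-Password", "==", "698dc19d489c4e4db73e28a713eab07b"),
        ("10", "NT-Password", ":=", "2a5f0679ba350887d5a800902056134e"),
    ]
    for user, attr, op, value in rows:
        print(user, attr, audit_radcheck_row(attr, op, value) or "ok")
```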

Re: Mschapv2 not working! Please help!

2008-10-17 Thread Syed Anwarul Hasan
Hi,
PEAP MSCHAPv2 works well with Active Directory Backend. I am not sure of its
Authentication Process with users file.

Try with EAP MD5, it works well with Users file.

SYED
On Thu, Oct 16, 2008 at 5:21 PM, saini_jas16 
[EMAIL PROTECTED] wrote:


 Hello All,

 I am trying to authenticate a Windows XP Client with the username and
 password configured in the Users file on the Radius Server.  I have tried
 several changes, but I am not able to get rid of this error. I am running
 freeradius 2.1.1 on Suse 10 SP1.

 Kindly Help, I am in urgent need of making this radius server up and
 running.
 Below is the error I am receiving.


 rad_recv: Access-Request packet from host 130.1.254.174 port 2,
 id=212,
 length=182
NAS-Port-Id = 2049/1
Calling-Station-Id = 00-1F-3B-70-5B-7F
Called-Station-Id = 00-18-6E-30-70-C0:NYCC_TEST
Service-Type = Framed-User
User-Name = jaswinder
State = 0x2aaca71b29aabed260fc846046180105
EAP-Message =
 0x0206002119800017150301001294659677442f8e7a361ee8ee93374c90ed53
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 3Com
NAS-IP-Address = 130.1.254.174
Message-Authenticator = 0xe42d1530c16b34c5b74bfb4c486083aa
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = jaswinder, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] EAP packet type response id 6 length 33
 [eap] Continuing tunnel setup.
 ++[eap] returns ok
 Found Auth-Type = EAP
 +- entering group authenticate {...}
 [eap] Request found, released from the list
 [eap] EAP/peap
 [eap] processing type peap
 [peap] processing EAP-TLS
  TLS Length 23
 [peap] Length Included
 [peap] eaptls_verify returned 11
 [peap]  TLS 1.0 Alert [length 0002], fatal access_denied
 TLS Alert read:fatal:access denied
 [peap] WARNING: No data inside of the tunnel.
 [peap] eaptls_process returned 7
 [peap] EAPTLS_OK
 [peap] Session established.  Decoding tunneled attributes.
 [peap] Tunneled data is invalid.
 [eap] Handler failed in EAP/peap
 [eap] Failed in EAP select
 ++[eap] returns invalid
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} - jaswinder
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 5 for 1 seconds
 Going to the next request

 Any help is greatly appreciated.
 Thanks,
 Jas

Re: Mschapv2 not working! Please help!

2008-10-17 Thread saini_jas16
: No data inside of the tunnel.
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Tunneled data is invalid.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - jaswinder
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 212 to 130.1.254.174 port 2
EAP-Message = 0x04060004
Message-Authenticator = 0x
Waking up in 3.4 seconds.
Cleaning up request 0 ID 207 with timestamp +46
Cleaning up request 1 ID 208 with timestamp +46
Cleaning up request 2 ID 209 with timestamp +46
Cleaning up request 3 ID 210 with timestamp +46
Waking up in 0.3 seconds.
Cleaning up request 4 ID 211 with timestamp +46
Waking up in 1.0 seconds.
Cleaning up request 5 ID 212 with timestamp +47
Ready to process requests.



Thanks,
Jas




tnt-4 wrote:
 
 [peap] eaptls_verify returned 11
 [peap]  TLS 1.0 Alert [length 0002], fatal access_denied
 TLS Alert read:fatal:access denied
 [peap] WARNING: No data inside of the tunnel.
 
 Something is badly broken here. XP rejected CA certificate. It tends to
 do that if certificate doesn't have xpextensions. Are you using the CA
 certificate generated by freeradius? Were there any errors when you were
 making certificates? Is your XP patched up-to-date?
 
 Ivan Kalik
 Kalik Informatika ISP
 


Re: Mschapv2 not working! Please help!

2008-10-17 Thread tnt
My certificate generation went really well, no errors at all. I generated the
certificates with openssl.

Did you use Makefile provided in raddb/certs directory? Or did you make
them yourself?

Ivan Kalik
Kalik Informatika ISP



Re: Mschapv2 not working! Please help!

2008-10-17 Thread A . L . M . Buxey
Hi,

 [peap]  TLS 1.0 Alert [length 0002], fatal access_denied
 TLS Alert read:fatal:access denied
 [peap] WARNING: No data inside of the tunnel.
 [peap] eaptls_process returned 7
 [peap] EAPTLS_OK
 [peap] Session established.  Decoding tunneled attributes.
 [peap] Tunneled data is invalid.
 [eap] Handler failed in EAP/peap
 [eap] Failed in EAP select

all gone wonky here - your certs are readable by the correct
group/user daemon process what version of openssl do you have?

alan


Re: Mschapv2 not working! Please help!

2008-10-17 Thread saini_jas16

I made them myself. Following were the commands I used.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key
-set_serial 01 -out server.crt
openssl dhparam -out dh2048.pem 2048

Jas



tnt-4 wrote:
 
My certificate generation went really well, no errors at all. I generated
the
certificates with openssl.
 
 Did you use Makefile provided in raddb/certs directory? Or did you make
 them yourself?
 
 Ivan Kalik
 Kalik Informatika ISP
 


Re: Mschapv2 not working! Please help!

2008-10-17 Thread saini_jas16

Hi 

The version is 0.9.8a - 18.15 - i586

Jas



A.L.M.Buxey wrote:
 
 Hi,
 
 [peap]  TLS 1.0 Alert [length 0002], fatal access_denied
 TLS Alert read:fatal:access denied
 [peap] WARNING: No data inside of the tunnel.
 [peap] eaptls_process returned 7
 [peap] EAPTLS_OK
 [peap] Session established.  Decoding tunneled attributes.
 [peap] Tunneled data is invalid.
 [eap] Handler failed in EAP/peap
 [eap] Failed in EAP select
 
 all gone wonky here - your certs are readable by the correct
 group/user daemon process what version of openssl do you have?
 
 alan


Re: Mschapv2 not working! Please help!

2008-10-17 Thread A . L . M . Buxey
Hi,
 
 I made them myself. Following were the commands I used.
 
 openssl genrsa -des3 -out ca.key 4096
 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
 openssl genrsa -des3 -out server.key 4096
 openssl req -new -key server.key -out server.csr
 openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key
 -set_serial 01 -out server.crt
 openssl dhparam -out dh2048.pem 2048

well, that's wrong then. the docs haven't been read
and you haven't followed the guides or the
current cert gen script.

you need to ensure that the certs have the required extensions

alan
  
 Jas
 
 
 
 tnt-4 wrote:
  
 My certificate generation went really well, no errors at all. I generated
 the
 certificates with openssl.
  
  Did you use Makefile provided in raddb/certs directory? Or did you make
  them yourself?
  
  Ivan Kalik
  Kalik Informatika ISP
  


Re: Mschapv2 not working! Please help!

2008-10-17 Thread saini_jas16

Can you please guide me in this regard? What guidelines shall I follow?

Many Thanks,
Jas


A.L.M.Buxey wrote:
 
 Hi,
 
 I made them myself. Following were the commands I used.
 
 openssl genrsa -des3 -out ca.key 4096
 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
 openssl genrsa -des3 -out server.key 4096
 openssl req -new -key server.key -out server.csr
 openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key
 -set_serial 01 -out server.crt
 openssl dhparam -out dh2048.pem 2048
 
 well, thats wrong then. the docs havent been read
 and you havent followed the guides or the
 current cert gen script.
 
 you need to ensure that the certs have the required extensions
 
 alan
   
 Jas
 
 
 
 tnt-4 wrote:
  
 My certificate generation went really well, no errors at all. I
 generated
 the
 certificates with openssl.
  
  Did you use Makefile provided in raddb/certs directory? Or did you make
  them yourself?
  
  Ivan Kalik
  Kalik Informatika ISP
  


Re: Mschapv2 not working! Please help!

2008-10-17 Thread saini_jas16

Hello,

I am sure it works well with Users file as well. I remember doing it in the
university. But I do not know why it's not working this time. I will be
integrating this freeradius with Novell's edirectory in a few days' time, but I
wanted to test if it's working or not before integrating with edirectory, as
that will be a complex structure.

I have a tight deadline to finish it in. Kindly help me in eliminating the
error it's showing.

Many Thanks,
Jas


Syed Anwarul Hasan wrote:
 
 Hi,
 PEAP MSCHAPv2 works well with Active Directory Backend. I am not sure of
 its
 Authentication Process with users file.
 
 Try with EAP MD5, it works well with Users file.
 
 SYED
 On Thu, Oct 16, 2008 at 5:21 PM, saini_jas16 
 [EMAIL PROTECTED] wrote:
 

 Hello All,

 I am trying to authenticate a Windows XP Client with the username and
 password configured in the Users file on the Radius Server.  I have tried
 several changes, but I am not able to get rid of this error. I am running
 freeradius 2.1.1 on Suse 10 SP1.

 Kindly Help, I am in urgent need of making this radius server up and
 running.
 Below is the error I am receiving.


 rad_recv: Access-Request packet from host 130.1.254.174 port 2,
 id=212,
 length=182
NAS-Port-Id = 2049/1
Calling-Station-Id = 00-1F-3B-70-5B-7F
Called-Station-Id = 00-18-6E-30-70-C0:NYCC_TEST
Service-Type = Framed-User
User-Name = jaswinder
State = 0x2aaca71b29aabed260fc846046180105
EAP-Message =
 0x0206002119800017150301001294659677442f8e7a361ee8ee93374c90ed53
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 3Com
NAS-IP-Address = 130.1.254.174
Message-Authenticator = 0xe42d1530c16b34c5b74bfb4c486083aa
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = jaswinder, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] EAP packet type response id 6 length 33
 [eap] Continuing tunnel setup.
 ++[eap] returns ok
 Found Auth-Type = EAP
 +- entering group authenticate {...}
 [eap] Request found, released from the list
 [eap] EAP/peap
 [eap] processing type peap
 [peap] processing EAP-TLS
  TLS Length 23
 [peap] Length Included
 [peap] eaptls_verify returned 11
 [peap]  TLS 1.0 Alert [length 0002], fatal access_denied
 TLS Alert read:fatal:access denied
 [peap] WARNING: No data inside of the tunnel.
 [peap] eaptls_process returned 7
 [peap] EAPTLS_OK
 [peap] Session established.  Decoding tunneled attributes.
 [peap] Tunneled data is invalid.
 [eap] Handler failed in EAP/peap
 [eap] Failed in EAP select
 ++[eap] returns invalid
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} - jaswinder
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 5 for 1 seconds
 Going to the next request

 Any help is greatly appreciated.
 Thanks,
 Jas


Re: Mschapv2 not working! Please help!

2008-10-17 Thread Alan DeKok
saini_jas16 wrote:
> Can you please guide me in this regard? What guidelines shall I follow?

  eap.conf, for one.

  If you're going to edit the configuration files, it might be prudent
to *read* them.

  Alan DeKok.


Re: Mschapv2 not working! Please help!

2008-10-17 Thread tnt
So you haven't used xpextensions and your certificates are useless for
connecting XP clients. Use certificate creation provided with the server:

raddb/certs/README

Ivan Kalik
Kalik Informatika ISP

Dana 17/10/2008, saini_jas16 [EMAIL PROTECTED] piše:


I made them myself. Following were the commands I used.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key
-set_serial 01 -out server.crt
openssl dhparam -out dh2048.pem 2048

Jas



tnt-4 wrote:

My certificate generation went really well, no errors at all. I generated
the
certificates with openssl.

 Did you use Makefile provided in raddb/certs directory? Or did you make
 them yourself?

 Ivan Kalik
 Kalik Informatika ISP



Re: Mschapv2 not working! Please help!

2008-10-17 Thread tnt
 [peap] eaptls_verify returned 11
 [peap]  TLS 1.0 Alert [length 0002], fatal access_denied
 TLS Alert read:fatal:access denied
 [peap] WARNING: No data inside of the tunnel.

Something is badly broken here. XP rejected CA certificate. It tends to
do that if certificate doesn't have xpextensions. Are you using the CA
certificate generated by freeradius? Were there any errors when you were
making certificates? Is your XP patched up-to-date?

Ivan Kalik
Kalik Informatika ISP



Re: Mschapv2 not working! Please help!

2008-10-17 Thread saini_jas16

I created the certificates in the way explained in the readme file. But
when I try to open or import the ca.der in the XP machine, it says that the
file type is not recognized.
What am I doing wrong here?

Jas


tnt-4 wrote:
 
 So you haven't used xpextensions and your certificates are useless for
 connecting XP clients. Use certificate creation provided with the server:
 
 raddb/certs/README
 
 Ivan Kalik
 Kalik Informatika ISP
 
 Dana 17/10/2008, saini_jas16 [EMAIL PROTECTED] piše:
 

I made them myself. Following were the commands I used.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key
-set_serial 01 -out server.crt
openssl dhparam -out dh2048.pem 2048

Jas



tnt-4 wrote:

My certificate generation went really well, no errors at all. I
generated
the
certificates with openssl.

 Did you use Makefile provided in raddb/certs directory? Or did you make
 them yourself?

 Ivan Kalik
 Kalik Informatika ISP


Re: Mschapv2 not working! Please help!

2008-10-17 Thread tnt
I created the certificates in the way explained in the readme file. But
when I try to open or import the ca.der in the XP machine, it says that the
file type is not recognized.
What am I doing wrong here?


Your XP is broken. Mine knows what .der file is. Go to Control
Panel/Folders/File Types and see if der is listed.

Ivan Kalik
Kalik Informatika ISP



Please Help!

2008-10-10 Thread niel m
Hello Guys

I'm new to radius, I am using CentOS 5 on my radius server.

Where can I find the scripts for generating various certificates?
This is for my Server-(Access Point)-Client connections.

Any help would be appreciated.

Thanks,
Niel

Re: Please Help!

2008-10-10 Thread niel m
Thanks a lot guys :D effort appreciated :)




2008/10/10 [EMAIL PROTECTED]

 raddb/certs

 Ivan Kalik
 Kalik Informatika ISP


 On 10/10/2008, niel m [EMAIL PROTECTED] wrote:

 Hello Guys
 
 Im new in radius, I am using CentOS 5 in my radius server.
 
 Where I can find the scripts in generating various Certificates?
 This is for my Server-(Access Point)-Client connections.
 
 Any help would be appreciated.
 
 Thanks,
 Niel
 
 


Re: Please Help!

2008-10-10 Thread tnt
raddb/certs

Ivan Kalik
Kalik Informatika ISP


On 10/10/2008, niel m [EMAIL PROTECTED] wrote:

Hello Guys

Im new in radius, I am using CentOS 5 in my radius server.

Where I can find the scripts in generating various Certificates?
This is for my Server-(Access Point)-Client connections.

Any help would be appreciated.

Thanks,
Niel





Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP)

2008-03-20 Thread Koko Kurniawan
Thank you...

now it works and success.

but if my client disconnects and reconnects again, now it doesn't need to input
user name and password again. It's directly connected ..

Is it right???
   

Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP)

2008-03-20 Thread Ivan Kalik
Not really. But Windows XP caches credentials:

http://support.microsoft.com/kb/823731

Ivan Kalik
Kalik Informatika ISP


On 20/3/2008, Koko Kurniawan [EMAIL PROTECTED] wrote:

Thank you...

now it works and success.

but if my client disconnect and reconnect again, now it doesn't need to input
user name and password again. It's directly connected ..

Is it right???



FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!!please HELP!!!)

2008-03-19 Thread Koko Kurniawan
Please, help me..

I am confused

why my freeradius server can´t detect the password that I write on the client?
I am using OpenLDAP for the database

rad_recv: Access-Request packet from host 10.10.53.100:1812, id=76, length=83
User-Name = htrisnadi
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000e0168747269736e616469
NAS-IP-Address = 10.10.53.100
Message-Authenticator = 0x4e8851c2f8e7f31d426d4a853af3ef1d

...

auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 1
modcall: leaving group LDAP (returns invalid) for request 1
auth: Failed to validate the user.
Login incorrect: [htrisnadi/no User-Password attribute] (from client liv1 port 0)


There is no User-Password in there. 
Should i change the configuration? in which file?


 
   

Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!!please HELP!!!)

2008-03-19 Thread Alan DeKok
Koko Kurniawan wrote:
> why my freeradius server can´t detect the password that i write on the
> client?

  Because the password is NOT in the RADIUS packet.  Go read it: no
User-Password attribute.

> rad_recv: Access-Request packet from host 10.10.53.100:1812, id=76, length=83
> User-Name = htrisnadi
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x0201000e0168747269736e616469

  EAP is an authentication protocol that does not send the password from
the client to the server.

> auth: type LDAP

  You forced Auth-Type := LDAP.  DO NOT DO THAT.

  Please explain WHY you are doing this, and WHERE in the documentation
(or web pages) it said to do this.

> There is no User-Password in there.
> Should i change the configuration? in which file?

  Do NOT set Auth-Type.  If LDAP has a clear-text password available for
the user, FreeRADIUS will figure out how to authenticate the user.

  Alan DeKok.
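
The EAP-Message value in the debug output quoted above can be decoded by hand, which shows what the NAS actually sent. The parser below is an added example, not part of the original post or of FreeRADIUS; its function names are illustrative and the type table lists only a few common EAP types.

```python
import struct

# EAP Code and Type numbers as assigned in RFC 3748 and the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# The EAP-Message value from the debug output quoted in this thread.
THREAD_EAP_MESSAGE = "0x0201000e0168747269736e616469"


def reassemble(eap_message_values):
    """Join the hex values of one or more EAP-Message attributes, in packet order.

    A RADIUS attribute carries at most 253 bytes of data, so a long EAP packet
    is split over several EAP-Message attributes that must be concatenated.
    """
    raw = b""
    for value in eap_message_values:
        value = value.strip()
        if value.lower().startswith("0x"):
            value = value[2:]
        raw += bytes.fromhex(value)
    return raw


def parse_eap(raw):
    """Parse one EAP packet: Code (1), Identifier (1), Length (2), then Type + data."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes; packet is truncated")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP Length field %d does not fit %d received bytes"
                         % (length, len(raw)))
    packet = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
              "id": identifier, "length": length, "type": None, "data": b""}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        eap_type = raw[4]
        packet["type"] = EAP_TYPES.get(eap_type, "Unknown(%d)" % eap_type)
        packet["data"] = raw[5:length]
    return packet


def describe(packet):
    """One-line summary of a parsed packet."""
    return "EAP-%s id=%d len=%d type=%s data=%r" % (
        packet["code"], packet["id"], packet["length"],
        packet["type"], packet["data"])


if __name__ == "__main__":
    print(describe(parse_eap(reassemble([THREAD_EAP_MESSAGE]))))
```

The packet is an EAP-Response/Identity: it carries the user name only, which is why there is no User-Password for an LDAP bind to use.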


Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP!!!)

2008-03-19 Thread Koko Kurniawan
thanks for the answer,
i want to ask something
what do you mean about the password is NOT in the RADIUS packet??

so where is the user-password?? 

i have removed Auth-Type := LDAP in users..
it´s still not working. what must i do?

LDAP doesn´t know EAP, so what kind of authentication i must use. 

can you give me suggestion the ideal configuration for my FreeRADIUS + OpenLDAP 
so that the authentication be performed successfully.

i will show you my freeradius log, and i hope you will correct that

Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radius
 main: group = radius
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded Pam
 pam: pam_auth = radiusd
Module: Instantiated pam (pam)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = localhost
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = 
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = 
 ldap: basedn = dc=aiueo,dc=com
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = {CRYPT}
 ldap: password_attribute = userPassword
 ldap: access_attr = (null)
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter = 
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT

Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP!!!)

2008-03-19 Thread Ivan Kalik
> thanks for the answer,
> i want ask something
> what do you mean about  the password is NOT in the RADIUS packet??
>
> so where is the user-password??

Most protocols don't work on password matching but on challenge-response.

> i have removed Auth-Type := LDAP in users..
> it´s still not working. what must i do?

So where is the debug?

> LDAP doesn´t know EAP, so what kind of authentication i must use.

Don't force anything. Server will figure it out.

> can you give me suggestion the ideal configuration for my FreeRADIUS + OpenLDAP
> so that the authentication be performed successfully.

Configuration looks fine. Debug of the request will tell more.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP!!!)

2008-03-19 Thread Alan DeKok
Koko Kurniawan wrote:
> thanks for the answer,
> i want ask something
> what do you mean about  the password is NOT in the RADIUS packet??

  I mean it's not.

> so where is the user-password??

  Some authentication protocols do not require exchanging the password.
 CHAP, MS-CHAP, and EAP all work this way.

> i have removed Auth-Type := LDAP in users..
> it´s still not working. what must i do?

  Post the debug log, as suggested in the FAQ, README, INSTALL, etc.

> LDAP doesn´t know EAP, so what kind of authentication i must use.

  We know that LDAP doesn't do EAP.  This isn't news.

> can you give me suggestion the ideal configuration for my FreeRADIUS +
> OpenLDAP
> so that the authentication be performed successfully.

  Configure LDAP  EAP.  It's that easy.

> i will show you my freeradius log, and i hope you will correct that

  You didn't show the server receiving any authentication packets.

  Alan DeKok.
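
As an added illustration of the challenge-response point made in this reply (example code written for this page, not FreeRADIUS code): a CHAP exchange per RFC 1994, with a simplified server model showing that PAP can be checked against a hashed entry while CHAP needs the clear-text password. The password, challenge and the SHA-256 stand-in for a hashed directory value are constructed assumptions.

```python
import hashlib
import hmac


def chap_response(chap_id, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def client_chap_password(chap_id, password, challenge):
    """Value placed in the RADIUS CHAP-Password attribute: ID byte + 16-byte response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def one_way_hash(password):
    """Stand-in (assumption) for a hashed directory value such as a {CRYPT} entry."""
    return hashlib.sha256(password).digest()


def authenticate(request, stored):
    """Simplified model of picking a method from what the request carries.

    request: dict of RADIUS attributes (bytes values)
    stored:  {"cleartext": bytes} or {"hash": bytes} as read from the directory
    Returns (method, outcome).
    """
    if "User-Password" in request:
        # PAP: the server sees the password, so it can hash it and compare.
        submitted = request["User-Password"]
        if "cleartext" in stored:
            ok = hmac.compare_digest(submitted, stored["cleartext"])
        else:
            ok = hmac.compare_digest(one_way_hash(submitted), stored["hash"])
        return ("PAP", "accept" if ok else "reject")

    if "CHAP-Password" in request:
        # CHAP: the server must recompute MD5(ID || password || challenge),
        # which is impossible from a one-way hash of the password.
        if "cleartext" not in stored:
            return ("CHAP", "invalid: no clear-text password to recompute the response")
        chap_id = request["CHAP-Password"][0]
        received = request["CHAP-Password"][1:]
        expected = chap_response(chap_id, stored["cleartext"], request["CHAP-Challenge"])
        return ("CHAP", "accept" if hmac.compare_digest(received, expected) else "reject")

    if "EAP-Message" in request:
        # EAP runs its own inner exchange; nothing here can be compared or bound with.
        return ("EAP", "invalid: needs an EAP method, request has no User-Password")

    return ("none", "invalid: request carries no authentication material")


# Constructed sample values.
PASSWORD = b"s3cret-example"
CHALLENGE = bytes(range(16))
CHAP_REQUEST = {
    "CHAP-Password": client_chap_password(76, PASSWORD, CHALLENGE),
    "CHAP-Challenge": CHALLENGE,
}

if __name__ == "__main__":
    print(authenticate(CHAP_REQUEST, {"cleartext": PASSWORD}))
    print(authenticate(CHAP_REQUEST, {"hash": one_way_hash(PASSWORD)}))
    print(authenticate({"User-Password": PASSWORD}, {"hash": one_way_hash(PASSWORD)}))
    print(authenticate({"EAP-Message": bytes.fromhex("0201000e0168747269736e616469")},
                       {"cleartext": PASSWORD}))
```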


Re: please help not allow the many connections from single user

2007-11-20 Thread ann kok
I did attribute in mysql and start freeradius

In the /var/log/radius.log

I can see 

Auth: Multiple logins (max 1) [MPP attempt]:

When I kick out the user in the nas server, I am still
seeing this Auth: Multiple logins (max 1) [MPP attempt]:

Is there any delay time to take?

how can I control it?

Thank you






--- [EMAIL PROTECTED] wrote:

> > how can we prevent it?
>
> Restrict the user to a single session. Have a look at the (check)
> attribute Simultaneous-Use. If you are using sql accounting you will
> need to make slight adjustments to radiusd.conf and sql.conf. Read
> instructions in them.
>
> Ivan Kalik
> Kalik Informatika ISP
 


Re: please help not allow the many connections from single user

2007-11-20 Thread tnt
Have you configured nastype in your client configuration? If checkrad
script is to check sessions with NAS it needs that.

Ivan Kalik
Kalik Informatika ISP


On 20/11/2007, ann kok [EMAIL PROTECTED] wrote:

I did attribute in mysql and start freeradius

In the /var/log/radius.log

I can see

Auth: Multiple logins (max 1) [MPP attempt]:

When I kick out the user in the nas server, I am still
seeing this Auth: Multiple logins (max 1) [MPP
attempt]:

ls it any delay time to take?

how can I control it?

Thank you








Re: please help not allow the many connections from single user

2007-11-20 Thread ann kok
Thank you

but in the nas file. it said to use clients.conf
i configure the clients.conf and put the NAS (linux)
there

can you help?

or teach me to run the command

Thank you
Peter 



more naslist
#
#   THIS FILE IS DEPRECATED.
#
#   You should NOT be using this file to configure the server.
#   It is here ONLY for backwards compatibility.
#
#   See 'clients.conf' for the new configuration.
#


--- [EMAIL PROTECTED] wrote:

 Have you configured nastype in your clent
 configuration? If checkrad
 script is to check sessions with NAS it needs that.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 


Re: please help not allow the many connections from single user

2007-11-20 Thread ann kok
btw, i saw some users are fine

but some users are not

not sure it is limited by time or modem

Do you have idea?

Thank you
--- [EMAIL PROTECTED] wrote:

 nastype is a setting in clients.conf. Read
 instructions in the file.
 
 Ivan Kalik
 Kalik Informatika ISP
 


Re: please help not allow the many connections from single user

2007-11-20 Thread tnt
> btw, i saw some users are fine
>
> but some users are not
>
> not sure it is limited by time or modem
>
> Do you have idea?
>
> Thank you

Sorry. I don't know what are you on about. Whatever it is, modem is the
most unlikely culprit.

Ivan Kalik
Kalik Informatika ISP



Re: please help not allow the many connections from single user

2007-11-20 Thread ann kok
basically I don't know how to solve it out

I follow the freeradius/doc 

1/ add group in freeradius/users
eg: DEFAULT Group == homeuse,Simultaneous-Use = 1,Fall-Through = 1

2/ insert radius database
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
values('homeuse', 'Simultaneous-Use', ':=', '1');

After restart the mysql, freeradius, I can see the 
some users can have  Multiple logins (max 1) [MPP
attempt] in radius log

When I tested to kick out those users from NAS, it
still shows Multiple logins in the radius log  and the
users can't log on again. and  I can't see any login
in the NAS

But some users I can kick it out and have logon again
successful in the radius log

I check checkrad this script. he looks like to use the
naslist and naspassword files. but in our naslist, the
comment told me to use the clients.conf instead

I add naslist and naspassword but I don't know how to
test it. Is there any conflict?

I am using linux as NAS, what is the type of this one?
Is the type as Other?

Thank you again











--- [EMAIL PROTECTED] wrote:

 btw, i saw some users are fine
 
 but some users are not
 
 not sure it is limited by time or modem
 
 Do you have idea?
 
 Thank you
 
 Sorry. I don't know what are you on about. Whatever
 it is, modem is the
 most unlikely culprit.
 
 Ivan Kalik
 Kalik Informatika ISP
 


Re: please help not allow the many connections from single user

2007-11-20 Thread tnt
1. Delete that entry in users file. You are checking Simultaneous-Use in
radgroupcheck.

2. In session{} module in radiusd.conf change checking to sql.

3. Uncomment simultaneous use queries in sql.conf.

4. If your NAS is not listed in docs enter other as nastype. That means
there will be no check of NAS sessions, only what's written in the
database.

5. Find all open entries in the database (SELECT * FROM radacct WHERE
AcctStopTime = 0). If there are some open sessions older than what is
normal - delete them - they are most likely stale and are preventing
users from connecting.

Ivan Kalik
Kalik Informatika ISP
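
Step 5 above, as an added sketch that is not part of the original post: an in-memory SQLite table stands in for radacct (reduced to a few of its columns, with times held as epoch seconds), the rows are constructed, and the 24-hour staleness threshold is an assumption to adjust to your own normal session lengths.

```python
import sqlite3

# Reduced stand-in for the radacct table; AcctStopTime = 0 marks an open session,
# matching the "WHERE AcctStopTime = 0" query in the post.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId     INTEGER PRIMARY KEY,
    UserName      TEXT,
    NASIPAddress  TEXT,
    AcctSessionId TEXT,
    AcctStartTime INTEGER,
    AcctStopTime  INTEGER DEFAULT 0
)"""

NOW = 1195560000          # constructed "current time" in epoch seconds
MAX_AGE = 24 * 3600       # assumption: no legitimate session lasts longer than a day


def build_sample_db():
    """Create the table with three constructed accounting rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        # alice: Accounting-Stop never arrived, row has been open for three days
        ("alice", "192.0.2.10", "sess-a1", NOW - 3 * 86400, 0),
        # bob: genuinely online for the last ten minutes
        ("bob", "192.0.2.10", "sess-b1", NOW - 600, 0),
        # carol: session opened and closed normally
        ("carol", "192.0.2.11", "sess-c1", NOW - 7200, NOW - 3600),
    ]
    conn.executemany(
        "INSERT INTO radacct (UserName, NASIPAddress, AcctSessionId,"
        " AcctStartTime, AcctStopTime) VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def open_session_count(conn, user):
    """Number of sessions the database still believes are active for this user."""
    cur = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
        (user,))
    return cur.fetchone()[0]


def login_allowed(conn, user, simultaneous_use=1):
    """Database-only check, as with nastype 'other': no query to the NAS itself."""
    return open_session_count(conn, user) < simultaneous_use


def stale_sessions(conn, now=NOW, max_age=MAX_AGE):
    """Open rows that started longer ago than max_age; review these before deleting."""
    cur = conn.execute(
        "SELECT UserName, AcctSessionId, AcctStartTime FROM radacct"
        " WHERE AcctStopTime = 0 AND AcctStartTime < ? ORDER BY AcctStartTime",
        (now - max_age,))
    return cur.fetchall()


def purge_stale(conn, now=NOW, max_age=MAX_AGE):
    """Delete stale open rows and return how many were removed."""
    cur = conn.execute(
        "DELETE FROM radacct WHERE AcctStopTime = 0 AND AcctStartTime < ?",
        (now - max_age,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print("alice allowed before purge:", login_allowed(db, "alice"))
    print("stale rows:", stale_sessions(db))
    print("purged:", purge_stale(db))
    print("alice allowed after purge:", login_allowed(db, "alice"))
    print("bob (really online) allowed:", login_allowed(db, "bob"))
```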

On 20/11/2007, ann kok [EMAIL PROTECTED] wrote:

basically I don't know how to solve it out

I follow the freeradius/doc

1/ add group in freeradius/users
eg: DEFAULT Group == homeuse,Simultaneous-Use =
1,Fall-Through = 1

2/ insert radius database
INSERT INTO radgroupcheck (GroupName, Attribute, op,
Value) values(homeuse, Simultaneous-Use, :=,
1);

After restart the mysql, freeradius, I can see the
some users can have  Multiple logins (max 1) [MPP
attempt] in radius log

When I tested to kick out those users from NAS, it
still shows Multiple logins in the radius log  and the
users can't log on again. and  I can't see any login
in the NAS

But some users I can kick it out and have logon again
sucessful in the radius log

I check checkrad this script. he looks like to use the
naslist and naspassword files. but in our naslist, the
comment told me to use the clients.conf instead

I add naslist and naspassword but I don't know how to
test it. ls there any conflict?

I am using linux as NAS, what is the type of this one?
ls the type as Other?

Thank you again













Re: please help not allow the many connections from single user

2007-11-19 Thread ann kok
Thank you

In the freeradius/doc/Simultaneous-Use, I don't
understand this one. Is it in the radius.conf?

Can you teach me how to add this?

NOTE!!! The Simultaneous-Use parameter is in the
check A/V pairs, and not in the Reply A/V pairs (it
_is_ a check).

Thank you
 

--- [EMAIL PROTECTED] wrote:

 
 how can we prevent it?
 
 
 Restrict the user to a single session. Have a look
 at the (check)
 attribute Simultaneous-Use. If you are using sql
 accounting you will
 need to make slight adjustments to radiusd.conf and
 sql.conf. Read
 instructions in them.
 
 Ivan Kalik
 Kalik Informatika ISP
 


RE: please help not allow the many connections from single user

2007-11-19 Thread Ivan Kalik
> Simultaneous-Use parameter is in the check A/V pairs

Just like a password check.

username Cleartext-Password := somepass, Simultaneous-Use := 1

Ivan Kalik
Kalik Informatika ISP



Re: please help not allow the many connections from single user

2007-11-16 Thread tnt

> how can we prevent it?


Restrict the user to a single session. Have a look at the (check)
attribute Simultaneous-Use. If you are using sql accounting you will
need to make slight adjustments to radiusd.conf and sql.conf. Read
instructions in them.

Ivan Kalik
Kalik Informatika ISP



please help not allow the many connections from single user

2007-11-16 Thread ann kok
Hi

We have a big problem with many connections from a
single user in DSL clients

A single user can authenticate on the different LNS
server to use the internet connection.

how can we prevent it?

As our users are using the dynamic ip, the ip address
is assigned by the LNS not the radius

in this case, the ip pool can't be defined in the
radius setting. Right?

Can you help to give us detail info?

thank you so much




  



Please help with my EAP config - PEAP/MSCHAP

2007-10-23 Thread Nyle

Hello,

I'm trying to set up Freeradius on SuSe 9 to authenticate against LDAP on
the same box. I can use radtest locally and ntradping from a remote
workstation and receive an accept. So it looks like it's configured well
enough for the direct LDAP with clients.conf. However, when I try and use a
Windows XP Pro client with my 3COM AP it returned a reject. I've tried
searching on the what appears to be the errors in the below log but nothing
seems to stand out. I'm sure it's something simple I missed when following
the online setup guides that are supposed to walk you through. I've checked
and re-checked my eap.conf and radiusd.conf.

Below is the output from radiusd. Any help is greatly appreciated and thanks
in advance. :-D

http://www.nabble.com/file/p13363453/radiusd.conf radiusd.conf 
http://www.nabble.com/file/p13363453/eap.conf eap.conf 

-Nyle

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = localhost
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = cn=RADMIN,o=SuSeRadius
 ldap: tls_mode = yes
 ldap: start_tls = no
 ldap: tls_cacertfile = /etc/raddb/certs/rootcert.pem
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = XX
 ldap: basedn = ou=TechSupport,ou=JeffS,o=Jeff
 ldap: filter = (cn=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = (null)
 ldap: password_attribute = nspmPassword
 ldap: access_attr = wirelessAccess
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter =
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped 

Re: Please help with my EAP config - PEAP/MSCHAP

2007-10-23 Thread Alan DeKok
Nyle wrote:
 I'm trying to set up Freeradius on SuSe 9 to authenticate against LDAP on
 the same box. I can use radtest locally and ntradping from a remote
 workstation and receive an accept. So it looks like it's configured well
 enough for the direct LDAP with clients.conf. However, when I try and use a
 Windows XP Pro client with my 3COM AP it returned a reject. I've tried
 searching on what appear to be the errors in the log below but nothing
 seems to stand out. I'm sure it's something simple I missed when following
 the online setup guides that are supposed to walk you through. I've checked
 and re-checked my eap.conf and radiusd.conf.

  There's a lot of this error:  Maybe you want to check that out.



 rlm_ldap: performing search in ou=TechSupport,ou=JeffS,o=Jeff, with filter
 (cn=auser)
 rlm_ldap: checking if remote access for auser is allowed by wirelessAccess
 rlm_ldap: Error reading Universal Password.Return Code = -16049
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...

  And there's no known good password found for the user.


   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for auser with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.

  Tell the server what the user's correct password is.

  Alan DeKok.
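
The failure chain pointed out in the reply above can be pulled out of radiusd -X output mechanically. The following is an added example, not part of the original thread or of FreeRADIUS; the function names and cause labels are made up here, and the "buser" lines are constructed for contrast.

```python
import re

# Lines for "auser" are copied from the debug output quoted in the thread;
# the "buser" lines are constructed in the same format for contrast.
SAMPLE_DEBUG = """\
rlm_ldap: checking if remote access for auser is allowed by wirelessAccess
rlm_ldap: Error reading Universal Password.Return Code = -16049
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for auser with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
rlm_ldap: checking if remote access for buser is allowed by wirelessAccess
rlm_ldap: looking for check items in directory...
  rlm_mschap: Told to do MS-CHAPv2 for buser with NT-Password
"""

# Either line names the user the following module output belongs to.
USER_RE = re.compile(
    r"rlm_ldap: checking if remote access for (\S+) is allowed"
    r"|rlm_mschap: Told to do MS-CHAPv2 for (\S+) with"
)
UP_ERROR_RE = re.compile(
    r"rlm_ldap: Error reading Universal Password\.\s*Return Code = (-?\d+)"
)
FAILED_RE = re.compile(r"rlm_mschap: FAILED: No NT/LM-Password")


def _cause(rec):
    if rec["failed"] and rec["up_error"] is not None:
        return "ldap-password-read-failed"  # directory gave MS-CHAP nothing to use
    if rec["failed"]:
        return "no-known-good-password"     # no module supplied a password
    return "no-mschap-failure-seen"


def diagnose(debug_text):
    """Map each user seen in radiusd -X output to the likely failure cause."""
    users = {}
    current = None
    for line in debug_text.splitlines():
        m = USER_RE.search(line)
        if m:
            current = m.group(1) or m.group(2)
            users.setdefault(current, {"up_error": None, "failed": False})
            continue
        if current is None:
            continue  # module output before any user was named
        rec = users[current]
        m = UP_ERROR_RE.search(line)
        if m:
            rec["up_error"] = int(m.group(1))
        elif FAILED_RE.search(line):
            rec["failed"] = True
    return {u: {"up_error": r["up_error"], "cause": _cause(r)}
            for u, r in users.items()}


if __name__ == "__main__":
    for user, result in diagnose(SAMPLE_DEBUG).items():
        print(user, result)
```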


Re: Please help with my EAP config - PEAP/MSCHAP

2007-10-23 Thread Nyle



Alan DeKok-4 wrote:
 
 Nyle wrote:
 I'm sure it's something simple I missed when following
 the online setup guides that are supposed to walk you through. I've
 checked
 and re-checked my eap.conf and radiusd.conf.
 
   There's a lot of this error:  Maybe you want to check that out.
 
 rlm_ldap: performing search in ou=TechSupport,ou=JeffS,o=Jeff, with
 filter
 (cn=auser)
 rlm_ldap: checking if remote access for auser is allowed by
 wirelessAccess
 rlm_ldap: Error reading Universal Password.Return Code = -16049
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 
   And there's no known good password found for the user.
 
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for auser with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 
   Tell the server what the user's correct password is.
 
   Alan DeKok.
 
 

Thank you, thank you, thank you - You know, after you've looked at a
problem from 6 different directions for too long, often the simplest
solution doesn't come to mind. Your last statement - Tell the server what
the user's correct password is. - took me to the simplest fix. Reset the
user's Novell eDirectory based Universal Password. Once I set the password it
worked, now I can debug why the system that should synchronize those
passwords automatically isn't working right.

I do have another related question but it might need to be a separate post.
However, let me ask it here and see.

The built in Windows XP Pro SP2 wireless will now connect correctly but when
I switch back to the DELL Wireless Utility and use
WPA-ENTERPRISE/PEAP/MSCHAPv2, I don't even see debugging information from
radiusd. It's like it doesn't even receive the request at all. 

As I said, I understand if I don't get a reply but has anyone seen this?

-Nyle


Re: Please help with my EAP config - PEAP/MSCHAP

2007-10-23 Thread Alan DeKok
Nyle wrote:
 Thank you, thank you, thank you - You know, after you've looked at a
 problem from 6 different directions for too long, often the simplest
 solution doesn't come to mind. Your last statement - Tell the server what
 the user's correct password is. - took me to the simplest fix. Reset the
 user's Novell eDirectory based Universal Password. Once I set the password it
 worked, now I can debug why the system that should synchronize those
 passwords automatically isn't working right.

  :)

 I do have another related question but it might need to be a separate post.
 However, let me ask it here and see.
 
 The built in Windows XP Pro SP2 wireless will now connect correctly but when
 I switch back to the DELL Wireless Utility and use
 WPA-ENTERPRISE/PEAP/MSCHAPv2, I don't even see debugging information from
 radiusd. It's like it doesn't even receive the request at all. 

  Well, that would suggest that the machine isn't trying to log in at *all*.

  Alan DeKok.



Accounting is not working. Please help.

2007-03-26 Thread alex
Hey guys, I just followed this guide.
http://www.frontios.com/freeradius.html
and everything looks ok, the users are already working and logging in without 
problem.
But the accounting is not working, the mysql tables are empty, I checked when a 
user accesses and everything looks ok, and the radacct is still empty.

In my radiusd.conf I have
accounting {
detail
radutmp
sql
}
Another guy is checking the AP, but I wanna be sure I have the correct values 
in the server.

Any comment is appreciated.
Alex


Re: Accounting is not working. Please help.

2007-03-26 Thread Kevin Bonner
On Monday 26 March 2007 16:30:35 alex wrote:
 Hey guys, I just followed this guide.
 http://www.frontios.com/freeradius.html
 and everything looks ok, the users are already working and logging in without
 problem. But the accounting is not working, the mysql tables are empty, I
 checked when a user accesses and everything looks ok, and the radacct is still
 empty.

 In my radiusd.conf I have
 accounting {
 detail
 radutmp
 sql
 }
 Another guy is checking the AP, but I wanna be sure I have the correct
 values in the server.

 Any comment is appreciated.
 Alex

Did you run in debug mode (-X)?  If so, did the output show anything strange 
when processing an accounting packet?  Is the NAS configured to send 
accounting records to the radius server?

-Kevin



Re: Accounting is not working. Please help.

2007-03-26 Thread alex
I think everything is ok.

rad_recv: Access-Request packet from host 192.168.1.1:6001, id=91, length=124
User-Name = 00:13:02:a7:57:9f
User-Password = testing123
NAS-IP-Address = 192.168.1.1
Called-Station-Id = 00-20-a6-6b-72-aa:PIM DOCK A
Calling-Station-Id = 00-13-02-a7-57-9f
NAS-Port = 9
NAS-Port-Type = Wireless-802.11
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
  modcall[authorize]: module preprocess returns ok for request 14
  modcall[authorize]: module chap returns noop for request 14
  modcall[authorize]: module mschap returns noop for request 14
rlm_realm: No '@' in User-Name = 00:13:02:a7:57:9f, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 14
radius_xlat:  '00:13:02:a7:57:9f'
rlm_sql (sql): sql_set_user escaped user -- '00:13:02:a7:57:9f'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = '00:13:02:a7:57:9f'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = '00:13:02:a7:57:9f'   ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '00:13:02:a7:57:9f' 
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '00:13:02:a7:57:9f' 
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = '00:13:02:a7:57:9f'   ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = '00:13:02:a7:57:9f'   ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '00:13:02:a7:57:9f' 
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '00:13:02:a7:57:9f' 
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns ok for request 14
modcall: leaving group authorize (returns ok) for request 14
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [00:13:02:a7:57:9f/testing123] (from client other port 9 cli 
00-13-02-a7-57-9f)
Sending Access-Accept of id 91 to 192.168.1.1 port 6001
Finished request 14
Going to the next request



  ---Original Message---
  From: Kevin Bonner [EMAIL PROTECTED]
  Subject: Re: Accounting is not working. Please help.
  Sent: 27 Mar '07 02:08
  
  On Monday 26 March 2007 16:30:35 alex wrote:
   Hey guys, I just followed this guide.
   http://www.frontios.com/freeradius.html
   and everything looks ok, the users are already working and logging in without
   problem. But the accounting is not working, the mysql tables are empty, I
   checked when a user accesses and everything looks ok, and the radacct is still
   empty.
  
   In my radiusd.conf I have
   accounting {
   detail
   radutmp
   sql
   }
   Another guy is checking the AP, but I wanna be sure I have the correct
   values in the server.
  
   Any comment is appreciated.
   Alex
  
  Did you run in debug mode (-X)?  If so, did the output show anything strange
  when processing an accounting packet?  Is the NAS configured to send
  accounting records to the radius server?
  
  -Kevin
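
One way to answer the questions quoted above from a debug capture: tally which packet types each NAS actually sent and what the accounting modules returned. This is an added example, not code from the thread or from FreeRADIUS; the function name is made up here, the 192.168.1.2 lines are constructed, and the Accounting-Request and modcall[accounting] line formats are assumed to mirror the Access-Request and modcall[authorize] lines in the posted output.

```python
import re
from collections import defaultdict

# The first rad_recv line is copied from the debug output posted above. The
# 192.168.1.2 lines are constructed; their format is an assumption modelled
# on the Access-Request and modcall[authorize] lines in that output.
SAMPLE_ACCT_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.1.1:6001, id=91, length=124
  modcall[authorize]: module sql returns ok for request 14
Sending Access-Accept of id 91 to 192.168.1.1 port 6001
rad_recv: Access-Request packet from host 192.168.1.2:6001, id=12, length=124
Sending Access-Accept of id 12 to 192.168.1.2 port 6001
rad_recv: Accounting-Request packet from host 192.168.1.2:6001, id=13, length=98
  modcall[accounting]: module detail returns ok for request 16
  modcall[accounting]: module radutmp returns ok for request 16
  modcall[accounting]: module sql returns fail for request 16
"""

RECV_RE = re.compile(r"rad_recv: (\S+) packet from host ([\d.]+):\d+, id=\d+")
ACCT_MODULE_RE = re.compile(
    r"modcall\[accounting\]: module (\S+) returns (\w+) for request \d+"
)


def accounting_report(debug_text):
    """Summarise accounting traffic and module results in radiusd -X output."""
    packets = defaultdict(lambda: defaultdict(int))  # NAS -> packet type -> count
    module_results = defaultdict(set)                # module -> return codes seen
    for line in debug_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            packets[m.group(2)][m.group(1)] += 1
            continue
        m = ACCT_MODULE_RE.search(line)
        if m:
            module_results[m.group(1)].add(m.group(2))
    # A NAS that authenticates users but never sends Accounting-Request leaves
    # radacct empty no matter what the accounting {} section lists.
    silent = sorted(
        nas for nas, types in packets.items()
        if types.get("Access-Request") and not types.get("Accounting-Request")
    )
    return {
        "packets": {nas: dict(types) for nas, types in packets.items()},
        "no_accounting_from": silent,
        "accounting_modules": {m: sorted(c) for m, c in module_results.items()},
    }


if __name__ == "__main__":
    report = accounting_report(SAMPLE_ACCT_DEBUG)
    print("NAS with logins but no accounting:", report["no_accounting_from"])
    print("accounting module results:", report["accounting_modules"])
```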


freeRadius 1.1.5 compile errors - please help

2007-03-21 Thread MWoody

I am trying to build/compile freeRadius 1.1.5. My Cygwin environment is
1.5.24-2 from www.cygwin.com. freeRadius 1.1.5 from www.freeradius.org. 
I ran configure for freeRadius with the following parameters:  ./configure
-without-snmp -disable-shared -enable-static -without-rlm_perl.

Configure and make output logs are attached to this email.
configure log  http://www.nabble.com/file/7292/config.log config.log 
make log  http://www.nabble.com/file/7293/make.log make.log 


AW: AW: PEAP+MSCHAP+AD (please help)

2006-12-13 Thread Hector.Ortiz
 (SecureW2) seemed to work, but not using PEAP. I 
selected EAP-MSCHAP v2 and both automatic and manual logins worked on my 
computer through SW2. Then I tried it on another computer, and didn't work.
Different accounts and the result is the same.

I haven't tried yet bumping the debugging level in Samba. I was just trying on 
the client side, but unfortunately nothing succeeded :( 

Well, now I have to try things on the server side.

Do you have any more ideas to try?

Héctor




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Mayers
Sent: Monday, 11 December 2006 11:26
To: FreeRadius users mailing list
Subject: Re: AW: PEAP+MSCHAP+AD (please help)

[EMAIL PROTECTED] wrote:
 Hello. No, I haven't edited the debug output. Why would I do this if I 
 have a problem that I want to get solved? The debug output is exactly 
 what I get from FreeRadius.

People do some surprising things on this mailing list...

I saw that you had a domain called DOMAIN, which is not very common, and 
assumed the worst i.e. that you had edited the output.

 
 There have been more people in this list with the same problem, being 
 the latest 
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31032.html.
 Even though he found a solution for his own problem, I followed his 
 howto but unfortunately it didn't work for me.
 
 About the client, when I turn the computer on, I have to type in the 
 user credentials, the same ones that I use when testing FreeRadius.
 Windows sends FreeRadius the same user information in the two cases, 
 but the outcome is completely different and this of course makes no 
 sense.
 
 There is no trick, this is a real problem I have.

I didn't imagine you were trying to trick us.

As far as I can tell, your FreeRadius configuration looks correct. It's able to 
answer at least some MS-CHAP requests, and as you say there's no real 
difference as far as the server is concerned between an automatic or manual 
client login.

This makes me suspect that there *is* a difference between such on the client 
side.

Couple of other things you could try:

netsh ras set tracing * enable

...on the windows client side, then inspect the logs (If memory serves they go 
to %WINDIR%/system32/tracing)

Also - the client is in DOMAIN, the server is also in DOMAIN yes? As in, you're 
not trying to authenticate a trusted domain user?

Finally, I see you've got the ntlm_auth helper set to:

/opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-DOMAIN} 
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

You could try removing the --domain argument completely - though you should not 
need to.

You could obviously also bump the Samba debugging level for a failing login and 
inspect the samba logs.


Re: AW: AW: PEAP+MSCHAP+AD (please help)

2006-12-13 Thread Phil Mayers

[EMAIL PROTECTED] wrote:


on the windows client. I tried first one automatic login and then a
manual one. The CHAP log generated by Windows is as follows:


Hmph. That wasn't as useful as I'd hoped (the PPP logs are much better)



Windows sends both domain and username, but only the manual login
succeeds.

For the manual login, Windows uses DES and MD5 but for the automatic
one uses Local Security Authority, but I don't think this has
something to do with my problem, does it?


Not really - the automatic login calls out to the LSA to get the 
logged-in creds. The manual login does a portion of that locally.




I've also tried other things on the client side:

Cleaned cached user credentials from regedit, just in case, but the
result is the same. I've tried using different computers and the
result is the same. Using a different supplicant (SecureW2) seemed to
work, but not using PEAP. I selected EAP-MSCHAP v2 and both automatic
and manual logins worked on my computer through SW2. Then I tried it
on another computer, and didn't work. Different accounts and the
result is the same.

I haven't tried yet bumping the debugging level in Samba. I was just
trying on the client side, but unfortunately nothing succeeded :(

Well, now I have to try things on the server side.


I doubt there's anything in the Radius server that'll help at this point.

Only two things I can think of:

 1. Does your password have odd (non-ascii) characters in it? That 
should NOT matter for MS-CHAP since it's explicitly unicode aware


 2. Does the domain you are in have particularly tight security policies 
that might be preventing the LSA from successfully completing an MS-CHAP 
but would allow the manual code to work?


Both are extremely unlikely.

Sorry I can't be more help