Re: Get errors with radtest on ip address

2013-09-06 Thread Patricia Julien
/etc/hosts file below:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1       localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.17.9    linux-mail.amber.com    linux-mail

From: Alan Buxey a.l.m.bu...@lboro.ac.uk
To: Patricia Julien pljulie...@yahoo.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, September 5, 2013 5:36 PM
Subject: Re: Get errors with radtest on ip address

No problem with radiusd at this point.  It's not received a single packet.  
You've got a problem with your local network environment on the host.  Care to 
share /etc/hosts?

alan
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Get errors with radtest on ip address

2013-09-05 Thread Alan Buxey
No problem with radiusd at this point.  It's not received a single packet.  
You've got a problem with your local network environment on the host.  Care to 
share /etc/hosts?

alan

Re: Get errors with radtest on ip address

2013-09-05 Thread Alan DeKok
Patricia Julien wrote:
> - I made a change to the users file to add the testing
> Cleartext-Password := password.  My hosts file indicates both lo and
> the ip address for the server.  I can ping the server without issues.
> - After I added the line to the users file, I started radiusd -X
> debug.txt   I then opened another terminal window on the same server
> and performed the - radtest testing password 127.0.0.1 0 testing123.
> - I received an error indicating failed to find ip address for
> linux-mail.amber.net followed by nothing to do.

  radtest looks up the $HOSTNAME to get an IP address, which it puts
into the NAS-IP-Address.  If it says failed to find IP address for
host, it's because the host name doesn't have a corresponding IP address.

> - I looked at clients.conf and change the ip address from 127.0.0.1 to
> my ip address and added hostname.  The results remained the same so I've
> reverted to original config for this.

  You're changing the server configuration.  You need to fix your DNS.

  Alan DeKok.
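The lookup described in the reply above, as an added example (not code from the thread or from FreeRADIUS): a small hosts-file parser that reports whether the name radtest looks up has an address. The sample input is the hosts file posted in this thread, which lists linux-mail.amber.com, and the name from the quoted error, linux-mail.amber.net. The function names are made up for the illustration, and only hosts-file text is consulted, not DNS.

```python
import ipaddress

# Constructed sample: the /etc/hosts content posted in this thread.
HOSTS_TEXT = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.17.9    linux-mail.amber.com    linux-mail
"""


def parse_hosts(text):
    """Return {lowercased name: [ip_address objects]} from hosts-file text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            # Strip an IPv6 zone id (fe80::1%eth0) before parsing.
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                             # malformed address column
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def nas_address(hostname, table, family=4):
    """First address of the given family (4 or 6) for hostname, else None."""
    for addr in table.get(hostname.lower().rstrip("."), []):
        if addr.version == family:
            return str(addr)
    return None


def diagnose(hostname, table, family=4):
    """One-line verdict; on a miss, list entries sharing the short host name."""
    addr = nas_address(hostname, table, family)
    if addr is not None:
        return f"{hostname} -> {addr}"
    short = hostname.split(".", 1)[0].lower()
    near = sorted(n for n in table
                  if n.split(".", 1)[0] == short and n != hostname.lower())
    hint = f" (hosts file has: {', '.join(near)})" if near else ""
    return f"no IPv{family} address for {hostname}{hint}"


if __name__ == "__main__":
    table = parse_hosts(HOSTS_TEXT)
    for name in ("linux-mail.amber.net", "linux-mail.amber.com", "linux-mail"):
        print(diagnose(name, table))
```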


Get errors with radtest on ip address

2013-09-05 Thread Patricia Julien
I've done the following to install and test freeradius on Scientific Linux 
el6_4.  The server is one I use for testing and also has Splunk installed on 
it.  No issues with Splunk and the ip address have been found as I've gotten 
logs from other test equipment into Splunk


- I installed the freeradius-2.1.12-4.el6_3.x86_64 and then the utilities 
freeradius-utils-2.1.12-4.el6_3.x86_64.rpm to get the client (radtest).  

- I made a change to the users file to add the testing Cleartext-Password := 
password.  My hosts file indicates both lo and the ip address for the server. 
 I can ping the server without issues.  

- After I added the line to the users file, I started radiusd -X debug.txt   I 
then opened another terminal window on the same server and performed the - 
radtest testing password 127.0.0.1 0 testing123.  

- I received an error indicating failed to find ip address for 
linux-mail.amber.net followed by nothing to do.  

- I looked at clients.conf and change the ip address from 127.0.0.1 to my ip 
address and added hostname.  The results remained the same so I've reverted to 
original config for this.

Each time I made any changes I restarted radiusd by killing the process and 
restarting.  I could not service radiusd stop or radiusd stop to stop the 
application.  I tried pasting the debug txt into the debug form on the other 
site and received a 405Forbidden when I accepted the policy.


I've put my debug from testing with just the change to the users file below.  
Would appreciate any insight into what could be wrong.

PJ


# Debug text ##


FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct  2 
2012 at 23:16:43
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/eap.conf
including configuration file

Re: 2.x.x and radtest: no IPv6?

2013-07-23 Thread Phil Mayers
a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> My guess is dual-stack NAS-RADIUS is going to be rare.
>
> ummm. take a hold on that assertion.  the joy of dual-stack deployment
> is that you need to ensure your servers are ready on IPv4 and IPv6 -
> and as part of that, you need to ensure that you're using both methods
> in case either your IPv4 goes...or your IPv6 goes.  we use both
> IPv4 and IPv6 on our kit...and our servers are configured for both..as
> are our NAS kit that can do IPv6 for RADIUS (we had some discussion
> about the best fall-over order to use..which in itself is interesting)
>
> my personal view is that network/sys admins who are avoiding IPv6 as much
> as they can are just storing themselves up for a whole lot of pain later
> when it's forced onto them by internet evolution...embrace the IPv6 now
> whilst you can do it in your own time. it's not like you haven't been
> given over 15 years of advance notice ;-)
>
> alan

Sorry, I've been unclear. What I meant was that I strongly suspect nas-radius 
comms will either be v4 or v6 for a given pairing at any one time, for periods 
of minutes or hours. Hence treating the addresses as separately should be fine
-- 
Sent from my phone with, please excuse brevity and typos

Re: 2.x.x and radtest: no IPv6?

2013-07-23 Thread A . L . M . Buxey
Hi,

> Sorry, I've been unclear. What I meant was that I strongly suspect
> nas-radius comms will either be v4 or v6 for a given pairing at any one
> time, for periods of minutes or hours. Hence treating the addresses as
> separately should be fine

hmm, yes, we treat each as a separate entity i'll have to check if cisco even
let you define the same instance to have a v4 and v6 address...its doubtful
but you never know.

alan


2.x.x and radtest: no IPv6?

2013-07-22 Thread Stefan Winter
Hi,

while using radtest, I got some strange results:

# ./radtest swinter testpwd [::1] 123 testing123
radclient: Failed to find IP address for host ::1: Success

# ./radtest swinter testpwd ipv6-localhost 123 testing123
radclient: Failed to find IP address for host ipv6-localhost: Success

ipv6-localhost is in my /etc/hosts. I'd expect both of these to work...
no brackets also doesn't work, but that was just my last straw and
doesn't have to work anyway.

Does radtest not support IPv6? I could have sworn it did IPv6 earlier,
but not totally sure.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread Alan DeKok
Stefan Winter wrote:
> while using radtest, I got some strange results:
>
> # ./radtest swinter testpwd [::1] 123 testing123
> radclient: Failed to find IP address for host ::1: Success

  It defaults to IPv4.

> # ./radtest swinter testpwd ipv6-localhost 123 testing123
> radclient: Failed to find IP address for host ipv6-localhost: Success
>
> ipv6-localhost is in my /etc/hosts. I'd expect both of these to work...
> no brackets also doesn't work, but that was just my last straw and
> doesn't have to work anyway.
>
> Does radtest not support IPv6? I could have sworn it did IPv6 earlier,
> but not totally sure.

  ahem

$ radtest  -h
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
        -d RADIUS_DIR   Set radius directory
        -t type         Set authentication method
                        type can be pap, chap, mschap, or eap-md5
        -x              Enable debug output
        -4              Use IPv4 for the NAS address (default)
        -6              Use IPv6 for the NAS address

  Alan DeKok.


Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread Arran Cudbard-Bell

On 22 Jul 2013, at 13:32, Stefan Winter stefan.win...@restena.lu wrote:

> Hi,
>
>>> Does radtest not support IPv6? I could have sworn it did IPv6 earlier,
>>> but not totally sure.
>>
>>   ahem
>>
>> -4  Use IPv4 for the NAS address (default)
>> -6  Use IPv6 for the NAS address
>
> Uh. Sorry.
>
> Still... maybe for a later version... if the input looks like an IP
> address, guessing the address family isn't all that hard.
>
> I see that such a -4 -6 option is required for hostnames, but even then
> only if they return addresses for both families.
>
> ipv6-localhost only returns ::1. And ::1 successfully parses neither as
> an IPv4, nor a hostname, but as an IPv6 address. Both are unambiguous
> and could be auto-detected.
>
> That would add a little user-friendliness for users who didn't have
> enough sleep :-)

I've mentally scheduled a pass through modules in master to fix any places 
where it's IPv4 only, so i'll be sure to add that.

It'd be nice to get some feedback from people though... do you think you'll 
ever need to record both your NAS IPv4 and IPv6 addresses?

I'm guessing for dual stacking it'd be nice to record Framed-IP-Address and 
Framed-IPv6-Prefix, should they both be used to identify clients in areas like 
session management? It seems like the safest way of doing it to me.

But would it break things?
What if the NAS started just using the SRC IPv6 address in packets, and source 
IP protection was enabled?
Does this happen in the real world?

I don't have any experience managing an IPv6 enabled network.  Does anyone 
else? Or is it all too new?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread Stefan Winter
Hi,

>> Does radtest not support IPv6? I could have sworn it did IPv6 earlier,
>> but not totally sure.
>
>   ahem
>
> -4  Use IPv4 for the NAS address (default)
> -6  Use IPv6 for the NAS address

Uh. Sorry.

Still... maybe for a later version... if the input looks like an IP
address, guessing the address family isn't all that hard.

I see that such a -4 -6 option is required for hostnames, but even then
only if they return addresses for both families.

ipv6-localhost only returns ::1. And ::1 successfully parses neither as
an IPv4, nor a hostname, but as an IPv6 address. Both are unambiguous
and could be auto-detected.

That would add a little user-friendliness for users who didn't have
enough sleep :-)

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



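The auto-detection proposed in the message above, sketched as an added example (not radtest's code, which per the usage text quoted in this thread takes -4 or -6): an IP literal decides the family by itself, and a host name needs an explicit choice only when it has addresses in both families. The function names are made up, and the lookup table is constructed from the hosts file quoted elsewhere in this thread to stand in for the resolver.

```python
import ipaddress

# Constructed lookup table standing in for the resolver: name -> addresses.
# Entries mirror the /etc/hosts file quoted in this thread.
LOOKUP = {
    "localhost": ["127.0.0.1", "::1"],
    "ipv6-localhost": ["::1"],
    "radius.mydomain.com": ["10.58.5.58"],
}


def split_server(arg):
    """Split a radius-server[:port] argument into (host, port or None)."""
    if arg.startswith("["):                      # [v6-literal] or [v6-literal]:port
        host, sep, rest = arg[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address: {arg!r}")
        return host, (rest[1:] or None)
    if arg.count(":") == 1:                      # name:port or v4-literal:port
        host, port = arg.split(":")
        return host, (port or None)
    return arg, None                             # bare name, v4 or unbracketed v6


def address_family(arg, lookup=LOOKUP):
    """Return 4 or 6 for the server argument; raise if it cannot be decided."""
    host, _port = split_server(arg)
    try:
        return ipaddress.ip_address(host).version    # literal: unambiguous
    except ValueError:
        pass                                         # not a literal, so a name
    families = {ipaddress.ip_address(a).version
                for a in lookup.get(host.lower(), [])}
    if not families:
        raise LookupError(f"no address for host {host}")
    if len(families) == 2:
        # Only here is an explicit -4 / -6 really needed.
        raise LookupError(f"{host} has IPv4 and IPv6 addresses; pass -4 or -6")
    return families.pop()


if __name__ == "__main__":
    for arg in ("[::1]", "::1", "127.0.0.1:1812", "ipv6-localhost", "localhost"):
        try:
            print(arg, "-> IPv%d" % address_family(arg))
        except LookupError as exc:
            print(arg, "->", exc)
```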

Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread Phil Mayers

On 22/07/13 13:47, Arran Cudbard-Bell wrote:

> It'd be nice to get some feedback from people though... do you think
> you'll ever need to record both your NAS IPv4 and IPv6 addresses?
>
> I'm guessing for dual stacking it'd be nice to record
> Framed-IP-Address and Framed-IPv6-Prefix, should they both be used to
> identify clients in areas like session management? It seems like the
> safest way of doing it to me.

Yes. It's important to record them separately, and useful for the 
reasons you suggest.

> But would it break things? What if the NAS started just using the SRC
> IPv6 address in packets, and source IP protection was enabled? Does
> this happen in the real world?

Not sure I follow here; can you expand on this?

> I don't have any experience managing an IPv6 enabled network.  Does
> anyone else? Or is it all too new?

It's complicated.

I've replied to your email on -devel.


Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread Arran Cudbard-Bell

On 22 Jul 2013, at 14:15, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 22/07/13 13:47, Arran Cudbard-Bell wrote:
>
>> It'd be nice to get some feedback from people though... do you think
>> you'll ever need to record both your NAS IPv4 and IPv6 addresses?
>>
>> I'm guessing for dual stacking it'd be nice to record
>> Framed-IP-Address and Framed-IPv6-Prefix, should they both be used to
>> identify clients in areas like session management? It seems like the
>> safest way of doing it to me.
>
> Yes. It's important to record them separately, and useful for the reasons you
> suggest.

For the NAS too? Or would it be OK to have a single attribute?

>> But would it break things? What if the NAS started just using the SRC
>> IPv6 address in packets, and source IP protection was enabled? Does
>> this happen in the real world?
>
> Not sure I follow here; can you expand on this?

Envisaging use in session identification. If the NAS was dumb, and was just 
looking at packets coming from one of its directly connected devices, and 
pulling off the SRC IP address and using it to enrich Accounting-Requests, you 
may have that IP change during the course of a session.

I doubt any NAS vendors are quite that stupid, but just wanted confirmation.

>> I don't have any experience managing an IPv6 enabled network.  Does
>> anyone else? Or is it all too new?
>
> It's complicated.
>
> I've replied to your email on -devel.

OK. Thanks.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread Alan DeKok
Stefan Winter wrote:
> Still... maybe for a later version... if the input looks like an IP
> address, guessing the address family isn't all that hard.

  Yeah patches?  :)

> I see that such a -4 -6 option is required for hostnames, but even then
> only if they return addresses for both families.
>
> ipv6-localhost only returns ::1. And ::1 successfully parses neither as
> an IPv4, nor a hostname, but as an IPv6 address. Both are unambiguous
> and could be auto-detected.

  Sure.

> That would add a little user-friendliness for users who didn't have
> enough sleep :-)

  Yes.

  Alan DeKok.


Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread Phil Mayers

On 22/07/13 14:32, Arran Cudbard-Bell wrote:

> On 22 Jul 2013, at 14:15, Phil Mayers p.may...@imperial.ac.uk
> wrote:
>
>> On 22/07/13 13:47, Arran Cudbard-Bell wrote:
>>
>>> It'd be nice to get some feedback from people though... do you
>>> think you'll ever need to record both your NAS IPv4 and IPv6
>>> addresses?
>>>
>>> I'm guessing for dual stacking it'd be nice to record
>>> Framed-IP-Address and Framed-IPv6-Prefix, should they both be
>>> used to identify clients in areas like session management? It
>>> seems like the safest way of doing it to me.
>>
>> Yes. It's important to record them separately, and useful for the
>> reasons you suggest.
>
> For the NAS too? Or would it be OK to have a single attribute?.

Good question. Not sure on that one - I think most NASes treat an IPv4 
and IPv6 RADIUS server as a separate server, so I guess treating it as a 
separate client is no big problem. OTOH two columns == less rows for 
dual-stack NAS.

My guess is dual-stack NAS-RADIUS is going to be rare.

>>> But would it break things? What if the NAS started just using the
>>> SRC IPv6 address in packets, and source IP protection was
>>> enabled? Does this happen in the real world?
>>
>> Not sure I follow here; can you expand on this?
>
> Envisaging use in session identification. If the NAS was dumb, and
> was just looking at packets coming from one of its directly
> connected devices, and pulling off the SRC IP address and using it to
> enrich Accounting-Requests, you may have that IP change during the

Ah, gotcha.

> course of a session.

Some NASes already do something similar with Framed-IP-Address only 
being present in some acct packets. We handle this with:

update radacct set
 ...
 framedipaddress=coalesce(nullif('%{..}', ''), framedipaddress)
 ...

...which is basically use the IP from the packet if set, or on the 
existing row if unset

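How the coalesce(nullif(...)) update in the message above behaves over one session, as an added example run against an in-memory SQLite table (not FreeRADIUS's shipped queries). The two-column table, session id and addresses are constructed, and an empty string stands in for the expansion of an attribute missing from the packet, which is an assumption about the elided '%{..}'.

```python
import sqlite3

# Plain overwrite: whatever the packet expands to lands in the column.
NAIVE = "UPDATE radacct SET framedipaddress = ? WHERE acctuniqueid = ?"

# Form quoted in the thread: an empty expansion becomes NULL via nullif(),
# and coalesce() then falls back to the value already stored in the row.
KEEP = ("UPDATE radacct SET framedipaddress = "
        "coalesce(nullif(?, ''), framedipaddress) WHERE acctuniqueid = ?")

# Constructed accounting stream for one session: (packet type, value the
# Framed-IP-Address expansion yields; '' means the attribute was absent).
PACKETS = [
    ("Start", "10.0.0.7"),
    ("Interim-Update", ""),          # NAS left the attribute out
    ("Interim-Update", "10.0.0.9"),  # address changed during the session
    ("Stop", ""),                    # left out again
]


def replay(update_sql, packets=PACKETS, session="sess-1"):
    """Apply each packet with update_sql; return the stored value after each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct ("
               "acctuniqueid TEXT PRIMARY KEY, framedipaddress TEXT)")
    db.execute("INSERT INTO radacct VALUES (?, NULL)", (session,))
    history = []
    for _ptype, framed_ip in packets:
        # Bound parameters are used here; the server expands values into
        # the query text instead, which does not change the SQL semantics.
        db.execute(update_sql, (framed_ip, session))
        row = db.execute(
            "SELECT framedipaddress FROM radacct WHERE acctuniqueid = ?",
            (session,)).fetchone()
        history.append(row[0])
    db.close()
    return history


if __name__ == "__main__":
    print("naive:", replay(NAIVE))
    print("keep: ", replay(KEEP))
```

With the plain overwrite the address is blanked by every packet that omits it; with the quoted form the row keeps the last address seen and still follows a mid-session change.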


Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread A . L . M . Buxey
Hi,

>> Still... maybe for a later version... if the input looks like an IP
>> address, guessing the address family isn't all that hard.

unlike your using IPv4 in its IPv6 incantation

> What if the NAS started just using the SRC IPv6 address in packets, and
> source IP protection was enabled?

well, then things might be interesting. if the NAS was configured to talk
to an IPv6 RADIUS server then I'd expect it to be using its IPv6 source
address and if you have DAI/etc on the network then that would have
to be factored in

> I don't have any experience managing an IPv6 enabled network.  Does anyone
> else? Or is it all too new?

new?  it's been around for more than the lifetime of some people on this
list! ;-)  you'll probably have noticed that any stuff from us here has
the fallback if IPv6 isn't present - so the usual Framed-Address/NAS-IP-Address
assumptions all have to be checked in the server/config - I first started noting
these issues when we configured remote systems to talk to our IPv6 addresses -
finding top-level entries in /var/log/radiusd/ because the IPv4 stuff
was missing  oh yes, warning needed to ensure that the filesystem
you use likes : in filenames!  ;-)

alan


Re: 2.x.x and radtest: no IPv6?

2013-07-22 Thread A . L . M . Buxey
Hi,

> My guess is dual-stack NAS-RADIUS is going to be rare.

ummm. take a hold on that assertion.  the joy of dual-stack deployment
is that you need to ensure your servers are ready on IPv4 and IPv6 - 
and as part of that, you need to ensure that you're using both methods
in case either your IPv4 goes...or your IPv6 goes.  we use both
IPv4 and IPv6 on our kit...and our servers are configured for both..as
are our NAS kit that can do IPv6 for RADIUS (we had some discussion
about the best fall-over order to use..which in itself is interesting)

my personal view is that network/sys admins who are avoiding IPv6 as much
as they can are just storing themselves up for a whole lot of pain later
when it's forced onto them by internet evolution...embrace the IPv6 now
whilst you can do it in your own time. it's not like you haven't been
given over 15 years of advance notice ;-)

alan


Re: [Help] radtest mschap problem

2013-04-27 Thread Andres
Thank you all for your replies,

I used SLES 11 freeradius standard package and it was too old,
and it was my mistake and took a few days off my life.
Hopefully someone else does not make the same mistake

Andres

2013/4/27 Alan DeKok al...@deployingradius.com

> Andres wrote:
>> FreeRADIUS  server Version: 2.1.1-7.16.1
>> also installed freeradius-server-libs and utils
>
>   Why?  That version is SEVEN YEARS old.
>
>   Upgrade.  Really.
>
>   And you're using a version of radclient which doesn't support mschap.
> So... why are you trying to use mschap?
>
>   We presume that you're running a recent version of the server.  Also,
> that you read the documentation which comes with the server.  If
> radtest -h doesn't say it supports the -t parameter, then it doesn't
> support the -t parameter.
>
>   Alan DeKok.

Re: [Help] radtest mschap problem

2013-04-27 Thread Fajar A. Nugraha
On Sun, Apr 28, 2013 at 1:31 AM, Andres arvutihool...@gmail.com wrote:
> Thank you all for your replies,
>
> I used SLES 11 freeradius standard package and it was too old,
> and it was my mistake and took a few days off my life.
> Hopefully someone else does not make the same mistake

If all you need is mschap test function, IIRC 2.1.12 also has it, and
there are packages for SLE 11:
http://download.opensuse.org/repositories/network:/aaa/SLE_11/x86_64/

It will be even better if you can use 2.2.0. Search the list archive,
IIRC you must manually delete references to sqlite3 in spec file to
get it to build on SLE11.

-- 
Fajar


Re: [Help] radtest mschap problem

2013-04-26 Thread Chitrang Srivastava
Most likely your host file didn't have entry of your domain name,
dump your hostname and /etc/hosts file here and then we can comment better

On Thu, Apr 25, 2013 at 10:52 PM, Andres arvutihool...@gmail.com wrote:

> Hello All,
>
> I'm trying to test mschap with radtest but it gives me strange error
> message.
> I've tried to solve it several days, but had no success.
>
> I'm using syntax like that:
>
> $ radtest -t mschap user password 127.0.0.1 0 secret
>
> radclient : Failed to find IP address for host user: Success
>
>
> radclient: $Id$ built on Jan 22 2013 at 23:55:37
> FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22
> 2013
>
> host file looks fine
>
> I would appreciate it if someone can help me,
>
> Andres

Re: [Help] radtest mschap problem

2013-04-26 Thread Andres
this way looks my hosts file:

# IP-Address  Full-Qualified-Hostname  Short-Hostname
#

127.0.0.1   localhost

# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback

fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
10.58.5.58  radius.mydomain.com radius

Andres




Re: [Help] radtest mschap problem

2013-04-26 Thread Alan DeKok
Andres wrote:
> this way looks my hosts file:

  Well... something is wrong with DNS on your system.

  The only advantage to using radtest is that it's simpler than
radclient.  But it's just a wrapper around radclient.  You can edit
radtest to remove the DNS lookups, or write your own wrapper which
doesn't do DNS lookups.

  Alan DeKok.


Re: [Help] radtest mschap problem

2013-04-26 Thread Chitrang Srivastava
whats the hostname of ur system ?


Re: [Help] radtest mschap problem

2013-04-26 Thread Andres
host name is radius
ip 10.58.5.58
Full Domain  host name:  radius.mydomain.com  radius

..
resolv.conf

search mydomain.com
nameserver 10.58.5.39
nameserver 10.58.5.45



/etc/hosts

127.0.0.1   localhost

# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback

fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
10.58.5.58  radius.dpd.ee radius



radius:/etc # ping mydomain.com
PING mydomain.com (10.58.5.39) 56(84) bytes of data.
64 bytes from fs.mydomain.com (10.58.5.39): icmp_seq=1 ttl=128 time=0.301 ms
64 bytes from fs.mydomain.com (10.58.5.39): icmp_seq=2 ttl=128 time=0.414 ms


radius:/etc # ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.039 ms

radius:/etc # ping6  localhost
PING localhost(localhost) 56 data bytes
64 bytes from localhost: icmp_seq=1 ttl=64 time=0.080 ms
64 bytes from localhost: icmp_seq=2 ttl=64 time=0.054 ms

.

radius:/etc # radtest -t mschap testing passme 127.0.0.1 0 testing123456
radclient: Failed to find IP address for host testing: Success

.
radius:/etc # radtest testing passme 127.0.0.1 0 testing123456
Sending Access-Request of id 177 to 127.0.0.1 port 1812
User-Name = testing
User-Password = passme
NAS-IP-Address = 10.58.5.58
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=177, length=20


Yast2 network settings  Hostname/DNS


Network Settings (Global Options / Overview / Hostname/DNS / Routing)

Hostname and Domain Name
  Hostname:     radius
  Domain Name:  mydomain.com
  [x] Change Hostname via DHCP    No interface with dhcp
  [ ] Assign Hostname to Loopback IP
Modify DNS configuration: Use Default Policy
Custom Policy Rule: (empty)
Name Servers and Domain Search List
  Name Server 1:  10.58.5.45
  Name Server 2:  10.58.5.39
  Name Server 3:  (empty)
  Domain Search:  mydomain.com

I cannot figure out what is the cause of it, that radtest -t mschap doesn't
work.
Is it related to DNS or IPv6?  Did I do something wrong...

I'm using (as Windows 2008 domain member):
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 2

FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22
2013 at 23:55:29



I'd be very grateful if someone would care to assist me with this problem

Andres















2013/4/26 Chitrang Srivastava chitrang.srivast...@gmail.com

 whats the hostname of ur system ?


 On Fri, Apr 26, 2013 at 6:30 PM, Andres arvutihool...@gmail.com wrote:

 this way looks my hosts file:

 # IP-Address  Full-Qualified-Hostname  Short-Hostname
 #

 127.0.0.1   localhost

 # special IPv6 addresses
 ::1 localhost ipv6-localhost ipv6-loopback

 fe00::0 ipv6-localnet

 ff00::0 ipv6-mcastprefix
 ff02::1 ipv6-allnodes
 ff02::2 ipv6-allrouters
 ff02::3 ipv6-allhosts
 10.58.5.58  radius.mydomain.com radius

 Andres



 2013/4/26 Chitrang Srivastava chitrang.srivast...@gmail.com

 Most likely your host file didnt have entry of your domain name,
 dump your hostname and /etc/hosts file here and then we can comment
 better

 On Thu, Apr 25, 2013 at 10:52 PM, Andres arvutihool...@gmail.comwrote:

 Hello All,

 I'm trying to test mschap with radtest but it gives me a strange error
 message.
 I've tried to solve it for several days, but had no success.

 I'm using syntax like that:

 $ radtest -t mschap user password 127.0.0.1 0 secret

 radclient : Failed to find IP address for host user: Success


 radclient: $Id$ built on Jan 22 2013 at 23:55:37
 FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan
 22 2013

 host file looks fine

 I would appreciate it if someone can help me,

 Andres








Re: [Help] radtest mschap problem

2013-04-26 Thread A . L . M . Buxey
Hi,

what version of FreeRADIUS? are you sure you aren't running old copies of 
radclient/radtest

ie you THINK you can do -t mschap but the wrapper or binary doesn't


radclient -v   ?

which radtest
then cat the resulting file.


alan


Re: [Help] radtest mschap problem

2013-04-26 Thread A . L . M . Buxey
Hi,

FreeRADIUS  server Version: 2.1.1-7.16.1 
also installed freeradius-server-libs and utils
FreeRADIUS server and libs and utils was installed via Yast.
radius:/etc # radclient -v
radclient: $Id$ built on Jan 22 2013 at 23:55:37
#
# Version:  $Id$
#
prefix=/usr
exec_prefix=/usr
bindir=/usr/bin
usage() {
echo "Usage: radtest user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]" >&2

yes. that's your problem. OLD

the current one says this:

usage() {
echo "Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]" >&2
echo "-d RADIUS_DIR   Set radius directory" >&2
echo "-t type   Set authentication method" >&2
echo "type can be pap, chap, mschap, or eap-md5" >&2
echo "-x  Enable debug output" >&2

etc etc etc


note, the tool has OPTIONS. yours doesn't. and because yours doesn't, it thinks
-t is the username and mschap is the password and therefore testing 
is the hostname
and you have no such host!

alan


Re: [Help] radtest mschap problem

2013-04-26 Thread Alan DeKok
Andres wrote:
 FreeRADIUS  server Version: 2.1.1-7.16.1 
 also installed freeradius-server-libs and utils

  Why?  That version is SEVEN YEARS old.

  Upgrade.  Really.

  And you're using a version of radclient which doesn't support mschap.
 So... why are you trying to use mschap?

  We presume that you're running a recent version of the server.  Also,
that you read the documentation which comes with the server.  If
radtest -h doesn't say it supports the -t parameter, then it doesn't
support the -t parameter.

  Alan DeKok.
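
The argument mix-up described in the two replies above, as an added example that is not part of the original posts and is not the FreeRADIUS radtest script: a positional-only wrapper takes -t as the user name, while an option-aware wrapper consumes it first. The helper names and the pap default are assumptions of this model; the usage strings are the ones quoted in the thread.

```shell
#!/bin/sh
# Added illustration: a model of the two radtest argument styles discussed in
# this thread. NOT the FreeRADIUS radtest script; parse_positional,
# parse_with_options and usage_supports_t are hypothetical helper names.

# Usage strings as quoted in the thread (old 2.1.1 wrapper vs. current one).
OLD_USAGE='Usage: radtest user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]'
NEW_USAGE='Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
  -d RADIUS_DIR   Set radius directory
  -t type         Set authentication method
  -x              Enable debug output'

# Old style: every word is positional, so a leading "-t" becomes the user.
parse_positional() {
    printf 'user=%s passwd=%s server=%s\n' "$1" "$2" "$3"
}

# Option-aware style: -d/-t/-x are consumed before the positionals are read.
parse_with_options() {
    auth_type=pap            # assumed default for this model
    OPTIND=1
    while getopts 'd:t:x' opt; do
        case $opt in
            t) auth_type=$OPTARG ;;
            d|x) : ;;        # accepted, irrelevant to the mapping shown here
            *) return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    printf 'type=%s user=%s passwd=%s server=%s\n' "$auth_type" "$1" "$2" "$3"
}

# Pre-flight check: does a wrapper's usage text advertise -t at all?
usage_supports_t() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])-t([[:space:]]|$)'
}

# Same command line, two interpretations.
parse_positional   -t mschap user password 127.0.0.1 0 secret
parse_with_options -t mschap user password 127.0.0.1 0 secret

if usage_supports_t "$OLD_USAGE"; then
    echo "old wrapper: -t supported"
else
    echo "old wrapper: -t NOT supported, do not pass it"
fi
```

In the positional reading the server field ends up as the literal word "user", which matches the "Failed to find IP address for host user" error in the original report.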


[Help] radtest mschap problem

2013-04-25 Thread Andres
Hello All,

I'm trying to test mschap with radtest but it gives me a strange error
message.
I've tried to solve it for several days, but had no success.

I'm using syntax like that:

$ radtest -t mschap user password 127.0.0.1 0 secret

radclient : Failed to find IP address for host user: Success


radclient: $Id$ built on Jan 22 2013 at 23:55:37
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Jan 22
2013

host file looks fine

I would appreciate it if someone can help me,

Andres

radtest failed; IP not found

2013-03-12 Thread Staffan Meijer
Hi,

I am using
FreeRadius Version 2.1.12 on OpenSuse 12.2.

I have looked at several postings about the same type of problem without
finding the answer to my failure.
Problem described below.

First use of radiusd -X resulted in /var/run/radiusd not found.

Created : mkdir /var/run/radiusd
Now radiusd -X seems to work; see attachment radiusd.txt for the output.

First line in /etc/raddb/users is: testing Cleartext-Password :=
password

Using radtest failed:

linux-vdis:/etc/raddb # radtest testing password localhost 0 testing123
radclient:: Failed to find IP address for linux-vdis.site
radclient: Nothing to send.

Pinging localhost works:

linux-vdis:/etc/raddb # ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.065 ms


Is the missing /var/run/radiusd an indication that the installation is
incorrect?
FreeRadius was installed using Yast2 software manager.

/Staffan
FreeRADIUS Version 2.1.12, for host i586-suse-linux-gnu, built on Jan  9 2013 
at 12:21

Re: radtest failed; IP not found

2013-03-12 Thread Olivier Beytrison
On 12.03.2013 17:05, Staffan Meijer wrote:
 Listening on authentication interface eth0 address * port 1812
 Listening on accounting address * port 1813
 Listening on command file /var/run/radiusd/radiusd.sock
 Listening on authentication address 127.0.0.1 port 18120 as server 
 inner-tunnel
 Listening on proxy address * port 1814

freeradius is listening on eth0 port 1812, not on all interfaces. so
sending packets to localhost won't work.

netstat -puln | grep radius will show exactly where freeradius is
listening if really.

Fix your listen section and it should work

Olivier

-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: radtest failed; IP not found

2013-03-12 Thread Staffan Meijer
I uncommented the eth0 line in the configuration file when radtest did not
work with the original.

Using the original configuration file I get;
Listening on authentication address * port 1812

and

linux-vdis:/etc/raddb # radtest testing password localhost 0 testing123
radclient:: Failed to find IP address for linux-vdis.site
radclient: Nothing to send.

/Staffan





 --

  Olivier Beytrison
  Network  Security Engineer, HES-SO Fribourg
  Mail: oliv...@heliosnet.org

Re: radtest failed; IP not found

2013-03-12 Thread Fred MAISON
On Tuesday 12 March 2013 at 18:08 +0100, Staffan Meijer wrote:
 I uncommented the eth0 line in the configuration file when radtest did
 not work with the original.
 
 Using the original configuration file I get;
 Listening on authentication address * port 1812
 
 
 and 
 
 
 linux-vdis:/etc/raddb # radtest testing password localhost 0
 testing123
 radclient:: Failed to find IP address for linux-vdis.site

That's a DNS issue, not a Freeradius issue.

 radclient: Nothing to send.
 
 
 
 /Staffan
 
 
 
 
 --
 
  Olivier Beytrison
  Network  Security Engineer, HES-SO Fribourg
  Mail: oliv...@heliosnet.org

Re: radtest failed; IP not found

2013-03-12 Thread Olivier Beytrison
On 12.03.2013 18:08, Staffan Meijer wrote:
 I uncommented the eth0 line in the configuration file when radtest did
 not work with the original.
 
 Using the original configuration file I get;
 Listening on authentication address * port 1812
 
 and 
 
 linux-vdis:/etc/raddb # radtest testing password localhost 0 testing123
 radclient:: Failed to find IP address for linux-vdis.site
 radclient: Nothing to send.

your server's name resolution configuration is somewhere wrong.
if you replace localhost by 127.0.0.1 it should work.

fix your /etc/host, but this is beyond the scope of this list.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: radtest failed; IP not found

2013-03-12 Thread Staffan Meijer
Thanks!

Added line to /etc/hosts:
192.168.1.106 linux-vdis.site linux-vdis
and then radtest works.

/Staffan
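
The failure and the fix from this thread, as an added example that is not part of the original posts: radtest needs an address for the machine's own host name, so the check below looks the name up in a hosts-format file before and after the line Staffan added. It models only the /etc/hosts source (no DNS, no nsswitch ordering); the helper names and the "before" file are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration: models only the "files" (/etc/hosts) source of name
# resolution. hosts_lookup and nas_ip_preflight are hypothetical helper
# names, not FreeRADIUS tools.

# Print the first address in hosts-format file $2 that lists name $1.
hosts_lookup() {
    awk -v want="$1" '
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # blank or address-only line
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { print $1; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$2"
}

# Report what a client would be able to put into NAS-IP-Address for name $1.
nas_ip_preflight() {
    if ip=$(hosts_lookup "$1" "$2"); then
        echo "NAS-IP-Address = $ip"
    else
        echo "Failed to find IP address for $1"
        return 1
    fi
}

# Constructed sample: a hosts file with loopback entries only.
sample_hosts_before() {
cat <<'EOF'
# constructed sample
127.0.0.1   localhost
::1         localhost ipv6-localhost ipv6-loopback
EOF
}

# Same file plus the line added in the thread.
sample_hosts_after() {
    sample_hosts_before
    echo '192.168.1.106 linux-vdis.site linux-vdis   # added line'
}

tmp=$(mktemp)
sample_hosts_before >"$tmp"
nas_ip_preflight linux-vdis.site "$tmp" || true   # host name has no entry yet
sample_hosts_after >"$tmp"
nas_ip_preflight linux-vdis.site "$tmp"           # resolves after the fix
rm -f "$tmp"
```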

Re: Server exits without warning on radtest?

2013-02-22 Thread Alan DeKok
Adrien Morvan wrote:
 So i ran it with gdb.
 There is a seg fault but i don't understand what is happening.

  That's OK.  What is *not* OK is refusing to follow the instructions in
doc/bugs.  We need that information to help solve the problem.

  By refusing to follow the documentation, you're refusing to let us
help you.

  Follow the documentation, or stop asking questions.

  Alan DeKok.


ntlm_auth works but not radtest

2012-03-05 Thread Scott McLane Gardner
I'm attempting to follow the guide at http://deployingradius.com/ Things
were going very well until I tried to set up Active Directory
authentication. Testing with ntlm_auth, I get a success:

$ ntlm_auth --request-nt-key --domain=MYDOMAIN --username=myuname
--password=mypass
NT_STATUS_OK: Success (0x0)


But when I test with radtest it fails. I'm not sure I understand all of
the debug output, but I think maybe it has to do with it thinking the realm
is NULL. I have set it up in both smb.conf and krb5.conf as well as in the
mschap module of freeradius. I am using freeradius version 2.1.10 on
Ubuntu 11.10. Here's the output from the command line as well as the debug
output:

$ radtest -t mschap myuname mypass localhost 0 testing123
Sending Access-Request of id 99 to 127.0.0.1 port 1812
User-Name = myuname
NAS-IP-Address = mynasip
NAS-Port = 0
MS-CHAP-Challenge = 0xb89b59d41385c67c
MS-CHAP-Response =
0x00013edd0cff110926a15d402
f5204078f2d78d908e773c3a9c6
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=99,
length=20







rad_recv: Access-Request packet from host 127.0.0.1 port 42379, id=209,
length=115
User-Name = myuname
NAS-IP-Address = mynasip
NAS-Port = 0
MS-CHAP-Challenge = 0x09d5dfb63fba5357
MS-CHAP-Response =
0x00010704b6897326b27adb243
658c300fcd922f008014ee7e25b
Mon Mar  5 14:45:54 2012 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Mon Mar  5 14:45:54 2012 : Info: +- entering group authorize {...}
Mon Mar  5 14:45:54 2012 : Info: ++[preprocess] returns ok
Mon Mar  5 14:45:54 2012 : Info: ++[chap] returns noop
Mon Mar  5 14:45:54 2012 : Info: [mschap] Found MS-CHAP attributes.
Setting 'Auth-Type  = mschap'
Mon Mar  5 14:45:54 2012 : Info: ++[mschap] returns ok
Mon Mar  5 14:45:54 2012 : Info: ++[digest] returns noop
Mon Mar  5 14:45:54 2012 : Info: [suffix] No '@' in User-Name = myuname,
looking up realm NULL
Mon Mar  5 14:45:54 2012 : Info: [suffix] No such realm NULL
Mon Mar  5 14:45:54 2012 : Info: ++[suffix] returns noop
Mon Mar  5 14:45:54 2012 : Info: [eap] No EAP-Message, not doing EAP
Mon Mar  5 14:45:54 2012 : Info: ++[eap] returns noop
Mon Mar  5 14:45:54 2012 : Info: ++[files] returns noop
Mon Mar  5 14:45:54 2012 : Info: ++[expiration] returns noop
Mon Mar  5 14:45:54 2012 : Info: ++[logintime] returns noop
Mon Mar  5 14:45:54 2012 : Info: [pap] WARNING! No known good password
found for the user.  Authentication may fail because of this.
Mon Mar  5 14:45:54 2012 : Info: ++[pap] returns noop
Mon Mar  5 14:45:54 2012 : Info: Found Auth-Type = MSCHAP
Mon Mar  5 14:45:54 2012 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Mon Mar  5 14:45:54 2012 : Info: +- entering group MS-CHAP {...}
Mon Mar  5 14:45:54 2012 : Info: [mschap] Told to do MS-CHAPv1 with
NT-Password
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand: %{Stripped-User-Name}
- 
Mon Mar  5 14:45:54 2012 : Info: [mschap]   ... expanding second conditional
Mon Mar  5 14:45:54 2012 : Info: [mschap] WARNING: Deprecated conditional
expansion :-.  See man unlang for details
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand: %{User-Name:-None} -
myuname
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -
--username=myuname
Mon Mar  5 14:45:54 2012 : Info: [mschap] No NT-Domain was found in the
User-Name.
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand: %{mschap:NT-DOMAIN} -
Mon Mar  5 14:45:54 2012 : Info: [mschap]   ... expanding second conditional
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand:
--domain=%{%{mschap:NT-DOMAIN}:-MYDOMAIN} - --domain=MYDOMAIN
Mon Mar  5 14:45:54 2012 : Info: [mschap]  mschap1: 09
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand:
--challenge=%{mschap:Challenge:-00} - --challenge=09d5dfb63fba5357
Mon Mar  5 14:45:54 2012 : Info: [mschap]   expand:
--nt-response=%{mschap:NT-Response:-00} -
--nt-response=0704b6897326b27adb243658c300fcd922f008014ee7e25b
Mon Mar  5 14:45:55 2012 : Debug: Exec-Program output: winbind client not
authorized to use winbindd_pam_auth_crap. Ensure permissions on
/var/run/samba/winbindd_privileged are set correctly. (0xc022)
Mon Mar  5 14:45:55 2012 : Debug: Exec-Program-Wait: plaintext: winbind
client not authorized to use winbindd_pam_auth_crap. Ensure permissions on
/var/run/samba/winbindd_privileged are set correctly. (0xc022)
Mon Mar  5 14:45:55 2012 : Debug: Exec-Program: returned: 1
Mon Mar  5 14:45:55 2012 : Info: [mschap] External script failed.
Mon Mar  5 14:45:55 2012 : Info: [mschap] MS-CHAP-Response is incorrect.
Mon Mar  5 14:45:55 2012 : Info: ++[mschap] returns reject
Mon Mar  5 14:45:55 2012 : Info: Failed to authenticate the user.
Mon Mar  5 14:45:55 2012 : Info: Using Post-Auth-Type Reject
Mon Mar  5

Re: ntlm_auth works but not radtest

2012-03-05 Thread Phil Mayers


Mon Mar  5 14:45:55 2012 : Debug: Exec-Program-Wait: plaintext: winbind
client not authorized to use winbindd_pam_auth_crap. Ensure permissions
on
/var/run/samba/winbindd_privileged are set correctly. (0xc022)

Did you spot this?
-- 
Sent from my phone. Please excuse brevity and typos.


Re: ntlm_auth works but not radtest

2012-03-05 Thread Alan Buxey
Hi,


2 things

 Mon Mar  5 14:45:54 2012 : Info: [mschap] No NT-Domain was found in the
 User-Name.
 Mon Mar  5 14:45:54 2012 : Info: [mschap] expand: %{mschap:NT-DOMAIN} -
 Mon Mar  5 14:45:54 2012 : Info: [mschap] ... expanding second conditional
 Mon Mar  5 14:45:54 2012 : Info: [mschap] expand:
 --domain=%{%{mschap:NT-DOMAIN}:-MYDOMAIN} - --domain=MYDOMAIN

1 as the request didn't contain an NT-Domain entry, ensure your --domain option 
is set correctly
(I assume you want MYDOMAIN but you never know..especially if you are just 
following
a document from somewhere on the internet)

 Mon Mar  5 14:45:55 2012 : Debug: Exec-Program output: winbind client not
 authorized to use winbindd_pam_auth_crap. Ensure permissions on
 /var/run/samba/winbindd_privileged are set correctly. (0xc022)

2 - this. did you not see this error - the debug does try to tell you everything.
SHORT OF BEING WRITTEN IN SCREEN HIGH CAPITAL LETTERS ;-)

ensure that /var/run/samba/winbindd_privileged is set to same group as the user
that FreeRADIUS runs as. oh..and be aware that any time that you patch/update
samba package, that permission will be blatted back to wrong values.

alan
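
A check for the permission problem named in the debug output, as an added example that is not part of the original posts: it evaluates one `ls -ldn` line for /var/run/samba/winbindd_privileged against the numeric groups of the user FreeRADIUS runs as, and is the kind of test worth re-running after a Samba package update. The helper name, the sample listings and the GIDs are constructed; treating group read and traverse bits plus group membership as "set correctly" is an assumption drawn from the advice above.

```shell
#!/bin/sh
# Added illustration: winbind_dir_verdict is a hypothetical helper. The
# listings and GIDs below are constructed samples, not output from the thread.

# $1 = one line of `ls -ldn /var/run/samba/winbindd_privileged`
# $2 = space-separated numeric GIDs, as printed by `id -G <radius user>`
winbind_dir_verdict() {
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    dir_gid=$(printf '%s\n' "$1" | awk '{ print $4 }')
    # Characters 5-7 of the mode string are the group permission bits.
    grp_bits=$(printf '%s\n' "$mode" | cut -c5-7)
    case $grp_bits in
        r?x|r?s) ;;          # group may read and traverse the directory
        *) echo "FAIL group bits '$grp_bits' on gid $dir_gid"; return 1 ;;
    esac
    for g in $2; do
        if [ "$g" = "$dir_gid" ]; then
            echo "OK daemon user is in gid $dir_gid"
            return 0
        fi
    done
    echo "FAIL daemon user is not in gid $dir_gid"
    return 1
}

# Constructed samples: daemon user belongs to groups 108 and 110.
RADIUS_GIDS='108 110'
GOOD='drwxr-x--- 2 0 110 4096 Mar  5 14:40 /var/run/samba/winbindd_privileged'
RESET='drwxr-x--- 2 0 0 4096 Mar  5 14:40 /var/run/samba/winbindd_privileged'
NOACCESS='drwx------ 2 0 110 4096 Mar  5 14:40 /var/run/samba/winbindd_privileged'

winbind_dir_verdict "$GOOD" "$RADIUS_GIDS"
winbind_dir_verdict "$RESET" "$RADIUS_GIDS" || true      # group reset by an update
winbind_dir_verdict "$NOACCESS" "$RADIUS_GIDS" || true   # group bits stripped
```

On a live system the two arguments would come from `ls -ldn /var/run/samba/winbindd_privileged` and `id -G` for the daemon user.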


Re: ntlm_auth works but not radtest

2012-03-05 Thread Scott McLane Gardner
 Mon Mar  5 14:45:55 2012 : Debug: Exec-Program-Wait: plaintext: winbind
 client not authorized to use winbindd_pam_auth_crap. Ensure permissions
 on
 /var/run/samba/winbindd_privileged are set correctly. (0xc022)
 
 Did you spot this?

This was definitely it. Thank you so much.

-Scott



How to test raduis is working.. can't find radtest

2011-05-25 Thread Luke Hammond
I have just installed FreeRADIUS 2.07 i think it is.. anyways. i 
followed a tutorial on how to install it with MySQL on Centos 5 and when 
i get to the part about testing the database using radtest.. it doesn't 
work. radtest is not where it should be, have looked on google to try 
and work out where exactly this 'radtest' lives, but all the locations 
it is supposed to be.. it isn't!


So, where should it be and why isn't it there? do i have to install it 
separately?  Also, how do i test that my radius is working and accepting 
logins without it?



Re: How to test raduis is working.. can't find radtest

2011-05-25 Thread Phil Mayers

On 05/25/2011 10:06 PM, Luke Hammond wrote:

I have just installed FreeRADIUS 2.07 i think it is.. anyways. i
followed a tutorial on how to install it with MySQL on Centos 5 and when
i get to the part about testing the database using radtest.. it doesn't
work. radtest is not where it should be, have looked on google to try
and work out where exactly this 'radtest' lives, but all the locations
it is supposed to be.. it isn't!

So, where should it be and why isn't it there? do i have to install it
separately? Also, how do i test that my radius is working and accepting
logins without it?


This isn't really a FreeRADIUS question; it's either a basic unix 
question, or one specific to the distribution of Linux you're using.


Anyway: How did you install FreeRADIUS. If you installed it from the 
RPM, are you sure you installed all the RPMs you needed? Perhaps the 
server and client tools are split into separate RPMs? I see Fedora has 
freeradius-utils RPM - maybe Centos has that too?


If you installed it from source - have you looked into the directory you 
installed it into (/usr/local usually)


Try: locate radtest
Or : find / | fgrep radtest

Try: yum provides '*/radtest'


Re: How to test raduis is working.. can't find radtest

2011-05-25 Thread Luke Hammond
Thanks for the reply, i installed it from the Package Manager in Gnome, 
centos 5.6.


I'll try what you suggested, thank you.


On 25/05/2011 6:28 PM, Phil Mayers wrote:

On 05/25/2011 10:06 PM, Luke Hammond wrote:

I have just installed FreeRADIUS 2.07 i think it is.. anyways. i
followed a tutorial on how to install it with MySQL on Centos 5 and when
i get to the part about testing the database using radtest.. it doesn't
work. radtest is not where it should be, have looked on google to try
and work out where exactly this 'radtest' lives, but all the locations
it is supposed to be.. it isn't!

So, where should it be and why isn't it there? do i have to install it
separately? Also, how do i test that my radius is working and accepting
logins without it?


This isn't really a FreeRADIUS question; it's either a basic unix 
question, or one specific to the distribution of Linux you're using.


Anyway: How did you install FreeRADIUS. If you installed it from the 
RPM, are you sure you installed all the RPMs you needed? Perhaps the 
server and client tools are split into separate RPMs? I see Fedora has 
freeradius-utils RPM - maybe Centos has that too?


If you installed it from source - have you looked into the directory 
you installed it into (/usr/local usually)


Try: locate radtest
Or : find / | fgrep radtest

Try: yum provides '*/radtest'


how to radtest from another client

2011-04-09 Thread 徐宇
I installed freeradius on the server; its IP is 192.168.1.1.
On the server I have already done the radtest, and the result is OK:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=11, length=20

I want to add a test authenticator host client, so I added something at
the end of my clients.conf and assigned a shared secret.
 client 192.168.1.100 {
     secret = testing123
     shortname = 192.168.1.100
  }
Should I do other things to finish it?  I need to do the radtest on
the client (192.168.1.100), right? But there isn't a radtest command on
the client. Do I need to install some software on the client?

Thank you for your help, best regards.



Re: how to radtest from another client

2011-04-09 Thread Alan DeKok
徐宇 wrote:
 Should I do other things to finish it?  I need to do the radtest on
 the client (192.168.1.100), right? But there isn't a radtest command on
 the client. Do I need to install some software on the client?

  Yes, that's how computers work.

  Alan DeKok.


Re: how to radtest from another client

2011-04-09 Thread Fajar A. Nugraha
On Sat, Apr 9, 2011 at 5:03 PM, 徐宇 xuyub...@gmail.com wrote:
 I installed freeradius on the server; its IP is 192.168.1.1.
 On the server I have already done the radtest, and the result is OK:
 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=11, length=20

 I want to add a test authenticator host client, so I added something at
 the end of my clients.conf and assigned a shared secret.
  client 192.168.1.100 {
      secret = testing123
      shortname = 192.168.1.100
   }
 Should I do other things to finish it?  I need to do the radtest on
 the client (192.168.1.100), right? But there isn't a radtest command on
 the client. Do I need to install some software on the client?

 Thank you for your help, best regards.

Please don't send the same message over and over again. It's rude, and
will simply discourage others from helping you.

Yes, you need to install the software. radtest command is available if:
- you built your own freeradius from source
- you install a package from your distro containing radtest

If you need to know which package from your distro has the radtest
command, ask your distro forum/list/support. On Ubuntu, the package is
called freeradius-utils.

If you have absolutely no idea what I'm talking about, then ask
whoever sets up the server you're currently using, since you say that
server already has radtest available.

-- 
Fajar


how to radtest from another client

2011-04-08 Thread 徐宇
I installed freeradius on the server; its IP is 192.168.1.1.
On the server I have already done the radtest, and the result is OK:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=11, length=20

I want to add a test authenticator host client, so I added something at
the end of my clients.conf and assigned a shared secret.
 client 192.168.1.100 {
     secret = testing123
     shortname = 192.168.1.100
  }
Should I do other things to finish it?  I need to do the radtest on
the client (192.168.1.100), right? But there isn't a radtest command on
the client. Do I need to install some software on the client?

Thank you for your help, best regards.



how to radtest from another client

2011-04-07 Thread 徐宇
I installed freeradius on the server; its IP is 192.168.1.1.
On the server I have already done the radtest, and the result is OK:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=11, length=20

I want to add a test authenticator host client, so I added something at
the end of my clients.conf and assigned a shared secret.
 client 192.168.1.100 {
     secret = testing123
     shortname = 192.168.1.100
  }
Should I do other things to finish it?  I need to do the radtest on
the client (192.168.1.100), right? But there isn't a radtest command on
the client. Do I need to install some software on the client?

Thank you for your help, best regards.



radtest issue

2010-10-15 Thread Sujith Paily K
I have installed freeradius2   freeradius2-utils on centos5.5 using yum. I
did the basic configuration and test with radtest
-
radtest testing password 127.0.0.1 10 testing123
Sending Access-Request of id 221 to 127.0.0.1 port 1812
User-Name = testing
User-Password = password
NAS-IP-Address = 216.34.94.184
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=221,
length=2
-
I don't understand NAS-IP-Address = 216.34.94.184; my hostname is
node3.localhost. So the expected NAS-IP-Address is node3.localhost, right?
What is wrong? I don't find the IP 216.34.94.184 in my machine
-- 
Thanks and Regards,
Sujith Paily K

http://SparkSupport.com | http://migrate2cloud.com

Re: radtest issue

2010-10-15 Thread Ryan Garrett
The NAS-IP-Address field should be set to whatever you are using as your
supplicant, most likely your switch.

On Fri, Oct 15, 2010 at 4:15 AM, Sujith Paily K suj...@sparksupport.com wrote:

 I have installed freeradius2   freeradius2-utils on centos5.5 using yum. I
 did the basic configuration and test with radtest
 -
 radtest testing password 127.0.0.1 10 testing123
 Sending Access-Request of id 221 to 127.0.0.1 port 1812
 User-Name = testing
 User-Password = password
 NAS-IP-Address = 216.34.94.184
 NAS-Port = 10
 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=221,
 length=2

 -
 I don't understand NAS-IP-Address = 216.34.94.184; my hostname is
 node3.localhost. So the expected NAS-IP-Address is node3.localhost, right?
 What is wrong? I don't find the IP 216.34.94.184 in my machine
 --
 Thanks and Regards,
 Sujith Paily K

 http://SparkSupport.com | http://migrate2cloud.com





Getting Access-Reject when using radtest

2010-08-26 Thread kartik dadwal
Hi,

OS: Ubuntu 9.10
Freeradius 2.1.0 (Installed using synaptic packet manager)

I have installed FreeRadius server and now I am testing it with the
r...@kartik-laptop:/usr/local/etc/raddb# *radtest testing password 127.0.0.1
0 testing123*
OUTPUT:
Sending Access-Request of id 248 to 127.0.0.1 port 1812
User-Name = testing
User-Password = password
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=248,
length=20


===

On the server terminal:
r...@kartik-laptop:/etc/freeradius# *radiusd -X*
FreeRADIUS Version 2.1.0, for host i686-pc-linux-gnu, built on Aug 17 2010
at 22:33:30
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /usr/local/var
logdir = /usr/local/var/log/radius
libdir = /usr/local/lib
radacctdir = /usr/local/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /usr/local/var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost

Re: Getting Access-Reject when using radtest

2010-08-26 Thread Alan DeKok
kartik dadwal wrote:
 OS: Ubuntu 9.10
 Freeradius 2.1.0 (Installed using synaptic packet manager)

 On the server terminal:
 r...@kartik-laptop:/etc/freeradius# *radiusd -X*

  I would suggest reading the debug output.  The answer to your question
is in there.

  Also, try pasting the debug output into this form:

http://networkradius.com/freeradius.html

  And look for the highlighted text.

  Alan DeKok.


Re: Segmentation Fault during running radtest and freeradius

2010-08-22 Thread Alan DeKok
Theresa wrote:
 Hello,
 
 I use Freeradius 2.1.10 (built from the git branch 2.1.x). I just
 configured it with one user (testing, password) and a shared secret
 (testing123) and didn't change anything else.
 I run freeradius -X (Ubuntu 10.04) and when it receives a request
 (radtest testing password 127.0.0.1 0 testing123) I get following crash
 (sorry for the long log).
 
 Any ideas how to fix it or where the problem is?

  See doc/bugs

 /etc/freeradius/sites-enabled/default
 +- entering group authorize {...}
 Segmentation fault

  If it crashes that quickly, it's usually because of a shared library
problem on the system.  i.e. you've built 2.1.10, but it's using
libraries from an older version of the server.

  Alan DeKok.


Segmentation Fault during running radtest and freeradius

2010-08-21 Thread Theresa

Hello,

I use Freeradius 2.1.10 (built from the git branch 2.1.x). I just 
configured it with one user (testing, password) and a shared secret 
(testing123) and didn't change anything else.
I run freeradius -X (Ubuntu 10.04) and when it receives a request 
(radtest testing password 127.0.0.1 0 testing123) I get following crash 
(sorry for the long log).


Any ideas how to fix it or where the problem is?

Thanks in advance!

Log:

FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Aug 21 
2010 at 23:02:11

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/otp
including configuration file 
/etc/freeradius/modules/sqlcounter_expire_on_login

including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback

Re: MySQL works for radtest, not IRL - Users file always works

2010-08-16 Thread Huckle Berry
On Sun, Aug 15, 2010 at 3:43 AM, Alan DeKok al...@deployingradius.com wrote:

 Huckle Berry wrote:
  radtest for both users works on server, but from the windows 7 client
  only RadiusUser can log in. After looking at RadiusSQL's debug, it seems
  the sql module isn't ever consulted... Debugs for both users can be
  posted on request.

   What you didn't say is that the Windows system is using PEAP.  This
 means that you need to configure sql in the file
 raddb/sites-available/inner-tunnel.

  You've configured SQL in raddb/sites-available/default, which allows
 it to work for simple PAP / MS-CHAP requests.  But PEAP puts the
 password inside of the inner-tunnel, which hasn't been configured.


Is there a good reference for the various protocols, i.e. a diagram, or
flowchart, that could help me understand the process and therefore better
troubleshoot my situation? I'm more of a visual learner so illustrations
would be awesome.


  Alan DeKok.

Re: MySQL works for radtest, not IRL - Users file always works

2010-08-16 Thread Alan DeKok
Huckle Berry wrote:
 Is there a good reference for the various protocols, i.e. a diagram, or
 flowchart, that could help me understand the process and therefore
 better troubleshoot my situation? I'm more of a visual learner so
 illustrations would be awesome.

  There are no pictures.  The processing is documented in... various
places on the Wiki and in the doc/ directory.

  Alan DeKok.



Re: MySQL works for radtest, not IRL - Users file always works

2010-08-15 Thread Alan DeKok
Huckle Berry wrote:
 radtest for both users works on server, but from the windows 7 client
 only RadiusUser can log in. After looking at RadiusSQL's debug, it seems
 the sql module isn't ever consulted... Debugs for both users can be
 posted on request.

  What you didn't say is that the Windows system is using PEAP.  This
means that you need to configure sql in the file
raddb/sites-available/inner-tunnel.

  You've configured SQL in raddb/sites-available/default, which allows
it to work for simple PAP / MS-CHAP requests.  But PEAP puts the
password inside of the inner-tunnel, which hasn't been configured.

  Alan DeKok.
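The gap described in the reply above (sql listed in the default virtual server but not in inner-tunnel, so PEAP logins never reach it) can be checked mechanically. This is an added example, not code from the thread or from the FreeRADIUS project; the two site files are constructed samples and the reader is a simplified one that assumes one statement per line.

```python
"""Report which virtual servers list a module (here sql) in authorize."""

# Constructed sample of raddb/sites-available/default: sql is enabled.
DEFAULT_SITE = """\
authorize {
    preprocess
    files
    sql
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
}
"""

# Constructed sample of raddb/sites-available/inner-tunnel: sql is still
# commented out, which is the situation the reply describes.
INNER_TUNNEL_SITE = """\
server inner-tunnel {
authorize {
    files
#   sql
    mschap
    eap {
        ok = return
    }
    pap
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}
}
"""

# Block keywords that open a nested group rather than naming a module.
KEYWORDS = {"if", "elsif", "else", "switch", "case", "update",
            "group", "redundant", "load-balance", "redundant-load-balance"}


def section_modules(text, section="authorize"):
    """Return module names referenced anywhere inside `section { ... }`.

    Simplified reader: '#' starts a comment, a line ending in '{' opens a
    block, a lone '}' closes one. Quoted strings containing '#' or braces
    are not handled.
    """
    stack = []      # first word of every block that is currently open
    modules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            header = line[:-1].split()
            name = header[0] if header else ""
            if section in stack and name and name not in KEYWORDS:
                modules.append(name)          # e.g. "eap { ok = return }"
            stack.append(name)
        elif line == "}":
            if stack:
                stack.pop()
        elif section in stack and "=" not in line:
            # Lines with '=' are action overrides or attribute updates.
            modules.append(line.split()[0])
    return modules


def sites_missing(sites, module="sql", section="authorize"):
    """Return the names of the sites whose section never calls `module`."""
    return sorted(name for name, text in sites.items()
                  if module not in section_modules(text, section))


if __name__ == "__main__":
    sites = {"default": DEFAULT_SITE, "inner-tunnel": INNER_TUNNEL_SITE}
    for name in sites_missing(sites):
        print(f"{name}: sql is not called in authorize")
```

On a real server, pass the contents of the files under raddb/sites-enabled/ instead of the two constructed strings.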


MySQL works for radtest, not IRL - Users file always works

2010-08-14 Thread Huckle Berry
I'm in a bit of an odd situation here, I have a freeradius 2.1.8 server
(installed from the ubuntu 10.04 repo) that I'm using in conjunction with a
DD-WRT v24-SP2 (on wrt54g v5) NAS. I've generated certs for two users
RadiusUser and RadiusSQL and installed both on a windows 7 ultimate box
along with the CA.

RadiusUser is in the Users file with a bare-bones configuration:
RadiusUser Cleartext-Password: RadiusUser

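RadiusSQL is in a MySQL database with a similar configuration:
SELECT * FROM radcheck;
+----+-----------+--------------------+----+-----------+
| id | username  | attribute          | op | value     |
+----+-----------+--------------------+----+-----------+
|  1 | RadiusSQL | Cleartext-Password | := | RadiusSQL |
+----+-----------+--------------------+----+-----------+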

radtest for both users works on server, but from the windows 7 client only
RadiusUser can log in. After looking at RadiusSQL's debug, it seems the sql
module isn't ever consulted... Debugs for both users can be posted on
request.

Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-10 Thread Ana Gallardo
   Which doesn't match the error message you showed above.  There is *no*
 ATTRIBUTE line having an option.


I'm sorry, I paste my actual dictionary...


$ cat /usr/share/freeradius/dictionary.rinuex

# -*- text -*-
#
# dictionary.rinuex
#
#
#   May 2010
#   Marco Jaraíz mjar...@unex.es
#   Ana Gallardo aigalla...@unex.es
#

VENDOR          Rinuex  35782

BEGIN-VENDOR    Rinuex

# Code indicating the cause of the Access-Reject
ATTRIBUTE       Codigo-Reject   8       integer Rinuex

VALUE   Codigo-Reject   Credenciales-Erroneas               3
VALUE   Codigo-Reject   Cuenta-Bloqueada-Intentos-Reject    4
VALUE   Codigo-Reject   Imposible-Contactar-Backend         5
VALUE   Codigo-Reject   Error-Dominio                       6
VALUE   Codigo-Reject   Cuenta-Expirada                     7
VALUE   Codigo-Reject   Cuenta-Inactiva                     8
VALUE   Codigo-Reject   Radius-OK                           9

END-VENDOR      Rinuex



  Please be *consistent*.


OK, sorry and thanks for your time.

Ana


 Ana Gallardo Gómez


Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-10 Thread Alan DeKok
Ana Gallardo wrote:
 I'm sorry, I paste my actual dictionary...
 
 
 $ cat /usr/share/freeradius/dictionary.rinuex
...
 BEGIN-VENDOR    Rinuex

  Which says all of the following attributes are for this vendor

 # Code indicating the cause of the Access-Reject
 ATTRIBUTE       Codigo-Reject   8       integer Rinuex

  Which *duplicates* the vendor name.  Do one of the following:

a) delete the vendor name from the ATTRIBUTE line

b) delete the BEGIN/END-VENDOR lines

  Alan DeKok.
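A small linter for the two dictionary mistakes in this thread: a vendor name repeated on an ATTRIBUTE line inside a BEGIN-VENDOR block, and a vendor name used without a VENDOR line. This is an added example, not code from the thread or the FreeRADIUS dictionary parser; the sample dictionaries are constructed from the one posted, and the finding codes and the short option list are assumptions of the example.

```python
"""Lint a FreeRADIUS-style vendor dictionary for the mistakes in this thread."""

# Trailing fields treated as attribute options rather than vendor names.
# This short list is an assumption of the example, not the full option set.
KNOWN_OPTIONS = {"has_tag"}

# Constructed from the posted dictionary: vendor named twice (line 4).
SAMPLE_DUPLICATED = """\
VENDOR          Rinuex  35782
BEGIN-VENDOR    Rinuex
# Code indicating the cause of the Access-Reject
ATTRIBUTE       Codigo-Reject   8       integer Rinuex
VALUE           Codigo-Reject   Cuenta-Expirada 7
END-VENDOR      Rinuex
"""

# Fix (a) from the reply: keep the block, drop the vendor from ATTRIBUTE.
SAMPLE_FIX_A = """\
VENDOR          Rinuex  35782
BEGIN-VENDOR    Rinuex
ATTRIBUTE       Codigo-Reject   8       integer
VALUE           Codigo-Reject   Cuenta-Expirada 7
END-VENDOR      Rinuex
"""

# Fix (b) from the reply: drop the block, keep the vendor on ATTRIBUTE.
SAMPLE_FIX_B = """\
VENDOR          Rinuex  35782
ATTRIBUTE       Codigo-Reject   8       integer Rinuex
VALUE           Codigo-Reject   Cuenta-Expirada 7
"""

# Constructed: vendor used on ATTRIBUTE without any VENDOR line.
SAMPLE_UNDEFINED = """\
ATTRIBUTE       Codigo-Reject   8       integer XXX
"""


def is_option(field):
    """True for fields such as has_tag or encrypt=1."""
    return field in KNOWN_OPTIONS or "=" in field


def lint_dictionary(text):
    """Return findings as (line_number, code, name) tuples."""
    findings = []
    vendors = set()        # names declared by VENDOR lines so far
    attributes = set()     # names declared by ATTRIBUTE lines so far
    block_vendor = None    # set while inside BEGIN-VENDOR ... END-VENDOR

    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if not fields:
            continue
        keyword = fields[0].upper()

        if keyword == "VENDOR" and len(fields) >= 3:
            vendors.add(fields[1])
        elif keyword == "BEGIN-VENDOR" and len(fields) >= 2:
            block_vendor = fields[1]
            if block_vendor not in vendors:
                findings.append((lineno, "undefined-vendor", block_vendor))
        elif keyword == "END-VENDOR":
            block_vendor = None
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            attributes.add(fields[1])
            for extra in fields[4:]:
                if is_option(extra):
                    continue
                if block_vendor is not None:
                    # Inside a block the vendor is already implied.
                    code = ("duplicate-vendor" if extra == block_vendor
                            else "unknown-option")
                    findings.append((lineno, code, extra))
                elif extra not in vendors:
                    findings.append((lineno, "undefined-vendor", extra))
        elif keyword == "VALUE" and len(fields) >= 4:
            if fields[1] not in attributes:
                findings.append((lineno, "value-without-attribute", fields[1]))
    return findings


if __name__ == "__main__":
    for lineno, code, name in lint_dictionary(SAMPLE_DUPLICATED):
        print(f"line {lineno}: {code}: {name}")
```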


Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-10 Thread Ana Gallardo
  $ cat /usr/share/freeradius/dictionary.rinuex
 ...
  BEGIN-VENDOR    Rinuex

  Which says all of the following attributes are for this vendor


OK



  # Code indicating the cause of the Access-Reject
  ATTRIBUTE       Codigo-Reject   8       integer Rinuex

   Which *duplicates* the vendor name.  Do one of the following:

 a) delete the vendor name from the ATTRIBUTE line

 b) delete the BEGIN/END-VENDOR lines


I choose to delete the BEGIN/END-VENDOR lines for compatibility with
Authen::Radius perl package.

Thank you very much. Everything is ok now.

-- 


 Ana Gallardo Gómez


RE: radtest with MS-CHAPv2?

2010-06-10 Thread Ben Wiechman
Ntradping

http://www.novell.com/coolsolutions/tools/14377.html

I believe this is the tool you are looking for.

Ben

-Original Message-
From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.o
rg] On Behalf Of Alan DeKok
Sent: Wednesday, June 09, 2010 3:21 PM
To: FreeRadius users mailing list
Subject: Re: radtest with MS-CHAPv2?

Andrew Chiarello wrote:
 Is there any cli tool I can use to send an MS-CHAPv2 test?

  No.

  There's a Windows tool, but I forget the name.

  Alan DeKok.


problem with radtest + dictionary + Authen::Radius (perl)

2010-06-09 Thread Ana Gallardo
Hello,

I'm working with Freeradius 2.1.8 and I have created my vendor dictionary.

I need to use Authen::Radius (perl). This package needs 'vendor' declaration
in every 'ATTRIBUTE' line in vendor dictionaries.

Following man RADIUS dictionary file

http://freeradius.org/radiusd/man/dictionary.html

*ATTRIBUTE name number type [vendor|options]*

that is possible.

But when I use radtest, I have this problem:

$ radtest u...@realm pass radius 0 claveClient
radclient: dict_init: /usr/share/freeradius/dictionary.XXX: unknown option
XXX

Thank you and sorry for my english



 Ana Gallardo Gómez


Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-09 Thread Alan DeKok
Ana Gallardo wrote:
 $ radtest u...@realm pass radius 0 claveClient
 radclient: dict_init: /usr/share/freeradius/dictionary.XXX: unknown
 option XXX

  You didn't define XXX as a vendor.

  And there's no reason to keep the vendor name a secret.  The
name/number for the vendor is available in public registries.

  Alan DeKok.



Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-09 Thread Ana Gallardo
Hello Alan,

 $ radtest u...@realm pass radius 0 claveClient
  radclient: dict_init: /usr/share/freeradius/dictionary.XXX: unknown
  option XXX

   You didn't define XXX as a vendor.


I think I did...

$ cat /usr/share/freeradius/dictionary.rinuex

# -*- text -*-
#
# dictionary.rinuex
#
#
#   May 2010
#   Marco Jaraíz mjar...@unex.es
#   Ana Gallardo aigalla...@unex.es
#

VENDOR          Rinuex  35782

BEGIN-VENDOR    Rinuex

# Code indicating the cause of the Access-Reject
ATTRIBUTE       Codigo-Reject   8       integer

VALUE   Codigo-Reject   Credenciales-Erroneas               3
VALUE   Codigo-Reject   Cuenta-Bloqueada-Intentos-Reject    4
VALUE   Codigo-Reject   Imposible-Contactar-Backend         5
VALUE   Codigo-Reject   Error-Dominio                       6
VALUE   Codigo-Reject   Cuenta-Expirada                     7
VALUE   Codigo-Reject   Cuenta-Inactiva                     8
VALUE   Codigo-Reject   Radius-OK                           9

END-VENDOR      Rinuex



  And there's no reason to keep the vendor name a secret.  The
 name/number for the vendor is available in public registries.


It's true



  Alan DeKok.


Thanks again


-- 


 Ana Gallardo Gómez


Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-09 Thread Alan DeKok
Ana Gallardo wrote:
 Hello Alan,
 
  $ radtest u...@realm pass radius 0 claveClient
  radclient: dict_init: /usr/share/freeradius/dictionary.XXX: unknown
  option XXX
 
  You didn't define XXX as a vendor.

 I think I did...
 
 $ cat /usr/share/freeradius/dictionary.rinuex

  Which doesn't match the error message you showed above.  There is *no*
ATTRIBUTE line having an option.

  Please be *consistent*.

  Alan DeKok.


radtest with MS-CHAPv2?

2010-06-09 Thread Andrew Chiarello
I'm very new to freeradius, and I need to test whether my configuration is 
correctly accepting MS-CHAPv2 requests. I'm not sure exactly how to do this 
with radtest (or am I using the wrong tool?) 


Andrew J. Chiarello 
Network Engineer 
Bryn Mawr College 
610-526-7966 
achiare...@brynmawr.edu 

Re: radtest with MS-CHAPv2?

2010-06-09 Thread Alan DeKok
Andrew Chiarello wrote:
 I'm very new to freeradius, and I need to test whether my configuration
 is correctly accepting MS-CHAPv2 requests. I'm not sure exactly how to
 do this with radtest (or am I using the wrong tool?)

  You can't use it with radtest.  Maybe in version 2.1.10.

  Alan DeKok.


Re: radtest with MS-CHAPv2?

2010-06-09 Thread Andrew Chiarello
Is there any cli tool I can use to send an MS-CHAPv2 test? 

- Original Message - 
From: Alan DeKok al...@deployingradius.com 
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org 
Sent: Wednesday, June 9, 2010 11:33:30 AM 
Subject: Re: radtest with MS-CHAPv2? 

Andrew Chiarello wrote: 
 I'm very new to freeradius, and I need to test whether my configuration 
 is correctly accepting MS-CHAPv2 requests. I'm not sure exactly how to 
 do this with radtest (or am I using the wrong tool?) 

You can't use it with radtest. Maybe in version 2.1.10. 

Alan DeKok. 

Re: radtest with MS-CHAPv2?

2010-06-09 Thread Alan DeKok
Andrew Chiarello wrote:
 Is there any cli tool I can use to send an MS-CHAPv2 test?

  No.

  There's a Windows tool, but I forget the name.

  Alan DeKok.


Re: radtest and IPv6 support

2010-06-08 Thread Alan DeKok
John Dennis wrote:
 All you should need to do is create a bugzilla login, no different than
 the FreeRADIUS bugzilla, but no problem, I attached the patch to the
 FreeRADIUS bug, should be easy to see now.

  Tried, still the same error.  Oh well.

From what I can tell, the issue is that ip_hton() does DNS lookups,
 and inet_pton() doesn't.
 
 yup, that's the primary issue, secondary issue is more informative error
 reporting.

  OK.  I've applied the patch.

  Alan DeKok.


RE: radtest and IPv6 support

2010-06-08 Thread Panagiotis Georgopoulos
Hello John, Alan, all,


 
 John Dennis wrote:
  We also just discovered a bug with IPv6 usage in radclient (and
  radtest), you may want to take a look at these two bugzilla's:
 
  https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=80
 
   The better fix is to take unknown options starting with -, and pass
 them directly to radclient.  This will make -4 work, -6, and a bunch of
 other options.
 

Thanks both for the reply. I will try using the radclient for my
testing from now on..

Cheers,
Panos



RE: radtest and IPv6 support

2010-06-07 Thread Panagiotis Georgopoulos
Hello Alan, all 

See below...

 -Original Message-
 From: freeradius-users-
 bounces+panos=comp.lancs.ac...@lists.freeradius.org [mailto:freeradius-
 users-bounces+panos=comp.lancs.ac...@lists.freeradius.org] On Behalf Of
 Alan DeKok
 Sent: 06 June 2010 09:27
 To: FreeRadius users mailing list
 Subject: Re: radtest and IPv6 support
 
 Panagiotis Georgopoulos wrote:
  I am trying to use radtest to test my freeradius
  configuration over IPv6. I have configured IPv6 on my freeradius
 server
  and a client machine from which I am firing radtest. However when I
  issue radtest bob hello 2001:db95::100 100 testing123 on my client I
  get a
 
  radclient: socket: cannot initialize udpfromto: Function not
 implemented
 
   When building from source, do:
 
 $ ./configure --without-udpfromto
 
   It doesn't appear to work on your system.
 

How can I only build radtest from source? 

(recap: ) I have built freeRadius on my server and I want to run radtest on a 
client machine to test my configuration over IPv6. I installed radtest on my 
client machine by installing freeradius-utils...

Is there another way to test FreeRadius with another tool that supports IPV6?

Thanks,
Panos






Re: radtest and IPv6 support

2010-06-07 Thread John Dennis

On 06/03/2010 01:57 PM, Panagiotis Georgopoulos wrote:

Hello all,

I am trying to use radtest to test my freeradius configuration over
IPv6. I have configured IPv6 on my freeradius server and a client
machine from which I am firing radtest. However when I issue “radtest


We also just discovered a bug with IPv6 usage in radclient (and 
radtest), you may want to take a look at these two bugzilla's:


https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=80
https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=82

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Re: radtest and IPv6 support

2010-06-07 Thread Alan DeKok
John Dennis wrote:
 We also just discovered a bug with IPv6 usage in radclient (and
 radtest), you may want to take a look at these two bugzilla's:
 
 https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=80

  The better fix is to take unknown options starting with -, and pass
them directly to radclient.  This will make -4 work, -6, and a bunch of
other options.

 https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=82

  Except I'm not allowed to see the redhat bugs.

  From what I can tell, the issue is that ip_hton() does DNS lookups,
and inet_pton() doesn't.

  Alan DeKok.



Re: radtest and IPv6 support

2010-06-07 Thread John Dennis

On 06/07/2010 05:33 PM, Alan DeKok wrote:

John Dennis wrote:

We also just discovered a bug with IPv6 usage in radclient (and
radtest), you may want to take a look at these two bugzilla's:

https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=80


   The better fix is to take unknown options starting with -, and pass
them directly to radclient.  This will make -4 work, -6, and a bunch of
other options.


Hokey dokey, I didn't create the proposed fix in this instance, please 
update the bugzilla with the suggestion or the git commit. Thanks!





https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=82


   Except I'm not allowed to see the redhat bugs.


All you should need to do is create a bugzilla login, no different than 
the FreeRADIUS bugzilla, but no problem, I attached the patch to the 
FreeRADIUS bug, should be easy to see now.




   From what I can tell, the issue is that ip_hton() does DNS lookups,
and inet_pton() doesn't.


yup, that's the primary issue, secondary issue is more informative error 
reporting.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: radtest and IPv6 support

2010-06-06 Thread Alan DeKok
Panagiotis Georgopoulos wrote:
 I am trying to use radtest to test my freeradius
 configuration over IPv6. I have configured IPv6 on my freeradius server
 and a client machine from which I am firing radtest. However when I
 issue “radtest bob hello 2001:db95::100 100 testing123” on my client I
 get a

 “radclient: socket: cannot initialize udpfromto: Function not implemented”

  When building from source, do:

$ ./configure --without-udpfromto

  It doesn't appear to work on your system.

  Alan DeKok.

radtest and IPv6 support

2010-06-03 Thread Panagiotis Georgopoulos
Hello all,

 

I am trying to use radtest to test my freeradius
configuration over IPv6. I have configured IPv6 on my freeradius server and
a client machine from which I am firing radtest. However when I issue
radtest bob hello 2001:db95::100 100 testing123 on my client I get a 

 

radclient: socket: cannot initialize udpfromto: Function not implemented

 

Google returns a few people reporting this, but answers are
related to changing how localhost is resolved when testing it from the
freeradius server. Is there a proper solution for using radtest over IPv6
from a remote machine? 

 

Btw radtest works fine over IPv4 on my current setup.

 

Thanks a lot,

Panos


Re: sql wont pass radtest

2010-05-27 Thread Alan DeKok
Robert Wilkinson wrote:
 I have uncommented all the SQL lines to no avail. No module is loaded.

  The debug log *clearly* shows which files it is reading, and which
modules it is loading.  It reads the SQL configuration files, but does
*not* load the SQL module.

 Is it important to have a NAS installed at this stage?

  No.

 including configuration file /etc/freeradius/sites-enabled/default
 including configuration file /etc/freeradius/sites-enabled/inner-tunnel

  Did you edit these files?

  The answer is no.  None of the debug log shows it loading the sql
module.  You have been editing *different* files, which is why the
server isn't using SQL.

  So.. which files were you editing and why?

  Go back and edit the *real* files.  You will know you have succeeded
when it starts printing text like this:

  Module: Linked to module rlm_sql

  Until it prints that text, you are not editing the right files.

  Again, the *whole purpose* of debug mode is for people to *read* it.
It is *telling* you which files it is reading.  You have been editing
*different* files.

  Alan DeKok.
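The check described in the reply above (read the debug output, see which files the server included and whether "Module: Linked to module rlm_sql" appears) can be scripted. This is an added example, not code from the thread or the FreeRADIUS project; the debug excerpt and the list of edited files are constructed, and only the two line formats quoted in the thread are parsed.

```python
"""Compare `freeradius -X` output against the files an admin edited."""
import os
import re

# Constructed excerpt in the format of the debug output quoted in the thread,
# including one line wrapped by a mail client.
SAMPLE_DEBUG = """\
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/pap
including configuration
file /etc/freeradius/modules/sqlcounter_expire_on_login
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
 Module: Linked to module rlm_pap
 Module: Linked to module rlm_files
"""

INCLUDE_RE = re.compile(r"including (?:configuration|dictionary) file (\S+)")
LINKED_RE = re.compile(r"Module: Linked to module (rlm_\w+)")


def parse_debug(text):
    """Return (files_read, modules_linked) from debug output.

    Whitespace is collapsed first so that lines wrapped in an e-mail
    ("including configuration" / "file /path") still match.
    """
    flat = " ".join(text.split())
    return INCLUDE_RE.findall(flat), LINKED_RE.findall(flat)


def audit(text, edited_files, module="rlm_sql"):
    """Report whether `module` was linked and which edits the server ignored.

    Paths are compared after os.path.realpath(), so on a live system an
    edit to sites-available/default counts when sites-enabled/default is a
    symlink to it. Paths that do not exist are compared as written.
    """
    files_read, modules = parse_debug(text)
    read_resolved = {os.path.realpath(path) for path in files_read}
    unread = [path for path in edited_files
              if os.path.realpath(path) not in read_resolved]
    return {
        "files_read": files_read,
        "modules": modules,
        "module_linked": module in modules,
        "unread_edits": unread,
    }


if __name__ == "__main__":
    # Constructed list: one file the server read, one from another tree.
    edited = ["/etc/freeradius/sites-enabled/default",
              "/usr/local/etc/raddb/sql.conf"]
    report = audit(SAMPLE_DEBUG, edited)
    print("rlm_sql linked:", report["module_linked"])
    for path in report["unread_edits"]:
        print("edited but never read by the server:", path)
```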


sql wont pass radtest

2010-05-26 Thread Robert Wilkinson
Hello.
After lots of reading and time testing I have been unable to get sql to
authenticate with using radtest. Am I having issues with the DB
setup? I am having no problems with the users file. But there seems to
be nothing to pursue with the SQL issues. I am almost moved to tears..
and tearing my hair out.


I am using: 
Ubuntu 10.4 (Linode account)
Freeradius 2.1.8
MySql5

I want to setup a wireless hotspot. I have spent 4 days trying to get my
mind around this. I have uncommented the SQL lines where needed.
Is it my database or the options I have made. I have spent lots of time
on the wiki and mailing list, to the point that confusion now reigns.
There needs to be a way for simple setups
to be made easy.

here is my freeradius -X 

FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan  5
2010 at 02:49:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = no
 log {
stripped_names

Re: sql wont pass radtest

2010-05-26 Thread Alan DeKok
Robert Wilkinson wrote:
 Hello.
 After lots of reading and time testing I have been unable to get sql to
 authenticate using radtest. Am I having issues with the DB
 setup? I am having no problems with the users file. But there seems to
 be nothing to pursue with the SQL issues. I am almost moved to tears..
 and tearing my hair out.

  The Wiki contains good instructions for configuring SQL.

 I want to set up a wireless hotspot. I have spent 4 days trying to get my
 mind around this. I have uncommented the SQL lines where needed.

  The debug log doesn't show this.

  You need to edit raddb/sites-available/default, and look for sql.

 Is it my database or the options I have made. I have spent lots of time
 on the wiki and mailing list, to the point that confusion now reigns.
 There needs to be a way for simple setups
 to be made easy.

  http://wiki.freeradius.org/SQL_HOWTO

  It needs to be updated for 2.x, but the basic idea is there.

 here is my freeradius -X 

  Which shows it does not load the SQL module, and does not use the SQL
module when it receives a packet.

  Alan DeKok.


Re: sql wont pass radtest

2010-05-26 Thread Alan Buxey
hi,

your output doesn't show SQL being loaded up as the daemon starts... it's very
obvious when it does use SQL as there'll be a lot of SQL stuff shown in the
startup, e.g. sockets connecting to the SQL etc.

check that you have the INCLUDE sql.conf in the radiusd.conf and check that
you have uncommented the sql lines in the virtual servers that you want
to use (i.e. 'default' for plain stuff and 'inner-tunnel' for EAP stuff)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
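
The two checks suggested in the replies above (an active INCLUDE of sql.conf in radiusd.conf, and an uncommented sql line in the virtual server) can be scripted. This is an added example, not part of the list thread and not FreeRADIUS project code; the two config excerpts are constructed samples, and the function names are this example's own.

```python
import re

# Constructed excerpts in the style of a FreeRADIUS 2.x install (not the poster's files).
RADIUSD_CONF = """\
modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
    #   $INCLUDE sql.conf
}
"""

SITE_DEFAULT = """\
authorize {
    preprocess
    files
#   sql
    pap
}
accounting {
    detail
    sql      # uncommented here only
}
session {
    radutmp
#   sql
}
"""

PROCESSING_SECTIONS = ("authorize", "accounting", "session", "post-auth")


def strip_comment(line):
    """Drop a '# ...' comment (simplification: ignores '#' inside quoted strings)."""
    return line.split("#", 1)[0].strip()


def includes(conf_text):
    """Return the target of every active (uncommented) $INCLUDE line."""
    found = []
    for raw in conf_text.splitlines():
        m = re.match(r"\$INCLUDE\s+(\S+)", strip_comment(raw))
        if m:
            found.append(m.group(1))
    return found


def sections_calling(module, site_text):
    """Return the processing sections that list `module` on an active line."""
    stack, hits = [], []
    for raw in site_text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if stack:
                stack.pop()
        elif line.split()[0] == module:
            # Credit the nearest enclosing processing section, so a wrapped
            # "server inner-tunnel { authorize { sql } }" is handled too.
            for name in reversed(stack):
                if name in PROCESSING_SECTIONS:
                    if name not in hits:
                        hits.append(name)
                    break
    return hits


def sql_report(conf_text, site_text):
    """Summarise whether a radtest request could reach the sql module at all."""
    included = any(t.split("/")[-1] == "sql.conf" for t in includes(conf_text))
    used = sections_calling("sql", site_text)
    return {
        "sql_conf_included": included,
        "used_in": used,
        "radtest_can_use_sql": included and "authorize" in used,
    }


if __name__ == "__main__":
    print(sql_report(RADIUSD_CONF, SITE_DEFAULT))
```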


Re: sql wont pass radtest

2010-05-26 Thread Robert Wilkinson


On Wed, 2010-05-26 at 19:58 +0100, Alan Buxey wrote:
 hi,
 
 your output doesn't show SQL being loaded up as the daemon starts... it's very
 obvious when it does use SQL as there'll be a lot of SQL stuff shown in the
 startup, e.g. sockets connecting to the SQL etc.
 
Just realised that the server needs to be restarted after each change in
configuration. Important to know that.

 check that you have the INCLUDE sql.conf in the radiusd.conf and check that
 you have uncommented the sql lines in the virtual servers that you want
 to use (i.e. 'default' for plain stuff and 'inner-tunnel' for EAP stuff)

I have uncommented all the SQL lines to no avail. No module is loaded.
Is it important to have a NAS installed at this stage?

Here is my radiusd -X output:

FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan  5
2010 at 02:49:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = no
 log {
stripped_names 

radtest

2010-05-19 Thread dorra aa

hi, after the addition of customers in the SQL database, I tried to test a
client on another computer by using radtest, but I had these lines in the
shell:
# radtest
Le programme 'radtest' peut être trouvé dans les paquets suivants :
(that means: The program 'radtest' can be found in the following packages)
 * radiusd-livingston
 * yardradius
 * xtradius
 * freeradius
All that I want is for the client to try to access the server, and all the
documents said that I may use radtest, but it's working only on the server.
Thank you

Re: radtest

2010-05-19 Thread Alan Buxey
Hi,

 after the addition of customers in the database sql, I assay to test a client 
 in other computer by  using radtest.
 but i had those lignes in the shell:
 # radtest
 Le programme 'radtest' peut être trouvé dans les paquets suivants : (that's
 means The program 'radtest' can be found in the following packages)
  * radiusd-livingston
  * yardradius
  * xtradius
  * freeradius

radtest is part of freeradius package. 

alan


format input to radclient (or radtest) for EAP-TTLS and EAP-PEAK (MSCHAPv2) test

2010-05-03 Thread bslee (HKBU)
Hi,

I am using v2.1.8 in SuSE 11.
 Question1:   I don't have the client and nas environment right now.  I want 
to input EAP-TTLS and EAP-PEAP (MSCHAPv2) respectively into radclient 
(or radtest) to test my freeradius configuration. What should be the input 
to radclient (or radtest)  (i.e. the red string in the example below)?

eg, echo User-Name=test,Password=mypass,Framed-Protocol=PPP  | 
/usr/local/bin/radclient localhost:1812 auth s3cr3t

Question 2:  When freeradius receives an authentication request of either one 
of those 2 types in question 1,  a script will be invoked to authenticate 
mysql (i.e. to replace corresponding rlm_eap_xxx module).
a. May I know related configurations for invoking the script?
b. some attributes should be sent to the script from freeradius. What are 
these attributes? How to get these attributes from PHP script?
c. After accessing MYSQL, PHP script should return some attributes back to 
freeradius, What are these attributes? How to allow freeradius to accept 
authentication result and those attributes?

---
Cheers,
Joe 




Re: format input to radclient (or radtest) for EAP-TTLS and EAP-PEAK (MSCHAPv2) test

2010-05-03 Thread Alan DeKok
bslee (HKBU) wrote:
  Question1:   I don't have the client and nas environment right now.  I
 want to input EAP-TTLS and EAP-PEAP (MSCHAPv2) respectively into
 radclient (or radtest) to test my freeradius configuration. What should
 be the input to radclient (or radtest)  (i.e. the red string in the
 example below)?

  radclient does not do EAP.  You will need to use eapol_test.  See
http://deployingradius.com for complete instructions.

 Question 2:  When freeradius receives a authentication request of either
 one of those 2 types in question 1,  a script will be invoked to
 authenticate mysql (i.e. to replace corresponding rlm_eap_xxx module).

  Uh... no.  That is not at all how it works.

 a. May I know related configurations for invoking the script?

  See scripts/exec-program-wait, and man unlang

 b. some attributes should be sent to the script from freeradius. What
 are these attributes? How to get these attributes from PHP script?

  See above.

 c. After accessing MYSQL, PHP script should return some attributes back
 to freeradius, What are these attributes? How to allow freeradius to
 accept authentication result and those attributes?

  See above.

  Alan DeKok.


Re: radiusd not responding to radtest

2010-02-16 Thread Alan Buxey
Hi,

 Thanks this was fixed by commenting out the ::1 entry in /etc/hosts as 
 we don't intend to run IPv6 on the box

if you don't intend to run IPv6 on that server then I'd suggest to
turn it off - otherwise you may have no ::1 in /etc/hosts but your IPv6 stack
is running and ALL daemons etc that can do IPv6 *will* do IPv6 - that'd
include FreeRADIUS if it's set to use DNS names and they look up nicely
to IPv6 addresses - e.g. the UK National JRS proxies.

here's some help

http://www.cyberciti.biz/tips/linux-how-to-disable-the-ipv6-protocol.html

alan


Re: radiusd not responding to radtest

2010-02-16 Thread Alan Buxey
Hi,

 rad_recv: Access-Request packet from host 127.0.0.1 port 46723, id=155, 
 length=56
  User-Name = test
  User-Password = test
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 0
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = test, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[unix] returns notfound
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop

this means the user 'test' was not found - in either the passwd file,
the users file ('files' module default location) and it wasn't an EAP message
so the EAP module did nothing.

if you add

test Cleartext-Password := test

to the users file and restart, you'll have success...this is a very basic test

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
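
The reading of the authorize trace given in the reply above can be automated for longer debug logs. This is an added example, not part of the list thread and not FreeRADIUS project code; the trace is a constructed sample assembled from debug lines quoted in this thread, and the list of modules treated as user stores, plus the return codes taken to mean "found", are assumptions of the example.

```python
import re

# Constructed sample: debug lines quoted in this thread. The archive stripped
# the quotes around attribute values; the parser accepts both forms.
TRACE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 46723, id=155, length=56
  User-Name = test
  User-Password = test
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 155 to 127.0.0.1 port 46723
"""

GROUP_RE = re.compile(r"^\s*\+- entering group (\S+)")
RCODE_RE = re.compile(r"^\s*\+{2,}\[([\w.-]+)\] returns (\w+)")
USER_RE = re.compile(r'^\s*User-Name = "?([^"\n]+)"?', re.M)

USER_STORES = ("unix", "files", "sql", "ldap")  # assumption: modules that look users up
FOUND = ("ok", "updated")                       # assumption: rcodes meaning "entry matched"


def module_results(trace):
    """Return {group: [(module, rcode), ...]} in the order the server ran them."""
    groups, current = {}, None
    for line in trace.splitlines():
        g = GROUP_RE.match(line)
        if g:
            current = g.group(1)
            groups.setdefault(current, [])
            continue
        r = RCODE_RE.match(line)
        if r and current is not None:
            groups[current].append((r.group(1), r.group(2)))
    return groups


def diagnose(trace):
    """Explain an Access-Reject from what the authorize section returned."""
    authorize = module_results(trace).get("authorize", [])
    user = USER_RE.search(trace)
    stores = [(m, rc) for m, rc in authorize if m in USER_STORES]
    matched = [m for m, rc in stores if rc in FOUND]
    no_password = "No known good password found" in trace
    no_auth_type = "No authenticate method (Auth-Type)" in trace
    if "Sending Access-Accept" in trace:
        verdict = "accepted"
    elif not matched and (no_password or no_auth_type):
        verdict = "rejected: user not found in any enabled store"
    elif "Sending Access-Reject" in trace:
        verdict = "rejected: user found, check the password or Auth-Type"
    else:
        verdict = "incomplete trace"
    return {
        "user": user.group(1).strip() if user else None,
        "stores_checked": stores,
        "matched": matched,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(TRACE).items():
        print(f"{key}: {value}")
```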


Re: radiusd not responding to radtest

2010-02-16 Thread Colin Byelong

Hi Alan,

Thanks for the help we have turned IPv6 off

Thanks

Colin

Hi,

   

Thanks this was fixed by commenting out the ::1 entry in /etc/hosts as
we don't intend to run IPv6 on the box
 

if you don't intend to run IPv6 on that server then I'd suggest to
turn it off - otherwise you may have no ::1 in /etc/hosts but your IPv6 stack
is running and ALL daemons etc that can do IPv6 *will* do IPv6 - that'd
include FreeRADIUS if it's set to use DNS names and they look up nicely
to IPv6 addresses - e.g. the UK National JRS proxies.

here's some help

http://www.cyberciti.biz/tips/linux-how-to-disable-the-ipv6-protocol.html

alan
   



--
---


Colin Byelong Email: c.byel...@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street  Phone: 020 7679-2572
London WC1E 6BT




Re: radiusd not responding to radtest

2010-02-16 Thread Colin Byelong

Hi Alan,

I figured out that I would need to add a test user in the users file, 
thanks for looking at it though.
We are still testing in the lab, we hope to use this to replace our 
existing Orps that's running radiator, so we are trying to configure a 
server that will use EAP-TTLS with a PAP inner that talks to a LDAP 
backend for ucl.ac.uk users and sends everything else to the NRPS,  I 
expect I'll be sending another post soon.


Thanks

Colin


Hi,

   

rad_recv: Access-Request packet from host 127.0.0.1 port 46723, id=155,
length=56
  User-Name = test
  User-Password = test
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
 

this means the user 'test' was not found - in either the passwd file,
the users file ('files' module default location) and it wasn't an EAP message
so the EAP module did nothing.

if you add

test Cleartext-Password := test

to the users file and restart, you'll have success...this is a very basic test

alan
   



--
---


Colin Byelong Email: c.byel...@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street  Phone: 020 7679-2572
London WC1E 6BT




Re: radiusd not responding to radtest

2010-02-12 Thread Colin Byelong

Alan,

Thanks this was fixed by commenting out the ::1 entry in /etc/hosts as 
we don't intend to run IPv6 on the box


Thanks again

Colin

Colin Byelong wrote:
   

radtest test test localhost 0 testing123
Sending Access-Request of id 253 to ::1 port 1812
 

   ::1 is IPv6.

...
   

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
 

   These are IPv4 sockets.

   Use '127.0.0.1' in radtest, rather than 'localhost'.

   Alan DeKok.
   



--
---


Colin Byelong Email: c.byel...@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street  Phone: 020 7679-2572
London WC1E 6BT




Re: radiusd not responding to radtest

2010-02-11 Thread Fajar A. Nugraha
On Wed, Feb 10, 2010 at 11:45 PM, Colin Byelong c.byel...@ucl.ac.uk wrote:
 ++[unix] returns notfound

... so unix module is enabled

 [pap] WARNING! No known good password found for the user.  Authentication
 may fail because of this.

... but No known good password found for the user.

If you just want to test that freeradius works, you should be able to
add a new user to the OS (using useradd and passwd or other
tools), and then use that user/password for radtest.

-- 
Fajar



radiusd not responding to radtest

2010-02-10 Thread Colin Byelong

Hello,

I'm very new to freeradius so apologies if this is a dumb question.
I installed freeradius2.1.8 on a Fedora 12 system today, when the 
install had finished I started radius with radiusd -X


Another window was opened to run radtest:


radtest test test localhost 0 testing123
Sending Access-Request of id 253 to ::1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Sending Access-Request of id 253 to ::1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Sending Access-Request of id 253 to ::1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
radclient: no response from server for ID 253 socket 3

I expected to see an Access-Accept or Access-Reject.

The output from radiusd -X is below:

Thanks

Colin


=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.02.10 14:58:54 
=~=~=~=~=~=~=~=~=~=~=~=
FreeRADIUS Version 2.1.8, for host x86_64-redhat-linux-gnu, built on 
Jan  8 2010 at 18:16:21

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib64/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass

Re: radiusd not responding to radtest

2010-02-10 Thread John Dennis

On 02/10/2010 10:30 AM, Colin Byelong wrote:

Hello,

I'm very new to freeradius so apologies if this is a dumb question.
I installed freeradius2.1.8 on a Fedora 12 system today, when the
install had finished I started radius with radiusd -X

Another window was opened to run radtest:


radtest test test localhost 0 testing123
Sending Access-Request of id 253 to ::1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Sending Access-Request of id 253 to ::1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Sending Access-Request of id 253 to ::1 port 1812
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
radclient: no response from server for ID 253 socket 3

I expected to see an Access-Accept or Access-Reject.


Did you open the port in your firewall?

hint: either use system-config-firewall to see if it's open and open it 
if it isn't or use service iptables status | grep 1812 to quickly 
verify if it's open or not.


--
John Dennis jden...@redhat.com



Re: radiusd not responding to radtest

2010-02-10 Thread Colin Byelong

On 10/02/2010 15:54, John Dennis wrote:
Hello,




Did you open the port in your firewall?

hint: either use system-config-firewall to see if it's open and open 
it if it isn't or use service iptables status | grep 1812 to quickly 
verify if it's open or not.



Hi John,

Thanks for the response.

[r...@orps3 ~]# service iptables status | grep 1812
7    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1812


I have tried it with the firewall disabled but got the same response.

Thanks

Colin





--
---


Colin Byelong Email: c.byel...@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street  Phone: 020 7679-2572
London WC1E 6BT




Re: radiusd not responding to radtest

2010-02-10 Thread Alan DeKok
Colin Byelong wrote:
 radtest test test localhost 0 testing123
 Sending Access-Request of id 253 to ::1 port 1812

  ::1 is IPv6.

...
 Listening on authentication address * port 1812
 Listening on accounting address * port 1813
 Listening on command file /var/run/radiusd/radiusd.sock
 Listening on proxy address * port 1814

  These are IPv4 sockets.

  Use '127.0.0.1' in radtest, rather than 'localhost'.

  Alan DeKok.
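
An added example, not part of the original post and not FreeRADIUS code: a small Python check for the mismatch diagnosed above, run over the same radtest and radiusd -X lines quoted in this thread. The function names are hypothetical, and treating a bare `*` as an IPv4 wildcard is an assumption taken from the statement above that these are IPv4 sockets.

```python
import ipaddress
import re

# Constructed sample input: the lines quoted in the thread above.
RADTEST_OUTPUT = "Sending Access-Request of id 253 to ::1 port 1812"
RADIUSD_DEBUG = """\
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
"""

SEND_RE = re.compile(r"Sending Access-Request of id \d+ to (\S+) port (\d+)")
# "command file" listeners are not network sockets and do not match.
LISTEN_RE = re.compile(r"Listening on (\w+) address (\S+) port (\d+)")


def family(addr):
    """Return 4 or 6 for an address as printed by radtest or radiusd -X."""
    if addr == "*":  # assumption from the thread: bare '*' is the IPv4 wildcard
        return 4
    return ipaddress.ip_address(addr).version


def parse_destination(radtest_output):
    """Return (address, port) that radtest actually sent the packet to."""
    m = SEND_RE.search(radtest_output)
    if m is None:
        raise ValueError("no 'Sending Access-Request' line found")
    return m.group(1), int(m.group(2))


def parse_listeners(debug_output):
    """Return (type, family, port) for every network listener in the dump."""
    return [(m.group(1), family(m.group(2)), int(m.group(3)))
            for m in LISTEN_RE.finditer(debug_output)]


def diagnose(radtest_output, debug_output):
    """Compare the family radtest used with the server's sockets on that port."""
    addr, port = parse_destination(radtest_output)
    want = family(addr)
    on_port = [l for l in parse_listeners(debug_output) if l[2] == port]
    if not on_port:
        return f"no listener on port {port}"
    if any(fam == want for _, fam, _ in on_port):
        return "ok"
    return (f"family mismatch: radtest sent IPv{want} to {addr}, "
            f"port {port} listens on IPv{on_port[0][1]} only")
```

With the sample lines, `diagnose(RADTEST_OUTPUT, RADIUSD_DEBUG)` reports the family mismatch; replacing `::1` with `127.0.0.1` in the radtest line returns `ok`.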


Re: radiusd not responding to radtest

2010-02-10 Thread Colin Byelong

Alan,

Thanks, I now have some output from the server:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 46723, id=155, length=56

User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 155 to 127.0.0.1 port 46723
Waking up in 4.9 seconds.
Cleaning up request 0 ID 155 with timestamp +2105


It's home time here so I'll look at this tomorrow :-)

Thanks

Colin





Colin Byelong wrote:
   

radtest test test localhost 0 testing123
Sending Access-Request of id 253 to ::1 port 1812
 

   ::1 is IPv6.

...
   

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
 

   These are IPv4 sockets.

   Use '127.0.0.1' in radtest, rather than 'localhost'.

   Alan DeKok.
   



--
---


Colin Byelong Email: c.byel...@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street  Phone: 020 7679-2572
London WC1E 6BT




Re: Duplicating results for radtest

2010-01-28 Thread Alan Buxey
Hi,
 Please see attached radiusd -X dump file as requested.

errr...ahhh...

 Ready to process requests.

..and then nothing - we need to see actual traffic passing through to see the
logic and decisions made on the packet.

alan


RE: Duplicating results for radtest

2010-01-28 Thread Mark Smith
Hello Alan,

Attached is a dump file with auth requests included.

Mark Smith
Systems Engineer
 
Abel Alarm Co Ltd
4 Vaughan Way
Leicester
LE1 4ST
web: www.abelalarm.co.uk
email: mark.sm...@abelalarm.co.uk

-Original Message-
From:
freeradius-users-bounces+mark.smith=abelalarm.co...@lists.freeradius.org
[mailto:freeradius-users-bounces+mark.smith=abelalarm.co...@lists.freeradius
.org] On Behalf Of James J J Hooper
Sent: 27 January 2010 17:20
To: FreeRadius users mailing list
Subject: RE: Duplicating results for radtest



--On Wednesday, January 27, 2010 05:11:26 PM + Mark Smith 
mark.sm...@abelalarm.co.uk wrote:

 Please see attached radiusd -X dump file as requested.

 Mark Smith
 Systems Engineer

 -Original Message-
 From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
 Sent: 27 January 2010 14:39
 To: mark.sm...@abelalarm.co.uk; FreeRadius users mailing list
 Subject: Re: Duplicating results for radtest

 radiusd -X

 then we can see what/where things are happening


Hi Mark,
  Your -X doesn't seem to include an auth request... Could you send one 
that does?

If you watch the -X during the auth request, you should be able to see when 
and why any attributes are added.

-James


 
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1645
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: bind_address = 100.1.1.133 IP address [100.1.1.133]
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = yes
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 
 sql: login = root
 sql: password = wsxedc
 sql: radius_db = radius
 sql: nas_table = nas
 sql: sqltrace = no
 sql: sqltracefile = /var/log/radius/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile = 
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id, UserName, Attribute, Value, op
   FROM radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER 
BY id
 sql: authorize_reply_query = SELECT id, UserName, Attribute, Value, op
   FROM radreply   WHERE Username = '%{SQL-User-Name}'   ORDER 
BY id
 sql: authorize_group_check_query = SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' 
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' 
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
 sql: accounting_onoff_query
