Re: radius behavior when DB is down

2005-04-12 Thread Alexander Serkin

Alan DeKok wrote:
Alexander Serkin [EMAIL PROTECTED] wrote:
Can anybody explain to me what the rlm_sql_... module does while the DB is 
inaccessible?
I mean what happens with the daemon when
1) it starts and finds that its SQL store is down.

  Have you tried checking this yourself?  It's not hard.
If I had, I wouldn't ask this. Sometimes the question has a reason to be 
asked.
I do not have an available test environment right now.

2) the db goes down while radius daemon is running.

  Similarly, this isn't hard to do in a test environment.

Does it make an attempt to reconnect or it dies too?

  It tries to reconnect.

Is the scenario the same for oracle and mysql?

  Yes.
  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
SY,
Alexander


Re: clients.conf mysql

2005-04-12 Thread Stefan Winter
Hi,

 Is there someone who can point me in the direction of achieving this?,
 I have searched google to find some posts that it is possible.

the schema for MySQL creates a table nas; its columns are quite 
self-explanatory. Then in sql.conf at the very end there is a section

# Set to 'yes' to read radius clients from the database ('nas' table)
readclients = ...

Set it to yes.

If you want to completely disable clients.conf, i.e. delete the file and make 
the server not die because there is no client {} stanza, you will need a 
little patch that ignores the non-existence of such stanzas. It is in the bug 
database under http://bugs.freeradius.org/show_bug.cgi?id=203 where Alan 
DeKok considers it for inclusion into a later release.

Stefan Winter


-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingénieur réseau et système

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.:      +352 424409-33
http://www.restena.lu                     fax:      +352 422473



LDAP attributes problem

2005-04-12 Thread clerc sylvain
Hello all,

My server is running PEAP/MSCHAPv2 and I have a problem when I want
to authenticate a user against an LDAP database (all is OK without the
LDAP). My version of FreeRADIUS is 1.0.2.

Apparently the LDAP module can't find the User-Name attribute. Could it
be because of MSCHAPv2?

I tried to change the LDAP filter in radiusd.conf (warn me if it's wrong :) ):

filter = "(sAMAccountName=%{User-Name})"

// radius log
rad_recv: Access-Request packet from host 10.74.1.110:2062, id=0, length=125
User-Name = radius
NAS-IP-Address = 10.74.1.110
Called-Station-Id = 000f66d9f098
Calling-Station-Id = 000e35be0159
NAS-Identifier = 000f66d9f098
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000b01726164697573
Message-Authenticator = 0x004b720255d8a13c938cdc392ba0cd91
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module preprocess returns ok for request 4
  modcall[authorize]: module chap returns noop for request 4
  modcall[authorize]: module mschap returns noop for request 4
rlm_realm: No '@' in User-Name = radius, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 4
  rlm_eap: EAP packet type response id 1 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 4
users: Matched entry DEFAULT at line 159
  modcall[authorize]: module files returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 4
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Name is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 4
modcall: group Auth-Type returns invalid for request 4
auth: Failed to validate the user.
Login incorrect: [radius/no User-Password attribute] (from client
10.74.1.110 port 38 cli 000e35be0159)
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 10.74.1.110:2062



divide ppp radius authentication for pptp AND l2tp/ipsec

2005-04-12 Thread guest01
Hi guys!

I know it's a bit OT; it would fit better in a PPP mailing list, but
I think this list is worth a try! :-)

I have the following problem:
I am using a Debian Woody VPN server with PPTP and L2TP/IPsec. Currently
I authenticate users via the ppp radius plugin, and it works fine.

But I have to separate PPTP and L2TP/IPsec users. Is there a possibility
to tell the radius plugin that it should only authenticate users which
have a special attribute in their radius account in the users file?

I want to create users which are only allowed to use PPTP and other
users which are only allowed to use L2TP/IPsec.

A possibility would be a special attribute as an argument for the
radius plugin; is this possible? E.g.
pptp-options:
plugin radius.so pptpaccess=TRUE
l2tp-options:
plugin radius.so l2tpaccess=TRUE

Does anyone have ideas?
regards
peda




WLAN auth problem

2005-04-12 Thread silvia troselj
Hi,

I have set up a hotspot with radius authentication (AP
connected to a freeradius server) and everything works
fine with clients that connect with WLAN cards (PCI or
PCMCIA).
The problem is when a client connects with an AP in client
mode. How can such a user be authenticated with
freeradius?

Thanks,
Troky






Re: WLAN auth problem

2005-04-12 Thread Emil Wilmanski
I have that problem...
Now I set the MACAUTH feature in ChilliSpot and authenticate my clients using
MAC, but I don't know about WPA security with this feature... I just
haven't tested it yet.

On Tue, 12-04-2005 at 03:26 -0700, silvia troselj wrote:
 Hi,
 
 I have set up hotspot with radius authentication (AP
 connected to freeradius server) and everything works
 fine with clients that connect with wlan cards (PCI od
 PCMCIA).
 Problem is when client connecting with AP in client
 mode. How can such user be authenticated with
 freeradius?
 
 Thanks,
 Troky
 
 
 
   
 
-- 
EW




VSAs in 3COM accounting

2005-04-12 Thread Tomasz Wolniewicz
Hi,
  I have some 3COM access points AP 7250.
In the accounting packets I get things like:

Tue Apr 12 13:11:59 2005
Acct-Status-Type = Alive
Acct-Session-Id = 000e356a0cfa-000e6ad5defe-0344
NAS-IP-Address = 192.168.36.3
Acct-Input-Octets = 32733
Acct-Output-Octets = 26338
Acct-Input-Packets = 221
Acct-Output-Packets = 186
Vendor-Specific = 
0x45415020557365726e616d652069733a203337303740636572747966696b6174792e756d6b2e706c
Vendor-Specific = 0x564c414e2049442069733a2031
Vendor-Specific = 0x4553534944203d20656475726f616d
Vendor-Specific = 0x45415020547970652069733a204541502d544c53
Acct-Session-Time = 11229
Client-IP-Address = 192.168.36.3
Acct-Unique-Session-Id = 70ab7f6a7a0a3309
Timestamp = 1113304319


I have looked through the mail archives and from what I have found there I
would guess that the first 4 bytes of the Vendor-Specific value should be
the Vendor-Id. But it seems strange that these Ids should be so high and
that they should be different. Am I misinterpreting something?

Tomasz



-- 
Tomasz Wolniewicz
   [EMAIL PROTECTED]    http://www.uni.torun.pl/~twoln

Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750   fax: +48-56-622-1850   tel kom.: +48-693-032-576



Re: NT domain names and SQL authentication

2005-04-12 Thread Diego M. Vadell
Thank you Jim! Interesting thread. Although it doesn't entirely solve my 
problem, I think I'm getting near.

 -- Diego.

On Monday 11 April 2005 23:34, Jim Seymour wrote:
 Diego M. Vadell [EMAIL PROTECTED] wrote:
  Hi,
I've been fighting my ignorance for a week now. I'm trying to setup
  FreeRadius with a Windows XP SP2 supplicant with mschap2 thru an
  Orinocco access point.
  I would like to use the username and password of the NT domain, but the
  only way I can get logged in is making XP ask me for the credentials.
  So to make it work, I add a line in users:

 [snip]


 Go to this link:

 http://lists.freeradius.org/archives/freeradius-users/2005/03/frm00948.html

 And follow the thread by clicking Next under Thread Links in the
 upper left.  That may get you what you want.

 Jim



freeradius installation problem.

2005-04-12 Thread Alex
Hi guys,
I am trying to install freeradius
freeradius-0.9.0-2 , radiusclient-0.4.8

I checked everything as explained in this HOW-TO:
http://www.iptel.org/ser/doc/ser_radius/ser_radius.html

When I try to check my radius installation with:

radclient -f digest localhost auth secret

I receive the following error:

radclient:No token read where we expected an attribute name

I believe installing freeradius 1.0.2 will solve that, but I
want to understand what the problem is here.

Thanks for any help.



Re: [Samba] Time to give back, Samba LDAP with FreeRadius

2005-04-12 Thread Douglas Sterner

First, you are clearly off topic for the samba list; this is clearly a
radius config issue.

Second, in order to use ldap.attrmap you must have the file ldap.attrmap
in /etc/raddb (for SuSE Linux).

This information is available in the radius ldap documentation.

example

#
# Mapping of RADIUS dictionary attributes to LDAP directory attributes
# to be used by LDAP authentication and authorization module (rlm_ldap)
#
# Format:
#  ItemType              RADIUS-Attribute-Name     ldapAttributeName
#
# Where:
#  ItemType              = checkItem or replyItem
#  RADIUS-Attribute-Name = attribute name in RADIUS dictionary
#  ldapAttributeName     = attribute name in LDAP schema
#
# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
# a LDAP attribute which can be used to store any RADIUS
# attribute/value-pair in LDAP directory.
#
# You should edit this file to suit it to your needs.
#

checkItem   $GENERIC$                   radiusCheckItem
replyItem   $GENERIC$                   radiusReplyItem

checkItem   Auth-Type                   radiusAuthType
checkItem   Simultaneous-Use            radiusSimultaneousUse
checkItem   Called-Station-Id           radiusCalledStationId
checkItem   Calling-Station-Id          radiusCallingStationId
checkItem   LM-Password                 lmPassword
checkItem   NT-Password                 ntPassword
checkItem   SMB-Account-CTRL-TEXT       acctFlags
checkItem   Expiration                  radiusExpiration

replyItem   Service-Type                radiusServiceType
replyItem   Framed-Protocol             radiusFramedProtocol
replyItem   Framed-IP-Address           radiusFramedIPAddress
replyItem   Framed-IP-Netmask           radiusFramedIPNetmask
replyItem   Framed-Route                radiusFramedRoute
replyItem   Framed-Routing              radiusFramedRouting
replyItem   Filter-Id                   radiusFilterId
replyItem   Framed-MTU                  radiusFramedMTU
replyItem   Framed-Compression          radiusFramedCompression
replyItem   Login-IP-Host               radiusLoginIPHost
replyItem   Login-Service               radiusLoginService
replyItem   Login-TCP-Port              radiusLoginTCPPort
replyItem   Callback-Number             radiusCallbackNumber
replyItem   Callback-Id                 radiusCallbackId
replyItem   Framed-IPX-Network          radiusFramedIPXNetwork
replyItem   Class                       radiusClass
replyItem   Session-Timeout             radiusSessionTimeout
replyItem   Idle-Timeout                radiusIdleTimeout
replyItem   Termination-Action          radiusTerminationAction
replyItem   Login-LAT-Service           radiusLoginLATService
replyItem   Login-LAT-Node              radiusLoginLATNode
replyItem   Login-LAT-Group             radiusLoginLATGroup
replyItem   Framed-AppleTalk-Link       radiusFramedAppleTalkLink
replyItem   Framed-AppleTalk-Network    radiusFramedAppleTalkNetwork
replyItem   Framed-AppleTalk-Zone       radiusFramedAppleTalkZone
replyItem   Port-Limit                  radiusPortLimit
replyItem   Login-LAT-Port              radiusLoginLATPort



Douglas Sterner 
Network Analyst







Adi Nugraha [EMAIL PROTECTED]
04/11/2005 11:44 PM

To: freeradius-users@lists.freeradius.org, Douglas Sterner [EMAIL PROTECTED]
cc: samba@lists.samba.org, [EMAIL PROTECTED]
Subject: Re: [Samba] Time to give back, Samba LDAP with FreeRadius


Hi

I'd like to ask about the conf file you posted here: is there any mistake
in it? I tried to use it but it failed with the following message:

Tue Apr 12 10:11:59 2005 : Info: Starting - reading configuration files
...
Tue Apr 12 10:11:59 2005 : Error: config: No such entry raddbdir for string
${raddbdir}/ldap.attrmap
Tue Apr 12 10:11:59 2005 : Error: Errors reading radiusd.conf

I'm trying to set up wireless authentication using the LDAP backend
containing samba users as well. Can you help me with this?

Thanks


- Original Message -
From: Douglas Sterner [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Cc: samba@lists.samba.org; [EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 7:13 AM
Subject: [Samba] Time to give back, Samba LDAP with FreeRadius


 If this is off topic I apologize in advance. Using Samba 3.0.13 with an
 LDAP back-end and FreeRadius I was trying to add the Radius schema and
 kept getting object class violations. It's my limited understanding of
 LDAP that you can not have more than one structural objectclass. I'm no
 ldap expert so no email telling me how wrong I am. So I came up with
 another solution. Using the Windows NT user manager in samba you can grant
 dialin permission to a user and authenticate against Radius on the
 back-end. We currently already depend on User Manager for other things so
 this helped to centralize our management of our VPN users. All you have to
 do is select the user / Dialin / Grant Dialin permission to user and
 apply. Using a working Samba LDAP configuration there is nothing in samba
 or LDAP to configure; it's automatic. I've included the changes necessary
 in a working radius server to complete it. We have 

RADIUS attributes

2005-04-12 Thread vicky
Hi guys and girls!
I was wondering if RADIUS attributes show when I run the server in debug 
mode. It spits out a lot of things; are the configured attributes in there 
somewhere? In other words, does one see the attributes configured just by 
looking at the output from the debugger?

Thanks all!
Peace
Vicky


MSCHAP

2005-04-12 Thread Diego M. Vadell
Hi,
   I've been thinking about this and have another question: I noticed that in 
the authorize section there is a lot of SQL activity, but in the 
authenticate section, none. That's where mschap should compare the password 
from the network with the password in the SQL. Where can I tell mschap to go 
read the SQL for the password? I planned to use dialupadmin to store 
everything in MySQL, so shouldn't mschap ask it for the password?

  I looked at rlm_mschap.c and found in mschap_authenticate() :
 *  We will try to find out password in configuration
 *  or in configured passwd file.

So it seems I will have to store the password in the users file. But what's 
the point of dialupadmin storing User-Password := password in MySQL? 
What's the idea of dialupadmin? How do I have to set up FreeRADIUS in order to 
use dialupadmin to create the users? Or was it intended to cover only one part 
of the users' creation?

Sorry for my english.

Thanks in advance,
 -- Diego

--  Forwarded Message  --

Subject: NT domain names and SQL authentication
Date: Monday 11 April 2005 22:59
From: Diego M. Vadell [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org

Hi,
  I've been fighting my ignorance for a week now. I'm trying to set up
FreeRadius with a Windows XP SP2 supplicant with mschap2 through an
Orinoco access point.
I would like to use the username and password of the NT domain, but the
only way I can get logged in is making XP ask me for the credentials.
So to make it work, I add a line in users:
--8---8--
pirulo  User-Password == chicos
--8---8--

I also edited radiusd.conf and uncommented the sql lines. User pirulo
does not exist in SQL. With this setup, I can get
authenticated/authorized.

But if I add a line like my NT username in users, I can't log in. The line
looks like this:
--8---8--
DOMAIN\\username   User-Password == my_nt_domain_password
--8---8--

I write it down exactly as I did with user pirulo, DOMAIN\\username and then
the password, and it doesn't work!

Also I tried asking Windows to send my login credentials automatically,
but it didn't work.
Running radiusd in debug mode (-X) I get:

Processing the authorize section of radiusd.conf
(all the modules return either noop or ok)
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module eap returns handled for request 19
modcall: group authenticate returns handled for request 19
(everything looks fine)
Processing the authorize section of radiusd.conf (again - everyting ok )

And so it goes, processing authorize and authenticate sections, untill it
gives this error:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 25
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 25
  rlm_mschap: NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
  rlm_mschap: Told to do MS-CHAPv2 for DOMAIN\username with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 25
modcall: group Auth-Type returns reject for request 25
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 25
modcall: group authenticate returns reject for request 25
auth: Failed to validate the user.
Login incorrect: [DOMAIN\\username] (from client localhost port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE

And thus ends.
So, my question is: should I set an NT-Password attribute in the users file?

Thanks,
 -- Diego.


---



FreeRadius 1.0.2 startup issue

2005-04-12 Thread bporter
Hello all. I'm not sure what's up here, but 'check-radiusd-config' reports 
that /etc/raddb/huntgroups is not readable. I looked at the permissions 
(even tried changing them to 666), but that did not fix it. The file was 
blank, but at least present, and with the right permissions. So then I 
tried commenting out any mention of the huntgroups file in the 
/etc/raddb/radiusd.conf, but it still tries to load it. Anyway, here is 
the error:

# check-radiusd-config
snip
rlm_preprocess: Error reading /etc/raddb/huntgroups
radiusd.conf[819]: preprocess: Module instantiation failed.
snip
# ls -la /etc/raddb/huntgroups
-rw-rw-rw-  1 root root 0 Apr 12 08:30 /etc/raddb/huntgroups
Anyone have any ideas? Please help.
Thanks,
Bryce Porter


dictionary file - rfc compliant or not - Authen::Radius?

2005-04-12 Thread Bram
Hello,


Can someone tell me if the syntax of the dictionary file(s) is documented
somewhere in an RFC or not? (And if freeradius implements that RFC or not?)

I'm asking this because the 'encrypt=1' after User-Password in the dictionary
file is breaking the perl module Authen::Radius. I mailed the author of this
module (informing him about it) and he found the syntax used strange...


So can anyone confirm whether this is a fault of freeradius or one of
Authen::Radius?


Regards,

Bram



RE: dictionary file - rfc compliant or not - Authen::Radius?

2005-04-12 Thread Guy Davies
The format of the dictionary file is implementation specific (see the
query a few days ago regarding a dictionary supplied in SBR format, to
which I replied).  Several implementers have chosen to use the same
format but it's not mandated in any RFC AFAIK.

Rgds,

Guy

 -----Original Message-----
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Bram
 Sent: 12 April 2005 15:08
 To: freeradius-users@lists.freeradius.org
 Subject: dictionary file - rfc compliant or not - Authen::Radius?
 
 
 Hello,
 
 
 Can someone tell me if the syntax of the dictionary file(s) 
 is documented somewhere in an RFC or not? (And if freeradius 
 implements that RFC or not?)
 
 I'm asking this because the 'encrypt=1' after User-Password 
 in the dictionary file is breaking the perl module 
 Authen::Radius. I mailed the author of this module (informing 
 him about it) and he found the syntax used strange...
 
 
 So can anyone confirm whether this is a fault of freeradius or 
 one of Authen::Radius?
 
 
 Regards,
 
 Bram
 



802.1x and authenticating machine account

2005-04-12 Thread markcapelle
I have been using 802.1x with PEAP/Windows XP/AD for a while.  We now have
some walkup stations in place that are giving me trouble.  Since the
machine does not have cached credentials of the user logging in, it cannot
get past the login screen to start the EAP auth and activate the port on my
switch.  I enabled the checkbox to use the machine credentials, so now I
see the request come in (host/machine.mydomain.corp.com).  Is there a way I
can auth the machine?   Could I do this via the users file?  Maybe use the
realm file to modify the request to auth the machine against AD properly?

Mark Capelle


hardware radius proxy

2005-04-12 Thread Tariq Rashid

hi - is anyone aware of a hardware device which can do radius proxying,
choosing targets according to the username domains?

the advantages of a hardware device are:
1. fast reboot times
2. possibly faster packet processing
3. lower maintenance and support compared to a general purpose OS

it seems silly to run a full OS on general purpose hardware when proxying is
essentially something that a switch/router/load balancer class device can
do. we already have layer 7 devices which do deep inspection of packets.

google didn't return any useful results.

tariq



Re: 802.1x and authenticating machine account

2005-04-12 Thread Josh Howlett
Take a look at pGina.
josh.
--On Tuesday, April 12, 2005 09:14:31 -0500 [EMAIL PROTECTED] wrote:
I have been using 802.1x with PEAP/Windows XP/AD for a while.  We now have
some walkup stations in place that are giving me trouble.  Since the
machine does not have cached credentials of the user logging in, it cannot
get past the login screen to start the EAP auth and activate the port on
my switch.  I enabled the checkbox to use the machine credentials, so now
I see the request come in (host/machine.mydomain.corp.com).  Is there a
way I can auth the machine?   Could I do this via the users file?  Maybe
use the realm file to modify the request to auth the machine against AD
properly?
Mark Capelle

--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]



Re: radius behavior when DB is down

2005-04-12 Thread Alan DeKok
Alexander Serkin [EMAIL PROTECTED] wrote:
Have you tried checking this yourself?  It's not hard.
 
 If i have, i wouldn't ask this. Sometimes the question has a reason to be 
 asked.
 I do not have an available test environment right now.

  I strongly recommend setting up a test system.  It's the fastest way
to figure out what the server's doing, and to test configurations that
might break your deployed systems.

  Alan DeKok.




Re: FreeRadius 1.0.2 startup issue

2005-04-12 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Hello all. I'm not sure what's up here, but 'check-radiusd-config'

  ... doesn't work in 1.0.2.

  Alan DeKok.



any gotchas - certs/eap-tls and mysql

2005-04-12 Thread kat
hello,
I was wondering about setting up radius for eap-tls with certificates 
and the issue of using mysql for everything. Are there any gotchas with 
regards to this? What would go in the users section of the database, if 
anything?  Has anyone done this?  I have a fully functioning setup with 
certs and both user and machine authentication using eap-tls with 
certificates, but want to convert everything to use sql, at least so 
other people can maintain the NAS list in the database and more. Also, 
with regards to CAs, has anyone used EJBCA, or would you recommend 
something else?

thanks



Re: dictionary file - rfc compliant or not - Authen::Radius?

2005-04-12 Thread Alan DeKok
Bram [EMAIL PROTECTED] wrote:
 I'm asking this because the 'encrypt=1' after User-Password in the dictionary
 file is breaking the perl module Authen::Radius. I mailed the author of this
 module (informing him about it) and he found the syntax used strange...

  There are *much* stranger dictionary file formats.

 So can anyone confirm whether this is a fault of freeradius or one of
 Authen::Radius?

  The FreeRADIUS dictionary files are meant to be used by FreeRADIUS.
I have no idea what, if any, dictionary files are supplied by
Authen::Radius.  But I'm not surprised that a non-FreeRADIUS program
has issues reading the FreeRADIUS dictionaries.

  Alan DeKok.




Re: LDAP attributes problem

2005-04-12 Thread Alan DeKok
clerc sylvain [EMAIL PROTECTED] wrote:
 My server is running in PEAP mschapv2 and I've a problem when I want
 to authenticate a user with a ldap database

  No, you don't.  LDAP is NOT an authentication server.

 apparently, the ldap can't find the User-Name attribute Could it
 be because of mschapv2

  LDAP doesn't understand PEAP, or MS-CHAP.  You have edited the
configuration files to set Auth-Type = LDAP.  DON'T DO THAT.

  Alan DeKok.




Re: VSAs in 3COM accounting

2005-04-12 Thread Alan DeKok
Tomasz Wolniewicz [EMAIL PROTECTED] wrote:
   I have some 3COM access points AP 7250.
 In the accounting packets I get things like:
...
 Vendor-Specific = 
 0x45415020557365726e616d652069733a203337303740636572747966696b6174792e756d6b2e706c
 Vendor-Specific = 0x564c414e2049442069733a2031
 Vendor-Specific = 0x4553534944203d20656475726f616d
 Vendor-Specific = 0x45415020547970652069733a204541502d544c53

  Wild.

 I have looked through the mail archives and from what I have found there I
 would guess that the first 4 bytes of the Vendor-Specific value should be
 the Vendor-Id. But this seems strange that these Ids should be so high and
 that they should be different. Am I missinterpreting something?

  Nope.  The NAS is seriously broken.  I suggest complaining to 3com
that their AP doesn't do RADIUS properly.

  Alan DeKok.

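To see concretely why these values are "wild", here is an added example (not part of the original posts, and not FreeRADIUS code) that checks the raw attribute values from the thread against the RFC 2865 Vendor-Specific layout: a 4-octet Vendor-Id whose high-order octet must be zero, followed by vendor-type/vendor-length/data sub-attributes. The first four octets of the 3Com values are the ASCII text "EAP ", "VLAN", "ESSI" and "EAP ", so read as a Vendor-Id they are large, differ per attribute and have a non-zero high octet; the bytes are simply a human-readable string dropped into the attribute with no vendor header at all. The same script also decodes the EAP-Message from the "LDAP attributes problem" log above (an EAP Response, Identity, "radius"). The 3Com hex strings and the EAP-Message are copied from the posts; the well-formed Cisco-style VSA is a constructed comparison value, and all function names are the example's own.

```python
"""Added example: check RADIUS attribute values against the RFC wire layout.
Hex strings marked 'from the post' are copied from the thread above; the
well-formed VSA is constructed here for comparison.  Not FreeRADIUS code."""
import struct


def parse_vsa(value: bytes):
    """Parse the value of a Vendor-Specific attribute (RFC 2865 s.5.26).

    Layout: 4-octet Vendor-Id (high-order octet MUST be 0), followed by one
    or more vendor sub-attributes, each <vendor-type, vendor-length, data>.
    Returns (vendor_id, [(vendor_type, data), ...]) or raises ValueError.
    """
    if len(value) < 6:
        raise ValueError("too short for a Vendor-Id plus one sub-attribute")
    vendor_id = struct.unpack(">I", value[:4])[0]
    if value[0] != 0:
        raise ValueError(
            f"high-order octet is {value[0]:#04x}, must be 0 "
            f"(Vendor-Id would be {vendor_id})"
        )
    subs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError(f"truncated sub-attribute header at offset {pos}")
        vtype, vlen = value[pos], value[pos + 1]
        # vendor-length counts its own two header octets, so >= 3 means data
        if vlen < 3 or pos + vlen > len(value):
            raise ValueError(f"bad vendor-length {vlen} at offset {pos}")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def parse_eap_message(value: bytes):
    """Decode an EAP packet (RFC 3748): code, identifier, length, then for
    Request/Response a type octet and type-data.
    Returns (code_name, identifier, eap_type, type_data)."""
    if len(value) < 4:
        raise ValueError("EAP header needs 4 octets")
    code, ident, length = struct.unpack(">BBH", value[:4])
    if length != len(value):
        raise ValueError(f"EAP length field {length} != {len(value)} octets")
    names = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
    if code in (1, 2):
        return names[code], ident, value[4], bytes(value[5:])
    return names.get(code, f"code-{code}"), ident, None, b""


def classify_vsa(value: bytes):
    """Try the RFC layout first.  If it fails and the bytes are printable
    ASCII, report the text the NAS actually stuffed into the attribute."""
    try:
        vendor_id, subs = parse_vsa(value)
        return "rfc", vendor_id, subs
    except ValueError as err:
        printable = all(0x20 <= b < 0x7F for b in value)
        return "broken", str(err), value.decode("ascii") if printable else None


# From the post: the four Vendor-Specific values the 3Com AP 7250 sends.
THREECOM_VSAS = [bytes.fromhex(h) for h in (
    "45415020557365726e616d652069733a203337303740636572747966696b6174792e756d6b2e706c",
    "564c414e2049442069733a2031",
    "4553534944203d20656475726f616d",
    "45415020547970652069733a204541502d544c53",
)]
# From the 'LDAP attributes problem' post: the EAP Identity response.
LDAP_THREAD_EAP = bytes.fromhex("0201000b01726164697573")
# Constructed for comparison: Vendor-Id 9 (Cisco), vendor-type 1
# (Cisco-AVPair) carrying "shell:priv-lvl=15".  Assumed values.
WELL_FORMED_VSA = b"\x00\x00\x00\x09" + bytes([1, 2 + 17]) + b"shell:priv-lvl=15"

if __name__ == "__main__":
    for v in THREECOM_VSAS:
        print(classify_vsa(v))
    print(classify_vsa(WELL_FORMED_VSA))
    print(parse_eap_message(LDAP_THREAD_EAP))
```

Run stand-alone, the four 3Com values all come back as "broken" with their decoded text ("EAP Username is: ...", "VLAN ID is: 1", "ESSID = eduroam", "EAP Type is: EAP-TLS"), while the constructed Cisco value parses to Vendor-Id 9 with one sub-attribute. A server that wants to log such values without a dictionary for them can fall back to exactly this printable-ASCII check, but nothing in them can be trusted as structured data.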


Re: RADIUS attributes

2005-04-12 Thread Alan DeKok
vicky [EMAIL PROTECTED] wrote:
 I was wondering if RADIUS attributes show when I run the server in debug 
 mode. It spits out a lot of things, is the configured attributes there 
 between? In other words, does one see the attributes configured just by 
 looking at the output from the debugger?

  For some attributes, yes.  The debug mode generally prints out what
module did what, which enables you to read your configuration files,
to discover which attributes are matched.

  Alan DeKok.



RE: FreeRadius 1.0.2 startup issue

2005-04-12 Thread Bryce Porter
Thank you for your response, but how do I make it stop trying to use
huntgroups? I figured commenting them out of the configuration file
would take care of it, but apparently not. Please advise.

Bryce Porter  .  Network Administrator
. . . . . . . . . . . . . . . . . . . . . . . . . . 
Heart Technologies, Inc. 
3105 N. Main St.
E. Peoria, IL  61611 
p. 309.427.7282  
f. 309.427.7382  
e. [EMAIL PROTECTED] 
w. www.heart.net

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Tuesday, April 12, 2005 12:03 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: FreeRadius 1.0.2 startup issue 

[EMAIL PROTECTED] wrote:
 Hello all. I'm not sure what's up here, but 'check-radiusd-config'

  ... doesn't work in 1.0.2.

  Alan DeKok.




freeradius with Gentoo Linux

2005-04-12 Thread don
Hi,

Is anyone using freeradius with Gentoo Linux?

Also, is anyone using freeradius-dialupadmin and mysql?

Sincerely,

Don James
Henderson, Texas USA


 




Re: MSCHAP

2005-04-12 Thread Alan DeKok
Diego M. Vadell [EMAIL PROTECTED] wrote:
I've been thinking about this and have another question: I
 noticed that in the authorize sections there is a lot of SQL
 activity, but in the authenticate section, none.

  SQL servers don't authenticate anyone.

 That's where mschap should compare the password from the network
 with the password in the SQL . Where can I tell mschap go read the
 sql for the password?

  You don't.  You list sql in the authorize section.  It supplies
a password to FreeRADIUS, and the mschap module uses that password
to perform authentication.

 So it seems I will have to store the password in the users file. But what's 
 the point of dialupadmin storing User-Password := password in Mysql? 

  So you don't have to put the password in the users file.

 What's the idea of dialupadmin?

  So you can edit the user information in SQL through a nice GUI.

  Alan DeKok.




Re: any gotchas - certs/eap-tls and mysql

2005-04-12 Thread Alan DeKok
kat [EMAIL PROTECTED] wrote:
 I was wondering about setting up radius for eap-tls with certificates 
 and the issue of using mysql for everything. Are there any gotchas with 
 regards to this? What would go in the users section of the database, if 
 anything?

  Whatever RADIUS attributes you want to return when a user is
authenticated.  But not passwords, because the TLS certificate
checking takes care of authenticating users.

  Alan DeKok.



Re: FreeRadius 1.0.2 startup issue

2005-04-12 Thread Alan DeKok
Bryce Porter [EMAIL PROTECTED] wrote:
 Thank you for your response, but how do I make it stop trying to use
 huntgroups? I figured commenting them out of the configuration file
 would take care of it, but apparently not. Please advise.

  It's difficult to do in 1.0.2.  I suggest just making the file
readable, but empty.

  Is there a problem when you run *radiusd*?  If not, don't worry
about it.  check-radius-config doesn't work.  Any error messages it
produces are worthless.  Ignore them.

  Alan DeKok.




RE: FreeRadius 1.0.2 startup issue

2005-04-12 Thread Bryce Porter
Yes, there is an issue starting 'radiusd' as well, even though
/etc/raddb/huntgroups exists (empty, but readable by everyone), it
complains about not being able to read it.



RE: freeradius with Gentoo Linux

2005-04-12 Thread Bryce Porter
I'm trying to, but it's being a PITA. If you get it to work, please let
me know how. I had to force it to use 1.0.2-r2, even though it was
masked, because 1.0.1 would not even compile.



Re: FreeRadius 1.0.2 startup issue

2005-04-12 Thread Alan DeKok
Bryce Porter [EMAIL PROTECTED] wrote:
 Yes, there is an issue starting 'radiusd' as well, even though
 /etc/raddb/huntgroups exists (empty, but readable by everyone), it
 complains about not being able to read it.

  Hmm... I think that's a bug in the module.  Put some empty nonsense
into the file, and the complaint should go away.

  e.g.

DEFAULT Client-IP-Address == 127.0.0.1
Huntgroup-Name = stuffillneveruse

  Alan DeKok.




Re: freeradius with Gentoo Linux

2005-04-12 Thread Matt Baran

I've been using it on Gentoo since 0.9.3, using the ebuilds.

I have our accounting info stored in MySQL and use LDAP for auth.

What problems are you having?

-Matt



Re: freeradius with Gentoo Linux

2005-04-12 Thread Joe Raviele
I have it working as well. 802.1x, Gentoo to LDAP. Post any specific problems.

- joe



Re: LDAP attributes problem

2005-04-12 Thread Alan DeKok
clerc sylvain [EMAIL PROTECTED] wrote:
 In reality, I must link my freeradius server with an Active Directory
 and not a real ldap database and someone tells me that active
 directory understand only PEAP ( I believe it was in this mailing list
 but I don't remember exactly).

  No.  Active directory doesn't understand anything.

  You MUST configure FreeRADIUS to use ntlm_auth.  See radiusd.conf.

  Alan DeKok.



Re: dictionary file - rfc compliant or not - Authen::Radius?

2005-04-12 Thread Thor Spruyt
Bram wrote:
 I'm asking this because the 'encrypt=1' after User-Password in the
 dictionary file is breaking the perl module Authen::Radius, I mailed
 the author of this module (informing him about it) and he found the
 used syntax strange...

Found on http://search.cpan.org/~manowar/RadiusPerl-0.12/Radius.pm ...

load_dictionary ( [ DICTIONARY ] )
Loads the definitions in the specified Radius dictionary file (standard
Livingston radiusd format). Tries to load '/etc/raddb/dictionary' when no
argument is specified, or dies. NOTE: you need to load valid dictionary if
you plan to send Radius requests with other attributes than just
User-Name/Password.

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be




RE: FreeRadius 1.0.2 startup issue (with Gentoo)

2005-04-12 Thread Bryce Porter
Ok, added that to the file, permissions on the /etc/raddb/huntgroups
file are still 666, and I still get the same error: Permission denied
(rlm_preprocess: Error reading /etc/raddb/huntgroups).

Any more ideas?




Re: Post-Proxy-Type + rlm_rewrite + rlm_ippool does not work

2005-04-12 Thread Pasi Kärkkäinen
On Wed, Apr 06, 2005 at 03:30:34PM +0300, Pasi Kärkkäinen wrote:
 Hi!
 
 I've tried to get this working for a long time, trying almost every kind of
 possible solution.. with no luck yet :(
 

Alan,

Could you please comment on this..

If I'm trying to do something that won't work, please tell me.. :)

Thanks!

- Pasi Kärkkäinen


 Scenario: NAS uses freeradius-server (proxy) for authentication. Proxy needs
 to also supply Framed-IP-Address back to NAS. 
 
 Proxy proxies authentication requests to home servers based on realm.
 
 Now, I _need_ to assign IP-addresses in the _Proxy_ based on realm.
 
 I set up rlm_ippool for each realm. Now, I need to assign Pool-Name
 attribute for all requests based on realm. I do this:
 
 users-file:
 
 DEFAULT Realm == foo.com, Post-Proxy-Type := post.proxy.foo
Fall-Through = 1
 
 
 radiusd.conf:
 
 post-proxy {
 
   Post-Proxy-Type post.proxy.foo {
 rewrite_add_foo_ippool
 }
 }
 
 attr_rewrite rewrite_add_foo_ippool {
   attribute = Pool-Name
   searchin = proxy_reply
   searchfor = 
   replacewith = foo_ippool
   new_attribute = yes
 }
 
 
 post-auth {
   
   foo_ippool
 }
 
 
 Freeradius debug messages when proxy receives authentication request:
 
 
 Module: Instantiated attr_rewrite (rewrite_add_foo_ippool)
 Module: Instantiated ippool (foo_ippool)
 rlm_realm: Looking up realm foo.com for User-Name = [EMAIL PROTECTED]
 rlm_realm: Found realm foo.com
 rlm_realm: Proxying request from user test to realm foo.com
 users: Matched entry DEFAULT at line 154 (this is the Post-Proxy-Type line)
 rad_recv: Access-Accept packet from host 1.2.3.4:1812, id=0, length=235
 Found Post-Proxy-Type post.proxy.foo
 modcall: entering group Post-Proxy-Type for request 0
 rlm_attr_rewrite: Illegal value for searchin. Changing to packet.
 rlm_attr_rewrite: Added attribute Pool-Name with value 'foo_ippool'
 modcall[post-proxy]: module rewrite_add_foo_ippool returns ok for request 0
 modcall: group Post-Proxy-Type returns ok for request 0
 authorize: Skipping authorize in post-proxy stage
 rad_check_password: Auth-Type = Accept, accepting the user
 Login OK: [EMAIL PROTECTED] (from client client01 port 0)
 Processing the post-auth section of radiusd.conf
 modcall: entering group post-auth for request 0
 rlm_ippool: Could not find Pool-Name attribute
 modcall[post-auth]: module foo_ippool returns noop for request 0
 modcall: group post-auth returns noop for request 0
 Finished request 0
 
 
 I'm using freeradius patch by Nicolas Baradakis [EMAIL PROTECTED] which
 enables freeradius (1.02) to run modules in post-proxy {} section. The above
 Post-Proxy-Type foo {} thing does not work without that patch.
 
 But the problem is now how to get the Pool-Name variable set so that
 rlm_ippool works..
 
 Thanks for your help/ideas!
 
 -- Pasi Kärkkäinen

^
 . .
  Linux
   /-\
  Choice.of.the
.Next.Generation.
 


Re: dictionary file - rfc compliant or not - Authen::Radius?

2005-04-12 Thread Bram
 Found on http://search.cpan.org/~manowar/RadiusPerl-0.12/Radius.pm ...
 
 load_dictionary ( [ DICTIONARY ] )
 Loads the definitions in the specified Radius dictionary file (standard
 Livingston radiusd format). Tries to load '/etc/raddb/dictionary' when no
 argument is specified, or dies. NOTE: you need to load valid dictionary if
 you plan to send Radius requests with other attributes than just
 User-Name/Password.
 

From http://www.portmasters.com/downloads.html (
http://www.portmasters.com/www.livingston.com/ ): 

'This is Livingston's original Radius server ... This program is no longer
updated but it is still quite functional. We recommend Free Radius, Cistron
Radius or  Yard, all based on this version.'


Early versions of the module Authen::Radius seem to be based on the dictionary
file of Livingston's Radius
(ftp://ftp.portmasters.com/pub/le/radius/dictionary ).

But that dictionary file does not have the $include-syntax, for which support
has been added in 2003, so the documentation of that Authen::Radius is simply
wrong.


This brings me back to my question: is there an agreement between different
radius servers (or an RFC) on the syntax for dictionary files (maybe between
the ones that are based on Livingston's Radius server)? Or what syntax
matches all lines in the freeradius dictionary? (Of course a syntax that
allows the addition of new elements (in the future, that is) would be desired.)


In my opinion it would make sense if there is one, since this would make it
easier for the ones writing modules and/or clients to connect to a Radius
server...


Anyone know? Or would it be a better idea to re-post this on the developers
mailing list?


Bram



Some freeradius question

2005-04-12 Thread Alex
Hi guys,

I would like to know how I can enable digest authentication in
freeradius. This is what I understand I need in order to authenticate SIP
clients.

Inside radiusd.conf I have digest { } and I have uncommented the digest
value under authorize and under authenticate.

What do I need to do in order to enable digest authentication?

thanks for any help.



freeradius PEAP/MS-CHAPv2 and aegis client

2005-04-12 Thread Jie Yang
Hi, All, 
I am setting up a freeradius server to do PEAP authentication with
MS-CHAPv2. My freeradius version is 1.0.1. The supplicant is a PC
running aegis client version 2.0.5.
The authenticator is a Cisco Switch with dot1x enabled.
When trying to authenticate the client, I always received the
following debugging messages with the authentication failure:


..
for request 6
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap: EAP packet type response id 6 length 107
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modcall[authorize]: module eap returns updated for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 6
Tue Apr 12 15:21:36 2005 : Debug: users: Matched supplicant_cts at 55
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modcall[authorize]: module files returns ok for request 6
Tue Apr 12 15:21:36 2005 : Debug: modcall: group authorize returns updated for request 6
Tue Apr 12 15:21:36 2005 : Debug:   rad_check_password:  Found Auth-Type EAP
Tue Apr 12 15:21:36 2005 : Debug: auth: type EAP
Tue Apr 12 15:21:36 2005 : Debug:   Processing the authenticate section of radiusd.conf
Tue Apr 12 15:21:36 2005 : Debug: modcall: entering group authenticate for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap: Request found, released from the list
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap: EAP/peap
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap: processing type peap
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_peap: Authenticate
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_tls: processing TLS
Tue Apr 12 15:21:36 2005 : Debug:   eaptls_verify returned 7
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_tls: Done initial handshake
Tue Apr 12 15:21:36 2005 : Debug:   eaptls_process returned 7
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_peap: EAPTLS_OK
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_peap: Session established.  Decoding tunneled attributes.
  PEAP tunnel data in : 1a 02 06 00 44 31 9f 11 f4 59 4e c9 74 2b dd 1b
  PEAP tunnel data in 0010: a2 c0 bf 28 fa ea 00 00 00 00 00 00 00 00 c8 3c
  PEAP tunnel data in 0020: 75 64 f3 38 a5 42 35 96 e8 c2 84 5a 74 0e ec 42
  PEAP tunnel data in 0030: d9 2e 69 41 4e a3 00 73 75 70 70 6c 69 63 61 6e
  PEAP tunnel data in 0040: 74 5f 63 74 73
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_peap: EAP type mschapv2
Tue Apr 12 15:21:36 2005 : Debug:   rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message = 0x020600491a02060044319f11f4594ec9742bdd1ba2c0bf28faeac83c7564f338a5423596e8c2845a740eec42d92e69414ea300737570706c6963616e745f637473
Tue Apr 12 15:21:36 2005 : Debug:   PEAP: Setting User-Name to supplicant_cts
Tue Apr 12 15:21:36 2005 : Debug:   PEAP: Adding old state with 9c 22
  PEAP: Sending tunneled request
EAP-Message = 0x020600491a02060044319f11f4594ec9742bdd1ba2c0bf28faeac83c7564f338a5423596e8c2845a740eec42d92e69414ea300737570706c6963616e745f637473
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = supplicant_cts
State = 0x9c22748acfa58b214fe3d20fac288a7a
Tue Apr 12 15:21:36 2005 : Debug:   Processing the authorize section of radiusd.conf
Tue Apr 12 15:21:36 2005 : Debug: modcall: entering group authorize for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modcall[authorize]: module preprocess returns ok for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modcall[authorize]: module chap returns noop for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modcall[authorize]: module mschap returns noop for request 6
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 6
Tue Apr 12 15:21:36 2005 : Debug: rlm_realm: No '@' in User-Name = supplicant_cts, looking up realm NULL
Tue Apr 12 15:21:36 2005 : Debug: rlm_realm: No such realm NULL
Tue Apr 12 15:21:36 2005 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 6
Tue Apr 12
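The "PEAP tunnel data in" dump in the debug output above is the supplicant's EAP/MS-CHAPv2 Response as PEAP carries it inside the TLS tunnel. The parser below is an added example, not FreeRADIUS code: it rebuilds the EAP-Message from those five dump lines (eap_id 6 is taken from the log), decodes the MS-CHAPv2 fields so the dump can be read, and applies the length checks a decoder needs; those checks also show that the EAP-Message hex as archived in the quoted log is 8 bytes short of its own length field. The peer challenge and NT-Response it extracts are credential material, which is why debug logs should be redacted before being posted.

```python
"""Decode the EAP/MS-CHAPv2 Response shown in the PEAP debug log above."""
import struct
from dataclasses import dataclass

EAP_CODE_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26        # 0x1a, the first byte of the tunnel dump
MSCHAPV2_OP_RESPONSE = 2
MSCHAPV2_VALUE_SIZE = 49      # 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags

# Sample input: the five "PEAP tunnel data in" lines from the log, transcribed
# here.  PEAP carries the inner EAP packet without its 4-byte code/id/length
# header, which is why the dump starts at the EAP type byte.
TUNNEL_DATA_HEX = (
    "1a 02 06 00 44 31 9f 11 f4 59 4e c9 74 2b dd 1b"
    " a2 c0 bf 28 fa ea 00 00 00 00 00 00 00 00 c8 3c"
    " 75 64 f3 38 a5 42 35 96 e8 c2 84 5a 74 0e ec 42"
    " d9 2e 69 41 4e a3 00 73 75 70 70 6c 69 63 61 6e"
    " 74 5f 63 74 73"
)

# The EAP-Message hex exactly as it appears in the quoted log text; the
# archived text lost the run of eight zero bytes, so it is 65 bytes, not 73.
LOGGED_EAP_MESSAGE_HEX = (
    "020600491a02060044319f11f4594ec9742bdd1ba2c0bf28faea"
    "c83c7564f338a5423596e8c2845a740eec42d92e69414ea300737570706c6963616e"
    "745f637473"
)


@dataclass
class MsChapV2Response:
    eap_id: int
    mschap_id: int
    peer_challenge: bytes
    nt_response: bytes
    flags: int
    name: str


def rebuild_eap_message(eap_id: int, tunnel_data: bytes) -> bytes:
    """Prepend the EAP header that PEAP strips: code=Response, id, total length."""
    return struct.pack(">BBH", EAP_CODE_RESPONSE, eap_id, 4 + len(tunnel_data)) + tunnel_data


def parse_eap_mschapv2_response(pkt: bytes) -> MsChapV2Response:
    """Parse an EAP-Response/MS-CHAPv2 Response, rejecting inconsistent lengths."""
    if len(pkt) < 10:
        raise ValueError("packet too short for EAP + MS-CHAPv2 headers")
    code, eap_id, eap_len = struct.unpack(">BBH", pkt[:4])
    if code != EAP_CODE_RESPONSE:
        raise ValueError(f"EAP code {code} is not Response")
    if eap_len != len(pkt):
        raise ValueError(f"EAP length field {eap_len} != {len(pkt)} bytes present")
    if pkt[4] != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"EAP type {pkt[4]} is not MS-CHAPv2 (26)")
    # MS-CHAPv2 header: OpCode, MS-CHAPv2-ID, MS-Length (counts from OpCode to end)
    opcode, ms_id, ms_len = struct.unpack(">BBH", pkt[5:9])
    if opcode != MSCHAPV2_OP_RESPONSE:
        raise ValueError(f"MS-CHAPv2 OpCode {opcode} is not Response")
    if ms_len != len(pkt) - 5:
        raise ValueError(f"MS-Length {ms_len} != {len(pkt) - 5}")
    value_size = pkt[9]
    if value_size != MSCHAPV2_VALUE_SIZE:
        raise ValueError(f"Value-Size {value_size} != {MSCHAPV2_VALUE_SIZE}")
    value = pkt[10:10 + value_size]
    peer_challenge, reserved = value[:16], value[16:24]
    nt_response, flags = value[24:48], value[48]
    if reserved != bytes(8):
        raise ValueError("reserved field must be zero")
    name = pkt[10 + value_size:].decode("ascii")   # the rest is the user name
    return MsChapV2Response(eap_id, ms_id, peer_challenge, nt_response, flags, name)


def decode_logged_response() -> MsChapV2Response:
    """Rebuild and parse the packet from the tunnel dump (EAP id 6 per the log)."""
    return parse_eap_mschapv2_response(rebuild_eap_message(6, bytes.fromhex(TUNNEL_DATA_HEX)))


def logged_hex_is_consistent() -> bool:
    """False: the EAP-Message hex in the archived log fails the length check."""
    try:
        parse_eap_mschapv2_response(bytes.fromhex(LOGGED_EAP_MESSAGE_HEX))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    r = decode_logged_response()
    print(f"EAP id {r.eap_id}, MS-CHAPv2 id {r.mschap_id}, user {r.name!r}, flags {r.flags}")
    print("peer challenge:", r.peer_challenge.hex())
    print("NT-Response:   ", r.nt_response.hex())
    print("archived EAP-Message hex consistent:", logged_hex_is_consistent())
```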


Re: dictionary file - rfc compliant or not - Authen::Radius?

2005-04-12 Thread Alan DeKok
Bram [EMAIL PROTECTED] wrote:
 This brings me back to my question: is there an agreement between different
 radius-servers (or an rfc) on the syntax for dictionary files

  No.

  Many dictionary formats are *similar*, but not identical.

  Alan DeKok.



Re: Some freeradius question

2005-04-12 Thread Alan DeKok
Alex [EMAIL PROTECTED] wrote:
 I would like to know how I can enable digest authentication in
 freeradius. This is what I understand I need in order to authenticate SIP
 clients.

  Just tell the server a sample username & password, and digest
authentication should work.

  Alan DeKok.



RE: FreeRadius 1.0.2 startup issue (with Gentoo)

2005-04-12 Thread Bryce Porter
Maybe someone else would know, as this is a fresh install (less than a
week old) of Gentoo 2005.0 and Freeradius 1.0.2.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Tuesday, April 12, 2005 4:01 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: FreeRadius 1.0.2 startup issue (with Gentoo) 

Bryce Porter [EMAIL PROTECTED] wrote:
 Ok, added that to the file, permissions on the /etc/raddb/huntgroups
 file are still 666, and I still get the same error: Permission denied
 (rlm_preprocess: Error reading /etc/raddb/huntgroups).
 
 Any more ideas?

  <shrug> It works in the default install.  If it doesn't work on your
system, it's something that was changed locally.  I have no idea what
that is, or how to fix it.

  Alan DeKok.




Re: Post-Proxy-Type + rlm_rewrite + rlm_ippool does not work

2005-04-12 Thread Alan DeKok
Pasi Kärkkäinen [EMAIL PROTECTED] wrote:
 If I'm trying to do something that won't work, please tell me.. :)

  I have no idea why you're using attr_rewrite to search for nothing,
and add Pool-Name.

  Why not just add the Pool-Name attribute in the authorize section?

  Alan DeKok.




Trying to limit pptp connections

2005-04-12 Thread Bob Mancker
I am trying to limit each entry in chap-secrets to one simultaneous
connection per user/pass. In other words, no more than one person can
be using the same user/pass in any given time.

Some information...
[EMAIL PROTECTED] root]# pptpd --version
Poptop v1.2.1
[EMAIL PROTECTED] root]# radiusd -v
radiusd: FreeRADIUS Version 1.0.1, for host , built on Oct 28 2004 at 09:38:42

I am pretty sure it requires freeradius, I read somewhere. As far as
the config options in what files I'm still pretty confused... can
someone help? Please be as specific as possible, I've been working on
this project for weeks now and finally decided to mail the mailing
list.

Thanks guys,
Bob



Check_crl (Radius with LDAP/EAP-TLS)

2005-04-12 Thread Luis Daniel Lucio Quiroz
Hello Radius users,

I have just set up a radius server with an LDAP backend for user auth for our
WLAN.

It auths pretty well with certs for client/server.

I was wondering how to let Radius check that the cert has not expired.  So I do
the following:

copy server.public.pem to /etc/ssl
copy server.privatekey.pem to /etc/ssl
copy cacert.pem to /etc/ssl
copy ca.crl to /etc/ssl

In /etc/ssl there are more files for other services.

I run c_rehash /etc/ssl

and put this into the .conf file in the tls section:

private_key_file = /etc/ssl/serverprivatekey.pem
private_key_password =
# server cert was made with the -nodes option so it does not need a passphrase
certificate_file = /etc/ssl/server.public.pem
CA_file = /etc/ssl/cacert.pem
CA_path = /etc/ssl
check_crl = yes
check_cert_cn = %{User-Name}

It fails with an error message that the CRL could not be found. Is there
anything more I could do?




Re: Trying to limit pptp connections

2005-04-12 Thread Alan DeKok
Bob Mancker [EMAIL PROTECTED] wrote:
 I am pretty sure it requires freeradius, I read somewhere. As far as
 the config options in what files I'm still pretty confused... can
 someone help?

  doc/Simultaneous-Use

  Alan DeKok.
