Re: Error: Dropping conflicting packet due to unfinished request
On Tue, 17-05-2005 at 10:19 -0400, Dustin Doris wrote:
> Perhaps your ldap server might be running a little slow. Are you using openldap? If so, what version? Also, do you have the attributes you are searching with indexed? Finally, if you are using a BDB backend, what does your DB_CONFIG file show?

Yes, I have OpenLDAP, version 2.2.13, and I have all the attributes radius uses indexed. It may be a problem with my ldap server, but it ran without any problem for the last 3 months. Problems appeared a week ago.

Trying to solve the problem yesterday I increased the max_request_time, timeout and timelimit options. Since then, there hasn't been any problem (it's the first time in the last week that radius has run more than 12 hours without problems).

Another problem I have when the problem appears is that the databases are corrupted. When the problem crashes the radius daemon, I have not just to restart it, but also to delete the db.ippool and db.ipindex files. If I restart it without deleting these files, radius runs with problems and dies after a little while.

-- 
Angel L. Mateo Martínez
Telematics Section
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tel: 968367590 Fax: 968398337

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Auth-Type perl script
Hello,

I want to put the Auth-Type in my perl script in the mySQL radgroupcheck table. I tried with the following data configuration, but it is not working:

id  GroupName  Attribute          op  Value
4   sip        Exec-Program-Wait  =   /usr/au.pl

Here is my auth.pl script:

#!/usr/bin/perl
# print one attribute pair on stdout for rlm_exec to pick up
print "Auth-Type := Accept\n";

But if I am trying directly without any script it is working, like the following information:

id  GroupName  Attribute  op  Value
4   sip        Auth-Type  :=  Accept

Any idea please?

Thank You
Abdul Lateef
Re: Event-Timestamp attribute
Ok. RFC says exactly that "The Value field is four octets encoding an unsigned integer with the number of seconds since January 1, 1970 00:00 UTC." I did not think radiusd rewrites the unix timestamp into a date. Just because the previous radius I was using used to put the timestamp into accounting as an integer.

Moreover I did not notice this helpful trick in variables.txt:

%S request timestamp in SQL format

Does it mean that %S takes the timestamp from the Event-Timestamp field of the accounting packet?

-- 
SY, Alexander

Alan DeKok wrote:
> Alexander [EMAIL PROTECTED] wrote:
> > This RFC says the attribute to be unsigned integer. Why is it date in dictionary.rfc2869?
> 
> Because it's a date. See RFC 2866 for a definition of the time type. It's the same as date, and is stored as a 32-bit integer.
> 
> > If we name the file with rfc number, then why didn't we follow it? It's not difficult to change the attribute every time I upgrade, but ...
> 
> Why the heck are you changing the attribute? It's a date. It gets printed and parsed like a date. What goes into the RADIUS packet is a 32-bit integer, because that's how dates are represented in the protocol.
> 
> Do you really want to see and type in all dates in your system as 32-bit integers? That's how they're represented internally in Unix.
> 
> I'm at a complete loss for why you would want to change the type of the attribute. What do you hope to gain by it?
> 
> Alan DeKok.
Re: Certificate Revocation List (EAP/TLS)
Does no one have a solution to this problem?

thanks for help
Alain

> Hi,
> 
> I work with freeradius 1.0.2. If I configure in the TLS section of eap.conf (without these entries the authentication process works fine)
> 
> CA_path = /path
> check_crl = yes
> crl_dir = /path
> crl = file
> 
> not any certificate is accepted (I generate the certificates and the crl with tinyca). How can I configure eap.conf so that the authentication process works correctly? Does anyone have a working EAP/TLS authentication where the CRL works?
> 
> Thanks for help
> Alain
ACCT_USERS don't work
I have FreeBSD 4.10, FreeRADIUS 1.0.2 with PostgreSQL 7.4.7. The problem is the following: I wrote

DEFAULT Acct-Status-Type == Start, Huntgroup-Name == vpn
        Exec-Program = "/usr/local/4net/vpn_acct.pl start"

DEFAULT Acct-Status-Type == Stop, Huntgroup-Name == vpn
        Exec-Program = "/usr/local/4net/vpn_acct.pl stop"

(Huntgroups are OK - it was tested on the auth stage.) But when acct packets come in, this script doesn't start up. It looks like radius doesn't use this acct_users file during its work. There are no logs concerning this error in radius.log. Can anybody suggest where to search for the cause of this problem?
Re: token card strong authentication
Hi

I am currently doing some research into how I can make FreeRADIUS support other token card methods. Novell eDirectory already provides support for various Token Authentication Vendors. I intend to leverage that functionality to provide the same features to FreeRADIUS. Please get back to me if you have any suggestions or comments on this.

Regards
-Sayantan

[EMAIL PROTECTED] 05/12/05 5:36 pm
> Hi
> 
> I wish to use One Time Passwords with the freeradius server. I'm trying to find the best way to do this. Unfortunately there are not many of the token card manufacturers that support the freeradius server. At the moment it looks as if Cryptocard are the best bet.
> 
> I would be very interested to hear from anyone who has implemented any OTP solution with freeradius.
> 
> Thanks
Re: Event-Timestamp attribute
Alexander Serkin wrote:
> Ok. RFC says exactly that "The Value field is four octets encoding an unsigned integer with the number of seconds since January 1, 1970 00:00 UTC." I did not think radiusd rewrites the unix timestamp into a date. Just because the previous radius I was using used to put the timestamp into accounting as an integer.
> 
> Moreover I did not notice this helpful trick in variables.txt:
> 
> %S request timestamp in SQL format
> 
> Does it mean that %S takes the timestamp from the Event-Timestamp field of the accounting packet?

Hm. That's not a trick. And not good at all. %S takes the time at which the request comes to radius.

I've pushed a pack of accounting records to the radius with radrelay. When using %S I have a session like this one:

id: D4776040004F9475 start - 18-MAY-05 12.25.15, stop - 18-MAY-05 12.25.15

and the actual values are:

id: D4776040004F9475 start: 18/05/2005 12:03:46, stop: 18/05/2005 12:07:34

Does not seem like a valid relay. Now who can give me a hint on pushing an Event-Timestamp like "May 18 2005 12:08:18 MSD" into an oracle TIMESTAMP WITH TIME ZONE field?

-- 
Alexander
Multiple Ldap servers
How do I get freeradius to check both ldap servers for a user? I have ldap configured already for redundancy but I want it to look at the first ldap server and, if the user is not found, then check the second ldap server.

Matt Hunter
Network Analyst
Waukesha County Technical College
Re: Certificate Revocation List (EAP/TLS)
There are no crl_dir and crl configuration options recognized by the server. You must have added those. The correct way to do this is to add the PEM encoded CRL to the end of your PEM encoded CA certificate, referenced by the CA_file configuration option, then set check_crl = yes.

--Mike

[EMAIL PROTECTED] wrote:
> Does no one have a solution to this problem?
> 
> thanks for help
> Alain
> 
> > Hi,
> > 
> > I work with freeradius 1.0.2. If I configure in the TLS section of eap.conf (without these entries the authentication process works fine)
> > 
> > CA_path = /path
> > check_crl = yes
> > crl_dir = /path
> > crl = file
> > 
> > not any certificate is accepted (I generate the certificates and the crl with tinyca). How can I configure eap.conf so that the authentication process works correctly? Does anyone have a working EAP/TLS authentication where the CRL works?
> > 
> > Thanks for help
> > Alain
Per-user authorization and Wifi ? Not Possible ?
Hello, here is my question:

In theory, it is possible for a NAS to honor and send a lot of RADIUS and VSA attributes, to permit precise per-user authorization tuning (for example per-user ACL, with Filter-Id or VSA...). But in the case where the NAS is an Access-Point, is it possible to manage authorization like this too?

I'm working on a Cisco Aironet 1200, and in the doc they said that it's possible to use per-user authorization for administrative users of the access-point, but they say nothing about normal users (ie: Wifi users), and the listed supported Radius attributes do not include the ones needed to do that.

Are there AAA limitations about Wifi? Is it impossible to use the RADIUS authorization features in the wireless domain (maybe the problem is that an AP is more a layer-2 equipment)? Maybe some Access-Points can do that and some others can't?

Thanks in advance
-- 
Mafioo
RE: Per-user authorization and Wifi ? Not Possible ?
Hi,

This is entirely dependent upon the NAS. Some vendors' NASes provide great flexibility in per-user authorization while others provide very limited functionality beyond a simple permit/reject. IIRC, the Cisco Aironet 1200 relies (or at least used to rely) on the SSID selected by the user to identify the VLAN to which the user should be connected. Also, Cisco's VSAs use a totally bizarre format that provides them with extensibility beyond the 255 attributes per VendorID. They are usually of the form Cisco-VSA=Sub-Attribute=value. Other vendors use VSAs to specify the VLAN in the RADIUS response. There are no inherent limitations associated with WiFi, that I know of.

Regards,
Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu Benard
Sent: 18 May 2005 15:00
To: freeradius-users@lists.freeradius.org
Subject: Per-user authorization and Wifi ? Not Possible ?

> Hello, here is my question:
> 
> In theory, it is possible for a NAS to honor and send a lot of RADIUS and VSA attributes, to permit precise per-user authorization tuning (for example per-user ACL, with Filter-Id or VSA...). But in the case where the NAS is an Access-Point, is it possible to manage authorization like this too?
> 
> I'm working on a Cisco Aironet 1200, and in the doc they said that it's possible to use per-user authorization for administrative users of the access-point, but they say nothing about normal users (ie: Wifi users), and the listed supported Radius attributes do not include the ones needed to do that.
> 
> Are there AAA limitations about Wifi? Is it impossible to use the RADIUS authorization features in the wireless domain (maybe the problem is that an AP is more a layer-2 equipment)? Maybe some Access-Points can do that and some others can't?
> 
> Thanks in advance
> -- 
> Mafioo
Cisco VPN3005 group auth
I have a Cisco VPN concentrator and am trying to get group authentication working with the FreeRadius server. User authentication works fine but the radius server doesn't seem to care what group the user logs in with. Does anyone have a similar working setup?

If I configure the group on the concentrator to be external then the radius server is asked to authenticate the group but not the user. If I configure the group on the concentrator to be internal then the group is authenticated on the concentrator and the user is passed to the radius server but there is no matchup between the group and the user.

John Sorel
Network Engineer
Upromise, Inc.
RE: Cisco VPN3005 group auth
Just configure the group on the concentrator as external. Then on the freeradius create a user with the same name.

IMPORTANT: Use the attribute VPN IPSec-Authentication == 1 if you like to authenticate them through radius. Here are the other possible values:

0=None
1=Radius
2=Ldap
3=NT Domain
4=SDI
5=Internal (on the vpn concentrator)
7=Kerberos/Activedirectory

best rgds
-Karel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Sorel
Sent: Wednesday, 18 May 2005 16:19
To: freeradius-users@lists.freeradius.org
Subject: Cisco VPN3005 group auth

> I have a Cisco VPN concentrator and am trying to get group authentication working with the FreeRadius server. User authentication works fine but the radius server doesn't seem to care what group the user logs in with. Does anyone have a similar working setup?
> 
> If I configure the group on the concentrator to be external then the radius server is asked to authenticate the group but not the user. If I configure the group on the concentrator to be internal then the group is authenticated on the concentrator and the user is passed to the radius server but there is no matchup between the group and the user.
> 
> John Sorel
> Network Engineer
> Upromise, Inc.
Help in Working EAP-TTLS (TTS and MD5 working fine)
: usersfile = /usr/local/etc//raddb/users
files: acctusersfile = /usr/local/etc//raddb/acct_users
files: preproxy_usersfile = /usr/local/etc//raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1:1812, id=60, length=75
        User-Name = futsoft
        EAP-Message = 0x0201000c01667574736f6674
        Message-Authenticator = 0xdba241a0bf22259046efb275150c0713
        NAS-Identifier = fsNas1
        NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  radius_xlat: '/usr/local/var/log/radius/radacct/192.168.0.1/auth-detail-20050518'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/auth-detail-20050518
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_realm: No '@' in User-Name = futsoft, looking up realm NULL
  rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched futsoft at 62
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 60 to 192.168.0.1:1812
        Reply-Message = Futsoft request recieved
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x
        State = 0xc2b72c7219277248b0cdbf99bbe3b9fb
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:1812, id=61, length=179
        User-Name = futsoft
        EAP-Message = 0x02020062158000581603010053014f0301428c836c2bf40f432995fd2ba0fb61677ee422214d37697336bf93deb790d1e32800160013000a006600050004006500640063006200610060001500120009001400110008000600030100
        Message-Authenticator = 0x74c9649dcda6f1462af801217399a8da
        NAS-Identifier = fsNas1
        NAS-Port = 2
        State = 0xc2b72c7219277248b0cdbf99bbe3b9fb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  radius_xlat: '/usr/local/var/log/radius/radacct/192.168.0.1/auth-detail-20050518'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/auth-detail-20050518
  modcall[authorize]: module auth_log returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  rlm_realm: No '@' in User-Name = futsoft, looking up realm NULL
  rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 98
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
    users: Matched futsoft at 62
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept
Re: Certificate Revocation List (EAP/TLS)
Luis Daniel Lucio Quiroz wrote:
> May I do this with just a "cat cacert.pem crl.pem > ca.pem" command?

Yes. Then set CA_file = ca.pem

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Use SecureW2 to support Windows client for ldap bind authentication
> > I would like to know if anyone has a work around to support PEAP (MS-CHAP v2) client access authenticating against an LDAP server with a bind operation. Currently, retrieving the clear text password from LDAP is not an option.
> 
> No this is not possible. The only way you can authenticate via LDAP bind is using TTLS with PAP as the inner tunnel authentication. If you do need to use PEAP you will have to add NT/LM hashes in your LDAP directory. To do that extend the schema with Samba objects and download the smbldap-tools package. Of course this will involve users having to reset their passwords since you can't convert from MD5 to NT/LM.
> 
> Vladimir

Since modification to the LDAP is not an option and the clear password is off limits, my only alternative is to seek a Windows EAP client that supports TTLS-PAP. The Open Source SecureW2 does just that. It supports TTLS-PAP and it integrates nicely with the Microsoft 802.1x client.

http://www.securew2.com/uk/index.htm

Thanks
Cedric
Re: Event-Timestamp attribute
Alexander Serkin [EMAIL PROTECTED] wrote:
> I did not think radiusd rewrites the unix timestamp into a date. Just because the previous radius I was using used to put the timestamp into accounting as an integer.

Which I, for one, have a hard time understanding.

> Does it mean that %S takes the timestamp from the Event-Timestamp field of the accounting packet?

No. It takes the time that the packet was received. The Event-Timestamp attribute MAY be a lie.

> Hm. That's not a trick. And not good at all. %S takes the time at which the request comes to radius.

Exactly. You can't trust the NAS.

> I've pushed a pack of accounting records to the radius with radrelay. When using %S I have a session like this one:
> 
> id: D4776040004F9475 start - 18-MAY-05 12.25.15, stop - 18-MAY-05 12.25.15
> 
> and the actual values are:
> 
> id: D4776040004F9475 start: 18/05/2005 12:03:46, stop: 18/05/2005 12:07:34
> 
> Does not seem like a valid relay.

Since you're not going to explain why, I'm guessing it's not really a problem.

> Now who can give me a hint on pushing an Event-Timestamp like "May 18 2005 12:08:18 MSD" into an oracle TIMESTAMP WITH TIME ZONE field?

Edit oraclesql.conf to use the query you want. That's why the queries are configurable.

Alan DeKok.
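To make the distinction in this thread concrete (Event-Timestamp is a four-octet unsigned seconds-since-epoch value set by the NAS, while %S is the time the server received the packet, and the NAS value cannot be trusted), here is an added example, not part of the thread or of FreeRADIUS, that decodes attribute 55 from an Accounting-Request and reports how far it deviates from the receive time. The sample packet, the MSD zone offset and the five-minute tolerance are constructed assumptions; the session id and times are the ones quoted above.

```python
"""Decode Event-Timestamp (RFC 2869 attribute 55) from a RADIUS
Accounting-Request and compare it with the server-side receive time (%S).
Added example, not FreeRADIUS code; the packet below is constructed."""
import struct
from datetime import datetime, timedelta, timezone

ACCOUNTING_REQUEST = 4      # RADIUS packet code, RFC 2866
ACCT_STATUS_TYPE = 40       # RFC 2866
ACCT_SESSION_ID = 44        # RFC 2866
EVENT_TIMESTAMP = 55        # RFC 2869, type 'date'
MAX_SKEW = timedelta(minutes=5)   # assumed tolerance, not from the thread


def parse_attributes(payload):
    """Walk the type/length/value list that follows the 20-byte header."""
    attrs = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, attribute list)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d does not match %d bytes" % (length, len(packet)))
    return code, ident, parse_attributes(packet[20:])


def decode_date(value):
    """RFC 2866 'date' type: four octets, unsigned seconds since 1970-01-01 00:00 UTC."""
    if len(value) != 4:
        raise ValueError("date attribute must be 4 octets, got %d" % len(value))
    (secs,) = struct.unpack("!I", value)
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def encode_date(dt):
    """Inverse of decode_date: an aware datetime to 4 network-order octets."""
    return struct.pack("!I", int(dt.timestamp()))


def check_event_timestamp(packet, received_at):
    """Return (event_time, skew_seconds, plausible).

    event_time is None when the NAS sent no Event-Timestamp. skew_seconds is
    received_at minus Event-Timestamp: positive means the event is older than
    the packet reporting it (normal for a delayed or relayed batch). plausible
    is True only when the two are within MAX_SKEW of each other."""
    if received_at.tzinfo is None:
        raise ValueError("received_at must be timezone-aware")
    code, _, attrs = parse_packet(packet)
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request (code %d)" % code)
    stamps = [v for t, v in attrs if t == EVENT_TIMESTAMP]
    if not stamps:
        return None, None, False
    event_time = decode_date(stamps[0])
    skew = received_at.astimezone(timezone.utc) - event_time
    return event_time, int(skew.total_seconds()), abs(skew) <= MAX_SKEW


def build_accounting_request(ident, attrs):
    """Assemble a constructed Accounting-Request. The 16-byte Request
    Authenticator is zeroed because this example does not verify it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + bytes(16) + body


MSD = timezone(timedelta(hours=4))   # Moscow summer time, the zone named in the thread

# Constructed sample: the session started at 12:03:46 MSD, but the relayed
# packet only reached the server at 12:25:15 MSD, which is what %S records.
SAMPLE_START = datetime(2005, 5, 18, 12, 3, 46, tzinfo=MSD)
SAMPLE_RECEIVED = datetime(2005, 5, 18, 12, 25, 15, tzinfo=MSD)
SAMPLE_PACKET = build_accounting_request(7, [
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),        # 1 = Start
    (ACCT_SESSION_ID, b"D4776040004F9475"),
    (EVENT_TIMESTAMP, encode_date(SAMPLE_START)),
])

if __name__ == "__main__":
    when, skew, ok = check_event_timestamp(SAMPLE_PACKET, SAMPLE_RECEIVED)
    print("Event-Timestamp:", when.astimezone(MSD))
    print("skew from receive time: %d s, within tolerance: %s" % (skew, ok))
```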
Re: ACCT_USERS don't work
Oleg M. Golovanov [EMAIL PROTECTED] wrote:
> DEFAULT Acct-Status-Type == Start, Huntgroup-Name == vpn
>         Exec-Program = "/usr/local/4net/vpn_acct.pl start"

Huntgroups aren't used for accounting packets. I believe this is fixed in the CVS head.

Alan DeKok.
Re: Multiple Ldap servers
Matthew Hunter [EMAIL PROTECTED] wrote:
> How do I get freeradius to check both ldap servers for a user? I have ldap configured already for redundancy but I want it to look at the first ldap server and, if the user is not found, then check the second ldap server.

doc/configurable_failover

Alan DeKok.
Re: Help in Working EAP-TTLS (TTS and MD5 working fine)
arun [EMAIL PROTECTED] wrote:
> I have successfully used Freeradius 1.0.1 to authenticate my clients using EAP-MD5 and EAP-TLS. But I am not able to get EAP-TTLS working.

The supplicant you're using is doing something bad:

> rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request

That indicates a broken supplicant.

Alan DeKok.
RE: Cisco VPN3005 group auth
I was able to get both the group and user authenticated on the Radius server now but there is no matching of the user to the group. This user can login using any group, not just the one I want them to use. How does the radius server match / check the user to the group?
Re: Cisco VPN3005 group auth
John Sorel wrote:
> I was able to get both the group and user authenticated on the Radius server now but there is no matching of the user to the group. This user can login using any group, not just the one I want them to use. How does the radius server match / check the user to the group?

Sorry for jumping in late on this, but the last information I have is that there is an open bug with Cisco for their VPN concentrators not obeying groups when RADIUS authentication is used. I don't have a TAC case # for this - we got this information at a recent technical summit.

HTH,
Craig
-- 
Craig Huckabee | e-mail: [EMAIL PROTECTED]
Code 715-CH | phone: (843) 218 5653
SPAWAR Systems Center | close proximity: Hey You!
Charleston, SC | ICBM: 32.78N, 79.93W
RE: Cisco VPN3005 group auth
On Wed, 18 May 2005, John Sorel wrote:
> I was able to get both the group and user authenticated on the Radius server now but there is no matching of the user to the group. This user can login using any group, not just the one I want them to use. How does the radius server match / check the user to the group?

I believe you can lock them into a group with the Class attribute in your reply items. Such as:

Class = "OU=somegroup.com;"

I remember it being important that either the OU is in uppercase or the ; is between the "s, so try it with both.
RE: Cisco VPN3005 group auth
On Wed, 18 May 2005, Dustin Doris wrote:
> On Wed, 18 May 2005, John Sorel wrote:
> > I was able to get both the group and user authenticated on the Radius server now but there is no matching of the user to the group. This user can login using any group, not just the one I want them to use. How does the radius server match / check the user to the group?
> 
> I believe you can lock them into a group with the Class attribute in your reply items. Such as:
> 
> Class = "OU=somegroup.com;"
> 
> I remember it being important that either the OU is in uppercase or the ; is between the "s, so try it with both.

Found my old link about it.

http://www.cisco.com/warp/public/471/altigagroup.html
SOLVED: OpenLDAP / FreeRADIUS / Cisco 5350 problem
On Wed, 2005-05-11 at 17:28 -0500, Douglas G. Phillips wrote:
> The problem is this: If I pass the radtest client a clear-text password, authentication is successful. If either I pass the client an encrypted password (copied from the logs) or point the 5350 at the radius server, it doesn't work. I verified that the shared secret is correctly matched with what is in the router.

The problem was indeed that the shared secret was incorrect. The secret was stored in the configuration on the router as a HEX value. I had copied that directly into my configuration. When I realized that it was a HEX value, I got the clear-text version in the RADIUS config, and everything worked.

Thanks everyone.
-- 
Douglas G. Phillips
Distributed Computing
Information Technology Services
Eastern Illinois University
(217) 581-7631
RE: reading reply-message with cisco
Hi all,

> > This is not related to freeradius directly, but to Cisco. I thought somebody could have had the same problem. I'm willing to send a Reply-Message to Cisco (which I'm already sending using radius) and, according to what string I'm sending along with Reply-Message, I'm willing to reproduce some IVR or other. Has anybody done this before? I think it is using TCL ... could anybody read this attribute using TCL?
> 
> Yes, search for the tcl/ivr scripts on the cisco web site, I have implemented a full ivr system using cisco (h323) vsas and tcl scripts.

thanx for answering. Have an idea on how to catch the h323-return-code attribute in the tcl??

Thanx!
Regards,
Lucas
WinXP 802.1X/Radius/eDir (LDAP)
Totally new to radius. I've installed freeradius 1.02 --with-edir on Suse 9. Attempting to use 802.1X auth from a wireless user behind an HP 420 AP using WinXP to an eDir tree via LDAP. When I use radtest the bind is successful. However, when using the 802.1X supplicant I get the output below. Two things I've noticed are that the password appears to not be received (via PEAP) and that the bind password is being sent as aassword instead of password no matter what I enter on the supplicant.

ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = nspmPassword
ldap: access_attr = uid
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: edir_account_policy_check = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute test-ldap-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for test-ldap-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name test-ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP nspmPassword mapped to RADIUS User-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x8151848
Module: Instantiated ldap (test-ldap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail
Re: WinXP 802.1X/Radius/eDir (LDAP)
Matt McFarlane [EMAIL PROTECTED] wrote:
> Two things I've noticed are that the password appears to not be received (via PEAP)

That's how PEAP works.

> and that the bind password is being sent as aassword instead of password no matter what I enter on the supplicant.

The aassword is what you entered into radiusd.conf, as the ldap password item.

Alan DeKok.
configurable_failover and proxies
Hi folks,

I'm writing on a publication deadline and hoping to show how FreeRADIUS can solve an intriguing problem. Unfortunately so far I can't seem to get it to do the job.

My goal, ultimately, is to try to authorize users in both a local Samba PDC (with an LDAP back end) and in another NT domain, WITHOUT forcing the use of a domain name in the user name. For various reasons we (or our readers) need to have two separate domains on the back end, but are trying to move away from forcing users to be aware of them. When people dial into the VPN we want them to be able to authorize with just their username and their password, no domain name. (Yes, of course, we're aware of the possibility of name conflicts.)

Now users are coming in with mschap2, so we pretty much need to use winbind and/or radius proxies for authenticating users in either domain. And we can do it -- for one or the other but not both. We have no trouble authenticating users on the Samba PDC with ldap-plus-winbind and we have no trouble authenticating users on the Windows domain with an IAS radius proxy. But we can't do both. A "user does not exist" response from either ends the whole ballgame.

I thought configurable_failover was the ticket to solve this problem. But today I read this message from Alan DeKok:

http://lists.cistron.nl/pipermail/freeradius-users/2004-April/030193.html

Which says you can't proxy twice. And it sounds like you can't even try proxy when local gives a particular response or vice versa.

I have three questions:

1. Is this still the state of affairs? configurable_failover makes it possible to try a different LOCAL method (for instance, ldap after winbind) when the first method responds that the user does not exist (not the same thing as failing), but you can't do that with proxies?

2. Is this true even if the two methods I want to try are a proxy and a local method? Is it still true if I don't mind trying the local method first? I had hoped that might do the job, but no luck so far.

3. If I'm stuck on both counts, can the ldap authentication module be convinced to do mschap2 authentication somehow without winbind?

NOTE: I have radiusd 1.01 as currently obtainable from the Fedora Core 3 repositories.

Thanks!

--
Thomas Boutell
Boutell.Com, Inc.
http://www.boutell.com/
RE: reading reply-message with cisco
Lucas Aimaretto wrote:
>>> Hi all,
>>> This is not related to freeradius directly, but to Cisco. I thought somebody could have had the same problem. I'm willing to send a reply-message to Cisco (which I'm already sending using radius) and, according to what string I'm sending along with reply-message, I'm willing to reproduce some IVR or other. Has anybody done this before? I think it is using TCL ... could anybody read this attribute using TCL?
>>
>> Yes, search for the tcl/ivr scripts on the Cisco web site. I have implemented a full ivr system using Cisco (h323) vsas and tcl scripts.
>
> thanx for answering. Have any idea on how to catch the h323-return-code attribute in the tcl??
> Thanx!
> Regards,
> Lucas

Yes, this is a small example:

...blablabla [snipped code] ...blablabla

    if { [infotag get aaa_avpair_exists h323-return-code] } {
        set returnCode [infotag get aaa_avpair h323-return-code]
    } else {
        # No return code from radius
        media play leg_incoming _no_aaa.au
        fsm setstate CALLDISCONNECT
        return
    }

...blablabla [snipped code] ...blablabla

The function "infotag get aaa_avpair x" returns the value of the x attribute from the RADIUS reply attributes; you can use it for any attribute of the RADIUS reply string. They're defined by the tcl/ivr standard API from Cisco, I mean, it's included in the IOS of the NAS. This example is taken directly from Cisco's examples.

Again Lucas, go to www.cisco.com, search for the tcl/ivr scripts. They're free and well documented; please read them and try to understand them. I don't think this is going to be an easy task: you have to learn many details of Cisco's radius implementation and have a moderate knowledge of the tcl script language.

Good Luck.
Re: configurable_failover and proxies
Thomas Boutell [EMAIL PROTECTED] wrote:
> My goal, ultimately, is to try to authorize users in both a local Samba PDC (with an LDAP back end) and in another NT domain, WITHOUT forcing the use of a domain name in the user name. For various reasons we (or our readers) need to have two separate domains on the back end, but are trying to move away from forcing users to be aware of them. When people dial into the VPN we want them to be able to authorize with just their username and their password, no domain name. (Yes, of course, we're aware of the possibility of name conflicts.)

i.e. check in one domain, and if that fails, use another.

> Now users are coming in with mschap2, so we pretty much need to use winbind and/or radius proxies for authenticating users in either domain. And we can do it -- for one or the other but not both. We have no trouble authenticating users on the Samba PDC with ldap-plus-winbind and we have no trouble authenticating users on the Windows domain with an IAS radius proxy. But we can't do both. A "user does not exist" response from either ends the whole ballgame.

Pretty much.

> But today I read this message from Alan DeKok:
> http://lists.cistron.nl/pipermail/freeradius-users/2004-April/030193.html
> Which says you can't proxy twice. And it sounds like you can't even try proxy when local gives a particular response or vice versa.

You can, but it's not generally recommended.

> I have three questions:
> 1. Is this still the state of affairs? configurable_failover makes it possible to try a different LOCAL method (for instance, ldap after winbind) when the first method responds that the user does not exist (not the same thing as failing), but you can't do that with proxies?

Pretty much. There are ways of getting around it, but some involve minor source code hacks.

You can always have a shell script do the authentication for you. It can run ntlm_auth, and if that returns "notfound", it can then run radclient to send the request to another RADIUS server.

It's ugly, but it will work.

> 2. Is this true even if the two methods I want to try are a proxy and a local method? Is it still true if I don't mind trying the local method first? I had hoped that might do the job, but no luck so far.

The server treats proxying as special. That may not have been the best choice. In the future, we may want to have an rlm_proxy module for authentication, in which case configurable failover will just work for proxying.

> 3. If I'm stuck on both counts, can the ldap authentication module be convinced to do mschap2 authentication somehow without winbind?

No.

Alan DeKok.
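The shell-script workaround Alan describes, as an added example (not from the list or from the FreeRADIUS project): an rlm_exec authentication script that asks Samba's ntlm_auth first and forwards the request with radclient only when the local domain reports that the account does not exist, so a wrong password for a known local user is never retried against the other domain. It assumes PAP (User-Password reaches the script through rlm_exec's environment), ntlm_auth and radclient in PATH, a radclient build that accepts -S, and the hypothetical domain, server and secret-file values below.

```shell
#!/bin/sh
# Added example, not from the list or FreeRADIUS: rlm_exec authentication script
# implementing "ntlm_auth first, radclient only if the user is unknown locally".
# Hypothetical values; rlm_exec exports request attributes as USER_NAME/USER_PASSWORD.
PDC_DOMAIN="${PDC_DOMAIN:-EXAMPLE}"
SECOND_RADIUS="${SECOND_RADIUS:-ias.example.invalid:1812}"
SECRET_FILE="${SECRET_FILE:-/etc/raddb/ias.secret}"   # shared secret, mode 0600

# 0 = accepted by the local domain, 7 = no such user (rlm_exec's "notfound"),
# 1 = known user but wrong password. Assumes ntlm_auth reports unknown accounts
# as NT_STATUS_NO_SUCH_USER (0xc0000064).
local_auth() {
    if out=$(ntlm_auth --request-nt-key --domain="$PDC_DOMAIN" \
                       --username="$1" --password="$2" 2>&1); then
        return 0
    fi
    case "$out" in *NO_SUCH_USER*|*0[xX][cC]0000064*) return 7 ;; esac
    return 1
}

# Escape backslash and double quote so the value cannot break radclient's
# attribute syntax (a crafted password must not inject extra attributes).
esc() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Forward the same credentials to the other domain's RADIUS server.
# radclient exits 0 only on Access-Accept; -S keeps the secret out of `ps`.
proxy_auth() {
    printf 'User-Name = "%s"\nUser-Password = "%s"\n' "$(esc "$1")" "$(esc "$2")" \
        | radclient -S "$SECRET_FILE" "$SECOND_RADIUS" auth >/dev/null 2>&1
}

# Exit 0 = Access-Accept, 1 = Access-Reject, as rlm_exec interprets them.
authenticate() {
    # Only plain account names are forwarded; anything else is rejected outright.
    case "$1" in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    local_auth "$1" "$2"
    case $? in
        0) return 0 ;;
        7) proxy_auth "$1" "$2" ;;   # unknown here: ask the other domain
        *) return 1 ;;               # known here, bad password: do not retry elsewhere
    esac
}

if [ -n "${USER_NAME:-}" ]; then     # only when invoked by rlm_exec
    authenticate "$USER_NAME" "${USER_PASSWORD:-}"
    exit $?
fi
```

Wire it in with an rlm_exec instance whose `program` points at the script, with `wait = yes` and `input_pairs = request`, and list that instance as the Auth-Type.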
Re: WinXP 802.1X/Radius/eDir (LDAP)
Hi,

FreeRADIUS is trying to do LDAP authentication and not PEAP authentication. This is probably because you have not configured the peap module. Please read eap.conf on how to configure the peap module. Rest of the comments inline.

On Wed, 2005-05-18 at 16:49 -0500, Matt McFarlane wrote:
> Totally new to radius. I've installed freeradius 1.02 --with-edir on Suse 9. Attempting to use 802.1X auth from wireless user behind HP 420 AP using WinXP to an eDir tree via LDAP. When I use radtest the bind is successful. However when using the 802.1X supplicant I get the output below. Two things I've noticed are that the password appears to not be received (via PEAP) and that the bind password is being sent as aassword instead of password no matter what I enter on the supplicant.
>
> ldap: base_filter = (objectclass=radiusprofile)
> ldap: default_profile = (null)
> ldap: profile_attribute = (null)
> ldap: password_header = (null)
> ldap: password_attribute = nspmPassword
> ldap: access_attr = uid
> ldap: groupname_attribute = cn
> ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
> ldap: groupmembership_attribute = (null)
> ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
> ldap: ldap_debug = 0
> ldap: ldap_connections_number = 5
> ldap: compare_check_items = no
> ldap: access_attr_used_for_allow = yes
> ldap: do_xlat = yes
> ldap: edir_account_policy_check = yes
> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> rlm_ldap: Creating new attribute test-ldap-Ldap-Group
> rlm_ldap: Registering ldap_groupcmp for test-ldap-Ldap-Group
> rlm_ldap: Registering ldap_xlat with xlat_name test-ldap
> rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> rlm_ldap: LDAP