Activation of LDAP module
Hi guys:

I'm trying to activate the LDAP authentication part in the config files. But when I uncomment the following lines:

    Auth-Type LDAP {
        ldap
    }

I get the following error when the service starts up:

    Module: Checking authenticate {...} for more modules to load
    /opt/csw/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': ld.so.1: radiusd: fatal: relocation error: file /opt/csw/lib/rlm_ldap-2.1.6.so: symbol ber_pvt_opt_on: referenced symbol not found
    /opt/csw/etc/raddb/sites-enabled/default[284]: Failed to find module ldap.
    /opt/csw/etc/raddb/sites-enabled/default[284]: Failed to parse ldap entry.

I don't know what the demanded symbol 'ber_pvt_opt_on' means.

Thanks a lot in advance for your reply.

Best regards,
Fernando.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adding Attributes in Access-Accept
Hi All,

I have a setup where the user is proxied to a home server for authentication; things are working fine. In the Access-Accept response I see the following:

    rad_recv: Access-Accept packet from host 192.168.7.40 port 1812, id=195, length=68
        Proxy-State = 0x3530
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Class = 0x47cc04de01370001c0a8072801cb483d266256d80006

I do not have any access to the home server, but I still want the Access-Accept to carry User-Name in it. Can we do it by tweaking the proxy server? Please guide me to some pointers/links if it can be done.

--
Chidanand Gangur
Pune.
Re: Activation of LDAP module
Looks like you need to recompile OpenLDAP, as the symbol is missing from the shared library. Then recompile FreeRADIUS against that newer version of OpenLDAP.

On Tue, Aug 31, 2010 at 6:52 PM, Fernando Calvelo Vazquez fernando.calv...@esrf.fr wrote:
> Hi guys:
>
> I'm trying to activate the LDAP authentication part in the config files. But when I uncomment the following lines:
>
>     Auth-Type LDAP {
>         ldap
>     }
>
> I get the following error when the service starts up:
>
>     Module: Checking authenticate {...} for more modules to load
>     /opt/csw/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': ld.so.1: radiusd: fatal: relocation error: file /opt/csw/lib/rlm_ldap-2.1.6.so: symbol ber_pvt_opt_on: referenced symbol not found
>     /opt/csw/etc/raddb/sites-enabled/default[284]: Failed to find module ldap.
>     /opt/csw/etc/raddb/sites-enabled/default[284]: Failed to parse ldap entry.
>
> I don't know what the demanded symbol 'ber_pvt_opt_on' means.
>
> Thanks a lot in advance for your reply.
>
> Best regards,
> Fernando.
Re: Simultaneous-Use
It worked after changing the NAS type to "other" instead of "cisco".

On Mon, Aug 30, 2010 at 11:19 PM, ziko emobux...@yahoo.com wrote:
> Go to the /etc/raddb/sql/mysql/dialup.conf file, find "Simultaneous Use Checking Queries" and uncomment the needed lines there. Then add the Simultaneous-Use attribute to the user. It worked for me.
>
> From: Student University studen...@gmail.com
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Sent: Mon, August 30, 2010 11:31:03 PM
> Subject: Simultaneous-Use
>
> Dears,
> has anyone successfully configured Simultaneous-Use := 1? If so, please share this experience.
>
> Best Regards
Re: rlm_perl error
JUND, Aurélien aurelien.j...@sfr.com writes:

> example.pl:
>
>     sub authorize {
>         if ($RAD_REQUEST{'Service-Type'} = "Framed-User") {

This isn't a perl boolean expression...

>             $RAD_CHECK{'Cleartext-Password'} = 1;
>             $RAD_REPLY{'Callback-Number'} = "Number";
>             return RLM_MODULE_OK
>         }

But it will always be true, so these should be evaluated anyway. However, I don't see you defining RLM_MODULE_OK anywhere, which means that we either don't see the complete script or that the script will fail. Please see the example.pl script in FreeRADIUS.

Adding items to these lists *does* work. Example: this script:

    use constant RLM_MODULE_REJECT   => 0;  # /* immediately reject the request */
    use constant RLM_MODULE_FAIL     => 1;  # /* module failed, don't reply */
    use constant RLM_MODULE_OK       => 2;  # /* the module is OK, continue */
    use constant RLM_MODULE_HANDLED  => 3;  # /* the module handled the request, so stop. */
    use constant RLM_MODULE_INVALID  => 4;  # /* the module considers the request invalid. */
    use constant RLM_MODULE_USERLOCK => 5;  # /* reject the request (user is locked out) */
    use constant RLM_MODULE_NOTFOUND => 6;  # /* user not found */
    use constant RLM_MODULE_NOOP     => 7;  # /* module succeeded without doing anything */
    use constant RLM_MODULE_UPDATED  => 8;  # /* OK (pairs modified) */
    use constant RLM_MODULE_NUMCODES => 9;  # /* How many return codes there are */

    sub authorize {
        print "Here\n";
        $RAD_CHECK{'Cleartext-Password'} = "foo";
        return RLM_MODULE_UPDATED;
    }

results in:

    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 55297, id=90, length=44
        User-Name = "test"
        User-Password = "foo"
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = "test", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    GOT CLONE 1554668288 0x267ae10
    Here
    rlm_perl: Added pair User-Name = test
    rlm_perl: Added pair User-Password = foo
    rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
    rlm_perl: Added pair Cleartext-Password = foo
    ++[perl] returns updated
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password "foo"
    [pap] Using clear text password "foo"
    [pap] User authenticated successfully
    ++[pap] returns ok
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 90 to 127.0.0.1 port 55297
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 90 with timestamp +4
    Ready to process requests.

Do also note that you can add print's while debugging the script. This is very useful when trying to figure out what happens while the server runs the script.

Bjørn
EAP-TTLS with mschapv2 inner authentication issue
Hello all,

I'm trying to use Freeradius 21.1.9 EAP-TTLS with MSCHAPv2 as inner authentication against an OpenLDAP server with the crypt password encryption scheme. The following is the relevant part of my eap.conf:

    eap {
        default_eap_type = ttls
        ttls {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
        }
    }

    rad_recv: Access-Request packet from host 156.148.67.1 port 2051, id=3, length=161
        User-Name = "mat...@crs4.it"
        NAS-IP-Address = 156.148.67.1
        NAS-Port = 0
        Called-Station-Id = "00-1E-E5-28-99-F8"
        Calling-Station-Id = "00-13-CE-3C-7E-17"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x02010013016d617474656f40637273342e6974
        Message-Authenticator = 0x310153774fd7a4c1fdc46eaf761b9d12
    Tue Aug 31 11:12:04 2010 : Info: +- entering group authorize {...}
    Tue Aug 31 11:12:04 2010 : Info: ++[preprocess] returns ok
    Tue Aug 31 11:12:04 2010 : Info: ++[chap] returns noop
    Tue Aug 31 11:12:04 2010 : Info: ++[mschap] returns noop
    Tue Aug 31 11:12:04 2010 : Info: [suffix] Looking up realm "crs4.it" for User-Name = "mat...@crs4.it"
    Tue Aug 31 11:12:04 2010 : Info: [suffix] Found realm "crs4.it"
    Tue Aug 31 11:12:04 2010 : Info: [suffix] Adding Stripped-User-Name = "matteo"
    Tue Aug 31 11:12:04 2010 : Info: [suffix] Adding Realm = "crs4.it"
    Tue Aug 31 11:12:04 2010 : Info: [suffix] Authentication realm is LOCAL.
    Tue Aug 31 11:12:04 2010 : Info: ++[suffix] returns ok
    Tue Aug 31 11:12:04 2010 : Info: [eap] EAP packet type response id 1 length 19
    Tue Aug 31 11:12:04 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
    Tue Aug 31 11:12:04 2010 : Info: ++[eap] returns updated
    Tue Aug 31 11:12:04 2010 : Info: ++[unix] returns notfound
    Tue Aug 31 11:12:04 2010 : Info: ++[files] returns noop
    Tue Aug 31 11:12:04 2010 : Info: [ldap] performing user authorization for matteo
    Tue Aug 31 11:12:04 2010 : Info: [ldap] expand: %{Stripped-User-Name} -> matteo
    Tue Aug 31 11:12:04 2010 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=matteo)
    Tue Aug 31 11:12:04 2010 : Info: [ldap] expand: ou=people,dc=crs4 -> ou=people,dc=crs4
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] ldap_get_conn: Checking Id: 0
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] ldap_get_conn: Got Id: 0
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] attempting LDAP reconnection
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] (re)connect to opmanager.crs4.it:389, authentication 0
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] setting TLS CACert File to /etc/raddb/certs/ca.crt
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] setting TLS CACert Directory to /etc/raddb/certs
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] setting TLS Cert File to /etc/raddb/certs/cheope.crs4.it.crt
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] setting TLS Key File to /etc/raddb/certs/cheope.crs4.it.key
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] setting TLS Key File to /etc/raddb/certs/random
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] bind as / to opmanager.crs4.it:389
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] waiting for bind result ...
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] Bind was successful
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] performing search in ou=people,dc=crs4, with filter (uid=matteo)
    Tue Aug 31 11:12:04 2010 : Info: [ldap] checking if remote access for matteo is allowed by uid
    Tue Aug 31 11:12:04 2010 : Info: [ldap] looking for check items in directory...
    Tue Aug 31 11:12:04 2010 : Info: [ldap] looking for reply items in directory...
    Tue Aug 31 11:12:04 2010 : Debug: WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
    Tue Aug 31 11:12:04 2010 : Info: [ldap] user matteo authorized to use remote access
    Tue Aug 31 11:12:04 2010 : Debug: [ldap] ldap_release_conn: Release Id: 0
    Tue Aug 31 11:12:04 2010 : Info: ++[ldap] returns ok
    Tue Aug 31 11:12:04 2010 : Info: ++[expiration] returns noop
    Tue Aug 31 11:12:04 2010 : Info: ++[logintime] returns noop
    Tue Aug 31 11:12:04 2010 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
    Tue Aug 31 11:12:04 2010 : Info: ++[pap] returns noop
    Tue Aug 31 11:12:04 2010 : Info: Found Auth-Type = EAP
    Tue Aug 31 11:12:04 2010 : Info: +- entering group authenticate {...}
    Tue Aug 31 11:12:04 2010 : Info: [eap] EAP Identity
    Tue Aug 31 11:12:04 2010 : Info: [eap] processing type tls
    Tue Aug 31 11:12:04 2010 : Info: [tls] Initiate
    Tue Aug 31 11:12:04 2010 : Info: [tls] Start returned 1
    Tue Aug 31 11:12:04 2010 : Info: ++[eap] returns handled
    Sending Access-Challenge of id 3 to 156.148.67.1 port 2051
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x
Re: EAP-TTLS with mschapv2 inner authentication issue
On 08/31/2010 10:23 AM, mat...@crs4.it wrote:
> Hello all,
> I'm trying to use Freeradius 21.1.9 EAP-TTLS with MSCHAPv2 as inner authentication against an OpenLDAP server with crypt password encryption scheme.

That is not possible, I'm afraid. MS-CHAP requires access to the NT/LM hashes (or plaintext password), or access to a machine which does (domain controller) via the ntlm_auth helper binary.

As you can see:

>     Tue Aug 31 11:12:04 2010 : Debug: WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?

Then:

>     Tue Aug 31 11:12:04 2010 : Info: +- entering group MS-CHAP {...}
>     Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>     Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>     Tue Aug 31 11:12:04 2010 : Info: [mschap] Told to do MS-CHAPv2 for mat...@crs4.it with NT-Password
>     Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
>     Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect

To emphasise: this is IMPOSSIBLE; you will either need to store a different password hash, or use a different inner EAP method - probably PAP.
Re: No authenticate method (Auth-Type) found
Hi Alan,

I've found the reason why the rlm_ldap module was not loaded. Now it's a little better, but the LDAP still can't authenticate my account. Below is the new output when running radtest:

    /usr/bin/radtest -d /etc/freeradius ldap 127.0.0.1:1812 10 testing123

    rad_recv: Access-Request packet from host 127.0.0.1 port 36154, id=158, length=56
        User-Name = "ldap"
        User-Password =
        NAS-IP-Address = 192.168.55.150
        NAS-Port = 10
    +- entering group authorize
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "ldap", looking up realm NULL
    rlm_realm: No such realm "NULL"
    ++[IPASS] returns noop
    rlm_realm: No '@' in User-Name = "ldap", looking up realm NULL
    rlm_realm: No such realm "NULL"
    ++[suffix] returns noop
    ++[files] returns noop
    ++[unix] returns notfound
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for ldap
    expand: (sAMAccountName=%u) -> (sAMAccountName=ldap)
    expand: dc=privee,dc=enssib,dc=fr -> dc=privee,dc=enssib,dc=fr
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to servcdom.privee.enssib.fr:389, authentication 0
    rlm_ldap: bind as cn=ldap,cn=users,dc=privee,dc=enssib,dc=fr/ to servcdom.privee.enssib.fr:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=privee,dc=enssib,dc=fr, with filter (sAMAccountName=ldap)
    rlm_ldap: ldap_search() failed: Operations error
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[ldap] returns fail
    Invalid user: [ldap/toti] (from client localhost port 10)
    Found Post-Auth-Type Reject
    +- entering group REJECT
    expand: %{User-Name} -> ldap
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 158 to 127.0.0.1 port 36154
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 158 with timestamp +206
    Ready to process requests.

I've noticed that the account 'ldap' binds successfully to the LDAP, but the connecting step fails.

Thanks for any answer.

Isabelle RECH LE RECIS
Enssib
Département informatique
17-21 Bd du 11 Novembre 1918
69623 Villeurbanne Cedex
Tel : 04 72 44 43 34
http://www.enssib.fr/

On 24/08/2010 16:09, Alan DeKok wrote:
> Isabelle RECH wrote:
>> Hi free-radius users!
>> I'm running a freeradius 2.0.4 on a DEBIAN 5.0.5. We want to access an LDAP / Windows base, which is declared in the radiusd.conf file. Below is the output produced by the radiusd -X debugging mode when I run the radtest:
>> ...
>> Obviously, it's the authenticate method which is missing. I've added this entry in /etc/freeradius/sites-available/default:
>> - The entries ldap pap are uncommented in the Authorize { } section
>
> Read the debug output again. You did *not* uncomment the ldap line in the authorize section.
>
> Alan DeKok.
Re: EAP-TTLS with mschapv2 inner authentication issue
On Tue, Aug 31, 2010 at 4:23 PM, mat...@crs4.it wrote:
> Hello all,
> I'm trying to use Freeradius 21.1.9 EAP-TTLS with MSCHAPv2 as inner authentication against an OpenLDAP server with crypt password encryption scheme.

Short answer: you can't. MSCHAPv2 needs the clear text password. You can't use MSCHAPv2 with a crypt-ed password.

... which the logs say quite clearly, btw:

>     Tue Aug 31 11:12:04 2010 : Info: [ldap] looking for reply items in directory...
>     Tue Aug 31 11:12:04 2010 : Debug: WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
>     Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>     Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>     Tue Aug 31 11:12:04 2010 : Info: [mschap] Told to do MS-CHAPv2 for mat...@crs4.it with NT-Password
>     Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.

--
Fajar
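An added example to go with the two replies above (it is not code from the thread or from FreeRADIUS): it shows concretely what the "known good password" rlm_mschap needs looks like, namely the NT-Password (MD4 over the UTF-16LE password) or a clear-text password it can derive that from, and why a one-way {CRYPT} hash fetched from LDAP can never satisfy an inner MS-CHAPv2. MD4 is written out in pure Python because hashlib's md4 is disabled in many current OpenSSL builds; the scheme-prefix table and the mschap_known_good decision are a simplified, assumed model of what rlm_ldap/rlm_pap and rlm_mschap do, and the {CRYPT} value used is constructed.

```python
# Added example, not code from the thread or from FreeRADIUS: why rlm_mschap
# needs an NT-Password (or a Cleartext-Password to derive one from) and why a
# {CRYPT} userPassword from OpenLDAP cannot serve an inner MS-CHAPv2.
import struct
from typing import Dict, Optional, Tuple

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (hashlib's md4 is often unavailable)."""
    ff = lambda x, y, z: (x & y) | (~x & z)
    gg = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)              # bit length, little endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                                # round 1: F, X[i]
            a = _rotl((a + ff(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                # round 2: G, X[0,4,8,12,1,...]
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + gg(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                # round 3: H, X[0,8,4,12,2,...]
            k = int(format(i, "04b")[::-1], 2)
            a = _rotl((a + hh(b, c, d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password(cleartext: str) -> bytes:
    """NT-Password = MD4(UTF-16LE(password)); the value rlm_mschap works from."""
    return md4(cleartext.encode("utf-16-le"))


# Assumed, simplified scheme-prefix handling for an LDAP userPassword value.
_SCHEMES = {
    "{crypt}": "Crypt-Password",
    "{clear}": "Cleartext-Password",
    "{cleartext}": "Cleartext-Password",
    "{nt}": "NT-Password",
    "{ssha}": "SSHA-Password",
    "{sha}": "SHA-Password",
    "{md5}": "MD5-Password",
}


def ldap_password_to_check_item(user_password: str) -> Tuple[str, str]:
    """Map a userPassword value to the (attribute, value) check item it becomes."""
    if user_password.startswith("{"):
        end = user_password.find("}")
        if end > 0:
            scheme = user_password[:end + 1].lower()
            if scheme in _SCHEMES:
                return _SCHEMES[scheme], user_password[end + 1:]
    return "Cleartext-Password", user_password       # no known prefix: clear text


def mschap_known_good(check: Dict[str, str]) -> Optional[bytes]:
    """What rlm_mschap can use: an NT-Password, or one derived from a
    Cleartext-Password.  A one-way hash ({CRYPT}, {SSHA}, ...) yields None,
    which is the 'No NT/LM-Password. Cannot perform authentication' case."""
    if "NT-Password" in check:
        return bytes.fromhex(check["NT-Password"])
    if "Cleartext-Password" in check:
        return nt_password(check["Cleartext-Password"])
    return None


def mschap_possible(user_password: str) -> bool:
    """True if an inner MS-CHAPv2 could be verified from this stored value."""
    attr, value = ldap_password_to_check_item(user_password)
    return mschap_known_good({attr: value}) is not None


if __name__ == "__main__":
    # Constructed sample values, not real directory data.
    for stored in ("{CRYPT}$1$saltsalt$constructedhash",
                   "{NT}8846F7EAEE8FB117AD06BDD830B7586C",
                   "password"):
        verdict = "possible" if mschap_possible(stored) else "IMPOSSIBLE, use PAP or store an NT hash"
        print(f"{stored!r}: MS-CHAPv2 {verdict}")
```

The same decision explains the thread's log: rlm_ldap turned the {CRYPT} value into a Crypt-Password check item, rlm_mschap found neither NT-Password nor Cleartext-Password, and nothing it could compute from a crypt(3) digest would ever produce the NT hash the MS-CHAPv2 response is keyed on.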
Re: Failed (re-)authentification after some time...
Hey Alan,

you suggested:

> Fix is so that nothing is blocking the server.

Call me dumb, but I have no idea what to look for. One idea: is ntlm_auth referred to as a child? Maybe I should write a wrapper and see how long execution of this helper program takes, or can I somehow log what program had which PID?

Best,
Jan

Alan DeKok al...@deployingradius.com wrote on 30 August 2010 at 22:22:
> Jan Zacharias wrote:
>> I did more tests (now with two winXP clients and one OSX client), the problem is still unsolved:
>
> <shrug> The solution is still the same.
>
>> The strange thing: freeradius is started with the no-children option:
>>
>>     freeradius 60384 0.0 0.4 11560 9240 4 S 11:57AM 0:49.13 /usr/local/sbin/radiusd -s
>
> Well... something is inconsistent. The error messages you posted are produced *only* when the server has child threads.
>
>> So why does it complain about children that take too long?!
>
> For the same reason as before.
>
> Alan DeKok.
Re: No authenticate method (Auth-Type) found
Isabelle RECH wrote:
> Hi Alan,

Don't CC me on messages to the list. I *do* read the list.

>     rlm_ldap: ldap_search() failed: Operations error

Install 2.1.7 or later, and see chase_referrals and rebind in raddb/modules/ldap.

Alan DeKok.
Re: Failed (re-)authentification after some time...
Jan Zacharias wrote:
> Call me dumb, but I have no idea what to look for.

Neither do I. It's your system...

> One idea: is ntlm_auth referred to as a child? Maybe I should write a wrapper and see how long execution of this helper program takes,

Possibly, yes.

Alan DeKok.
Re: Adding Attributes in Access-Accept
Hi Alan,

Thank you for your quick response. I will definitely explore unlang. Right now I tried working with the attr_rewrite module; things worked as expected.

Thanks
Regards,
Chidanand

On Tue, Aug 31, 2010 at 4:44 PM, Alan DeKok al...@deployingradius.com wrote:
> Chidanand Gangur wrote:
>> I do not have any access to the home server but I still want the Access-Accept to carry User-Name in it. Can we do it by tweaking the proxy server?
>
> Yes. Update the reply to include the User-Name.
>
>     $ man unlang
>
> You can add *any* attribute to *anything*. Request, response, proxied request, etc.
>
> Alan DeKok.

--
Chidanand Gangur
Pune.
Re: VLAN Assignment of Wifi-Clients
Alan DeKok wrote:
> Marten Pape wrote:
>> Now my goal is to tell the NAS to assign every wifi-packet to a certain VLAN. I don't need to have a dynamic assignment of VLAN based on usernames or something else. One VLAN would be sufficient.
>
> You can assign the vlan in the post-auth section.

Now, I did it in the sites-available/default file, post-auth section:

    update reply {
        Tunnel-Type := 13
        Tunnel-Medium-Type = 6
        Tunnel-Private-Group-ID = 123
    }

But it seems that the access point does not assign the traffic to a certain VLAN and, as far as I know, this access point is able to do that. Do you see anything else going wrong? The debug log of a new connection try is attached below.

>> The solution I found was to insert the following lines into the radgroupreply table (split up into the correct columns...):
>>
>>     Tunnel-Type = 13
>>     Tunnel-Medium-Type = 6
>>     Tunnel-Private-Group-Id = 10
>>
>> After I've done this entry, I hoped that it would work, but it didn't.
>
> From the debug log you posted, it's clear that you didn't enable the sql module in the authorize section.

Mhmm, it is enabled (=listed) in sites-available/default and sites-available/inner-tunnel. Do you want to see these files?

Thanks
Marten Pape

> Alan DeKok.

    rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=2, length=135
        User-Name = "marpap"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
        Calling-Station-Id = "00-60-b3-63-4e-03"
        EAP-Message = 0x0201000b016d6172706170
        NAS-IP-Address = 172.20.160.171
        Message-Authenticator = 0x4c68db4ae1e988fdc7b61ccd1375f3b7
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[mschap] returns noop
    [eap] EAP packet type response id 1 length 11
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    [sql] expand: %{User-Name} -> marpap
    [sql] sql_set_user escaped user --> 'marpap'
    rlm_sql (sql): Reserving sql socket id: 4
    [sql] expand: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = '%{SQL-User-Name}' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND(SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id
    rlm_sql_mysql: query: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND(SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id
    [sql] User found in radcheck table
    [sql] expand: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = '%{SQL-User-Name}' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND(SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id
    rlm_sql_mysql: query: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND(SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id =
Re: VLAN Assignment of Wifi-Clients
Alan DeKok wrote:
> Marten Pape wrote:
>> Now my goal is to tell the NAS to assign every wifi-packet to a certain VLAN. I don't need to have a dynamic assignment of VLAN based on usernames or something else. One VLAN would be sufficient.
>
> You can assign the vlan in the post-auth section.

Now, I added this answer to the sites-available/default - post-auth section:

    update reply {
        Tunnel-Type := 13
        Tunnel-Medium-Type = 6
        Tunnel-Private-Group-ID = 123
    }

But the access point doesn't seem to tag this traffic with the vlan-ID 123. As far as I know, this access point is able to do that. Do you see anything else going wrong? The debug log of a new connection try is attached below.

>> The solution I found was to insert the following lines into the radgroupreply table (split up into the correct columns...):
>>
>>     Tunnel-Type = 13
>>     Tunnel-Medium-Type = 6
>>     Tunnel-Private-Group-Id = 10
>>
>> After I've done this entry, I hoped that it would work, but it didn't.
>
> From the debug log you posted, it's clear that you didn't enable the sql module in the authorize section.

Well, the thing is that it is enabled in both files - default and inner-tunnel (virtual servers).

Thanks,
Marten Pape

> Alan DeKok.

== debug log ==

    rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=2, length=135
        User-Name = "marpap"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
        Calling-Station-Id = "00-60-b3-63-4e-03"
        EAP-Message = 0x0201000b016d6172706170
        NAS-IP-Address = 172.20.160.171
        Message-Authenticator = 0x4c68db4ae1e988fdc7b61ccd1375f3b7
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[mschap] returns noop
    [eap] EAP packet type response id 1 length 11
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    [sql] expand: %{User-Name} -> marpap
    [sql] sql_set_user escaped user --> 'marpap'
    rlm_sql (sql): Reserving sql socket id: 4
    [sql] expand: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = '%{SQL-User-Name}' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND(SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id
    rlm_sql_mysql: query: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND(SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id
    [sql] User found in radcheck table
    [sql] expand: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = '%{SQL-User-Name}' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND(SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id
    rlm_sql_mysql: query: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND(SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND
Re: VLAN Assignment of Wifi-Clients
On Aug 31, 2010, at 8:48 AM, Marten Pape wrote:
> Alan DeKok wrote:
>> Marten Pape wrote:
>>> Now my goal is to tell the NAS to assign every wifi-packet to a certain VLAN. I don't need to have a dynamic assignment of VLAN based on usernames or something else. One VLAN would be sufficient.
>>
>> You can assign the vlan in the post-auth section.
>
> Now, I added this answer to the sites-available/default - post-auth section:
>
>     update reply {
>         Tunnel-Type := 13
>         Tunnel-Medium-Type = 6
>         Tunnel-Private-Group-ID = 123
>     }
>
> But the access point doesn't seem to tag this traffic with the vlan-ID 123. As far as I know, this access point is able to do that. Do you see anything else going wrong? The debug log of a new connection try is attached below.
>
>     rlm_sql (sql): Released sql socket id: 4
>     ++[sql] returns ok
>     ++[exec] returns noop
>     Sending Access-Accept of id 11 to 172.20.160.171 port 1812
>         MS-MPPE-Recv-Key = 0x35b16df4a592e9da418da46ab5164210166ad66293fd8831c5dec7d2f7eb1a8d
>         MS-MPPE-Send-Key = 0x0709cee111f7985f495c7208fe4ceb3b57b1657f9fc10762578ba41ba9727b85
>         EAP-Message = 0x030a0004
>         Message-Authenticator = 0x
>         User-Name = "marpap"
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "123"

The server is sending back the attributes. Check whether the VLAN must be pre-configured on the NAS in order to be assigned. Else check that the NAS supports dynamic assignment, or that it uses VSAs instead of the RFC attributes.

-Arran
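An added example for the VLAN thread (not code from the thread or from FreeRADIUS): Arran's point is that the server is emitting the RFC 2868 tunnel attributes correctly and the question is what the NAS does with them, so it helps to know exactly how those three attributes look on the wire when comparing a packet capture against what the access point expects. The block builds Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-Id = "123" with their tag bytes, and parses them back while refusing malformed lengths. Attribute numbers, values and the tag rules are from RFC 2868; the function names are this example's own.

```python
# Added example, not code from the thread or from FreeRADIUS: wire encoding
# and decoding of the RFC 2868 tagged tunnel attributes that carry a VLAN
# assignment, matching the Tunnel-*:0 lines in the debug output above.
import struct
from typing import List, Tuple, Union

TUNNEL_TYPE = 64                 # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65          # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81     # Tunnel-Private-Group-Id
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type value "IEEE-802"


def encode_tagged_int(attr: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F or not 0 <= value < (1 << 24):
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return struct.pack(">BBB", attr, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr: int, tag: int, value: str) -> bytes:
    """Tagged string attribute: Type, Length, Tag, string.  The tag byte is
    sent even for tag 0 ("untagged"), which is what the Tunnel-*:0 output means."""
    payload = value.encode()
    if not 0 <= tag <= 0x1F or len(payload) > 252:
        raise ValueError("tag must be 0..31 and the string must fit one attribute")
    return struct.pack(">BBB", attr, len(payload) + 3, tag) + payload


def vlan_assignment(vlan_id: int, tag: int = 0) -> bytes:
    """The three reply attributes the thread's post-auth 'update reply' sends:
    Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=<vlan>."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_tunnel_attrs(raw: bytes) -> List[Tuple[int, int, Union[int, str]]]:
    """Walk a run of RADIUS attributes and return (type, tag, value) for the
    tunnel attributes.  Every length is validated before a slice is trusted,
    so a truncated or malformed buffer raises instead of being misread."""
    out: List[Tuple[int, int, Union[int, str]]] = []
    pos = 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError("bad attribute length")
        body = raw[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if alen != 6:
                raise ValueError("tagged integer attribute must be 6 bytes")
            out.append((atype, body[0], int.from_bytes(body[1:], "big")))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the string.
            if body and body[0] <= 0x1F:
                out.append((atype, body[0], body[1:].decode()))
            else:
                out.append((atype, 0, body.decode()))
        pos += alen
    return out


if __name__ == "__main__":
    wire = vlan_assignment(123)
    print(wire.hex())
    for atype, tag, value in decode_tunnel_attrs(wire):
        print(f"attr {atype} tag {tag} value {value!r}")
```

If a capture of the Access-Accept shows these bytes and the access point still puts the client in its default VLAN, the attributes are not the problem; as the reply says, look at whether the VLAN exists on the NAS, whether dynamic assignment is switched on, and whether the vendor expects its own VSA instead.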
Re: CA_file vs. CA_path
David Mitchell wrote:
> Alan DeKok wrote:
>> David Mitchell wrote:
>>> I now have 2.1.10 compiled and running. It seems to work fine. I did have to make one change to my configuration. I had been using CA_path to refer to the certificates which can authenticate clients for EAP-TLS authentication in 2.1.8. In 2.1.10, that doesn't seem to work. If I specify a single file via CA_file that works fine. I can manage either way I think since the file referenced in CA_file can contain multiple certificates. I did verify that I had run 'c_rehash' in my CA_path directory. I'm not sure why CA_path doesn't work since the OpenSSL docs indicate that they are largely interchangeable. Is it an intentional change?
>>
>> Nope. It's not an intentional change. I don't know why it would be different.
>>
>> Alan DeKok.
>
> I did change OpenSSL versions as well so I can't say for sure that it has anything to do with FreeRadius. I'll try and poke around some and see if I can figure out what's going on. Thanks for confirming it wasn't meant to change.
>
> -David

I've done some recompiling and I believe that the new behavior is due to the new version of OpenSSL. If I compile FreeRadius using the default Debian OpenSSL (0.9.8g) I can use CA_path as expected. Compiling FreeRadius and specifying the locally installed OpenSSL 1.0.0a results in CA_path not working. In both cases I was compiling FR 2.1.9. I have not dug into the OpenSSL code. I've looked in there before and it scares me ;-)

-David

--
-------------------------------------------------------------
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV   |
| Tel: (303) 497-1845                  National Center for   |
| FAX: (303) 497-1818                  Atmospheric Research  |
-------------------------------------------------------------
ask for help on WiMAX + Freeradius + Disconnect
Hello, friends,

I met some problems when using Freeradius to send a Disconnect Request; I hope you can give me some suggestions. Please let me describe my issue.

First I created a packet.txt for radclient.exe. The content of packet.txt is:

    Acct-Session-Id=0001
    Calling-Station-Id=001E310008CC
    User-Name=wimax
    X-Ascend-Session-Svr-Key=0123456789
    NAS-IP-Address=100.1.6.5
    NAS-Identifier=100.1.6.5
    WiMAX-Session-ID="XXX"
    WiMAX-DM-Action-Code=""

After packet.txt was sent to the AGW, the radclient debug window said:

    Unknown WiMAX-Session-ID or Unknown WiMAX-DM-Action-Code

WiMAX NWG 1.3 says:

    5.4.1.7 RADIUS Disconnect Request Message

    Disconnect Request message should be defined as per [28] with the following:

    Attribute             TYPE   Description                                                     DR   DR-ACK  DR-NAK
    User-Name             1      The NAI of the MS as received during Access-Authentication.     1    0       0
    Calling-Station-Id    31     The MAC address in binary format of the MS.                     1    0       0
    WiMAX-Session-ID      26/4   The NAI contained in the User-Name and the WiMAX-Session-ID     1    0       0
                                 forms a unique identifier of the session at the NAS.
    WiMAX-DM-Action-Code  26/60  Carries the deregistration action code from AAA to the NAS.     0-1  0       0
                                 If the WiMAX-DM-Action-Code is not present in the RADIUS
                                 Disconnect message then the result will be the same as if
                                 the action code 0x was included. The end result should be
                                 that the BS sends the RES-CMD to the MS.

So I must add and make WiMAX-Session-ID and WiMAX-DM-Action-Code sent by Freeradius. Could you please give me any suggestions on how to add the attributes WiMAX-Session-ID and WiMAX-DM-Action-Code to the sent message?

Thanks a lot for your help in advance!

Xiaochen Chen @ WiMAX Test Lab
Beijing, China
ask for help on WiMAX + Freeradius + Disconnect
Hello, friends,

I met some problems when using Freeradius to send a Disconnect Request; I hope you can give me some suggestions. Please let me describe my issue.

First I created a packet.txt for radclient.exe. The content of packet.txt is:

    Acct-Session-Id=0001
    Calling-Station-Id=001E310008CC
    User-Name=wimax
    X-Ascend-Session-Svr-Key=0123456789
    NAS-IP-Address=100.1.6.5
    NAS-Identifier=100.1.6.5
    WiMAX-Session-ID="XXX"
    WiMAX-DM-Action-Code=""

After packet.txt was sent to the AGW, the radclient debug window said:

    "Unknown WiMAX-Session-ID or Unknown WiMAX-DM-Action-Code"

WiMAX NWG 1.3 says:

    5.4.1.7 RADIUS Disconnect Request Message

    Disconnect Request message should be defined with the following: User-Name, Calling-Station-Id, WiMAX-Session-ID, WiMAX-DM-Action-Code

So I must add and make WiMAX-Session-ID and WiMAX-DM-Action-Code sent by Freeradius. Could you please give me any suggestions on how to add the attributes WiMAX-Session-ID and WiMAX-DM-Action-Code to the sent message?

Thanks a lot for your help in advance!

Xiaochen Chen @ WiMAX Test Lab
Beijing, China