Activation of LDAP module

2010-08-31 Thread Fernando Calvelo Vazquez

Hi guys:

I'm trying to activate the LDAP authentication part in the config files.
But when I uncomment the following lines:

  Auth-Type LDAP {
  ldap
  }

I get the following error when the service starts up:


Module: Checking authenticate {...} for more modules to load
/opt/csw/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': ld.so.1: radiusd: fatal: relocation error: file /opt/csw/lib/rlm_ldap-2.1.6.so: symbol ber_pvt_opt_on: referenced symbol not found

/opt/csw/etc/raddb/sites-enabled/default[284]: Failed to find module ldap.
/opt/csw/etc/raddb/sites-enabled/default[284]: Failed to parse ldap entry.

I don't know what the demanded symbol 'ber_pvt_opt_on' means.

Thanks a lot in advance for your reply.
Best regards,

 Fernando.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Adding Attributes in Access-Accept

2010-08-31 Thread Chidanand Gangur
Hi All,

I have a setup where the user is proxied to a home server for authentication,
and things are working fine. In the Access-Accept response I see the following:

rad_recv: Access-Accept packet from host 192.168.7.40 port 1812, id=195,
length=68
Proxy-State = 0x3530
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x47cc04de01370001c0a8072801cb483d266256d80006

I do not have any access to the home server but I still want the
Access-Accept to carry User-Name in it. Can we do it by tweaking the proxy
server ?

Please guide me to some pointers/links if it can be done.

-- 
Chidanand Gangur
Pune.

Re: Activation of LDAP module

2010-08-31 Thread Peter Lambrechtsen
Looks like you need to recompile openldap, as the symbol is missing from the
shared library.

Then recompile freeradius against that newer version of openldap.

On Tue, Aug 31, 2010 at 6:52 PM, Fernando Calvelo Vazquez 
fernando.calv...@esrf.fr wrote:

 Hi guys:

 I'm trying to activate ldap authentication part at config files.
 But when I uncomment next lines:

  Auth-Type LDAP {
  ldap
  }

 I get next error when service starts up


 Module: Checking authenticate {...} for more modules to load
 /opt/csw/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
 ld.so.1: radiusd: fatal: relocation error: file /opt/csw/lib/
 rlm_ldap-2.1.6.so: symbol ber_pvt_opt_on: referenced symbol not found
 /opt/csw/etc/raddb/sites-enabled/default[284]: Failed to find module
 ldap.
 /opt/csw/etc/raddb/sites-enabled/default[284]: Failed to parse ldap
 entry.

 I don't know what does it mean symbol demanded: 'ber_pvt_opt_on'

 Thanks a lot in advance for your reply.
 Best regards,

 Fernando.



Re: Simultaneous-Use

2010-08-31 Thread Student University
It worked after changing the NAS type to 'other' instead of 'cisco'.


On Mon, Aug 30, 2010 at 11:19 PM, ziko emobux...@yahoo.com wrote:


 Go to the /etc/raddb/sql/mysql/dialup.conf file, find the Simultaneous Use
 Checking Queries and uncomment the needed lines there. Then add the
 Simultaneous-Use attribute to the user. It worked for me.
 --
 *From:* Student University studen...@gmail.com
 *To:* FreeRadius users mailing list freeradius-users@lists.freeradius.org
 
 *Sent:* Mon, August 30, 2010 11:31:03 PM
 *Subject:* Simultaneous-Use


 Dears,

 has anyone successfully configured Simultaneous-Use := 1?

 If so, please share this experience.


 Best Regards






Re: rlm_perl error

2010-08-31 Thread Bjørn Mork
JUND, Aurélien aurelien.j...@sfr.com writes:

 example.pl:

 sub authorize {
 if ($RAD_REQUEST{'Service-Type'} = "Framed-User") {

This isn't a perl boolean expression...

 $RAD_CHECK{'Cleartext-Password'} = 1;
 $RAD_REPLY{'Callback-Number'} = "Number";

 return RLM_MODULE_OK }

But it will always be true, so these should be evaluated anyway.
However, I don't see you defining RLM_MODULE_OK anywhere, which means
that we either don't see the complete script or that the script will
fail. Please see the example.pl script in freeradius.


Adding items to these lists *does* work.  Example:

This script:

use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);   # hashes filled in by rlm_perl

use constant RLM_MODULE_REJECT   => 0;  # /* immediately reject the request */
use constant RLM_MODULE_FAIL     => 1;  # /* module failed, don't reply */
use constant RLM_MODULE_OK       => 2;  # /* the module is OK, continue */
use constant RLM_MODULE_HANDLED  => 3;  # /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID  => 4;  # /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK => 5;  # /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND => 6;  # /* user not found */
use constant RLM_MODULE_NOOP     => 7;  # /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED  => 8;  # /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES => 9;  # /* How many return codes there are */

sub authorize {
    print "Here\n";
    # Adding a check item: rlm_perl copies %RAD_CHECK back into the request
    $RAD_CHECK{'Cleartext-Password'} = "foo";
    return RLM_MODULE_UPDATED;
}


results in:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 55297, id=90, length=44
User-Name = test
User-Password = foo
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
GOT CLONE 1554668288 0x267ae10
Here
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = foo
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Cleartext-Password = foo
++[perl] returns updated
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password foo
[pap] Using clear text password foo
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 90 to 127.0.0.1 port 55297
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 90 with timestamp +4
Ready to process requests.



Do also note that you can add prints while debugging the script.  This
is very useful when trying to figure out what happens while the server
runs the script.



Bjørn


EAP-TTLS with mschapv2 inner authentication issue

2010-08-31 Thread matteo

Hello all,
I'm trying to use Freeradius 21.1.9 EAP-TTLS with MSCHAPv2 as inner  
authentication against an OpenLDAP server with crypt password  
encryption scheme.

The following is the relevant part of my eap.conf:

eap {
    default_eap_type = ttls

    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}


rad_recv: Access-Request packet from host 156.148.67.1 port 2051, id=3, length=161
User-Name = mat...@crs4.it
NAS-IP-Address = 156.148.67.1
NAS-Port = 0
Called-Station-Id = 00-1E-E5-28-99-F8
Calling-Station-Id = 00-13-CE-3C-7E-17
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x02010013016d617474656f40637273342e6974
Message-Authenticator = 0x310153774fd7a4c1fdc46eaf761b9d12
Tue Aug 31 11:12:04 2010 : Info: +- entering group authorize {...}
Tue Aug 31 11:12:04 2010 : Info: ++[preprocess] returns ok
Tue Aug 31 11:12:04 2010 : Info: ++[chap] returns noop
Tue Aug 31 11:12:04 2010 : Info: ++[mschap] returns noop
Tue Aug 31 11:12:04 2010 : Info: [suffix] Looking up realm crs4.it for User-Name = mat...@crs4.it
Tue Aug 31 11:12:04 2010 : Info: [suffix] Found realm crs4.it
Tue Aug 31 11:12:04 2010 : Info: [suffix] Adding Stripped-User-Name = matteo
Tue Aug 31 11:12:04 2010 : Info: [suffix] Adding Realm = crs4.it
Tue Aug 31 11:12:04 2010 : Info: [suffix] Authentication realm is LOCAL.
Tue Aug 31 11:12:04 2010 : Info: ++[suffix] returns ok
Tue Aug 31 11:12:04 2010 : Info: [eap] EAP packet type response id 1 length 19
Tue Aug 31 11:12:04 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Aug 31 11:12:04 2010 : Info: ++[eap] returns updated
Tue Aug 31 11:12:04 2010 : Info: ++[unix] returns notfound
Tue Aug 31 11:12:04 2010 : Info: ++[files] returns noop
Tue Aug 31 11:12:04 2010 : Info: [ldap] performing user authorization for matteo
Tue Aug 31 11:12:04 2010 : Info: [ldap] 	expand: %{Stripped-User-Name} -> matteo
Tue Aug 31 11:12:04 2010 : Info: [ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=matteo)
Tue Aug 31 11:12:04 2010 : Info: [ldap] 	expand: ou=people,dc=crs4 -> ou=people,dc=crs4
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] attempting LDAP reconnection
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] (re)connect to opmanager.crs4.it:389, authentication 0
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] setting TLS CACert File to /etc/raddb/certs/ca.crt
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] setting TLS CACert Directory to /etc/raddb/certs
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] setting TLS Cert File to /etc/raddb/certs/cheope.crs4.it.crt
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] setting TLS Key File to /etc/raddb/certs/cheope.crs4.it.key
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] setting TLS Key File to /etc/raddb/certs/random
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] bind as / to opmanager.crs4.it:389
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] waiting for bind result ...
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] Bind was successful
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] performing search in ou=people,dc=crs4, with filter (uid=matteo)
Tue Aug 31 11:12:04 2010 : Info: [ldap] checking if remote access for matteo is allowed by uid
Tue Aug 31 11:12:04 2010 : Info: [ldap] looking for check items in directory...
Tue Aug 31 11:12:04 2010 : Info: [ldap] looking for reply items in directory...
Tue Aug 31 11:12:04 2010 : Debug: WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
Tue Aug 31 11:12:04 2010 : Info: [ldap] user matteo authorized to use remote access
Tue Aug 31 11:12:04 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 31 11:12:04 2010 : Info: ++[ldap] returns ok
Tue Aug 31 11:12:04 2010 : Info: ++[expiration] returns noop
Tue Aug 31 11:12:04 2010 : Info: ++[logintime] returns noop
Tue Aug 31 11:12:04 2010 : Info: [pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
Tue Aug 31 11:12:04 2010 : Info: ++[pap] returns noop
Tue Aug 31 11:12:04 2010 : Info: Found Auth-Type = EAP
Tue Aug 31 11:12:04 2010 : Info: +- entering group authenticate {...}
Tue Aug 31 11:12:04 2010 : Info: [eap] EAP Identity
Tue Aug 31 11:12:04 2010 : Info: [eap] processing type tls
Tue Aug 31 11:12:04 2010 : Info: [tls] Initiate
Tue Aug 31 11:12:04 2010 : Info: [tls] Start returned 1
Tue Aug 31 11:12:04 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 3 to 156.148.67.1 port 2051
EAP-Message = 0x010200061520
Message-Authenticator = 0x

Re: EAP-TTLS with mschapv2 inner authentication issue

2010-08-31 Thread Phil Mayers

On 08/31/2010 10:23 AM, mat...@crs4.it wrote:

Hello all,
I'm trying to use Freeradius 21.1.9 EAP-TTLS with MSCHAPv2 as inner
authentication against an OpenLDAP server with crypt password
encryption scheme.


That is not possible I'm afraid. MS-CHAP requires access to the NT/LM 
hashes (or plaintext password), or access to a machine which does 
(domain controller) via the ntlm_auth helper binary.


As you can see:


Tue Aug 31 11:12:04 2010 : Debug: WARNING: No known good password
was found in LDAP.  Are you sure that the user is configured correctly?


Then:


Tue Aug 31 11:12:04 2010 : Info: +- entering group MS-CHAP {...}
Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password
configured.  Cannot create LM-Password.
Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password
configured.  Cannot create NT-Password.
Tue Aug 31 11:12:04 2010 : Info: [mschap] Told to do MS-CHAPv2 for
mat...@crs4.it with NT-Password
Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: No NT/LM-Password.
Cannot perform authentication.
Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is
incorrect


To emphasise this is IMPOSSIBLE; you will either need to store a 
different password hash, or use a different inner EAP method - probably PAP.



Re: No authenticate method (Auth-Type) found

2010-08-31 Thread Isabelle RECH

Hi Alan,

I've found the reason why the rlm_ldap module
was not loaded.
Now it's a little better, but the LDAP
can't authenticate my account:

Below is the new output when running
radtest:  /usr/bin/radtest/ -d /etc/freeradius ldap  
127.0.0.1:1812 10 testing123:


rad_recv: Access-Request packet from host 127.0.0.1 port 36154, id=158, length=56

User-Name = ldap
User-Password = 
NAS-IP-Address = 192.168.55.150
NAS-Port = 10
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '/' in User-Name = ldap, looking up realm NULL
rlm_realm: No such realm NULL
++[IPASS] returns noop
rlm_realm: No '@' in User-Name = ldap, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
++[files] returns noop
++[unix] returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldap
expand: (sAMAccountName=%u) -> (sAMAccountName=ldap)
expand: dc=privee,dc=enssib,dc=fr -> dc=privee,dc=enssib,dc=fr
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to servcdom.privee.enssib.fr:389, authentication 0
rlm_ldap: bind as cn=ldap,cn=users,dc=privee,dc=enssib,dc=fr/ to servcdom.privee.enssib.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=privee,dc=enssib,dc=fr, with filter (sAMAccountName=ldap)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
Invalid user: [ldap/toti] (from client localhost port 10)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> ldap
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 158 to 127.0.0.1 port 36154
Waking up in 4.9 seconds.
Cleaning up request 0 ID 158 with timestamp +206
Ready to process requests.

I've noticed that the account 'ldap' binds successfully to the LDAP,
but the connecting step fails.

Thanks for any answer.

Isabelle RECH LE RECIS

Enssib
Département informatique
17-21 Bd du 11 Novembre 1918
69623 Villeurbanne Cedex

Tel : 04 72 44 43 34
http://www.enssib.fr/




On 24/08/2010 16:09, Alan DeKok wrote:

Isabelle RECH wrote:

 Hi free-radius users!

 I'm running a freeradius 2.0.4 on a DEBIAN 5.0.5
 We want to access an LDAP / windows base, which is declared
 in the radiusd.conf file

 Below is the output produced by the radiusd -X debugging mode
 when I run the radtest:

 ...

 Obviously, it's the authenticate method which
 is missing. I've added this entry in the
 /etc/freeradius/sites-available/default:
 - The entries ldap & pap are uncommented in the Authorize { } section

   Read the debug output again.  You did *not* uncomment the ldap line
in the authorize section.

   Alan DeKok.






Re: EAP-TTLS with mschapv2 inner authentication issue

2010-08-31 Thread Fajar A. Nugraha
On Tue, Aug 31, 2010 at 4:23 PM,  mat...@crs4.it wrote:
 Hello all,
 I'm trying to use Freeradius 21.1.9 EAP-TTLS with MSCHAPv2 as inner
 authentication against an OpenLDAP server with crypt password encryption
 scheme.

Short answer: you can't.
MSCHAPv2 needs clear text password. You can't use MSCHAPv2 with
crypt-ed password.

... which the logs says quite clearly btw:

Tue Aug 31 11:12:04 2010 : Info: [ldap] looking for reply items in directory...
Tue Aug 31 11:12:04 2010 : Debug: WARNING: No known good password
was found in LDAP.  Are you sure that the user is configured
correctly?

Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password
configured.  Cannot create LM-Password.
Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password
configured.  Cannot create NT-Password.
Tue Aug 31 11:12:04 2010 : Info: [mschap] Told to do MS-CHAPv2 for
mat...@crs4.it with NT-Password
Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: No NT/LM-Password.
Cannot perform authentication.

-- 
Fajar


Re: Failed (re-)authentification after some time...

2010-08-31 Thread Jan Zacharias

Hey Alan, you suggested:

 Fix is so that nothing is blocking the server.

Call me dumb, but I have no idea what to look for.

One idea: is ntlm_auth referred to as a child? Maybe I should
write a wrapper and see how long execution of this helper program
takes, or can I somehow log what program had which PID?

Best, Jan

Alan DeKok al...@deployingradius.com wrote on 30 August 2010 at 22:22:

 Jan Zacharias wrote:
  I did more tests (now with two winXP clients and one OSX client),
 
  the problem is still unsolved:

   <shrug>  The solution is still the same.

  The strange thing: freeradius is started with the no childs option:
  
  freeradius 60384  0.0  0.4 11560  9240   4  S    11:57AM   0:49.13
  /usr/local/sbin/radiusd -s

   Well... something is inconsistent.  The error messages you posted are
 produced *only* when the server has child threads.

  So why does it complain about children that take too long?!

   For the same reason as before.

   Alan DeKok.

Re: No authenticate method (Auth-Type) found

2010-08-31 Thread Alan DeKok
Isabelle RECH wrote:
 Hi Alan,

  Don't CC me on messages to the list.  I *do* read the list.

 rlm_ldap: ldap_search() failed: Operations error

  Install 2.1.7 or later, and see chase_referrals and rebind in
raddb/modules/ldap

  Alan DeKok.


Re: Failed (re-)authentification after some time...

2010-08-31 Thread Alan DeKok
Jan Zacharias wrote:
 Call me dump, but I have no idea what to look for.

  Neither do I.  It's your system...

 One idea: is ntlm_auth referred to as child? Maybe I sould
 write a wrapper and see how long execution of this helper program
 takes,

  Possibly, yes.

  Alan DeKok.


Re: Adding Attributes in Access-Accept

2010-08-31 Thread Chidanand Gangur
Hi Alan,

Thank you for your quick response. I will definitely explore unlang. Right
now I tried working with the attr_rewrite module and things worked as expected.

Thanks & Regards,
Chidanand


On Tue, Aug 31, 2010 at 4:44 PM, Alan DeKok al...@deployingradius.com wrote:

 Chidanand Gangur wrote:
  I do not have any access to the home server but I still want the
  Access-Accept to carry User-Name in it. Can we do it by tweaking the
  proxy server ?

   Yes.  Update the reply to include the User-Name.

 $ man unlang

  You can add *any* attribute to *anything*.  Request, response, proxied
 request, etc.

  Alan DeKok.




-- 
Chidanand Gangur
Pune.

Re: VLAN Assignment of Wifi-Clients

2010-08-31 Thread Marten Pape
Alan DeKok wrote:
 Marten Pape wrote:
  Now my goal is to tell the NAS to assign every wifi-packet to a certain
  VLAN. I don't need to have a dynamic assignment of VLAN based on
  usernames or something else. One VLAN would be sufficient.

   You can assign the vlan in the post-auth section.

Now, I did it in the sites-available/default file, post-auth section:
update reply {
Tunnel-Type := 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-ID = 123
}

But it seems that the access point does not assign the traffic to a
certain VLAN, and as far as I know this access point is able to do
that. Do you see anything else going wrong? The debug log of a new
connection try is attached below.

 The solution I found was to insert the following lines into the
 radgroupreply table (split up into the correct columns...):
 Tunnel-Type = 13
 Tunnel-Medium-Type = 6
 Tunnel-Private-Group-Id = 10

 After I've done this entry, I hoped that it would work, but it didn't.

   From the debug log you posted, it's clear that you didn't enable the
 sql module in the authorize section.

Mhmm, it is enabled (=listed) in sites-available/default and
sites-available/inner-tunnel. Do you want to see these files?

Thanks
Marten Pape

   Alan DeKok.


rad_recv: Access-Request packet from host 172.20.160.171 port 1812,
id=2, length=135
User-Name = marpap
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
NAS-Identifier =
default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
Calling-Station-Id = 00-60-b3-63-4e-03
EAP-Message = 0x0201000b016d6172706170
NAS-IP-Address = 172.20.160.171
Message-Authenticator = 0x4c68db4ae1e988fdc7b61ccd1375f3b7
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> marpap
[sql] sql_set_user escaped user --> 'marpap'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT logins.id, logins.username, radcheck.attribute,
logins.pass_lm, radcheck.op FROM radcheck,
logins WHERE logins.username = '%{SQL-User-Name}' AND
radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='%{SQL-User-Name}' AND logins.account_id =
internet_accounts.account_id)  = 'yes' ORDER
BY id -> SELECT logins.id, logins.username, radcheck.attribute,
logins.pass_lm, radcheck.op FROM radcheck,
logins WHERE logins.username = 'marpap' AND
radcheck.id='1' AND(SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='marpap' AND logins.account_id =
internet_accounts.account_id)  = 'yes'  
ORDER BY id
rlm_sql_mysql: query:  SELECT logins.id, logins.username,
radcheck.attribute, logins.pass_lm, radcheck.op FROM
radcheck, logins WHERE logins.username = 'marpap' AND
radcheck.id='1' AND(SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='marpap' AND logins.account_id =
internet_accounts.account_id)  = 'yes'  
ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT logins.id, logins.username, radreply.attribute,
logins.pass_lm, radreply.op FROM radreply,
logins WHERE logins.username = '%{SQL-User-Name}' AND
radreply.id='1' AND (SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='%{SQL-User-Name}' AND logins.account_id =
internet_accounts.account_id)  = 'yes' ORDER
BY id -> SELECT logins.id, logins.username, radreply.attribute,
logins.pass_lm, radreply.op FROM radreply,
logins WHERE logins.username = 'marpap' AND
radreply.id='1' AND(SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='marpap' AND logins.account_id =
internet_accounts.account_id)  = 'yes'  
ORDER BY id
rlm_sql_mysql: query:  SELECT logins.id, logins.username,
radreply.attribute, logins.pass_lm, radreply.op FROM
radreply, logins WHERE logins.username = 'marpap' AND
radreply.id='1' AND(SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='marpap' AND logins.account_id =

Re: VLAN Assignment of Wifi-Clients

2010-08-31 Thread Marten Pape
Alan DeKok wrote:
 Marten Pape wrote:
  Now my goal is to tell the NAS to assign every wifi-packet to a certain
  VLAN. I don't need to have a dynamic assignment of VLAN based on
  usernames or something else. One VLAN would be sufficient.

   You can assign the vlan in the post-auth section.

Now, I added this answer to the sites-available/default - post-auth
section:
update reply {
Tunnel-Type := 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-ID = 123
}

But the access point doesn't seem to tag this traffic with the vlan-ID
123. As far as I know, this access point is able to do that. Do you see
anything else going wrong? The debug log of a new connection try is
attached below.

 The solution I found was to insert the following lines into the
 radgroupreply table (split up into the correct columns...):
 Tunnel-Type = 13
 Tunnel-Medium-Type = 6
 Tunnel-Private-Group-Id = 10

 After I've done this entry, I hoped that it would work, but it didn't.

   From the debug log you posted, it's clear that you didn't enable the
 sql module in the authorize section.

Well, the thing is, that it is enabled in both files - default and
inner-tunnel (virtual servers)

Thanks,
Marten Pape

   Alan DeKok.

==debug log

rad_recv: Access-Request packet from host 172.20.160.171 port 1812,
id=2, length=135
User-Name = marpap
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
NAS-Identifier =
default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
Calling-Station-Id = 00-60-b3-63-4e-03
EAP-Message = 0x0201000b016d6172706170
NAS-IP-Address = 172.20.160.171
Message-Authenticator = 0x4c68db4ae1e988fdc7b61ccd1375f3b7
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> marpap
[sql] sql_set_user escaped user --> 'marpap'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT logins.id, logins.username, radcheck.attribute,
logins.pass_lm, radcheck.op FROM radcheck,
logins WHERE logins.username = '%{SQL-User-Name}' AND
radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='%{SQL-User-Name}' AND logins.account_id =
internet_accounts.account_id)  = 'yes' ORDER
BY id -> SELECT logins.id, logins.username, radcheck.attribute,
logins.pass_lm, radcheck.op FROM radcheck,
logins WHERE logins.username = 'marpap' AND
radcheck.id='1' AND(SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='marpap' AND logins.account_id =
internet_accounts.account_id)  = 'yes'  
ORDER BY id
rlm_sql_mysql: query:  SELECT logins.id, logins.username,
radcheck.attribute, logins.pass_lm, radcheck.op FROM
radcheck, logins WHERE logins.username = 'marpap' AND
radcheck.id='1' AND(SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='marpap' AND logins.account_id =
internet_accounts.account_id)  = 'yes'  
ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT logins.id, logins.username, radreply.attribute,
logins.pass_lm, radreply.op FROM radreply,
logins WHERE logins.username = '%{SQL-User-Name}' AND
radreply.id='1' AND (SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='%{SQL-User-Name}' AND logins.account_id =
internet_accounts.account_id)  = 'yes' ORDER
BY id -> SELECT logins.id, logins.username, radreply.attribute,
logins.pass_lm, radreply.op FROM radreply,
logins WHERE logins.username = 'marpap' AND
radreply.id='1' AND(SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='marpap' AND logins.account_id =
internet_accounts.account_id)  = 'yes'  
ORDER BY id
rlm_sql_mysql: query:  SELECT logins.id, logins.username,
radreply.attribute, logins.pass_lm, radreply.op FROM
radreply, logins WHERE logins.username = 'marpap' AND
radreply.id='1' AND(SELECT internet_accounts.aktiv FROM
internet_accounts, logins  WHERE
logins.username='marpap' AND 

Re: VLAN Assignment of Wifi-Clients

2010-08-31 Thread Arran Cudbard-Bell

On Aug 31, 2010, at 8:48 AM, Marten Pape wrote:

 Alan DeKok wrote:
 Marten Pape wrote:
 
 Now my goal is to tell the NAS to assign every wifi-packet to a certain
 VLAN. I don't need to have a dynamic assignment of VLAN based on
 usernames or something else. One VLAN would be sufficient.
 
 
  You can assign the vlan in the post-auth section.
 
 Now, I added this answer to the sites-available/default - post-auth
 section:
update reply {
Tunnel-Type := 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-ID = 123
}
 
 But the access point doesn't seem to tag this traffic with the vlan-ID
 123. As far as I know, this access point is able to do that. Do you see
 anything else going wrong? The debug log of a new connection try is
 attached below.
 
 rlm_sql (sql): Released sql socket id: 4
 ++[sql] returns ok
 ++[exec] returns noop
 Sending Access-Accept of id 11 to 172.20.160.171 port 1812
MS-MPPE-Recv-Key =
 0x35b16df4a592e9da418da46ab5164210166ad66293fd8831c5dec7d2f7eb1a8d
MS-MPPE-Send-Key =
 0x0709cee111f7985f495c7208fe4ceb3b57b1657f9fc10762578ba41ba9727b85
EAP-Message = 0x030a0004
Message-Authenticator = 0x
User-Name = marpap
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 123

Server is sending back the attributes. Check whether the VLAN must be 
pre-configured on the NAS in order to be assigned. Else check that the NAS 
supports dynamic assignment, or that it uses VSAs instead of the RFC attributes.

-Arran


Re: CA_file vs. CA_path

2010-08-31 Thread David Mitchell
David Mitchell wrote:
 Alan DeKok wrote:
 David Mitchell wrote:
 I now have 2.1.10 compiled and running. It seems to work fine. I did
 have to make one change to my configuration. I had been using CA_path to
 refer to the certificates which can authenticate clients for EAP-TLS
 authentication in 2.1.8. In 2.1.10, that doesn't seem to work. If I
 specify a single file via CA_file that works fine. I can manage either
 way I think since the file referenced in CA_file can contain multiple
 certificates. I did verify that I had run 'c_rehash' in my CA_path
 directory. I'm not sure why CA_path doesn't work since the OpenSSL docs
 indicate that they are largely interchangeable. Is it an intentional
 change?
   Nope.  It's not an intentional change.  I don't know why it would be
 different.
 
 I did change OpenSSL versions as well so I can't say for sure that it
 has anything to do with FreeRadius. I'll try and poke around some and
 see if I can figure out what's going on. Thanks for confirming it wasn't
 meant to change.

I've done some recompiling and I believe that the new behavior is due to
the new version of OpenSSL. If I compile FreeRadius using the default
Debian OpenSSL (0.9.8g) I can use CA_path as expected. Compiling
FreeRadius and specifying the locally installed OpenSSL 1.0.0a results
in CA_path not working. In both cases I was compiling FR 2.1.9. I have
not dug into the OpenSSL code. I've looked in there before and it scares
me ;-)

-David

 
 -David
 
   Alan DeKok.
 
 


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


ask for help on WiMAX + Freeradius + Disconnect

2010-08-31 Thread Xiaochen
Hello, friends,
I met some problems when using Freeradius to send a Disconnect Request.
I hope you can give me some suggestions.
Please let me describe my issue.
First I created a packet.txt for radclient.exe.
The content of packet.txt is:
Acct-Session-Id=0001
Calling-Station-Id=001E310008CC
User-Name=wimax
X-Ascend-Session-Svr-Key=0123456789
NAS-IP-Address=100.1.6.5
NAS-Identifier=100.1.6.5
WiMAX-Session-ID=XXX
WiMAX-DM-Action-Code=
After packet.txt was sent to the AGW, the radclient debug window said: Unknown
WiMAX-Session-ID or Unknown WiMAX-DM-Action-Code
 
WiMAX NWG 1.3 says:
5.4.1.7 RADIUS Disconnect Request Message
Disconnect Request message should be defined as per [28] with the following:

Attribute             TYPE   DR   DR-ACK  DR-NAK  Description
User-Name             1      1    0       0       The NAI of the MS as received during Access-Authentication.
Calling-Station-Id    31     1    0       0       The MAC address in binary format of the MS.
WiMAX-Session-ID      26/4   1    0       0       The NAI contained in the User-Name and the WiMAX-Session-ID forms a unique identifier of the session at the NAS.
WiMAX-DM-Action-Code  26/60  0-1  0       0       Carries the deregistration action code from AAA to the NAS. If the WiMAX-DM-Action-Code is not present in the RADIUS Disconnect message then the result will be the same as if the action code 0x was included. The end result should be that the BS sends the RES-CMD to the MS.
So I must add WiMAX-Session-ID and WiMAX-DM-Action-Code and have
Freeradius send them.
 
Could you please give me any suggestions on how to add the attribute of
WiMAX-Session-ID and WiMAX-DM-Action-Code into the sent message ?
 
Thanks a lot for your help in advance!
 
Xiaochen Chen @ WiMAX Test Lab
Beijing, China
 
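What these two attribute lists look like on the wire, as an added example that is not radclient or FreeRADIUS code: the Disconnect-Request (RFC 5176) carrying the four attributes from the WiMAX NWG table, with the Request Authenticator a receiving NAS must verify before acting, and, for the VLAN thread earlier on this page, the RFC 2868 tagged Tunnel-* attributes whose tag octet is the ":0" in Arran's quoted debug output. The WiMAX Forum vendor id (24757) and the "1,1,c" vendor-type/vendor-length/continuation layout are assumptions taken from FreeRADIUS's dictionary format rather than from the post; the shared secret and the action-code value are constructed.

```python
"""RADIUS encoding for the Disconnect-Request and VLAN threads above. Added
example; not radclient or FreeRADIUS code. Vendor id and VSA layout assumed."""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST = 40                          # RFC 5176 packet code
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 4, 26
CALLING_STATION_ID, ACCT_SESSION_ID = 31, 44
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

WIMAX_VENDOR_ID = 24757                          # WiMAX Forum enterprise number (assumed)
WIMAX_SESSION_ID, WIMAX_DM_ACTION_CODE = 4, 60   # the "26/4" and "26/60" table rows
SECRET = b"testing123"                           # constructed shared secret


def attribute(atype, value):
    """TLV; the length octet counts the type and length octets too (max 255)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return bytes([atype, len(value) + 2]) + value


def tagged_integer(atype, tag, value):
    """RFC 2868 tagged integer: tag octet, then a 3-octet big-endian value."""
    return attribute(atype, bytes([tag]) + struct.pack(">I", value)[1:])


def tagged_string(atype, tag, value):
    """RFC 2868 tagged string: tag octet, then the string."""
    return attribute(atype, bytes([tag]) + value)


def wimax_vsa(vendor_type, value):
    """WiMAX VSA in the "1,1,c" layout (assumed): vendor-type(1), vendor-length(1)
    covering type+length+continuation+value, continuation(1; high bit set means
    more fragments follow)."""
    inner = bytes([vendor_type, len(value) + 3, 0x00]) + value
    return attribute(VENDOR_SPECIFIC, struct.pack(">I", WIMAX_VENDOR_ID) + inner)


def build_request(code, ident, attrs, secret):
    """Request Authenticator for a Disconnect-Request = MD5(Code + ID + Length +
    16 zero octets + Attributes + Secret), per RFC 5176."""
    body = b"".join(attrs)
    header = struct.pack(">BBH", code, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet, secret):
    """The NAS-side check before acting on a Disconnect-Request."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(body):
    """Walk the TLV list; reject lengths that would run past the packet."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        alen = body[pos + 1]
        attrs.append((body[pos], body[pos + 2:pos + alen]))
        pos += alen
    return attrs


def decode_wimax_vsa(value):
    """Return (vendor_id, vendor_type, data) for a single-fragment WiMAX VSA."""
    vendor_id = struct.unpack(">I", value[:4])[0]
    vendor_type, vendor_len, continuation = value[4], value[5], value[6]
    if vendor_len != len(value) - 4 or continuation & 0x80:
        raise ValueError("unsupported or malformed WiMAX VSA")
    return vendor_id, vendor_type, value[7:]


def example_disconnect_request(ident=1):
    """The packet.txt from the post, encoded. "XXX" is the post's own
    placeholder; the action code 0 is a constructed value."""
    attrs = [
        attribute(USER_NAME, b"wimax"),
        attribute(CALLING_STATION_ID, b"001E310008CC"),
        attribute(NAS_IP_ADDRESS, socket.inet_aton("100.1.6.5")),
        attribute(ACCT_SESSION_ID, b"0001"),
        wimax_vsa(WIMAX_SESSION_ID, b"XXX"),
        wimax_vsa(WIMAX_DM_ACTION_CODE, struct.pack(">I", 0)),
    ]
    return build_request(DISCONNECT_REQUEST, ident, attrs, SECRET)


def vlan_reply_attributes(vlan_id, tag=0):
    """The three reply attributes of the VLAN thread as sent on the wire; the
    ":0" shown in the debug output is this tag octet."""
    return [
        tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802),
        tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()),
    ]
```

radclient's "Unknown WiMAX-Session-ID" complaint means the attribute name was not found in its dictionaries, so the encoding step never got as far as `wimax_vsa`; the two VSAs can only be sent once the WiMAX dictionary is loaded. On the VLAN side, `vlan_reply_attributes(123)` is what the server already emits in Arran's quoted log, which is why his advice is to look at the NAS rather than the server.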
