Calling-Station-Id in pam_radius_auth
Hi,

a somewhat sophisticated problem: in a mail server, we'd like to record the IP address of the client that triggered the IMAP authentication request. The IMAP server uses PAM, specifically pam_radius_auth. Is there a way to tell pam_radius_auth to send a value in Calling-Station-Id? Is there a way at all to send variables to PAM, to be used for setting Calling-Station-Id within pam_radius_auth? We could also live with getting the value into PAM and then setting it into client_id= if Calling-Station-Id is not possible; string mangling on the server side would do nicely. Something like [EMAIL PROTECTED] as an option to pam_radius_auth?

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu            Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS/PAP tunneling issue
Edwin van Zyl wrote:
> I've configured with the following options: ./configure --enable-debug --enable-developer and rebuilt, but still don't see the raw data. I've looked at the binary traces and can see that the EAP message contains encrypted application data and the size is less than 100 bytes. Am I configuring with the wrong options?

Hmm... try running with -Xxx

Alan DeKok.
Re: multiple NAS's and Mysql
Wayne Lee wrote:
> What I need to be able to do is send back different info based on the incoming request from a set of NAS's.

In 2.0, just write the policy. See man unlang.

Or, use virtual servers.

    client foo {
        ipaddr = 1.2.3.4
        ...
        virtual_server = one   # or two
    }

See raddb/sites-available/README for more examples.

> Current versions are (running on Debian sarge at the mo) freeradius = 1.0.2-4sarge3

Ouch. Please upgrade.

Alan DeKok.
Re: FR2 - proxying inner tunnel
Dmitry Sergienko wrote:
> Situation gets more clear if eap module is being called in post-proxy section of proxy-inner-tunnel:

I've updated the proxy-inner-tunnel example to work. It sends the MS-CHAP2-Success as part of the EAP session.

And please don't CC me on messages to the list. I get enough messages already.

Alan DeKok.
Re: accounting - no huntgroups
> In 2.0, much of the huntgroup functionality can be done with a little bit of magic:
>
>     client foo {
>         ipaddr = 127.0.0.1
>         secret = x
>         huntgroup = foo   # invent ANYTHING here!  foo = bar, x = y, etc.
>     }
>
> Then in unlang:
>
>     ...
>     if (%{client:huntgroup} == foo) {
>         ...
>     }
>
> i.e. you can use the configuration files to add arbitrary tags to a client, and then check them at run time.

Woah, get that working with SQL and you have an insanely useful feature. Oooo what VLANS does this NAS support, hmm i'll just check the client VLAN tags. Where is this NAS located, hmm i'll just check the arbitrarily populated location tag.

Who was meant to be updating the client list SQL features for 2.0 ?

> Alan DeKok.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: EAP-TTLS/PAP tunneling issue
That worked. thx.

    rad_recv: Access-Request packet from host 127.0.0.1:50067, id=101, length=79
            User-Name = edwinvanzyl
            Called-Station-Id = internet
            EAP-Message = 0x021001656477696e76616e7a796c
            Message-Authenticator = 0xd649ab055e13bef1b25863bcab47f81e
    Wed Feb 13 11:22:56 2008 : Debug: Processing the authorize section of radiusd.conf
    Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authorize for request 4
    Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 4
    Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: EAP packet type response id 0 length 16
    Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 4
    Wed Feb 13 11:22:56 2008 : Debug:   modcall[authorize]: module eap returns updated for request 4
    Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 4
    Wed Feb 13 11:22:56 2008 : Debug:     users: Matched entry edwinvanzyl at line 80
    Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 4
    Wed Feb 13 11:22:56 2008 : Debug:   modcall[authorize]: module files returns ok for request 4
    Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authorize (returns updated) for request 4
    Wed Feb 13 11:22:56 2008 : Debug:   rad_check_password:  Found Auth-Type EAP
    Wed Feb 13 11:22:56 2008 : Debug: auth: type EAP
    Wed Feb 13 11:22:56 2008 : Debug: Processing the authenticate section of radiusd.conf
    Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authenticate for request 4
    Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 4
    Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: EAP Identity
    Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: processing type tls
    Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap_tls: Initiate
    Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap_tls: Start returned 1
    Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 4
    Wed Feb 13 11:22:56 2008 : Debug:   modcall[authenticate]: module eap returns handled for request 4
    Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 4
    Sending Access-Challenge of id 101 to 127.0.0.1 port 50067
            EAP-Message = 0x010100061520
            Message-Authenticator = 0x
            State = 0xad2f0e60790267d123b90ade481ecca5
    Wed Feb 13 11:22:56 2008 : Debug: Finished request 4
    Wed Feb 13 11:22:56 2008 : Debug: Going to the next request
    Wed Feb 13 11:22:56 2008 : Debug: --- Walking the entire request list ---
    Wed Feb 13 11:22:56 2008 : Debug: Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 127.0.0.1:50067, id=102, length=145
            User-Name = edwinvanzyl
            Called-Station-Id = internet
            State = 0xad2f0e60790267d123b90ade481ecca5
            EAP-Message = 0x020100401580003a1603010031012d030147b2b6f06db8377eae44af2b54c47b7c102f291a22bb62187200777ccdf6621606002f003300320100
            Message-Authenticator = 0x21c075be78867ae66bd77f002e447701
    Wed Feb 13 11:22:56 2008 : Debug: Processing the authorize section of radiusd.conf
    Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authorize for request 5
    Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 5
    Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: EAP packet type response id 1 length 64
    Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 5
    Wed Feb 13 11:22:56 2008 : Debug:   modcall[authorize]: module eap returns updated for request 5
    Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 5
    Wed Feb 13 11:22:56 2008 : Debug:     users: Matched entry edwinvanzyl at line 80
    Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 5
    Wed Feb 13 11:22:56 2008 : Debug:   modcall[authorize]: module files returns ok for request 5
    Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authorize (returns updated) for request 5
    Wed Feb 13 11:22:56 2008 : Debug:   rad_check_password:  Found Auth-Type EAP
    Wed Feb 13 11:22:56 2008 : Debug: auth: type EAP
    Wed Feb 13 11:22:56 2008 : Debug: Processing the authenticate section of radiusd.conf
    Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authenticate for request 5
    Wed Feb 13 11:22:56 2008 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 5
    Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: Request found, released from the list
    Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap: EAP/ttls
    Wed Feb 13 11:22:56
Re: EAP-TTLS/PAP tunneling issue
Edwin van Zyl wrote:
> That worked. thx.
> ...
> Wed Feb 13 11:22:56 2008 : Debug:   rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
>   TTLS tunnel data in : 01 0d 65 64 77 69 6e 76 61 6e 7a 79 6c 02 09 74
>   TTLS tunnel data in 0010: 65 73 74 69 6e 67 1e 0a 69 6e 74 65 72 6e 65 74

The supplicant is sending data inside the TTLS tunnel packed as *RADIUS* attributes. That's wrong. The attributes are supposed to be packed in the *Diameter* AVP format.

Whatever supplicant you're using is broken, and WILL NOT work with *any* RADIUS server supporting TTLS.

Alan DeKok.
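The framing difference Alan is pointing at is worth seeing in bytes. Inside the TTLS tunnel, RFC 5281 (section 10.1) carries attributes as Diameter AVPs: a 32-bit AVP Code, an 8-bit flags field (V = Vendor-Id present, M = mandatory), a 24-bit length covering header and data, an optional 32-bit Vendor-Id, then the data padded to a 4-byte boundary. A RADIUS attribute is a 1-byte type, a 1-byte length and the value, which is exactly what the dump above shows (01 0d "edwinvanzyl" is User-Name, 02 09 "testing" is User-Password, 1e 0a "internet" is Called-Station-Id). The Python below is an added example, not code from this thread or from FreeRADIUS: it parses the dump as RADIUS TLVs, re-encodes the same three attributes as Diameter AVPs, parses those back, and tells the two framings apart. The sample bytes are the ones quoted in the thread; setting the M flag on every AVP is an assumption about what a well-behaved supplicant sends, and all function names are mine.

```python
import struct

# Sample input copied from the dump in the thread: the supplicant framed the
# tunnel data as RADIUS type/length/value triples instead of Diameter AVPs.
RADIUS_STYLE = bytes.fromhex(
    "010d656477696e76616e7a796c"  # User-Name (1), len 13, "edwinvanzyl"
    "020974657374696e67"          # User-Password (2), len 9, "testing"
    "1e0a696e7465726e6574"        # Called-Station-Id (30), len 10, "internet"
)

AVP_FLAG_VENDOR = 0x80     # V bit: a 32-bit Vendor-Id follows the length field
AVP_FLAG_MANDATORY = 0x40  # M bit: the receiver must understand this AVP


def parse_radius_tlvs(buf: bytes) -> list:
    """Parse RADIUS-style attributes: 1-byte type, 1-byte length (incl. header), value."""
    attrs, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated RADIUS attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad RADIUS attribute length %d at offset %d" % (length, i))
        attrs.append((attr_type, buf[i + 2:i + length]))
        i += length
    return attrs


def encode_diameter_avps(attrs, mandatory: bool = True) -> bytes:
    """Encode (code, value) pairs as RFC 5281 AVPs: code(4) flags(1) length(3) data, padded to 4.
    Standard RADIUS attributes carry no Vendor-Id, so the V bit stays clear.  Setting M is an
    assumption about what the supplicant should send."""
    out = bytearray()
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    for code, value in attrs:
        length = 8 + len(value)                     # header + data; padding is not counted
        out += struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + value
        out += b"\x00" * (-length % 4)             # pad to a 32-bit boundary
    return bytes(out)


def parse_diameter_avps(buf: bytes) -> list:
    """Parse AVPs into (code, vendor_id, flags, value); vendor_id is None when the V bit is clear."""
    attrs, i = [], 0
    while i < len(buf):
        if i + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, i)
        length = int.from_bytes(buf[i + 5:i + 8], "big")
        header_len, vendor_id = 8, None
        if flags & AVP_FLAG_VENDOR:
            if i + 12 > len(buf):
                raise ValueError("truncated vendor AVP header")
            vendor_id = struct.unpack_from("!I", buf, i + 8)[0]
            header_len = 12
        if length < header_len or i + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, i))
        attrs.append((code, vendor_id, flags, buf[i + header_len:i + length]))
        i += length + (-length % 4)                 # skip the padding too
    return attrs


def detect_framing(buf: bytes) -> str:
    """Classify tunnel data: 'diameter' (what TTLS requires), 'radius-tlv' (the broken
    supplicant in the thread) or 'unknown'.  A RADIUS TLV stream fails AVP parsing because
    its first bytes decode as an absurd AVP code and length."""
    try:
        parse_diameter_avps(buf)
        return "diameter"
    except ValueError:
        pass
    try:
        parse_radius_tlvs(buf)
        return "radius-tlv"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    print(detect_framing(RADIUS_STYLE))
    fixed = encode_diameter_avps(parse_radius_tlvs(RADIUS_STYLE))
    print(fixed.hex())
    print(parse_diameter_avps(fixed))
```

Run stand-alone it prints "radius-tlv" for the quoted bytes and then the correctly framed AVPs; the first AVP starts 00000001 40 000013, i.e. code 1, M set, 19 bytes of header plus "edwinvanzyl", followed by one byte of padding.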
Re: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]
Ranner, Frank MR wrote:
> UNCLASSIFIED

Config as requested - I did uncomment and configure the identity section - is this not required?

    ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = localhost
        identity = cn=Administrator,dc=dxi,dc=net
        password = trPic4n03
        basedn = dc=dxi,dc=net
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        #base_filter = (objectclass=radiusprofile)

        # How many connections to keep open to the LDAP server.
        # This saves time over opening a new LDAP socket for
        # every authentication request.
        ldap_connections_number = 5

        # seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        # seconds LDAP server has to process the query (server-side
        # time limit). default: 20
        #
        # LDAP_OPT_TIMELIMIT is set to this value.
        timelimit = 3

        # seconds to wait for response of the server. (network
        # failures) default: 10
        #
        # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1

        tls {
            # Set this to 'yes' to use TLS encrypted connections
            # to the LDAP database by using the StartTLS extended
            # operation.
            #
            # The StartTLS operation is supposed to be
            # used with normal ldap connections instead of
            # using ldaps (port 636) connections
            start_tls = no

            # cacertfile = /path/to/cacert.pem
            # cacertdir  = /path/to/ca/dir/
            # certfile   = /path/to/radius.crt
            # keyfile    = /path/to/radius.key
            # randfile   = /path/to/rnd

            # Certificate Verification requirements. Can be:
            #   never  (don't even bother trying)
            #   allow  (try, but don't fail if the certificate
            #           can't be verified)
            #   demand (fail if the certificate doesn't verify.)
            #
            # The default is allow
            # require_cert = demand
        }

        # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
        # profile_attribute = radiusProfileDn
        # access_attr = dialupAccess

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${confdir}/ldap.attrmap

        # Set password_attribute = nspmPassword to get the
        # user's password from a Novell eDirectory
        # backend. This will work ONLY IF FreeRADIUS has been
        # built with the --with-edir configure option.
        #
        # password_attribute = userPassword

Thanks for the tip - tried it and it didn't work. Worth a try tho - so thanks

David

    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for belld
    WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
            expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
            expand: dc=dxi,dc=net -> dc=dxi,dc=net
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to localhost:389, authentication 0
    rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
    rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user belld authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    rad_check_password:  Found Auth-Type
    !!!
    !!!  Replacing User-Password in config items with Cleartext-Password.
    !!!
    !!!  Please update your configuration so that the known good
    !!!  clear text password is in Cleartext-Password, and not in User-Password.
    !!!
Re: FR2 - proxying inner tunnel
Hi,

> Tue Feb 12 23:45:21 2008 : Error: Warning: Found 2 auth-types on request for user '[EMAIL PROTECTED]'
> Tue Feb 12 23:45:21 2008 : Debug: rad_check_password: Auth-Type = Accept, accepting the user

whoah. WinXP is very fussy (as should all EAP clients) about getting a proper EAP return. you seem to have thrown an 'Accept' straight back to the challenge rather than let the EAP engine do its business.

config file or startup debug output please

alan
Re: accounting - no huntgroups
Phil Mayers wrote:
> I've never had cause to look at it before, but I discovered today that accounting doesn't support huntgroups; specifically, an attempt to match on Huntgroup-Name in acct_users
>
> Is this expected?

The preprocess module doesn't do huntgroups for accounting requests. This should be relatively easy to fix.

> How does one normally specify Acct-Type based on a huntgroup, if (say) the Class attribute is already being used?

In 2.0, much of the huntgroup functionality can be done with a little bit of magic:

    client foo {
        ipaddr = 127.0.0.1
        secret = x
        huntgroup = foo   # invent ANYTHING here!  foo = bar, x = y, etc.
    }

Then in unlang:

    ...
    if (%{client:huntgroup} == foo) {
        ...
    }

i.e. you can use the configuration files to add arbitrary tags to a client, and then check them at run time.

Alan DeKok.
Re: accounting - no huntgroups
Arran Cudbard-Bell wrote:
> Woah, get that working with SQL and you have an insanely useful feature. Oooo what VLANS does this NAS support, hmm i'll just check the client VLAN tags. Where is this NAS located, hmm i'll just check the arbitrarily populated location tag.

Err... why? You can do that already:

    if (%{sql: SELECT ... WHERE client = %{client:shortname} ...}

Alan DeKok.
Re: Send the Accounting to two servers
Ashraf Al-Basti wrote:
> Dear All, im using freeradius as a proxy radius and need to proxy the accounting to two different servers, can i do that?

Yes and no. You can proxy it to another server, *and* log to a detail file. You can then have it read the detail file, and proxy that to another server.

You may need CVS head (or 2.0.2, out this week) for that functionality to work.

Alan DeKok.
Re: accounting - no huntgroups
Hi,

> Arran Cudbard-Bell wrote:
>> Woah, get that working with SQL and you have an insanely useful feature. Oooo what VLANS does this NAS support, hmm i'll just check the client VLAN tags. Where is this NAS located, hmm i'll just check the arbitrarily populated location tag.
>
> Err... why? You can do that already:
>
>     if (%{sql: SELECT ... WHERE client = %{client:shortname} ...}

yep - but i think the default schema for clients didn't have these extra features added. at least someone mentioned synchronising them recently

more importantly for other people - do these attributes get passed through the message structure for PERL and Python?

alan
Re: multiple NAS's and Mysql
Perhaps you mis-read my post, I have read the SQL howto (and the FAQ and Wiki) before posting to the list and the server is currently working fine using SQL. I just did not understand how to reply to different NAS's with different info. Like I said my SQL foo is rubbish. I guess what I'm really after is some pointers on what the SQL queries would look like, or do I not need to edit the queries in sql.conf? I'll upgrade to the latest version and therefore included updated docs.

Wayne

On Feb 12, 2008 7:19 PM, [EMAIL PROTECTED] wrote:
> hi,
>
> a single FreeRADIUS server can do this. simply put each range of NASs into different groups and then use the group and groupreply tables in the SQL to do your return code work.
>
> if you can't google for SQL howto freeradius then
>
> http://wiki.freeradius.org/SQL_HOWTO#Configuring_FreeRadius_to_use_SQL
>
> if that document does help you enough, then please post to the list with its weaknesses so that it may be strengthened
>
> that HOWTO link is posted each week on this list. how can we make it more obvious? (open question to others who struggle with the SQL and FreeRADIUS)
>
> alan
eap authentication and cpu utilization
Simple authentication with login/password can be handled in large numbers with a recent cpu and freeradius. EAP authentication on the other hand requires a great amount of cpu processing. Therefore I have a simple(?) question: Did someone already calculate the theoretical maximum number of eap authentications per second that a recent x86 cpu is able to handle? Or did someone do some practical research on that issue?

Norbert Wegener
Could not link driver rlm_sql_mysql
Hi Alan,

Thanks for helping me in configuring my freeradius with mysql. I've uncommented the sql in the file /usr/local/etc/raddb/sites-enabled/default. And now I've seen a message trying to communicate with mysql. But still there is a problem of not getting the mysql driver. I am using MySql 4.1.2. Please suggest how to work it out. Here is the piece of output emphasizing the errors.

    rlm_sql (sql): Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
    rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
    /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module sql
    /usr/local/etc/raddb/sites-enabled/default[123]: Failed to find module sql.
    /usr/local/etc/raddb/sites-enabled/default[33]: Errors parsing authorize section.

With Regards,
Elangbam Johnson
checkval - Calling-Station-Id
Hi

I use freeradius 1.1.7 (PLD Linux distribution). In the default configuration freeradius works OK but I have a problem checking Calling-Station-Id - for client MAC address validation.

My users file contains:

    Waldi   User-Password == 12345,

It's working. It also works when I add IP verification:

    Waldi   User-Password == 12345, Client-IP-Address == 192.168.1.10

But after adding MAC verification I always get Access-Reject:

    Waldi   User-Password == 12345, Client-IP-Address == 192.168.1.10, Calling-Station-Id == - client mac address.

For testing I use NTRadPing Test Utility 1.5.

In radiusd.conf:

    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
        notfound-reject = yes
    }

What is wrong or what did I forget about?
help.. MD5 with PAP
Hi,

I have configured freeradius 2.0.0 EAP-ttls and configured a mysql db to store the users. It was working fine until i recently decided to convert the database-stored passwords to md5 encryption. Since then, i am getting the below output, despite all my efforts. I tried all the things i could find on the internet with no result. Can anybody help? (I am a beginner for freeradius server, so it may be very simple though).

Kind regards,

I have

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type md5 {
            pap
        }

in the authenticate section, and

    pap {
        encryption_scheme = md5
        authtype = md5
        auto_header = yes
    }

in the modules/radiusd.conf file.

I have the following in my mysql - radcheck definition.

    +----+----------+----------------+----+----------------------------------+----------+
    | id | username | attribute      | op | value                            | operator |
    +----+----------+----------------+----+----------------------------------+----------+
    | 90 | t1       | Crypt-Password | := | 83f1535f99ab0bf4e9d02dfd85d3e3f7 | cengiz   |
    +----+----------+----------------+----+----------------------------------+----------+

and the following in radgroupcheck table.

    +----+-----------+--------------+----+-------------+
    | id | groupname | attribute    | op | value       |
    +----+-----------+--------------+----+-------------+
    |  1 | dynamic   | Auth-Type    | := | MD5         |
    |  2 | dynamic   | Service-Type | == | Framed-User |
    +----+-----------+--------------+----+-------------+

radiusd -X

radtest t1 t1 10.1.1.170 0 testing123

    rad_recv: Access-Request packet from host 10.1.1.170 port 32878, id=131, length=54
            User-Name = t1
            User-Password = t1
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 0
    +- entering group authorize
    ++[preprocess] returns ok
            expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.1.1.170/auth-detail-20080213
    rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.1.1.170/auth-detail-20080213
            expand: %t -> Wed Feb 13 13:36:39 2008
    ++[auth_log] returns ok
        rlm_realm: No '@' in User-Name = t1, looking up realm NULL
        rlm_realm: No such realm NULL
    ++[suffix] returns noop
      rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
            expand: %{User-Name} -> t1
    rlm_sql (sql): sql_set_user escaped user -- 't1'
    rlm_sql (sql): Reserving sql socket id: 4
            expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 't1' ORDER BY id
    rlm_sql (sql): User found in radcheck table
            expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 't1' ORDER BY id
            expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 't1' ORDER BY priority
            expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
      rad_check_password:  Found Auth-Type
    auth: type PAP
    +- entering group PAP
    rlm_pap: login attempt with password t1
    rlm_pap: No password configured for the user.  Cannot do authentication
    ++[pap] returns fail
    auth: Failed to validate the user.
    Login incorrect: [t1/t1] (from client testUserShortName port 0)
      Found Post-Auth-Type Reject
    +- entering group REJECT
            expand: %{User-Name} -> t1
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 131 to 10.1.1.170 port 32878
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 131 with timestamp +2
    Ready to process requests.
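Whatever else is going on in that setup, one thing in the posted radcheck row is worth pinning down: the value 83f1535f99ab0bf4e9d02dfd85d3e3f7 is a 32-hex-digit unsalted MD5 digest, not a crypt(3) string, and rlm_pap in 2.0 picks the hashing scheme from the attribute name (Cleartext-Password, Crypt-Password, MD5-Password, SMD5-Password, SHA-Password, SSHA-Password, ...) or, with auto_header = yes, from a {crypt}/{md5}/{sha}/... header on the value; unsalted digests may be given as hex or base64, the salted forms as base64 of digest followed by salt. The Python below is an added example, not code from this thread or from FreeRADIUS. It maps a stored value to the attribute rlm_pap would expect it under, builds the matching radcheck row, and verifies a candidate password the same way. All names are mine, the shape-based guessing for bare values is an assumption, and crypt(3) strings are recognised but deliberately not verified since that needs the system crypt library.

```python
import base64
import hashlib
import hmac
import os

# Attribute name -> (digest function, salted?).  None means the value is not hashed.
ATTRS = {
    "Cleartext-Password": (None, False),
    "Crypt-Password": (None, False),
    "MD5-Password": (hashlib.md5, False),
    "SMD5-Password": (hashlib.md5, True),
    "SHA-Password": (hashlib.sha1, False),
    "SSHA-Password": (hashlib.sha1, True),
}
# Headers that auto_header = yes strips (compared case-insensitively).
HEADERS = {
    "{clear}": "Cleartext-Password",
    "{cleartext}": "Cleartext-Password",
    "{crypt}": "Crypt-Password",
    "{md5}": "MD5-Password",
    "{smd5}": "SMD5-Password",
    "{sha}": "SHA-Password",
    "{ssha}": "SSHA-Password",
}


def _is_hex(s: str) -> bool:
    try:
        bytes.fromhex(s)
        return True
    except ValueError:
        return False


def classify(stored: str):
    """Return (attribute, payload): which radcheck attribute a stored value belongs in,
    with any {header} removed.  Bare values are guessed by shape (assumption); a bare
    13-character DES crypt string therefore needs its {crypt} header to be recognised."""
    lowered = stored.lower()
    for header, attr in HEADERS.items():
        if lowered.startswith(header):
            return attr, stored[len(header):]
    if stored.startswith("$"):                    # modular crypt(3) format, e.g. $1$salt$hash
        return "Crypt-Password", stored
    if len(stored) == 32 and _is_hex(stored):     # raw MD5 digest in hex, as in the thread
        return "MD5-Password", stored
    if len(stored) == 40 and _is_hex(stored):     # raw SHA-1 digest in hex
        return "SHA-Password", stored
    return "Cleartext-Password", stored


def radcheck_row(username: str, stored: str) -> tuple:
    """The (username, attribute, op, value) row to put in radcheck for this stored value."""
    attr, payload = classify(stored)
    return (username, attr, ":=", payload)


def _decode(payload: str, digest_len: int, salted: bool) -> bytes:
    """Unsalted digests may be hex or base64; salted forms are base64(digest + salt)."""
    if not salted and len(payload) == digest_len * 2 and _is_hex(payload):
        return bytes.fromhex(payload)
    return base64.b64decode(payload)


def verify(stored: str, candidate: str) -> bool:
    """Check candidate against stored using the scheme the attribute name implies."""
    attr, payload = classify(stored)
    digest_fn, salted = ATTRS[attr]
    if attr == "Cleartext-Password":
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if attr == "Crypt-Password":
        raise ValueError("crypt(3) hashes need the system crypt library; not verified here")
    digest_len = digest_fn().digest_size
    raw = _decode(payload, digest_len, salted)
    digest, salt = raw[:digest_len], raw[digest_len:]
    if len(digest) != digest_len or (salt and not salted):
        return False                              # malformed stored value, never a match
    computed = digest_fn(candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)


def make_salted(password: str, digest_fn=hashlib.md5, salt=None) -> str:
    """Produce an SMD5/SSHA value in the LDAP-style form {header}base64(digest(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    header = "{smd5}" if digest_fn is hashlib.md5 else "{ssha}"
    return header + base64.b64encode(digest_fn(password.encode() + salt).digest() + salt).decode()


if __name__ == "__main__":
    print(radcheck_row("t1", "83f1535f99ab0bf4e9d02dfd85d3e3f7"))
    print(verify("900150983cd24fb0d6963f7d28e17f72", "abc"))   # md5("abc")
    print(verify(make_salted("abc", hashlib.sha1), "abc"))
```

The row it prints for the thread's value names MD5-Password rather than Crypt-Password; unsalted MD5 is kept only because the thread uses it, and if you are choosing a storage format rather than migrating one, the salted SSHA form built by make_salted is the least bad of the schemes rlm_pap accepts.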
RE: MLPPP - Maybe off topic
I've followed the Cisco docs as much possible, and believe I have done all that is required.

My Cisco config now has the following:

    aaa new-model
    !
    !
    aaa authentication ppp default group radius
    aaa authorization network default group radius if-authenticated
    aaa accounting delay-start
    aaa accounting delay-start vrf default
    aaa accounting update periodic 60
    aaa accounting network default start-stop group radius
    !
    aaa nas port extended
    radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key 7 xx
    radius-server vsa send authentication

### Which are the parts it says to add.

The radius profile for the user now has:

    Cisco-AVPair += preauth:ppp-multilink=1

Added. But the user just gets logged in twice like so:

    Vi2.519    [EMAIL PROTECTED]   PPPoVPDN   -   10.0.0.88
    Vi2.1560   [EMAIL PROTECTED]   PPPoVPDN   -   10.0.0.88

With the same static IP, this is the IP address that is assigned to the user anyway.

I would expect to see something like:

    ###
    Vi2.519    [EMAIL PROTECTED]   PPPoVPDN     00:00:07
    Vi2.1560   [EMAIL PROTECTED]   MLP Bundle   00:00:13   10.0.0.88
    ###

We are using a Cisco 7304 as our NAS running IOS version 12.2(28)SB9 and Freeradius version 2.0.1 with a MySQL backend.

If anyone has any suggestions or has this working I would appreciate any help.

Here is some debug from the Cisco, debugging radius authentication when the user logged in.

    #
    *Feb 13 11:36:24.610 GMT: RADIUS/ENCODE: Best Local IP-Address 192.168.1.88 for Radius-Server 192.168.1.1
    *Feb 13 11:36:24.610 GMT: RADIUS(00113478): Send Access-Request to 192.168.1.1:1645 id 1645/210, len 127
    *Feb 13 11:36:24.610 GMT: RADIUS:  authenticator 74 BF BC 30 CC 6A 29 01 - 30 74 A1 B8 EA E4 77 DF
    *Feb 13 11:36:24.610 GMT: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    *Feb 13 11:36:24.610 GMT: RADIUS:  User-Name           [1]   31  [EMAIL PROTECTED]
    *Feb 13 11:36:24.610 GMT: RADIUS:  CHAP-Password       [3]   19  *
    *Feb 13 11:36:24.610 GMT: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    *Feb 13 11:36:24.610 GMT: RADIUS:  NAS-Port            [5]   6   2440
    *Feb 13 11:36:24.610 GMT: RADIUS:  NAS-Port-Id         [87]  18  Uniq-Sess-ID2440
    *Feb 13 11:36:24.610 GMT: RADIUS:  Connect-Info        [77]  9   8083000
    *Feb 13 11:36:24.610 GMT: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Feb 13 11:36:24.610 GMT: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.88
    *Feb 13 11:36:24.614 GMT: RADIUS: Received from id 1645/210 192.168.1.1:1645, Access-Accept, len 142
    *Feb 13 11:36:24.614 GMT: RADIUS:  authenticator 22 AC 91 C8 A6 99 E6 01 - 55 C1 6C E6 7E DF 0F 6A
    *Feb 13 11:36:24.614 GMT: RADIUS:  Framed-IP-Address   [8]   6   10.0.0.88
    *Feb 13 11:36:24.614 GMT: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.255
    *Feb 13 11:36:24.614 GMT: RADIUS:  Vendor, Cisco       [26]  61
    *Feb 13 11:36:24.618 GMT: RADIUS:   Cisco AVpair       [1]   55  ip:route= 192.168.3.0 255.255.255.248 10.0.0.88
    *Feb 13 11:36:24.618 GMT: RADIUS:  Acct-Interim-Interva[85]  6   7200
    *Feb 13 11:36:24.618 GMT: RADIUS:  Vendor, Cisco       [26]  31
    *Feb 13 11:36:24.618 GMT: RADIUS:   Cisco AVpair       [1]   25  preauth:ppp-multilink=1
    *Feb 13 11:36:24.618 GMT: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Feb 13 11:36:24.618 GMT: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    *Feb 13 11:36:24.618 GMT: RADIUS(00113478): Received from id 1645/210
    ###

Thanks in advance

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 09 February 2008 07:44
To: FreeRadius users mailing list
Subject: Re: MLPPP - Maybe off topic

Tony Spencer wrote:
> We are trying to bond 2 DSL lines for a customer who has 2 phone lines and 2 DSL circuits in his office.

You may also need to set the standard RADIUS attributes for doing multilink. See the Cisco docs for more information.

Alan DeKok.
Re: accounting - no huntgroups
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Woah, get that working with SQL and you have an insanely useful feature. Oooo what VLANS does this NAS support, hmm i'll just check the client VLAN tags. Where is this NAS located, hmm i'll just check the arbitrarily populated location tag.
>
> Err... why? You can do that already:
>
>     if (%{sql: SELECT ... WHERE client = %{client:shortname} ...}
>
> Alan DeKok.

Yeah ... I know. It's just with static information, you don't really want to be querying the database again and again for each query. Lodging the information against the client is far more efficient, especially with VLAN information which isn't going to be changing regularly.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
radiusd dying
Hi there !

After 1.1.7 had been running for about a month without any problems, radiusd has now died silently or completely stuck (it has to be kill -9ed) a couple of times. In either case, I get no logs about what's wrong. My platform is Solaris 10/x64 with quite current patches.

Are there any known issues?

TIA
fw
Re: I can't get 'access-accept' from Linux clients (SOLVED)
2008/1/10, [EMAIL PROTECTED] [EMAIL PROTECTED]:
> Hi,
>
>> Hi,
>> I can't still figure it out why I can't access from Linux clients. I use version 1.1.7 of freeradius. Linux client is a Fedora 8 system.
>
> what is the linux client config? i see the following in your debug
>
>     rlm_eap: Request found, released from the list
>     rlm_eap: EAP/md5
>     rlm_eap: processing type md5
>     rlm_eap_md5: User-Password is required for EAP-MD5 authentication
>     rlm_eap: Handler failed in EAP/md5
>     rlm_eap: Failed in EAP select
>     modcall[authenticate]: module eap returns invalid for request 84
>     modcall: leaving group authenticate (returns invalid) for request 84
>     auth: Failed to validate the user.
>
> i would also advise that you upgrade to 2.0.0 - not only could this issue be resolved anyway - it's a hell of a lot easier to debug - far less EAP messages!
>
> alan

Well, Finally I get the blessed Access-Accept for Linux clients too. How I did that? Well, I upgraded to radius 2.0.1.
maybe it could be helpful for many people my settings, well I won't hide as alchemy secret ;)

radiusd.conf

    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = ${prefix}/var
    sbindir = ${exec_prefix}/sbin
    logdir = ${localstatedir}/log/radius
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/radiusd
    log_file = ${logdir}/radius.log
    libdir = ${exec_prefix}/lib
    pidfile = ${run_dir}/radiusd.pid
    user = radiusd
    group = radiusd
    max_request_time = 30
    delete_blocked_requests = no
    cleanup_delay = 5
    max_requests = 1024
    bind_address = xxx.qq.yyy.pp
    port = 0
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log_stripped_names = no
    log_auth = no
    log_auth_badpass = no
    log_auth_goodpass = no
    usercollide = no
    lower_user = no
    lower_pass = no
    nospace_user = no
    nospace_pass = no
    checkrad = ${sbindir}/checkrad
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
    }
    proxy_requests = yes
    $INCLUDE ${confdir}/proxy.conf
    $INCLUDE ${confdir}/clients.conf
    snmp = no
    $INCLUDE ${confdir}/snmp.conf
    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }
    modules {
        pap {
            auto_header = yes
        }
        chap {
            authtype = CHAP
        }
        pam {
            pam_auth = radiusd
        }
        $INCLUDE ${confdir}/eap.conf
        mschap {
            use_mppe = no
            require_encryption = yes
        }
        ldap {
            server = ldap.cadorna.biz
            port = 636
            identity = cn=freeradius,ou=applications,dc=cadorna,dc=biz
            password = sambombas
            basedn = ou=people,dc=palermo,dc=edu
            filter = (uid=%{Stripped-User-Name:-%{User-Name}})
            ldap_debug = 0x0028
            tls_cacertfile = /etc/raddb/cacert.pem
            tls_randfile = /dev/urandom
            tls_require_cert = allow
            access_attr = radiusAllowed
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            ldap_connections_number = 5
            password_attribute = userPassword
            edir_account_policy_check = no
            timeout = 4
            timelimit = 3
            net_timeout = 1
        }
        realm IPASS {
            format = prefix
            delimiter = /
            ignore_default = no
            ignore_null = no
        }
        realm suffix {
            format = suffix
            delimiter = @
            ignore_default = no
            ignore_null = no
        }
        realm realmpercent {
            format = suffix
            delimiter = %
            ignore_default = no
            ignore_null = no
        }
        realm ntdomain {
            format = prefix
            delimiter = \\
            ignore_default = no
            ignore_null = no
        }
        checkval {
            item-name = Calling-Station-Id
            check-name = Calling-Station-Id
            data-type = string
        }
        preprocess {
            huntgroups = ${confdir}/huntgroups
            hints = ${confdir}/hints
            with_ascend_hack = no
            ascend_channels_per_line = 23
            with_ntdomain_hack = no
            with_specialix_jetstream_hack = no
            with_cisco_vsa_hack = no
        }
        files {
            usersfile = ${confdir}/users
            acctusersfile = ${confdir}/acct_users
            preproxy_usersfile = ${confdir}/preproxy_users
            compat = no
        }
        detail {
            detailfile =
Re: Could not link driver rlm_sql_mysql
johnson elangbam wrote: rlm_sql (sql): Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld. Read the FAQ. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]
David W Bell wrote:

Ranner, Frank MR wrote:
UNCLASSIFIED
Config as requested - I did uncomment and configure the identity section - is this not required?

ldap {
    #
    # Note that this needs to match the name in the LDAP
    # server certificate, if you're using ldaps.
    server = localhost
    identity = cn=Administrator,dc=dxi,dc=net
    password = trPic4n03
    basedn = dc=dxi,dc=net
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    #base_filter = (objectclass=radiusprofile)

    # How many connections to keep open to the LDAP server.
    # This saves time over opening a new LDAP socket for
    # every authentication request.
    ldap_connections_number = 5

    # seconds to wait for LDAP query to finish. default: 20
    timeout = 4

    # seconds LDAP server has to process the query (server-side
    # time limit). default: 20
    #
    # LDAP_OPT_TIMELIMIT is set to this value.
    timelimit = 3

    #
    # seconds to wait for response of the server. (network
    # failures) default: 10
    #
    # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
    net_timeout = 1

    tls {
        # Set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        #
        # The StartTLS operation is supposed to be
        # used with normal ldap connections instead of
        # using ldaps (port 689) connections
        start_tls = no

        # cacertfile = /path/to/cacert.pem
        # cacertdir  = /path/to/ca/dir/
        # certfile   = /path/to/radius.crt
        # keyfile    = /path/to/radius.key
        # randfile   = /path/to/rnd

        # Certificate Verification requirements. Can be:
        #   never  (don't even bother trying)
        #   allow  (try, but don't fail if the certificate
        #           can't be verified)
        #   demand (fail if the certificate doesn't verify.)
        #
        # The default is allow
        # require_cert = demand
    }

    # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
    # profile_attribute = radiusProfileDn
    # access_attr = dialupAccess

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${confdir}/ldap.attrmap

    # Set password_attribute = nspmPassword to get the
    # user's password from a Novell eDirectory
    # backend. This will work ONLY IF FreeRADIUS has been
    # built with the --with-edir configure option.
    #
    # password_attribute = userPassword
}

Thanks for the tip - tried it and it didn't work. Worth a try tho - so thanks

David

rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
        expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Re: eap authentication and cpu utilization
Norbert Wegener wrote:

Simple authentication with login/password can be handled in large numbers with a recent cpu and freeradius. EAP authentication on the other hand requires a great amount of cpu processing.

It's all in the SSL rsa keying setup.

Therefore I have a simple(?) question: Did someone already calculate the theoretical maximum number of eap authentications per second that a recent x86 cpu is able to handle?

$ openssl speed

Or

$ openssl speed rsa

http://www.madboa.com/geek/openssl/#benchmark-speed

For 2048 bit rsa keys, the web page gives 77 signs/s for a 2GHz Intel Core 2. My 1GHz laptop gives around 20/s.

That number becomes the limiting factor for any TLS-based EAP method. It doesn't matter if the rest of the server can handle 5k PAP requests/s. If it can only do 77 rsa signings/s, that is the maximum number of EAP-TLS/TTLS/PEAP sessions that it can do.

Alan DeKok.
Re: I can't get 'access-accept' from Linux clients (SOLVED)
Ooops, because of the emotion I pasted old config files. Well here are the fresh files:

prefix = /usr/local2
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${raddbdir}
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
    ipaddr = zzz.zz.zz.zzz
    port = 0
    type = auth
}
listen {
    ipaddr = zzz.zz.zz.zzz
    port = 0
    type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
    destination = files
    syslog_facility = daemon
    file = ${logdir}/radius.log
    stripped_names = no
    auth = yes
    auth_badpass = no
    auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
snmp = no
$INCLUDE snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        auto_header = yes
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE eap.conf
    mschap {
    }
    ldap {
        server = ldap.cadorna.biz
        port = 636
        identity = cn=freeradius,ou=applications,dc=cadorna,dc=biz
        password = sambombas
        basedn = ou=people,dc=cadorna,dc=biz
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
            cacertfile = /etc/raddb2/cacert.pem
            randfile = /dev/urandom
            require_cert = allow
        }
        access_attr = radiusAllowed
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
    }
    realm IPASS {
        format = prefix
        delimiter = /
    }
    realm suffix {
        format = suffix
        delimiter = @
    }
    realm realmpercent {
        format = suffix
        delimiter = %
    }
    realm ntdomain {
        format = prefix
        delimiter = \\
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
        header = "%t"
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    $INCLUDE sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = yes
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = no
    }
    attr_filter attr_filter.post-proxy {
        attrsfile = ${confdir}/attrs
    }
    attr_filter attr_filter.pre-proxy {
        attrsfile = ${confdir}/attrs.pre-proxy
    }
    attr_filter attr_filter.access_reject {
        key = %{User-Name}
        attrsfile = ${confdir}/attrs.access_reject
    }
    attr_filter attr_filter.accounting_response {
        key = %{User-Name}
        attrsfile = ${confdir}/attrs.accounting_response
    }
    counter daily {
        filename = ${db_dir}/db.daily
        key
Re: radiusd dying
Frank Winkler wrote:

After 1.1.7 had been running for about a month without any problems, radiusd has now died silently or completely stuck (it has to be kill -9ed) a couple of times. In either case, I get no logs about what's wrong. My platform is Solaris 10/x64 with quite current patches. Are there any known issues?

No idea. Try grabbing CVS of branch_1_1:

$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r branch_1_1 radiusd

and in the checkout:

$ cvs diff -u -r release_1_1_7 -r branch_1_1

There are a number of fixes post 1.1.7 which may help. These may be rolled into a 1.1.8 at some point, but it's a very low priority.

Alan DeKok.
Re: EAP-TTLS/PAP tunneling issue
Edwin van Zyl wrote:

I've been simulating the traffic with JRadiusSimulator and used the EAP-TTLS/PAP option.

It *should* be working...

Is there any other simulator you know of which I can use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your help.

eapol_test, which is part of wpa_supplicant.

Alan DeKok.
Re: I can't get 'access-accept' from Linux clients
2008/1/11, Arran Cudbard-Bell [EMAIL PROTECTED]:

[EMAIL PROTECTED] wrote:

Store cleartext passwords and all eap types will work. Real problem is the encrypted password not the eap type.

Ivan Kalik
Kalik Informatika ISP

On 11/1/2008, Sergio Belkin [EMAIL PROTECTED] wrote:

2008/1/10, Ivan Kalik [EMAIL PROTECTED]:

... rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items ... rlm_eap_md5: User-Password is required for EAP-MD5 authentication ...

You can't use encrypted passwords with EAP-MD5.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP

Thanks Ivan! So what default eap type should I use in a mixed environment (I mean: Linux and Windows clients)?

EAP-TTLS with PAP inner encryption. Though you'd need to use SecureW2 or the Open SEA supplicant for the windows side. Otherwise you'd need NT-Hashes for MSChap based methods, or the password stored in the clear.

Sorry for the stupid and moron question, but how should I do that? Of course I don't ask you to tell me the step by step, only a clue to follow... thanks in advance

TIA

--
Arran Cudbard-Bell ([EMAIL PROTECTED])

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
Re: EAP-TTLS/PAP tunneling issue
I've been simulating the traffic with JRadiusSimulator and used the EAP-TTLS/PAP option.

Is there any other simulator you know of which I can use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your help.

On 13 Feb 2008, at 12:20 PM, Alan DeKok wrote:

Edwin van Zyl wrote:

That worked. thx. ... Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS tunnel data in 0000: 01 0d 65 64 77 69 6e 76 61 6e 7a 79 6c 02 09 74
TTLS tunnel data in 0010: 65 73 74 69 6e 67 1e 0a 69 6e 74 65 72 6e 65 74

The supplicant is sending data inside the TTLS tunnel packed as *RADIUS* attributes. That's wrong. The attributes are supposed to be packed in the *Diameter* AVP format.

Whatever supplicant you're using is broken, and WILL NOT work with *any* RADIUS server supporting TTLS.

Alan DeKok.
Re: accounting - no huntgroups
[EMAIL PROTECTED] wrote:

yep - but i think the default schema for clients didnt have these extra features added. at least someone mentioned synchronising them recently more importantly for other people - do these attributes get passed through the message structure for PERL and Python?

Nope. They're only in the configuration file, and only available via the run-time expansion. But you *can* do:

update request {
        Client-Foo = "%{client:foo}"
}

Which is good enough for most purposes.

Alan DeKok.
Re: help.. MD5 with PAP
Cengiz Coşkun wrote:

Hi, I have configured freeradius 2.0.0 EAP-ttls and configured a mysql db to store the users. It was working fine until i recently decided to convert the database-stored passwords to md5 encryption.

Store the passwords as MD5-Password. See "man rlm_pap". You do NOT need to edit anything in the default configuration.

Auth-Type md5 {
        pap

This is not necessary. Delete it.

pap {
        encryption_scheme = md5
        authtype = md5
        auto_header = yes

Did you even read the comments in radiusd.conf for the pap module? The encryption_scheme should *not* be used in 2.0, and it is *not* documented as a working configuration.

| id | username | attribute      | op | value                            |
| 90 | t1       | Crypt-Password | := | 83f1535f99ab0bf4e9d02dfd85d3e3f7 |

cengiz

Read "man rlm_pap". Really, it explains almost everything...

and the following in radgroupcheck table.

| id | groupname | attribute | op | value |
| 1  | dynamic   | Auth-Type | := | MD5   |

Delete that entry. It's wrong.

Alan DeKok.
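As an added example, written for this page and not taken from FreeRADIUS or from either poster, here is a small Python emulation of how rlm_pap selects and checks a "known good" password. It serves two threads on this page: the MD5 table rows above, and the {SSHA} value from the earlier "I can't get 'access-accept'" thread. The header-to-attribute map and the accepted encodings (raw, hex, base64) are assumptions taken from the rlm_pap documentation for 2.0; Crypt-Password is omitted because it needs the system crypt(3). The point it makes: a 32-character MD5 hex string belongs in MD5-Password (or in Cleartext-Password with a {md5} prefix when auto_header = yes), the server picks the attribute itself, and nothing sets Auth-Type. The SSHA value from LDAP verifies fine for PAP-style methods, but EAP-MD5 still needs the clear text, because it must compute its own MD5 over the challenge, which a stored hash cannot provide.

```python
import base64
import binascii
import hashlib
import hmac

# Headers rlm_pap recognises when auto_header = yes, mapped to the attribute
# it converts them into (assumed from the rlm_pap man page; the NT, LM and
# crypt forms are left out because they need non-stdlib routines).
AUTO_HEADERS = {
    "{clear}": "Cleartext-Password",
    "{cleartext}": "Cleartext-Password",
    "{md5}": "MD5-Password",
    "{sha}": "SHA1-Password",
    "{ssha}": "SSHA-Password",
}
KNOWN_GOOD = ("Cleartext-Password", "MD5-Password", "SHA1-Password", "SSHA-Password")


def split_header(known_good):
    """Map '{header}payload' onto (attribute, payload); (None, value) without a header."""
    lowered = known_good.lower()
    for header, attr in AUTO_HEADERS.items():
        if lowered.startswith(header):
            return attr, known_good[len(header):]
    return None, known_good


def decode_digest(payload, digest_len):
    """Accept a stored hash as raw bytes, hex or base64, like rlm_pap's normify()."""
    if isinstance(payload, str):
        if len(payload) == digest_len:            # raw digest stored as a string
            return payload.encode("latin-1")
        if len(payload) == 2 * digest_len:        # hex, as in the radcheck row above
            return binascii.unhexlify(payload)
        payload = payload.encode("ascii")
    elif len(payload) == digest_len:
        return payload
    raw = base64.b64decode(payload, validate=True)   # base64, as LDAP {SSHA} values are
    if len(raw) < digest_len:
        raise ValueError("decoded hash is shorter than the digest")
    return raw


def ssha_hash(password, salt):
    """Produce an SSHA-Password value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def check_password(attr, known_good, supplied):
    """Compare the supplied clear-text password against one known-good attribute."""
    pw = supplied.encode("utf-8")
    if attr == "Cleartext-Password":
        return hmac.compare_digest(known_good.encode("utf-8"), pw)
    if attr == "MD5-Password":
        return hmac.compare_digest(decode_digest(known_good, 16), hashlib.md5(pw).digest())
    if attr == "SHA1-Password":
        return hmac.compare_digest(decode_digest(known_good, 20), hashlib.sha1(pw).digest())
    if attr == "SSHA-Password":
        raw = decode_digest(known_good, 20)
        digest, salt = raw[:20], raw[20:]          # salt is whatever follows the 20-byte digest
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported known-good attribute %s" % attr)


def pap_authenticate(check_items, supplied, auto_header=True):
    """Pick the known-good password out of the check items and verify it.

    check_items maps attribute -> value, as rlm_sql or rlm_ldap add them. A
    legacy User-Password check item is treated as Cleartext-Password (the 2.0
    server does this and prints the '!!!' warning quoted elsewhere on this
    page). With auto_header, a {md5}/{ssha}/... prefix selects the attribute.
    No Auth-Type setting takes part in any of this.
    """
    items = dict(check_items)
    if "User-Password" in items:
        items["Cleartext-Password"] = items.pop("User-Password")
    if auto_header and "Cleartext-Password" in items:
        attr, payload = split_header(items["Cleartext-Password"])
        if attr is not None:
            del items["Cleartext-Password"]
            items[attr] = payload
    for attr in KNOWN_GOOD:
        if attr in items:
            return check_password(attr, items[attr], supplied)
    raise LookupError("no known good password found")   # rlm_pap would return noop
```

Usage: `pap_authenticate({"MD5-Password": "<32 hex chars>"}, "password")` is the working form of the table row above; storing the same hex under Crypt-Password hands it to crypt(3), which will never match it.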
rlm_ippool error problem
Dear All:

rlm_ippool returns duplicate IP addresses. In the past I used version 1.0.5, so I thought it might be a bug in that version, so I installed version 2.0.1, and the problem still appears; but in the latest version the problem always appears on specific IPs, for example x.x.117.63, x.x.119.162. After a lot of debugging I suspect the pool definition, which starts not from 1, and the mask:

ippool nonsub_pool {
        range-start = x.x.116.177
        range-stop = x.x.119.254
        netmask = 255.255.252.0
        cache-size = 833
        session-db = ${raddbdir}/dbnon.ippool
        ip-index = ${raddbdir}/dbnon.ipindex
        override = no
}

any idea or hint please

Thanks
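A check worth running before going further with rlm_ippool debugging, as an added example that is not part of the post or of FreeRADIUS: compute what the pool definition above actually covers. The comments shipped with the rlm_ippool section of radiusd.conf say cache-size should match the number of addresses in the pool (from memory; verify against your own copy). For the range above that is 846 addresses against cache-size = 833, a mismatch worth fixing before blaming the module. The first two octets are placeholders because the post masks them.

```python
import ipaddress

# Constructed pool definition mirroring the post; "10.0" stands in for the
# masked first two octets.
POOL = {
    "range-start": "10.0.116.177",
    "range-stop": "10.0.119.254",
    "netmask": "255.255.252.0",
    "cache-size": 833,
}


def pool_report(pool):
    """Describe an ippool range and list anything that does not add up."""
    start = ipaddress.IPv4Address(pool["range-start"])
    stop = ipaddress.IPv4Address(pool["range-stop"])
    # The subnet that range-start falls into, given the configured netmask.
    subnet = ipaddress.IPv4Network((str(start), pool["netmask"]), strict=False)
    problems = []
    if stop < start:
        problems.append("range-stop is below range-start")
    if stop not in subnet:
        problems.append("range-stop %s is outside %s" % (stop, subnet))
    addresses = [ipaddress.IPv4Address(n) for n in range(int(start), int(stop) + 1)]
    reserved = {subnet.network_address, subnet.broadcast_address}
    usable = [a for a in addresses if a not in reserved]
    if len(usable) != len(addresses):
        problems.append("range includes the network or broadcast address")
    if pool["cache-size"] != len(usable):
        problems.append("cache-size %d differs from the %d pool addresses"
                        % (pool["cache-size"], len(usable)))
    return {
        "subnet": str(subnet),
        "addresses": len(addresses),
        "usable": len(usable),
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in pool_report(POOL).items():
        print(key, value)
```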
Re: Calling-Station-Id in pam_radius_auth
Stefan Winter wrote:

Is there a way to tell pam_radius_auth to send a value in Calling-Station-Id?

Source code edits.

Is there a way at all to send variables to PAM at all, to be used for setting Calling-Station-Id within pam_radius_auth?

Source code edits.

Alan DeKok.
Re: EAP-TTLS/PAP tunneling issue
Hi,

I've been simulating the traffic with JRadiusSimulator and used the EAP-TTLS/PAP option.

Is there any other simulator you know of which I can use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your help.

wpa_supplicant is a good tool

alan
SQL Escape Chars
Hi,

Am I right in thinking that most alphanumeric characters are escaped before being inserted into SQL databases, and that the resultant string is "=" followed by the ASCII value as hex? For example, the Reply-Message 'HP Networking equipment makes me sad, angry and staby.' would be entered as 'HP Networking equipment makes me sad=2C angry and staby.'

Or is it just sensitive SQL chars that are written in this form?

Is this going to change at some point in the future, or can I safely start replacing these with HTML special characters when displaying FreeRADIUS'd attributes ...

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
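As an added example for this question (written for this page; not rlm_sql's code and not the poster's): the escaping rlm_sql applies is byte-wise, and it is driven by the safe-characters list in sql.conf, not by a list of SQL-sensitive characters. The list below is the 2.0 default as I recall it and is an assumption to check against your own sql.conf. Every byte outside that list, including '=', quotes and all non-ASCII bytes, is written as '=' plus two uppercase hex digits, which is where the =2C in the example above comes from. Because '=' is never in the safe list, the encoding is unambiguous, so a display layer should decode it first and only then HTML-escape, rather than treating =XX as something to turn into HTML entities directly.

```python
import html

# Assumed default safe-characters list from sql.conf (2.0); it is configurable,
# so read it from your own sql.conf rather than trusting this copy.
SAFE_CHARACTERS = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
HEX_DIGITS = set("0123456789abcdefABCDEF")


def sql_escape(value, safe=SAFE_CHARACTERS):
    """Escape a value the way rlm_sql does before substituting it into a query.

    Works on the UTF-8 bytes, so a non-ASCII character becomes one =XX per byte.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x80 and chr(byte) in safe:
            out.append(chr(byte))
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def sql_unescape(stored):
    """Reverse sql_escape on a value read back from the database.

    A bare '=' cannot occur in escaped data (it is escaped as =3D), so every
    '=' followed by two hex digits is an escape; anything else is copied.
    """
    out = bytearray()
    i = 0
    while i < len(stored):
        pair = stored[i + 1:i + 3]
        if stored[i] == "=" and len(pair) == 2 and set(pair) <= HEX_DIGITS:
            out.append(int(pair, 16))
            i += 3
        else:
            out.extend(stored[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", "replace")


def for_html(stored):
    """Decode the SQL-side escaping first, then HTML-escape for the browser."""
    return html.escape(sql_unescape(stored), quote=True)
```

The order in `for_html` matters: decoding after HTML-escaping would let a stored `=3Cscript=3E` turn back into a live tag on the page.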
Re: eap authentication and cpu utilization
Alan DeKok wrote:

..

$ openssl speed

Or

$ openssl speed rsa

http://www.madboa.com/geek/openssl/#benchmark-speed

For 2048 bit rsa keys, the web page gives 77 signs/s for a 2GHz Intel Core 2. My 1GHz laptop gives around 20/s.

That number becomes the limiting factor for any TLS-based EAP method. It doesn't matter if the rest of the server can handle 5k PAP requests/s. If it can only do 77 rsa signings/s, that is the maximum number of EAP-TLS/TTLS/PEAP sessions that it can do.

Alan DeKok.

Fine, that openssl switch has been new to me. Do you also have experience of what percentage of that theoretical value can be reached in practice with a database backend on the same machine, where besides freeradius and the database nothing else is running?

Norbert Wegener
Acct-Authentic changing usernames
We're bringing a Cisco (formerly Airespace) lightweight wireless system online, and I'm seeing some odd things in the accounting. Specifically, the usernames can change in the accounting packets. This causes the default SQL queries (at least, the ones for Postgres under 1.1.7) to generate duplicate entries for the session, because the where clause includes the username.

For example, I might see this:

        User-Name = unknown
        NAS-Port = 29
        NAS-IP-Address = 172.16.x.x
        Framed-IP-Address = 192.168.x.x
        NAS-Identifier = wlan-wism-1-1
        Airespace-Wlan-Id = 2
        Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
        Acct-Authentic = Remote
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 3602
        Acct-Status-Type = Start
        Calling-Station-Id = 00:aa:bb:cc:dd:ee
        Called-Station-Id = 00:1b:d5:08:01:00

...then a few seconds later

        User-Name = THEUSER
        NAS-Port = 29
        NAS-IP-Address = 172.16.x.x
        Framed-IP-Address = 192.168.x.x
        NAS-Identifier = wlan-wism-1-1
        Airespace-Wlan-Id = 2
        Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
        Acct-Authentic = RADIUS
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 3602
        Acct-Status-Type = Interim-Update
        Acct-Input-Octets = 105078
        Acct-Output-Octets = 72551
        Acct-Input-Packets = 754
        Acct-Output-Packets = 300
        Acct-Session-Time = 74
        Acct-Delay-Time = 0
        Calling-Station-Id = 00:aa:bb:cc:dd:ee
        Called-Station-Id = 00:1b:d5:08:01:00

If the user is on e.g. a windows XP laptop and logs out, I might finally see:

        User-Name = host/thelaptop.domain.com
        NAS-Port = 29
        NAS-IP-Address = 172.16.x.x
        Framed-IP-Address = 192.168.x.x
        NAS-Identifier = wlan-wism-1-1
        Airespace-Wlan-Id = 2
        Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
        Acct-Authentic = Remote
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 3602
        Acct-Status-Type = Stop
        Acct-Input-Octets = 1852445
        Acct-Output-Octets = 5401691
        Acct-Input-Packets = 17608
        Acct-Output-Packets = 8630
        Acct-Terminate-Cause = User-Request
        Acct-Session-Time = 30517
        Acct-Delay-Time = 0
        Calling-Station-Id = 00:aa:bb:cc:dd:ee
        Called-Station-Id = 00:1b:d5:08:01:00

It seems the NAS is having a changing view of the authentication username as various events take place, presumably at the EAPOL layer. However it seems to consistently set Acct-Authentic to RADIUS for real usernames, and Remote for unknown or non-authenticated usernames, so it sort of knows this is happening.

Now the Cisco WLC (nee Airespace) is a weird bit of kit anyway; it sort of holds onto client sessions in case they come back shortly (not unusual for wireless) but I'm wondering if this behaviour is legal, sane or what?

I can probably fix our SQL queries, but I thought people might be interested; for interest, what was the original rationale behind the where clause in the default SQL queries:

where username='%{SQL-User-Name}'

??
Re: EAP-TTLS/PAP tunneling issue
Your comment *should* focused my attention on the JRadius simulator and I finally got it to work.

Problem: Old version of JRadiusSimulator. The one I used, I'd downloaded from http://sourceforge.net/projects/jradius . Rather use the java web start option at http://coova.org/wiki/index.php/JRadius/Simulator for the latest version.

Thx for your assistance.

Kind Regards,
Edwin

On 13 Feb 2008, at 4:33 PM, Alan DeKok wrote:

Edwin van Zyl wrote:

I've been simulating the traffic with JRadiusSimulator and used the EAP-TTLS/PAP option.

It *should* be working...

Is there any other simulator you know of which I can use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your help.

eapol_test, which is part of wpa_supplicant.

Alan DeKok.
Help needed to configure Challenge Response
Can someone guide me with the steps to enable the Challenge Response in Freeradius server?

Thanks,
Deepak
Is tunnel right? (EAP-TTLS)
Hi,

I am using EAP-TTLS with eap.conf. It is working, but looking at the debug messages and at sniffer output I can see the User-Name (pepino, in this example); earlier, radius 1.1.7 only showed anonymous... I see no passwords (I think they're safe inside the tunnel, aren't they?). Is that right? This is the debug output:

rad_recv: Access-Request packet from host 10.30.1.83 port 2053, id=0, length=125
        User-Name = pepino
        NAS-IP-Address = 10.30.1.83
        Called-Station-Id = 000625f17036
        Calling-Station-Id = 000e35bf5118
        NAS-Identifier = 000625f17036
        NAS-Port = 54
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020b016d6261726265
        Message-Authenticator = 0xef93fe76912976e965bb1b2a20401ef3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = pepino, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for pepino
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=pepino)
        expand: ou=people,dc=saltamontes,dc=edu -> ou=people,dc=saltamontes,dc=edu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.saltamontes.edu:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb2/cacert.pem
rlm_ldap: setting TLS Key File to /dev/urandom
rlm_ldap: bind as cn=freeradius,ou=applications,dc=saltamontes,dc=edu/pepe to ldap.saltamontes.edu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=saltamontes,dc=edu, with filter (uid=pepino)
rlm_ldap: checking if remote access for pepino is allowed by radiusAllowed
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user pepino authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.30.1.83 port 2053
        EAP-Message = 0x010100061520
        Message-Authenticator = 0x
        State = 0x09eceb5c09edfe065d8607a9b4fe1db7
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.30.1.83 port 2053, id=0, length=192
Cleaning up request 0 ID 0 with timestamp +76
        User-Name = pepino
        NAS-IP-Address = 10.30.1.83
        Called-Station-Id = 000625f17036
        Calling-Station-Id = 000e35bf5118
        NAS-Identifier = 000625f17036
        NAS-Port = 54
        Framed-MTU = 1400
        State = 0x09eceb5c09edfe065d8607a9b4fe1db7
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201003c15800032160301002d01290301b3354670c815c498b03d3c14301c2e8510e09178ba9ac6cb27077efc961addd802000a0100
        Message-Authenticator = 0x30363c19771b184b796c396e6ef5438b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = pepino, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 60
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 50
rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: TLS 1.0 Handshake [length 002d], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 0852], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server
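What is and is not visible in the trace above, as an added example that is not part of the post or of FreeRADIUS: the first Access-Request carries an EAP-Response/Identity, and the NAS copies that identity into User-Name, so whatever the supplicant puts there (its "outer identity") is on the wire in clear. The real username and password are sent later as Diameter AVPs inside the TLS application data, which the trace never shows decoded. If 1.1.7 logged "anonymous", that was the supplicant's configured outer identity, not something the server did. The parser below decodes the EAP header, the EAP-TTLS flags byte, the optional 4-byte TLS length (the L bit, 0x80, that the trace reports as "Length Included") and the first TLS record header. The packets it parses are constructed here to the same sizes the trace shows (EAP length 0x3c, TLS length 0x32, handshake length 0x2d), because the hex in the post is cut short.

```python
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TTLS = 21            # 0x15, the type byte in the second EAP-Message above
TLS_HANDSHAKE = 22            # content type 0x16
TLS_CLIENT_HELLO = 1


def build_identity_response(eap_id, identity):
    """Constructed EAP-Response/Identity; this is the outer identity, sent in clear."""
    payload = bytes([EAP_TYPE_IDENTITY]) + identity.encode("utf-8")
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(payload)) + payload


def build_ttls_client_hello(eap_id, client_random=bytes(32)):
    """Constructed first EAP-TTLS fragment carrying a minimal TLS 1.0 ClientHello."""
    body = (b"\x03\x01" + client_random     # client_version, random (zeros: constructed)
            + b"\x00"                        # empty session id
            + b"\x00\x02\x00\x2f"            # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                   # null compression only
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record = bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake
    ttls = bytes([0x80]) + struct.pack("!I", len(record)) + record   # L flag + TLS length
    payload = bytes([EAP_TYPE_TTLS]) + ttls
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(payload)) + payload


def parse_tls_record(tls):
    """Decode a TLS record header and, for handshake records, the handshake type."""
    content_type, major, minor, length = struct.unpack("!BBBH", tls[:5])
    info = {"content_type": content_type, "version": (major, minor), "length": length}
    if content_type == TLS_HANDSHAKE and len(tls) > 5:
        info["handshake_type"] = tls[5]
    return info


def parse_ttls(data):
    """Decode the EAP-TTLS flags byte, the optional TLS length and the first record."""
    flags = data[0]
    info = {
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
        "version": flags & 0x07,
    }
    offset = 1
    if info["length_included"]:
        info["tls_length"] = struct.unpack("!I", data[1:5])[0]
        offset = 5
    if len(data) > offset:
        info["record"] = parse_tls_record(data[offset:])
    return info


def parse_eap(packet):
    """Decode an EAP packet as carried in EAP-Message; checks the length field."""
    code, eap_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(packet)))
    info = {"code": code, "id": eap_id, "length": length, "type": packet[4]}
    data = packet[5:]
    if info["type"] == EAP_TYPE_IDENTITY:
        info["identity"] = data.decode("utf-8", "replace")   # visible to any sniffer
    elif info["type"] == EAP_TYPE_TTLS:
        info["ttls"] = parse_ttls(data)
    return info
```

Running `parse_eap(build_ttls_client_hello(1))` reproduces the numbers the server printed: a 60-byte EAP packet, L flag set, TLS length 50, and a 45-byte handshake record whose first byte is ClientHello. Nothing in this exchange contains the inner username; to keep the real identity off the wire, set the supplicant's outer identity to something like anonymous@realm and let the tunnel carry the rest.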
Re: Acct-Authentic changing usernames
Phil Mayers wrote:

We're bringing a Cisco (formerly Airespace) lightweight wireless system online, and I'm seeing some odd things in the accounting. Specifically, the usernames can change in the accounting packets. This causes the default SQL queries (at least, the ones for Postgres under 1.1.7) to generate duplicate entries for the session, because the where clause includes the username. For example, I might see this:

    User-Name = unknown
    NAS-Port = 29
    NAS-IP-Address = 172.16.x.x
    Framed-IP-Address = 192.168.x.x
    NAS-Identifier = wlan-wism-1-1
    Airespace-Wlan-Id = 2
    Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
    Acct-Authentic = Remote
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 3602
    Acct-Status-Type = Start
    Calling-Station-Id = 00:aa:bb:cc:dd:ee
    Called-Station-Id = 00:1b:d5:08:01:00

...then a few seconds later:

    User-Name = THEUSER
    NAS-Port = 29
    NAS-IP-Address = 172.16.x.x
    Framed-IP-Address = 192.168.x.x
    NAS-Identifier = wlan-wism-1-1
    Airespace-Wlan-Id = 2
    Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
    Acct-Authentic = RADIUS
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 3602
    Acct-Status-Type = Interim-Update
    Acct-Input-Octets = 105078
    Acct-Output-Octets = 72551
    Acct-Input-Packets = 754
    Acct-Output-Packets = 300
    Acct-Session-Time = 74
    Acct-Delay-Time = 0
    Calling-Station-Id = 00:aa:bb:cc:dd:ee
    Called-Station-Id = 00:1b:d5:08:01:00

If the user is on e.g. a Windows XP laptop and logs out, I might finally see:

    User-Name = host/thelaptop.domain.com
    NAS-Port = 29
    NAS-IP-Address = 172.16.x.x
    Framed-IP-Address = 192.168.x.x
    NAS-Identifier = wlan-wism-1-1
    Airespace-Wlan-Id = 2
    Acct-Session-Id = 47b3193c/00:aa:bb:cc:dd:ee/5746
    Acct-Authentic = Remote
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 3602
    Acct-Status-Type = Stop
    Acct-Input-Octets = 1852445
    Acct-Output-Octets = 5401691
    Acct-Input-Packets = 17608
    Acct-Output-Packets = 8630
    Acct-Terminate-Cause = User-Request
    Acct-Session-Time = 30517
    Acct-Delay-Time = 0
    Calling-Station-Id = 00:aa:bb:cc:dd:ee
    Called-Station-Id = 00:1b:d5:08:01:00

It seems the NAS is having a changing view of the authentication username as various events take place, presumably at the EAPOL layer. However, it seems to consistently set Acct-Authentic to RADIUS for real usernames, and Remote for unknown or non-authenticated usernames, so it sort of knows this is happening.

Have you tried specifying a User-Name in your Access-Accept packets? According to the original RFC specs, the AP should use that User-Name in all subsequent accounting packets. If you're doing that already, try just returning a canned User-Name string and see where it turns up in the accounting packets. If I were to guess, I'd say the Acct-Start was sent prior to the supplicant responding to the EAP Identity Request, at the point of wireless association. The interim packet was using a returned User-Name, and the stop packet was using the outer identity in the EAP Ident Response. Weird ...

Now the Cisco WLC (nee Airespace) is a weird bit of kit anyway; it sort of holds onto client sessions in case they come back shortly (not unusual for wireless) but I'm wondering if this behaviour is legal, sane or what?

I can probably fix our SQL queries, but I thought people might be interested; for interest, what was the original rationale behind the where clause in the default SQL queries: where username='%{SQL-User-Name}' ??
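The duplicate-row effect Phil describes, replayed in code as an added example (this is not from the list post or from FreeRADIUS itself). The three packets are constructed to mirror the Start, Interim-Update and Stop above, with a placeholder NAS address. Keying an in-memory radacct table on User-Name, as the default 1.1.x WHERE clause does, splits one session into three rows; keying on the pair the NAS keeps stable, (NAS-IP-Address, Acct-Session-Id), keeps one row, and the Acct-Authentic = RADIUS packet is used to pick the name that was actually authenticated. The key functions and the UPDATE-then-INSERT replay logic are this example's own simplification of the SQL module.

```python
"""Added example: correlate RADIUS accounting by session, not by User-Name.

The packets below are constructed from the Start / Interim-Update / Stop in
the list post; 172.16.0.1 stands in for the masked NAS-IP-Address.
"""

PACKETS = [
    {"User-Name": "unknown", "NAS-IP-Address": "172.16.0.1",
     "Acct-Session-Id": "47b3193c/00:aa:bb:cc:dd:ee/5746",
     "Acct-Authentic": "Remote", "Acct-Status-Type": "Start",
     "Calling-Station-Id": "00:aa:bb:cc:dd:ee"},
    {"User-Name": "THEUSER", "NAS-IP-Address": "172.16.0.1",
     "Acct-Session-Id": "47b3193c/00:aa:bb:cc:dd:ee/5746",
     "Acct-Authentic": "RADIUS", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 105078, "Acct-Output-Octets": 72551,
     "Acct-Session-Time": 74, "Calling-Station-Id": "00:aa:bb:cc:dd:ee"},
    {"User-Name": "host/thelaptop.domain.com", "NAS-IP-Address": "172.16.0.1",
     "Acct-Session-Id": "47b3193c/00:aa:bb:cc:dd:ee/5746",
     "Acct-Authentic": "Remote", "Acct-Status-Type": "Stop",
     "Acct-Input-Octets": 1852445, "Acct-Output-Octets": 5401691,
     "Acct-Session-Time": 30517, "Acct-Terminate-Cause": "User-Request",
     "Calling-Station-Id": "00:aa:bb:cc:dd:ee"},
]


def key_by_username(pkt):
    """Row identity as in WHERE username='%{SQL-User-Name}' AND ... ."""
    return (pkt["User-Name"], pkt["NAS-IP-Address"], pkt["Acct-Session-Id"])


def key_by_session(pkt):
    """Row identity from the attributes the NAS keeps stable all session."""
    return (pkt["NAS-IP-Address"], pkt["Acct-Session-Id"])


def build_ledger(packets, key_fn):
    """Replay packets into a dict that stands in for the radacct table.

    Like the SQL module's UPDATE-then-INSERT fallback, an Interim-Update or
    Stop whose key matches no existing row creates a fresh row.
    """
    rows = {}
    for pkt in packets:
        row = rows.setdefault(key_fn(pkt), {
            "usernames": [], "authentic": {}, "octets_in": 0,
            "octets_out": 0, "session_time": 0, "terminate_cause": None,
            "stopped": False,
        })
        row["usernames"].append(pkt["User-Name"])
        # Remember how the NAS classified each name it sent for this session.
        row["authentic"][pkt["User-Name"]] = pkt["Acct-Authentic"]
        row["octets_in"] = pkt.get("Acct-Input-Octets", row["octets_in"])
        row["octets_out"] = pkt.get("Acct-Output-Octets", row["octets_out"])
        row["session_time"] = pkt.get("Acct-Session-Time", row["session_time"])
        if pkt["Acct-Status-Type"] == "Stop":
            row["stopped"] = True
            row["terminate_cause"] = pkt.get("Acct-Terminate-Cause")
    return rows


def authenticated_name(row):
    """Prefer the User-Name the NAS marked Acct-Authentic = RADIUS."""
    for name, authentic in row["authentic"].items():
        if authentic == "RADIUS":
            return name
    return row["usernames"][0]


def summarize(packets, key_fn):
    """Row count, rows still open (no Stop), and the name chosen per row."""
    rows = build_ledger(packets, key_fn)
    return {
        "rows": len(rows),
        "open_rows": sum(1 for r in rows.values() if not r["stopped"]),
        "names": [authenticated_name(r) for r in rows.values()],
    }


if __name__ == "__main__":
    print("by username:", summarize(PACKETS, key_by_username))
    print("by session: ", summarize(PACKETS, key_by_session))
```

Keying by username leaves two rows that never receive a Stop, which is exactly the stale-session noise an operator then has to clean up; keying by session gives one closed row with the Stop's byte counts and the authenticated name.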
FR Unix pws
I am using FreeRADIUS v1.0.5 in a non-production lab environment. I am using the group and passwd files for RADIUS authentication. I'm not using the standard ones, but copies that I have created just for FreeRADIUS and stored in another directory (so it doesn't interfere with regular systems administration). What hashing algorithm is used to store passwords in passwd? Does FreeRADIUS have an option to read passwords in clear text? Is there an easy way to create hashed passwords from some Unix command-line utility? Thanks for your time! 4 out of 10 women surveyed think Alan DeKok is a sex magnet.
[no subject]
Hello, I want to use freeradius 2.0.1 to do accounting for my DSL users. I would like to achieve the following setup: NASes send requests to the first radius (SunOS radius), which only handles authentication requests and proxies accounting requests to Freeradius (v2.0.1). I'd like freeradius to do several things:

1 - Do accounting to a mysql database
2 - Send accounting responses to the first radius
3 - Proxy/copy accounting data to several home servers (3 servers: 1 billing server and 2 content filtering servers)

To do this I set up freeradius 2.0.1 with 1 default virtual server writing accounting to mysql and to a detail file, and one other virtual server which listens to the detail file ( listen { type = detail } ) and proxies requests. The problem is that the proxying is done for one request and stops when the response has been received, so other requests that are in the detail file are not proxied! Does anybody have an idea / use this kind of setup?
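The two-virtual-server layout described in this post, written out as an added configuration example in FreeRADIUS 2.0.x syntax; it is not from the list thread or from the FreeRADIUS distribution. The module instance name "acct-copy", the realm "billing.example", the home server address and secret, and the spool directory are assumptions for illustration, and the file headers in the comments show where each fragment would live. The default server answers the upstream RADIUS as soon as its accounting section finishes, so the reply to the first radius does not wait on the proxying; the detail-reading server then forwards each spooled request to the realm. For the three destinations, repeat the detail writer, the detail-reading server and the realm once per destination, each with its own spool file.

```conf
# Added example, not from the list post or the FreeRADIUS distribution.
# Names, addresses and the shared secret below are placeholders.

# raddb/proxy.conf: an accounting-only home server and the realm that
# selects it. One realm per destination (billing, filter-1, filter-2).
home_server billing {
	type = acct
	ipaddr = 192.0.2.10          # placeholder address of the billing server
	port = 1813
	secret = CHANGE-ME           # placeholder shared secret
}
home_server_pool billing_pool {
	type = fail-over
	home_server = billing
}
realm billing.example {
	acct_pool = billing_pool
}

# raddb/modules/acct-copy: a second detail writer, one spool file per
# destination, readable only by the radiusd user.
detail acct-copy {
	detailfile = ${radacctdir}/acct-copy/detail
	detailperm = 0600
}

# raddb/sites-available/default (accounting listener and section only):
# 1. write the request to MySQL, 3. spool a copy for the proxying server,
# 2. the Accounting-Response goes back to the first radius when this
# section returns, independent of what happens to the spooled copy.
server default {
	listen {
		type = acct
		ipaddr = *
		port = 0
	}
	accounting {
		sql
		acct-copy
	}
}

# raddb/sites-available/copy-acct-to-home-server: reads the spool file and
# proxies every request in it to the realm, throttled by load_factor.
server copy-acct-to-home-server {
	listen {
		type = detail
		filename = ${radacctdir}/acct-copy/detail
		load_factor = 10
	}
	preacct {
		preprocess
		update control {
			Proxy-To-Realm := "billing.example"
		}
	}
	accounting {
		# empty on purpose: the request is proxied before this section runs
	}
}
```

Spooling to a file rather than proxying inline is what makes the upstream reply independent of the home servers' availability: if a content-filtering server is down, the spool simply grows and is drained when it returns, while MySQL and the first radius see no delay. On 2.0.1 the spool reader stalls after the first request, as the reply to this post notes; the layout itself is unaffected once that fix is in.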
Re: FR Unix pws
Lemaster, Rob wrote: I am using FreeRADIUS v1.0.5 in a non-production lab environment.

Well... I suggest upgrading.

What hashing algorithm is used to store passwords in passwd?

    $ man passwd

i.e. whatever your system supports.

Does FreeRADIUS have an option to read passwords in clear text?

Sure. See the passwd module documentation in FreeRADIUS.

Is there an easy way to create hashed passwords from some Unix command-line utility?

The simplest is Apache's htpasswd program.

4 out of 10 women surveyed think Alan DeKok is a sex magnet.

Then they cry themselves to sleep at night. I'm not available. :(

Alan DeKok.
Re:
Alexandre Chapellon wrote: To do this I set up freeradius 2.0.1 with 1 default virtual server writing accounting to mysql and to a detail file, and one other virtual server which listens to the detail file ( listen { type = detail } ) and proxies requests. The problem is that the proxying is done for one request and stops when the response has been received, so other requests that are in the detail file are not proxied!

This bug was fixed recently. 2.0.2 will be released either today or tomorrow, and will contain the fix.

Alan DeKok.