RE: framedipaddress
We worked with Meru as Access Point, but not as NAS. If you want to authenticate users, then it is not the correct device; use another one. Anyway, I think there are other, better devices in the market at the same cost.

Date: Tue, 11 May 2010 17:16:31 +0200
From: al...@deployingradius.com
To: freeradius-users@lists.freeradius.org
Subject: Re: framedipaddress

> Paweł Pogorzelski wrote:
>> Unfortunately Meru claims that the client IP address is not sent to the radius in any other attribute either.
>
> Buy a NAS that works.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to implement EAP-TLS with freeradius and wpa_supplicant?
Sorry, I forgot the subject.

Zheng, Jiajia wrote:
> Hi,
>
> I hope it is the right place to ask questions about EAP-TLS with radius server.
>
> I installed freeradius-2.1.6 rpm package on my Fedora 10 system. EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP, etc. work fine. However, EAP-TLS handshake failed.
>
> Here are my steps to implement EAP-TLS with radius server.
>
> 1. on server: yum install freeradius
> 2. on server: cd /etc/raddb
> 3. on server: edit users and clients.conf (see attachments)
> 4. on server: radiusd -X
> 5. I configured the AP which is wired connected to the server using WPA-TKIP
> 6. copy ca.pem from server to my wireless machine.
> 6. I tried EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP on my wireless machine, which all worked fine.
> 7. on server: cd /etc/raddb/certs
> 8. on server: make client.pem
> 9. copy client.pem from server to my wireless machine
> 10. run wpa_supplicant on my wireless machine:
>
>     wpa_supplicant -Dwext -iwlan0 -c WPA_EAP_TLS.conf
>
>     WPA_EAP_TLS.conf as below,
>
>     ctrl_interface=/var/run/wpa_supplicant
>     ctrl_interface_group=wheel
>     network={
>         ssid="ASUS-2.4G"
>         scan_ssid=1
>         key_mgmt=WPA-EAP
>         eap=TLS
>         identity="root"
>         ca_cert="./ca.pem"
>         client_cert="./client.pem"
>         private_key="./client.pem"
>         private_key_passwd="whatever"
>     }
>
> 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
>
> Could you help me out on this issue? Is there anything I did wrong? Let me know if you need more debugging info.
>
> Thanks,
> jiajia
Re: framedipaddress
Hi,

> We worked with Meru as Access Point, but not as NAS.

but an Access Point IS a NAS

alan
Re: freeradius-server-2.1.8
Hi,

> and there is nothing ! in the output of radiusd -X

nothing at all? or do you mean it's quiet after the 'ready to process requests' line? if so, check your firewall on the server: make sure UDP 1812-1824 are allowed in to the daemon!

alan
RE: framedipaddress
Listen, we've already bought a complete Meru system for the eduroam project and there is no turning back. There are many great features which only Meru has. Right now I must find a solution for this system.

--
Best regards
Paweł Pogorzelski
e-mail: ppogorzel...@gmail.com
Re: framedipaddress
Hi,

> Listen, we've already bought a complete Meru system for the eduroam project and there is no turning back. There are many great features which only Meru has. Right now I must find a solution for this system.

I'm uncertain as to your tone here - but fundamentally, if the hardware doesn't send an attribute then there's nothing that ANY RADIUS server can do about it! ask your vendor why they don't support it perhaps? ask for a feature improvement? they might have an alternative attribute or VSA that you can use or rewrite...

alan
Re: framedipaddress
What are you authenticating? Where are the radius debug logs?

Chances are you are more than likely authenticating a Wireless Association to the Access Point - not a PPP type of service where IP addresses are involved.

Debug your radius logs a bit and perhaps post a bit more detail.

2010/5/12 Paweł Pogorzelski ppogorzel...@gmail.com
> Listen, we've already bought a complete Meru system for the eduroam project and there is no turning back. There are many great features which only Meru has. Right now I must find a solution for this system.
>
> --
> Best regards
> Paweł Pogorzelski
> e-mail: ppogorzel...@gmail.com

--
Regards,
Chris Knipe
Re: framedipaddress
I manage a large Meru installation. If you want to get an IP address logged with a user name or MAC address like Aruba does, you can't do it unless you use the captive portal. And the captive portal only sends this info via syslog as u...@1.2.3.4.

For the auditors at our site, we send the auth response and end-station identifier from radius via syslog and DHCP log to a Splunk box and then they are happy and can block MAC addresses.

Meru is OK, but hostapd on a RedHat appliance as a NAS can be annoying at times.

-----Original Message-----
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
Date: Wed, 12 May 2010 11:33:46
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: framedipaddress

Hi,

> Listen, we've already bought a complete Meru system for the eduroam project and there is no turning back. There are many great features which only Meru has. Right now I must find a solution for this system.

I'm uncertain as to your tone here - but fundamentally, if the hardware doesn't send an attribute then there's nothing that ANY RADIUS server can do about it! ask your vendor why they don't support it perhaps? ask for a feature improvement? they might have an alternative attribute or VSA that you can use or rewrite...

alan
Re: How to implement EAP-TLS with freeradius and wpa_supplicant?
Zheng, Jiajia wrote:
> 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
>
> Could you help me out on this issue?

Paste the debug output into the self-help form at:

http://networkradius.com/freeradius.html

Look for red text.

> Is there anything I did wrong? Let me know if you need more debugging info.

The debug log already shows everything you need to know. The CA used by the client is *not* the same as the CA used by the server.

Alan DeKok.
When to ldap?
I am working on a new radius config and have been trying to avoid the lookup in LDAP I have been seeing for the outer identity.

I have moved to 2.1.8 with the inner-tunnel virtual host enabled.

I have an authorise section for the relevant virtual server that has:

    authorize {
        preprocess
        auth_log
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        files
        if (!EAP-Message) {
            ldap
        }
        expiration
        logintime
        pap
    }

The if(!EAP-Message) works a treat at preventing an LDAP lookup for the outer identity, but if I want to send a basic User-Name/User-Password type auth request after checking with LDAP and returning Remote access is permitted, I then see:

    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

What am I missing to tell the authenticate section below what I want to do next?

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        Auth-Type LDAP {
            ldap
        }
        Auth-Type EAP {
            eap
        }
        eap
    }

I presume:

    if (!EAP-Message) {
        ldap
    }

Fails to set Auth-Type LDAP?

--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
Tel: 0151 795 9540
Can proxy packet be configured to be resent in case no response from the home server
Hi,

Does anyone know whether we can configure it to resend the proxy packet in case no response is received?

Thanks,
Gina Zhang
Configuration trouble (2.1.8 for use with WiMAX)
Dear all,

I am trying to use FreeRadius 2.1.8 for AAA in a WiMAX network. The problem I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can someone help me figure out what I am not doing OR doing incorrectly?

I have configured the raddb/sites-available/default and raddb/modules/wimax files per instructions included in the files themselves. For reference, here are the configuration stanzas in the post-auth section of default:

    update request {
        WiMAX-MN-NAI = "%{User-Name}"
    }
    update reply {
        WiMAX-FA-RK-Key = 0x00
        WiMAX-MSK = "%{EAP-MSK}"
    }
    wimax

Run-log from radiusd -X is also included at the end of this message. Here is the message that indicates that EAP is not computing MSK and EMSK:

    [wimax] No EAP-MSK or EAP-EMSK. Cannot create WiMAX keys.

Thank you in advance, and I apologize if this question has been answered before -- I did not find answers/pointers in the FAQ or the Wiki.

Best Regards,
Sumedh

--
    FreeRADIUS Version 2.1.8, for host x86_64-unknown-linux-gnu, built on May 11 2010 at 23:50:30
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
RE: Configuration trouble (2.1.8 for use with WiMAX)
Which product are you using? Some WiMax NAS do not send the proper keys to Freeradius. I have gotten FR to work with pretty much all of the major brands of WiMax we sell.

David
RE: Configuration trouble (2.1.8 for use with WiMAX)
David, thanks for your reply.

I am using a simulated WIMAX ASN gateway from the BOC-WiMAX distribution. It's available at: http://opensource.bolloretelecom.eu/projects/boc-wimax/

Sounds like you have insights into keys that NAS equipment does not send to FreeRadius. Can you share that information with me?

Best Regards,
Sumedh
RE: Configuration trouble (2.1.8 for use with WiMAX)
I have looked into BOC-WIMAX and it looks interesting but fairly incomplete. I have not tried to get it working 100% so I have only a little experience. Some of the NAS simply want to talk to FR via EAP-TTLS and receive only a Framed-Filter-Id response. Is there a manufacturer you are looking to work with in particular or is this an attempt to get BOC-WiMax working as your ASN?

David
sending Access-request, Access-Reject
hi, can someone help me with this?

I add a user:

    abc cleartext-password:=123

and I run freeradius -X. After that I do:

    r...@pfe-laptop:/home/pfe# radtest abc 123 localhost 1812 testing123
    Sending Access-Request of id 48 to 127.0.0.1 port 1812
        User-Name = abc
        User-Password = 123
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
    rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=48, length=20

and this is the output of the daemon:

    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1:41804, id=48, length=55
        User-Name = abc
        User-Password = 123
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = abc, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry abc at line 216
    modcall[authorize]: module files returns ok for request 0
    rlm_pap: Found existing Auth-Type, not changing it.
    modcall[authorize]: module pap returns noop for request 0
    modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type System
    auth: type System
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 0
    modcall[authenticate]: module unix returns notfound for request 0
    modcall: leaving group authenticate (returns notfound) for request 0
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 48 to 127.0.0.1 port 41804
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 48 with timestamp 4beb3ff9
    Nothing to do. Sleeping until we see a request.
Re: sending Access-request, Access-Reject
On 05/12/2010 08:01 PM, dorra aa wrote:
> hi can someone help me in that i add a users : abc cleartext-password:=123

It's right there in the debug output:

    users: Matched entry DEFAULT at line 153
    users: Matched entry abc at line 216
    modcall[authorize]: module files returns ok for request 0
    modcall: leaving group authorize (returns ok) for request 0
    rlm_pap: Found existing Auth-Type, not changing it.
    rad_check_password: Found Auth-Type System
    modcall[authenticate]: module unix returns notfound for request 0

It shouldn't be using an auth-type of System; that means to look up the user in the /etc/passwd (/etc/shadow) file. But you don't have a user on your system named abc, so the not found result makes sense, right?

Why is it trying to find abc amongst the unix users on your system? The answer is right above: look at the lines labeled users:, that's your users file; also look at the line that says Found Auth-Type, not changing it.

So something in your users file forced the user abc to have an Auth-Type of system or unix; it also tells you which lines in the users file it matched. Go fix your users file so it doesn't do that. I'm guessing in your attempts to get things working you may have mangled the example users file; you might want to start with the unaltered users file and just add your test user.

All this is documented in the link I sent you a week ago: http://deployingradius.com/documents/configuration/pap.html

--
John Dennis jden...@redhat.com
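The reading of the debug output described in the reply above, automated as an added example (not code from the thread or from the FreeRADIUS project): it parses 1.x-style `radiusd -X` output, records which users-file entries matched and which Auth-Type was in force, and reports when a preset Auth-Type of System or unix sent the request to the unix module. The names `Request`, `parse_debug` and `diagnose` are assumptions of this example; the sample log is excerpted from the poster's output in this thread.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the poster's FreeRADIUS 1.x debug output from this thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1:41804, id=48, length=55
User-Name = abc
User-Password = 123
Processing the authorize section of radiusd.conf
modcall[authorize]: module preprocess returns ok for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry abc at line 216
modcall[authorize]: module files returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module pap returns noop for request 0
rad_check_password: Found Auth-Type System
modcall[authenticate]: module unix returns notfound for request 0
auth: Failed to validate the user.
Sending Access-Reject of id 48 to 127.0.0.1 port 41804
"""


@dataclass
class Request:
    packet_id: int
    user: str = ""
    matched: list = field(default_factory=list)       # (entry, users-file line)
    auth_type: str = ""
    auth_type_preset: bool = False                    # set before rlm_pap ran
    authenticate: dict = field(default_factory=dict)  # module -> return code
    rejected: bool = False


RE_RECV = re.compile(r"rad_recv: Access-Request packet from host \S+, id=(\d+)")
RE_USER = re.compile(r'User-Name = "?([^"]+?)"?$')
RE_MATCH = re.compile(r"users: Matched entry (\S+) at line (\d+)")
RE_TYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
RE_MOD = re.compile(r'modcall\[authenticate\]: module "?([\w-]+)"? returns (\w+)')
RE_REJECT = re.compile(r"Sending Access-Reject of id (\d+)")


def parse_debug(text):
    """Split debug output into requests; each starts at an Access-Request line."""
    requests, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_RECV.search(line):
            cur = Request(packet_id=int(m.group(1)))
            requests.append(cur)
            continue
        if cur is None:
            continue  # startup chatter before the first request
        if (m := RE_USER.match(line)) and not cur.user:
            cur.user = m.group(1)
        elif m := RE_MATCH.search(line):
            cur.matched.append((m.group(1), int(m.group(2))))
        elif "Found existing Auth-Type, not changing it" in line:
            cur.auth_type_preset = True
        elif m := RE_TYPE.search(line):
            cur.auth_type = m.group(1)
        elif m := RE_MOD.search(line):
            cur.authenticate[m.group(1)] = m.group(2)
        elif m := RE_REJECT.search(line):
            # Packet ids are reused over time: mark the most recent match.
            for req in reversed(requests):
                if req.packet_id == int(m.group(1)):
                    req.rejected = True
                    break
    return requests


def diagnose(req):
    """Return findings for the misconfiguration discussed in the thread."""
    findings = []
    where = ", ".join(f"{name} (line {line})" for name, line in req.matched)
    if req.auth_type_preset and req.matched:
        findings.append(
            f"Auth-Type was already set before pap ran; users entries matched: {where}")
    if (req.auth_type.lower() in ("system", "unix")
            and req.authenticate.get("unix") == "notfound"):
        findings.append(
            f"Auth-Type {req.auth_type} sent '{req.user}' to the unix module, "
            "which found no such system account")
    return findings


if __name__ == "__main__":
    for request in parse_debug(SAMPLE_DEBUG):
        verdict = "rejected" if request.rejected else "not rejected"
        print(f"id={request.packet_id} user={request.user} {verdict}")
        for finding in diagnose(request):
            print("  -", finding)
```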
Re: How to implement EAP-TLS with freeradius and wpa_supplicant?
Check the system time; it has to be within the certificate's validity period. The CA issue is a bit hard to say; check your configuration again.

On Thu, May 13, 2010 at 10:53 AM, Zheng, Jiajia jiajia.zh...@intel.com wrote:
> Alan DeKok wrote:
>> Zheng, Jiajia wrote:
>>> 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
>>>
>>> Could you help me out on this issue?
>>
>> Paste the debug output into the self-help form at:
>>
>> http://networkradius.com/freeradius.html
>>
>> Look for red text.
>>
>>> Is there anything I did wrong? Let me know if you need more debugging info.
>>
>> The debug log already shows everything you need to know. The CA used by the client is *not* the same as the CA used by the server.
>
> Yes, from the debug log, we can tell that the CA is wrong. But as I mentioned, the same CA works fine with EAP-TTLS. Why does it go wrong with EAP-TLS?
>
> Here is my configuration file for EAP-TTLS which works.
>
> WPA_EAP_TTLS_CHAP.conf
>
>     ctrl_interface=/var/run/wpa_supplicant
>     ctrl_interface_group=wheel
>     network={
>         ssid="ASUS-2.4G"
>         scan_ssid=1
>         key_mgmt=WPA-EAP
>         eap=TTLS
>         identity="root"
>         password="wireless"
>         ca_cert="./ca.pem"
>         phase2="auth=CHAP"
>     }
>
> Here is my configuration file for EAP-TLS which fails authentication.
>
> WPA_EAP_TLS.conf
>
>     ctrl_interface=/var/run/wpa_supplicant
>     ctrl_interface_group=wheel
>     network={
>         ssid="ASUS-2.4G"
>         scan_ssid=1
>         key_mgmt=WPA-EAP
>         eap=TLS
>         identity="root"
>         ca_cert="./ca.pem"
>         client_cert="./client.pem"
>         private_key="./client.pem"
>         private_key_passwd="whatever"
>     }
>
> The client.pem used by the client was also copied from the server. Is there anything wrong with my configuration file? I also attached the *.pem.
>
> Thanks,
> jiajia
Re: Clark Wang has invited you to Dropbox
Dropbox has been defeated by the GreatFireWall, we are so sorry