EAP TLS login fails after creation of new certs

2004-10-18 Thread Beekmann (EXT), Lars

Hi,

I'm running a FreeRADIUS 1.0.1 server on SuSE Linux 9.1 with EAP-TLS for authentication.

I have previously used the CA.all script to generate the necessary certificates for test purposes.

Now I tried to write a script for creating the certs myself, without obvious problems.

But after I installed the certs on the RADIUS server and the Windows XP client, the client doesn't log in anymore.

Can anyone tell me what I've done wrong with the certs?

Big THX to you all.



Script for root cert

Pass=XXX  # passphrase for the private key

# NB: genrsa only encrypts the key when a cipher option such as -des3 is also
# given; without one -passout is ignored and root.key is written in the clear.
openssl genrsa -out ./root.key -passout pass:${Pass} 1024

# Certificate request for the root; it is self-signed with its own key below.
openssl req -new -key ./root.key -passin pass:${Pass} -passout pass:${Pass} -out ./root.req

# Self-signed root certificate, valid one year. No -extfile is given, so no
# X.509v3 extensions (basicConstraints CA:TRUE, keyUsage) are added here.
openssl x509 -req -days 365 -in ./root.req -signkey ./root.key -out ./root.cert -passin pass:${Pass}

# PKCS#12 bundle of key + cert, then back out to PEM and DER for installation.
openssl pkcs12 -export -cacerts -in ./root.cert -passin pass:${Pass} -passout pass:${Pass} -inkey ./root.key -out ./root.p12

openssl pkcs12 -in ./root.p12 -out ./root.pem -passin pass:${Pass} -passout pass:${Pass}

openssl x509 -inform PEM -outform DER -in ./root.pem -out ./root.der



Script for server cert

Pass=XXX  # passphrase for the private key

# As above: without -des3 (or similar) the key is written unencrypted.
openssl genrsa -out ./server.key -passout pass:${Pass} 1024

openssl req -new -key ./server.key -passin pass:${Pass} -passout pass:${Pass} -out ./server.req

# Signed by the root CA from ../Root. Again no -extfile, so no
# extendedKeyUsage (serverAuth) or other v3 extensions are added.
openssl x509 -req -days 365 -CA ./../Root/root.cert -CAkey ./../Root/root.key -CAcreateserial -in ./server.req -out ./server.cert -passin pass:${Pass}

openssl pkcs12 -export -in ./server.cert -passin pass:${Pass} -passout pass:${Pass} -inkey ./server.key -out ./server.p12

openssl pkcs12 -in ./server.p12 -out ./server.pem -passin pass:${Pass} -passout pass:${Pass}

openssl x509 -inform PEM -outform DER -in ./server.pem -out ./server.der



Script for client cert

Pass=XXX  # passphrase for the private key

# As above: without -des3 (or similar) the key is written unencrypted.
openssl genrsa -out ./client.key -passout pass:${Pass} 1024

openssl req -new -key ./client.key -passin pass:${Pass} -passout pass:${Pass} -out ./client.req

# Signed by the root CA from ../Root. No -extfile, so no extendedKeyUsage
# (clientAuth) or other v3 extensions are added.
openssl x509 -req -days 365 -CA ./../Root/root.cert -CAkey ./../Root/root.key -CAcreateserial -in ./client.req -out ./client.cert -passin pass:${Pass}

# The .p12 is what gets imported on the Windows XP client.
openssl pkcs12 -export -in ./client.cert -passin pass:${Pass} -passout pass:${Pass} -inkey ./client.key -out ./client.p12

openssl pkcs12 -in ./client.p12 -out ./client.pem -passin pass:${Pass} -passout pass:${Pass}

openssl x509 -inform PEM -outform DER -in ./client.pem -out ./client.der
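For comparison, here is an added example (the editor's, not the poster's script and not FreeRADIUS's own CA tooling) of the same three-certificate setup generated with the X.509v3 extensions that the Windows XP EAP-TLS supplicant checks: the root marked CA:TRUE, the server certificate carrying extendedKeyUsage serverAuth (OID 1.3.6.1.5.5.7.3.1) and the client certificate carrying clientAuth (1.3.6.1.5.5.7.3.2). The subject names, file names, 2048-bit keys and the passphrase are assumptions; the second function is the check to run on a certificate before copying it to the server or the client.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS. Builds a root
# CA plus a server and a client certificate with the extensions Windows XP's
# EAP-TLS supplicant expects. Subjects, file names, key size and the
# passphrase are assumptions.
set -eu

gen_eap_certs() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    # Extension profiles used by 'req' (root) and 'x509 -req' (leaf certs).
    # The empty req_dn section exists only because 'req' insists on one.
    cat > "$dir/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ xpserver_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

[ xpclient_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF

    # Root CA: key, then a self-signed v3 certificate carrying v3_ca.
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/root.key" -out "$dir/root.pem" \
        -subj "/CN=Example EAP Root CA" -config "$dir/ext.cnf" -extensions v3_ca

    # Leaf certificates: request, then sign with the root and the matching profile.
    for name in server client; do
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$name.key" -out "$dir/$name.req" \
            -subj "/CN=radius-$name.example.net" -config "$dir/ext.cnf"
        openssl x509 -req -days 365 -in "$dir/$name.req" \
            -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
            -extfile "$dir/ext.cnf" -extensions "xp${name}_ext" \
            -out "$dir/$name.pem" 2>/dev/null
    done

    # Client bundle for import on the XP box: key + cert + root in one PKCS#12.
    # On OpenSSL 3 add -legacy if an old Windows importer rejects the default
    # AES-based bundle.
    openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
        -certfile "$dir/root.pem" -name "EAP client" -out "$dir/client.p12" \
        -passout "pass:$pass"
}

# check_eap_cert FILE server|client
# Returns 0 only if FILE chains to root.pem in the same directory and carries
# the extended key usage that role needs.
check_eap_cert() {
    cert=$1; role=$2
    case $role in
        server) want='TLS Web Server Authentication' ;;
        client) want='TLS Web Client Authentication' ;;
        *) return 2 ;;
    esac
    openssl verify -CAfile "$(dirname "$cert")/root.pem" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q "$want"
}
```

Run it as `gen_eap_certs ./certs secret` and then `check_eap_cert ./certs/server.pem server`; the same check against a certificate produced by the script in the post fails, because that certificate carries no extendedKeyUsage at all.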
Restricting VPN User

2004-10-18 Thread Mahesh S Kudva
Hi All

I have a VPN server which redirects all the authentication to
freeRADIUS 1.0.1. My question is how do I restrict the VPN user to a
particular host in the network, depriving him of all the other resources and
hosts in the network. In short, I want to restrict the VPN user to one and
only one network server?

Thanks in advance..

Regards & Thanks

Mahesh S Kudva
Robosoft Technologies
System Administration Department
Phone: 0820-2535458 Extn: 205, 244
http://www.robosoftin.com





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: user lost connectivity

2004-10-18 Thread Edgars
I know that my NAS is sending Lost_Carrier as the Acct-Terminate-Cause
value. So in some way I should put that stop time into the radacct table
manually when this happens. Maybe some trigger on accounting_update_query?

Edgars
Kyriaki Gali wrote:
> Yes, I know it is a problem and I don't know if we can do something else. I
> have the same problem also,
> so if you find anything please let me know.
> Regards,
> Kyriaki Gali,
> IT Applications Specialist
> Kinetix Tele.com Support Center,
> Tel & Fax: +30 2310 256140
> GSM: +30 6947 723737
> http://www.kinetix.gr
> e-mail: [EMAIL PROTECTED]
> - Original Message -
> From: Edgars [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Friday, October 15, 2004 1:39 PM
> Subject: [Fwd: Re: user lost connectivity]
>
>> I already have such a field in radacct and it's staying at NULL value if
>> this happens.
>> Edgars
>> Kyriaki Gali wrote:
>>> This is a problem; I don't know if there is a way to fix this, but
>>> I suggest inserting a field in the radacct table to get the disconnect cause,
>>> so if you haven't an AcctStopTime you will know why. Or check for how long your
>>> CDR is without an AcctStopTime.
>>>
>>> Kyriaki Gali,
>>> IT Applications Specialist
>>> Kinetix Tele.com Support Center,
>>> Tel & Fax: +30 2310 256140
>>> GSM: +30 6947 723737
>>> http://www.kinetix.gr
>>> e-mail: [EMAIL PROTECTED]
>>> - Original Message -
>>> From: Edgars [EMAIL PROTECTED]
>>> To: [EMAIL PROTECTED]
>>> Sent: Friday, October 15, 2004 1:15 PM
>>> Subject: user lost connectivity
>>>
>>>> Hello,
>>>> is there any way to write acctstoptime when the user is losing
>>>> connectivity with his NAS? After this happens the user is prompted to
>>>> login again but the previous acctstoptime stays blank.
>>>> Edgars


Re: Problem with PEAP auth using xp clients

2004-10-18 Thread atul dhingra
> So you're still getting the core dump.  Let me guess... you have two
> versions of OpenSSL installed, and you built the server without using
> --disable-shared.
> Fix one of those two problems, and it will work.
>
> Alan DeKok.

I am still getting the same dump. I have used --disable-shared while
building the RADIUS server.
Please find below the gdb output; I would appreciate your comments:
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: ack handshake is finished
 eaptls_verify returned 3
 eaptls_process returned 3
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076225856 (LWP 17733)]
0x401420d7 in BIO_read () from /lib/libcrypto.so.0.9.7

(gdb) bt
#0  0x401420d7 in BIO_read () from /lib/libcrypto.so.0.9.7
#1  0x40290ffe in tls_handshake_send (ssn=0x40290798) at tls.c:230
#2  0x40295852 in eappeap_authenticate (arg=0x8194920,
handler=0x819e4f8)
   at rlm_eap_peap.c:192
#3  0x4027b46d in eaptype_call (atype=0x8174b70, handler=0x819e4f8)
   at eap.c:170
#4  0x4027b5ce in eaptype_select (inst=0x81571b0, handler=0x819e4f8)
   at eap.c:353
#5  0x4027ab80 in eap_authenticate (instance=0x81571b0,
request=0x81c1d80)
   at rlm_eap.c:289
#6  0x0805423c in call_modsingle (component=0, sp=0x8156730,
   request=0x81c1d80, default_result=0) at modcall.c:226
#7  0x080543a2 in modcall (component=0, c=0x8156730, request=0x81c1d80)
   at modcall.c:353
#8  0x0805432d in call_modgroup (component=0, g=0x57e58955,
request=0x81c1d80,
   default_result=0) at modcall.c:261
#9  0x08054419 in modcall (component=0, c=0x8197120, request=0x81c1d80)
   at modcall.c:344
#10 0x08053f17 in module_authenticate (auth_type=6, request=0x81c1d80)
   at modules.c:907
#11 0x0805129c in rad_check_password (request=0x81c1d80) at auth.c:324
#12 0x080516af in rad_authenticate (request=0x81c1d80) at auth.c:586
#13 0x0804d17d in rad_respond (request=0x81c1d80,
   fun=0x80515c8 rad_authenticate) at radiusd.c:1555
#14 0x0804cd85 in main (argc=2, argv=0x81c1d80) at radiusd.c:1327
#15 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6


Re: Restricting VPN User

2004-10-18 Thread Vipul Ramani
Cheers,
Can you please give more details about your setup and the reason you want to
restrict access to one server? Can you tell me which ports, so I get
more of an idea? Please be specific, like:

The VPN user is connected and may use the intranet / file server, so
please specify exactly what you want to do. The reason I am asking is that you can
use some RADIUS attribute to block ports.




On Mon, 18 Oct 2004 12:44:10 +0530, Mahesh S Kudva [EMAIL PROTECTED] wrote:
> I have a VPN Server which redirects all the authentication to
> freeRADIUS1.0.1. My question is how do I restrict the VPN User to a
> particular host in the network depriving him of all the resources and
> hosts in the network. In short I want to restrict the VPN user to One and
> Only One Network Server?


-- 
Regards

Vipul Ramani

[EMAIL PROTECTED]
[EMAIL PROTECTED]

~We Know HoW NeTWoRkS ~~~

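An added example, not from the thread, of the attribute-based restriction Vipul refers to. In RADIUS the server cannot filter traffic itself; it can only hand the VPN concentrator (the NAS) an attribute that the NAS maps to an access list. The generic way is Filter-Id (RFC 2865); Cisco equipment also accepts the ACL lines directly in Cisco-AVPair. The user name, password, filter name and the 10.0.0.5 server address are assumptions, and the filter named "vpn-onehost" has to exist on the NAS, which is configured there and not in FreeRADIUS.

```text
# raddb/users entry (FreeRADIUS 1.x syntax; name and password assumed).
# The first line holds check items; the indented lines are reply items
# returned in the Access-Accept.
vpnuser   Auth-Type := Local, User-Password == "changeme"
          Filter-Id = "vpn-onehost"

# Cisco-style NAS: push the ACL itself instead of a name. "+=" is needed
# so that both Cisco-AVPair values are added to the reply.
#vpnuser  Auth-Type := Local, User-Password == "changeme"
#         Cisco-AVPair += "ip:inacl#1=permit ip any host 10.0.0.5",
#         Cisco-AVPair += "ip:inacl#2=deny ip any any"
```

Whichever form is used, verify on the NAS (not only in radiusd -X) that the filter is actually applied to the session; an Access-Accept carrying a Filter-Id the NAS does not recognise is silently ignored by most equipment, which leaves the user unrestricted.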


Re: user lost connectivity

2004-10-18 Thread Kyriaki Gali
Yes, I think it will work. See sql.conf if you can do something like that. I
don't think there will be any problem.
If I try it, I'll tell you.


Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel  Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]


Who can help me with a slight re-write of user_edit.php3 ?

2004-10-18 Thread Evert Meulie
Hi everyone!
For the setup we have here I am in need of a slight re-write of 
user_edit.php3, but unfortunately I don't possess adequate knowledge of 
PHP yet to do so...   :-/

The page now shows in a drop-down the group(s) a user is a member of. 
What we need here is a drop-down that shows all groups, with the 
group(s) high-lighted of which the user is a member. This makes it a lot 
easier for the admin to change membership group(s) of a user.

Who has enough knowledge of PHP to assist me with this? Actually I think 
there will be more people interested in a script like this one, so if 
you can assist with this, you'll probably make many people happy!  ;-)

Regards,
Evert Meulie


Problems configuring on Solaris

2004-10-18 Thread Hennie Rautenbach
Hi there folks,
I am trying to build freeradius-1.0.1 on a Sun running Solaris 9 using 
gcc-3.3.2 ! There are a number of warnings during configure and a make 
also bombs.

I have grepped the errors from the config.log file:
configure:7947: error: dereferencing pointer to incomplete type
configure:8545: error: too many arguments to function `gethostbyaddr_r'
configure:8639: error: too many arguments to function `gethostbyname_r'
configure:8731: error: too many arguments to function `ctime_r'
I'd be happy to post more detail, or the entire log if need be.  Any 
suggestions on how to get past the above errors ?

Kind regards,
Hennie Rautenbach


Re: user lost connectivity

2004-10-18 Thread Edgars
Kyriaki,
your help will be greatly appreciated!
Edgars


PEAP

2004-10-18 Thread Blom, Theo

Hi,

I tried to get freeradius to work with PEAP.
I got LEAP working but I want to use PEAP because it is more secure.
It seems I have some problems with the certs. I tried it with the demo certs
included in the tar.gz and also with the certs made with the cert.sh in the
scripts dir.
I installed the cacert.pem on the client PC (it is w2k sp4 with a cisco
Aironet card). The access point is a Cisco 1231.
I attached a text file with the debugging information.



Mon Oct 18 16:19:39 2004 : Info: Starting - reading configuration files ...
Mon Oct 18 16:19:39 2004 : Debug: reread_config:  reading radiusd.conf
Mon Oct 18 16:19:39 2004 : Debug: Config:   including file: 
/usr/local/etc/raddb/clients.conf
Mon Oct 18 16:19:39 2004 : Debug: Config:   including file: 
/usr/local/etc/raddb/snmp.conf
Mon Oct 18 16:19:39 2004 : Debug: Config:   including file: 
/usr/local/etc/raddb/eap.conf
Mon Oct 18 16:19:39 2004 : Debug:  main: prefix = /usr
Mon Oct 18 16:19:39 2004 : Debug:  main: localstatedir = /var
Mon Oct 18 16:19:39 2004 : Debug:  main: logdir = /var/log/radius
Mon Oct 18 16:19:39 2004 : Debug:  main: libdir = /usr/lib
Mon Oct 18 16:19:39 2004 : Debug:  main: radacctdir = /var/log/radius/radacct
Mon Oct 18 16:19:39 2004 : Debug:  main: hostname_lookups = no
Mon Oct 18 16:19:39 2004 : Debug:  main: max_request_time = 30
Mon Oct 18 16:19:39 2004 : Debug:  main: cleanup_delay = 5
Mon Oct 18 16:19:39 2004 : Debug:  main: max_requests = 1024
Mon Oct 18 16:19:39 2004 : Debug:  main: delete_blocked_requests = 0
Mon Oct 18 16:19:39 2004 : Debug:  main: port = 0
Mon Oct 18 16:19:39 2004 : Debug:  main: allow_core_dumps = no
Mon Oct 18 16:19:39 2004 : Debug:  main: log_stripped_names = no
Mon Oct 18 16:19:39 2004 : Debug:  main: log_file = /var/log/radius/radius.log
Mon Oct 18 16:19:39 2004 : Debug:  main: log_destination = files
Mon Oct 18 16:19:39 2004 : Debug:  main: log_auth = no
Mon Oct 18 16:19:39 2004 : Debug:  main: log_auth_badpass = no
Mon Oct 18 16:19:39 2004 : Debug:  main: log_auth_goodpass = no
Mon Oct 18 16:19:39 2004 : Debug:  main: pidfile = /var/run/radiusd/radiusd.pid
Mon Oct 18 16:19:39 2004 : Debug:  main: user = radiusd
Mon Oct 18 16:19:39 2004 : Debug:  main: group = radiusd
Mon Oct 18 16:19:39 2004 : Debug:  main: usercollide = no
Mon Oct 18 16:19:39 2004 : Debug:  main: lower_user = no
Mon Oct 18 16:19:39 2004 : Debug:  main: lower_pass = no
Mon Oct 18 16:19:39 2004 : Debug:  main: nospace_user = no
Mon Oct 18 16:19:39 2004 : Debug:  main: nospace_pass = no
Mon Oct 18 16:19:39 2004 : Debug:  main: checkrad = /usr/sbin/checkrad
Mon Oct 18 16:19:39 2004 : Debug:  main: debug_level = 0
Mon Oct 18 16:19:39 2004 : Debug:  main: proxy_requests = no
Mon Oct 18 16:19:39 2004 : Debug:  security: max_attributes = 200
Mon Oct 18 16:19:39 2004 : Debug:  security: reject_delay = 1
Mon Oct 18 16:19:39 2004 : Debug:  security: status_server = no
Mon Oct 18 16:19:39 2004 : Debug: read_config_files:  reading dictionary
Mon Oct 18 16:19:39 2004 : Debug: read_config_files:  reading naslist
Mon Oct 18 16:19:39 2004 : Info: Using deprecated naslist file.  Support for this will 
go away soon.
Mon Oct 18 16:19:39 2004 : Debug: read_config_files:  reading clients
Mon Oct 18 16:19:39 2004 : Debug: read_config_files:  reading realms
Mon Oct 18 16:19:39 2004 : Debug: radiusd:  entering modules setup
Mon Oct 18 16:19:39 2004 : Debug: Module: Library search path is /usr/lib
Mon Oct 18 16:19:39 2004 : Debug: Module: Loaded exec 
Mon Oct 18 16:19:39 2004 : Debug:  exec: wait = yes
Mon Oct 18 16:19:39 2004 : Debug:  exec: program = (null)
Mon Oct 18 16:19:39 2004 : Debug:  exec: input_pairs = request
Mon Oct 18 16:19:39 2004 : Debug:  exec: output_pairs = (null)
Mon Oct 18 16:19:39 2004 : Debug:  exec: packet_type = (null)
Mon Oct 18 16:19:39 2004 : Info: rlm_exec: Wait=yes but no output defined. Did you 
mean output=none?
Mon Oct 18 16:19:39 2004 : Debug: Module: Instantiated exec (exec) 
Mon Oct 18 16:19:39 2004 : Debug: Module: Loaded expr 
Mon Oct 18 16:19:39 2004 : Debug: Module: Instantiated expr (expr) 
Mon Oct 18 16:19:39 2004 : Debug: Module: Loaded PAP 
Mon Oct 18 16:19:39 2004 : Debug:  pap: encryption_scheme = crypt
Mon Oct 18 16:19:39 2004 : Debug: Module: Instantiated pap (pap) 
Mon Oct 18 16:19:39 2004 : Debug: Module: Loaded CHAP 
Mon Oct 18 16:19:39 2004 : Debug: Module: Instantiated chap (chap) 
Mon Oct 18 16:19:39 2004 : Debug: Module: Loaded MS-CHAP 
Mon Oct 18 16:19:39 2004 : Debug:  mschap: use_mppe = yes
Mon Oct 18 16:19:39 2004 : Debug:  mschap: require_encryption = no
Mon Oct 18 16:19:39 2004 : Debug:  mschap: 

radtest/NTRadPing users/passwd

2004-10-18 Thread Paul
Please help me make sense of inconsistent results. Using either radtest
(local) or NTRadPing (remote) the tests are successful if I log in as a
user in /etc/passwd. In NTRadPing I must make sure CHAP is *not* selected.

Using NTRadPing with CHAP selected I can log in as a user in
raddb/users.  If I use radtest for the same test, the test fails. I'm
guessing that this is a PAP vs. CHAP issue, but I'm not sure, and I'm
not sure what to do about the problem.

I added these entries to the bottom of the raddb/users file:

mao     User-Password == testing
kiko    Auth-Type = Local, Password = testing

The only other change from defaults is this entry in raddb/clients.conf:

client 192.168.0.1 {
    secret    = testing123
    shortname = kiko
}
A failed test against a username in raddb/users looks like this:
radtest -d /usr/local/etc/raddb/ kiko testing 127.0.0.1 10 testing123
Sending Access-Request of id 181 to 127.0.0.1:1812
   User-Name = kiko
   User-Password = testing
   NAS-IP-Address = cooler
   NAS-Port = 10
Re-sending Access-Request of id 181 to 127.0.0.1:1812
   User-Name = kiko
   User-Password = \026\262\336\000\274\353#k|W\034a\272\270$\r
   NAS-IP-Address = cooler
   NAS-Port = 10
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=181, length=20
A successful test against a user in /etc/passwd looks like this:
radtest -d /usr/local/etc/raddb/ paul changed 127.0.0.1 10 testing123
Sending Access-Request of id 193 to 127.0.0.1:1812
   User-Name = paul
   User-Password = changed
   NAS-IP-Address = cooler
   NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=193, length=20
Any feedback would be appreciated, even if you only direct me to the 
relevant reading material.  ^_^



more info, radtest/NTRadPing users/passwd

2004-10-18 Thread Paul
Running radiusd -X produces the following during a failed radtest test:
rad_recv: Access-Request packet from host 127.0.0.1:32782, id=58, length=55
User-Name = mao
User-Password = testing
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
rlm_realm: No '@' in User-Name = mao, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 2
users: Matched DEFAULT at 152
users: Matched mao at 216
  modcall[authorize]: module files returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module unix returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 58 to 127.0.0.1:32782
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 58 with timestamp 4173c4cc
Nothing to do.  Sleeping until we see a request.
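An added note and corrected users entries from the editor, not part of Paul's posts. The debug trace above shows `users: Matched DEFAULT at 152` before `users: Matched mao at 216`, followed by `rad_check_password:  Found Auth-Type System`: the DEFAULT entry at line 152 is the one that sets Auth-Type = System with Fall-Through, and in the users file an attribute added with `=` never replaces one that an earlier entry already set. So `mao` (no Auth-Type at all) and `kiko` (`Auth-Type = Local`, with `=`) both keep Auth-Type System, the unix module looks them up in /etc/passwd, reports notfound, and the request is rejected. With CHAP selected in NTRadPing the chap module sets Auth-Type CHAP during authorize before the files module runs, which is why that path succeeds. Forcing the type with `:=` fixes the PAP/radtest case; the password values are the ones from the post:

```text
# raddb/users, FreeRADIUS 1.x syntax. ":=" overrides the Auth-Type that the
# earlier "DEFAULT  Auth-Type = System / Fall-Through = 1" entry set, so these
# names are checked against the password here instead of /etc/passwd.
# ("Password" in the original kiko line is written as the canonical
# attribute name User-Password.)
mao     Auth-Type := Local, User-Password == "testing"
kiko    Auth-Type := Local, User-Password == "testing"

# Written with "=" as in the post, the entry keeps Auth-Type System and is
# rejected by the unix module, because "=" only adds an attribute that is
# not already present:
#kiko   Auth-Type = Local, User-Password == "testing"
```

After the change, `radiusd -X` should show `Found Auth-Type Local` for these names instead of `Found Auth-Type System`, and the same `radtest` command that was rejected above should return an Access-Accept.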


RE: Installing freeRadius on RH Linux 9.0

2004-10-18 Thread Lonnie Burgess
Yes, and you received a response telling you that mysql_devel was missing:
You need to get your lies straightened out.

> Gene ..
>
> I had the same type errors until I made sure the mysql_devel RPM was
> installed .. Even then my make process completed with messages such as
> sql_mysql.o
>
> sql_mysql.c:39:20: errmsg.h: No such file or directory
> sql_mysql.c:40:19: mysql.h: No such file or directory
> sql_mysql.c:47: parse error before MYSQL
> sql_mysql.c:47: warning: no semicolon at end of struct or union
> sql_mysql.c:48: warning: type defaults to `int' in declaration of `sock'
> sql_mysql.c:48: warning: data definition has no type or storage class
> sql_mysql.c:49: parse error before '*' token
> sql_mysql.c:49: warning: type defaults to `int' in declaration of `result'
> sql_mysql.c:49: warning: data definition has no type or storage class
> sql_mysql.c:51: parse error before '}' token
> sql_mysql.c:51: warning: type defaults to `int' in declaration of `rlm_sql_mysql_sock'
> sql_mysql.c:51: warning: data definition has no type or storage class
> sql_mysql.c: In function `sql_init_socket':
>
> My testing looks to be working but I am just not getting the other .conf
> files tailored.
>
> Brent Berry
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
> Sent: Friday, October 15, 2004 3:04 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Installing freeRadius on RH Linux 9.0
>
>> Gene Rouse [EMAIL PROTECTED] wrote:
>>> Below I have included the error messages I get.
>>>
>>> gmake[11]: Entering directory `/root/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
>>> [ xrlm_sql_mysql = x ] || /root/freeradius-1.0.1/libtool --mode=install /root/freeradius-1.0.1/install-sh -c -c rlm_sql_mysql.la /usr/local/lib/rlm_sql_mysql.la
>>> libtool: install: `rlm_sql_mysql.la' is not a valid libtool archive
>>
>>   Did the make process succeed?
>>
>>   Alan DeKok.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gene Rouse
Sent: Monday, October 18, 2004 12:58 AM
To: [EMAIL PROTECTED]
Subject: FW: Installing freeRadius on RH Linux 9.0

> I did post the errors.  Below is the message I sent on 10/15/2004.  It's a
> non-issue now, because I found out what the problem was.  Two extremely
> helpful members of the Linux community contacted me off-list and we compared
> their Linux installations with mine and found I was missing the mysql-devel
> package. Once installed it went great. I now have not one but two functional
> freeRADIUS boxes.
>
> Just so everyone knows, I am a MS MCSE and this is a major departure from
> what I've spent the last 20 years using.  I'm not just running Linux on the
> server side.  It's on every box in our office.  I'm not saying I'm
> abandoning Windows.  This particular solution called for something a little
> more secure, less prone to virus attacks and a heck of a lot cheaper.  My
> total software cost for this WISP is $3000.00 which is for the billing
> software and its options.  Considering I'm used to a point and click world,
> I don't think I'm doing too bad.
>
> Thanks Paul and Bruce,
> Gene
>
>> -----Original Message-----
>> From: Gene Rouse [mailto:[EMAIL PROTECTED]]
>> Sent: Friday, October 15, 2004 3:32 PM
>> To: '[EMAIL PROTECTED]'
>> Subject: Installing freeRadius on RH Linux 9.0
>>
>> Below I have included the error messages I get.
>>
>> gmake[11]: Entering directory `/root/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
>> [ xrlm_sql_mysql = x ] || /root/freeradius-1.0.1/libtool --mode=install /root/freeradius-1.0.1/install-sh -c -c rlm_sql_mysql.la /usr/local/lib/rlm_sql_mysql.la
>> libtool: install: `rlm_sql_mysql.la' is not a valid libtool archive
>> Try `libtool --help --mode=install' for more information.
>> gmake[11]: *** [install] Error 1
>> gmake[11]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
>> gmake[10]: *** [common] Error 1
>> gmake[10]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql/drivers'
>> gmake[9]: *** [install] Error 2

radiusd seg faulting

2004-10-18 Thread Bill Schwanitz
Hello,
Somehow I have been able to get radiusd to seg fault. I am not sure
exactly what to provide, so if there is something someone needs to
further diagnose, let me know.
Details of the issue:
If I authenticate 1 time, access-accept. Same for time #2. The third time is
not so good: it seg-faults the daemon. I am not sure if this is an
issue with requesting Kerberos tickets too quickly or not. When I looked at
the strace output there was no indication of this being the problem, as
it failed at the opening/writing of a log file.
I have an strace file which details the issue to a point. Compressed
it is ~60k but it decompresses to ~13 MB. For the sake of not sending
this to people who do not want it, I will only provide it to those who
ask (and not send it to the list, of course...).
Here are the Details of my configuration:
( the following are just the things I have messed with which apply to
the configuration ... If the full configs are desired, let me know )
authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
#   Auth-Type PAP {
#   pap
#   }
#
#  Most people want CHAP authentication
#  A back-end database listed in the 'authorize' section
#  MUST supply a CLEAR TEXT password.  Encrypted passwords
#  won't work.
#   Auth-Type CHAP {
#   chap
#   }
#
#  MSCHAP authentication.
#   Auth-Type MS-CHAP {
#   mschap
#   }
#
#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line.
# digest
#
#  Pluggable Authentication Modules.
#
# un-comment to re-enable
# - bilsch
#pam
#
# krb5 / kerberos
#
krb5
#
#  See 'man getpwent' for information on how the 'unix'
#  module checks the users password.  Note that packets
#  containing CHAP-Password attributes CANNOT be authenticated
#  against /etc/passwd!  See the FAQ for details.
#
#unix
# Uncomment it if you want to use ldap for authentication
#   Auth-Type LDAP {
#   ldap
#   }
#
#  Allow EAP authentication.
#   eap
}
( more modules are configured - they should have no bearing as best I
can tell )
modules {
krb5 {
service_principal = SITE.NET
}
}
( changed my ip's and realm for security )
# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 default = SYSLOG
 kdc = FILE:/var/log/krb5kdc.log
 kdc = SYSLOG
 admin_server = FILE:/var/log/kadmind.log
 admin_server = SYSLOG
[libdefaults]
 ticket_lifetime = 24000
 default_realm = SITE.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 SITE.NET = {
  kdc = 1.2.3.20:88
  admin_server = 1.2.3.20
 }
[domain_realm]
 .telsource.net = SITE.NET
 telsource.net = SITE.NET
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 86500
   #renew_lifetime = 36000
   renew_lifetime = 86500
   forwardable = true
   krb4_convert = false
   addressless = true
 }

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Restricting VPN User

2004-10-18 Thread Mahesh S Kudva
Dear All

The setup is straight. I just want to restrict one server of my internal 
network to the VPN user. Web port in the application port, but I need the 
users to be able to access the entire server.

Regards  Thanks

Mahesh S Kudva




Original Message-
cheers,
        Can you please give more details about your setup and the reason you want to
restrict one server? Can you tell me port-wise, so I will get
more of an idea, and give most of the things specifically, like:

The VPN user is connected and may be using the intranet / file server, so
please specify what you want to do exactly. The reason I am asking is that you can
use some RADIUS attributes which can be used to block ports.




On Mon, 18 Oct 2004 12:44:10 +0530, Mahesh S Kudva
[EMAIL PROTECTED] wrote:
 Hi All
 
 I have a VPN Server which redirects all the authentication to
 freeRADIUS1.0.1. My question is how do I restrict the VPN User to a
 particular host in the network depriving him of all the resources and
 hosts in the network. In short I want to restrict the VPN user to One and
 Only One Network Server.?
 
 Thanks in advance..
 
 Regards  Thanks
 
 Mahesh S Kudva
 Robosoft Technologies
 System Administration Department
 Phone: 0820-2535458 Extn: 205, 244
 http://www.robosoftin.com
 
 


-- 
Regards

Vipul Ramani







RE: [ Tagged - SPAM ? ] Restricting VPN User

2004-10-18 Thread Berry, William





The group policy on my VPN server dictates the accessible networks. I have several setups that only allow one specific IP address with a 255.255.255.255 subnet. 

Brent 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mahesh S Kudva

Sent: Monday, October 18, 2004 2:14 AM
To: [EMAIL PROTECTED]
Subject: [ Tagged - SPAM ? ] Restricting VPN User
Importance: Low


Hi All


I have a VPN Server which redirects all the authentication to 
freeRADIUS1.0.1. My question is how do I restrict the VPN User to a 
particular host in the network depriving him of all the resources and 
hosts in the network. In short I want to restrict the VPN user to One and 
Only One Network Server.?


Thanks in advance..


Regards  Thanks

Mahesh S Kudva
Robosoft Technologies
System Administration Department
Phone: 0820-2535458 Extn: 205, 244
http://www.robosoftin.com













Re: EAP TLS login fails after creation of new certs

2004-10-18 Thread Alan DeKok
Beekmann (EXT), Lars [EMAIL PROTECTED] wrote:
 Now I tried to write a script for creating the Certs myself - without
 obvious problems.
 
 But after I installed the Certs on the Radius Server and the Windows XP
 Client, the Client doesn't Login anymore.

  Run the server in debugging mode to see what's going wrong, and why.

 Can anyone tell me what I've done wrong with the Certs?!

  Why are you writing your own script?  Just edit the CA.certs file to
have your own information, and then use the script to create new
certificates.

  Alan DeKok.




Re: Restricting VPN User

2004-10-18 Thread Alan DeKok
Mahesh S Kudva [EMAIL PROTECTED] wrote:
 I have a VPN Server which redirects all the authentication to 
 freeRADIUS1.0.1. My question is how do I restrict the VPN User to a 
 particular host in the network ...

  For what?

 depriving him of all the resources and hosts in the network. In
 short I want to restrict the VPN user to One and Only One Network
 Server.?

  I'm not sure what you mean by a network server.

  I think if you give the user a private IP, and then tell your VPN
not to route that IP, that might work...

  Alan DeKok.




Re: Problems configuring on Solaris

2004-10-18 Thread Alan DeKok
Hennie Rautenbach [EMAIL PROTECTED] wrote:
 I have grepped the errors from the config.log file:
 
 configure:7947: error: dereferencing pointer to incomplete type

  Those errors are part of the configure process, as it tries to
figure out what to do.  Since the configure process didn't stop with
an error, those lines in config.log should be ignored.

 There are a number of warnings during configure and a make 
 also bombs.

  So... what warnings are there during configure?

  What goes wrong during the make process?

  Alan DeKok.



Re: radtest/NTRadPing users/passwd

2004-10-18 Thread Alan DeKok
Paul [EMAIL PROTECTED] wrote:
 A failed test against a username in raddb/users looks like this:
 radtest -d /usr/local/etc/raddb/ kiko testing 127.0.0.1 10 testing123
...

  Why are you looking at the output from radclient when the README,
FAQ, man pages, and other places say to run the server in debugging
mode and to read its output?

  Alan DeKok.




Re: more info, radtest/NTRadPing users/passwd

2004-10-18 Thread Alan DeKok
Paul [EMAIL PROTECTED] wrote:
rad_check_password:  Found Auth-Type System
 auth: type System
Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 2
modcall[authenticate]: module unix returns notfound for request 2

  Ok... what part of that message is not clear?

  Alan DeKok.



Re: more info, radtest/NTRadPing users/passwd

2004-10-18 Thread Paul
Alan DeKok wrote:
Paul [EMAIL PROTECTED] wrote:
 

  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module unix returns notfound for request 2
   

 Ok... what part of that message is not clear?
 

Thanks for replying.
Well, that seems to indicate that radtest is not sending the password in 
the form of CHAP.  As a result, it looks like the server is trying to 
use /etc/passwd to validate a user that is actually in raddb/users.  So, 
is radtest incapable of sending a proper CHAP password, or am I doing 
something wrong?  (This test is successful using NTRadPing.)

Output from radiusd -X using NTRadPing:
 rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 14
 rlm_chap: login attempt by kiko with CHAP password
 rlm_chap: Using clear text password testing for user kiko authentication.
 rlm_chap: chap user kiko authenticated succesfully
Output from radiusd -X using radtest:
 rad_check_password:  Found Auth-Type System
auth: type System
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
 modcall[authenticate]: module unix returns notfound for request 15
modcall: group authenticate returns notfound for request 15
auth: Failed to validate the user.


Radius accounting issue

2004-10-18 Thread Russell Premont
I cannot get Radius accounting to work. I am running Freeradius 0.9.3 on
Solaris 9. Authentication works fine. When I start radius in debug mode I
see processing the config file with no errors and listening on the proper
ports that I have set in the /etc/services file.

/etc/services excerpt
radius          1645/udp    radius          # radius
radius-acct     1646/udp    radius-acct     # radius accounting
radius-proxy    1649/udp    radius-proxy    # radius proxy

radiusd.conf excerpt
Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on
1647/udp.
Ready to process requests.

Then I see the following:

rad_recv: Accounting-Request packet from host 192.168.1.14:1027, id=176,
length=210
Ignoring request from unknown home server 192.168.1.14:1027
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.1.14:1027, id=177,
length=241
Ignoring request from unknown home server 192.168.1.14:1027
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.1.14:1027, id=178,
length=239
Ignoring request from unknown home server 192.168.1.14:1027
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.1.14:1027, id=179,
length=211
Ignoring request from unknown home server 192.168.1.14:1027

What do I need to do to get accounting to start working?





Re: more info, radtest/NTRadPing users/passwd

2004-10-18 Thread Alan DeKok
Paul [EMAIL PROTECTED] wrote:
 Well, that seems to indicate that radtest is not sending the password in 
 the form of CHAP.  As a result, it looks like the server is trying to 
 use /etc/passwd to validate a user that is actually in raddb/users.

  So edit raddb/users to set Auth-Type := Local, or Auth-Type :=
PAP for that user.

  So, is radtest incapable of sending a proper CHAP password, or am I
 doing something wrong?  (This test is successful using NTRadPing.)

  radtest is just a shell script wrapper around radclient.  radtest
can't send a CHAP password, because it takes the password you give it,
and puts it into a User-Password attribute.  Edit the script to see.

  radclient can send a CHAP-Password.  Just put the clear-text
password into the CHAP-Password attribute, and radtest will do the
right thing before sending the RADIUS packet.

  Alan DeKok.

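As an added example (not code from the thread, from radclient or from rlm_chap), here is the CHAP-Password computation a client performs and the check the server performs, per RFC 2865 section 5.3, with a small dispatcher that mirrors the point above: a CHAP-Password can only be verified from a clear-text password, while the User-Password that radtest sends can also be checked against a stored hash. The attribute names are the RADIUS ones; `authenticate`, `demo` and the sha256 stand-in for a crypt(3) hash are assumptions of this example.

```python
"""CHAP-Password round trip (RFC 2865 section 5.3), added example.

Client side (what radclient does with a clear-text CHAP-Password):
    CHAP-Password = Ident || MD5(Ident || password || challenge)
Server side (what rlm_chap does): recompute from the clear-text password.
The challenge is the CHAP-Challenge attribute, or the Request Authenticator
when the request carries no CHAP-Challenge.
"""
import hashlib
import hmac
import os

CHAP_PASSWORD_LEN = 17  # 1-octet CHAP Ident + 16-octet MD5 response


def chap_response(chap_id: int, cleartext_password: str, challenge: bytes) -> bytes:
    """16-octet response: MD5(Ident || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + cleartext_password.encode() + challenge).digest()


def build_chap_password(chap_id: int, cleartext_password: str, challenge: bytes) -> bytes:
    """Client side: the value of the CHAP-Password attribute."""
    return bytes([chap_id]) + chap_response(chap_id, cleartext_password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, cleartext_password: str) -> bool:
    """Server side: only possible when the clear-text password is known."""
    if len(chap_password) != CHAP_PASSWORD_LEN:
        return False
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def crypt_stand_in(cleartext_password: str) -> str:
    """Stand-in for a one-way /etc/shadow style hash (assumption: sha256, not crypt(3))."""
    return hashlib.sha256(cleartext_password.encode()).hexdigest()


def authenticate(request: dict, user_entry: dict) -> tuple:
    """Choose the check the way the server's Auth-Type selection does (assumed
    simplification). user_entry carries 'User-Password' (clear text, as in
    raddb/users) and/or 'Crypt-Password' (one-way hash). Returns (ok, reason).
    The User-Password value here is the decoded one, after the RFC 2865
    shared-secret hiding has been removed."""
    if "CHAP-Password" in request:
        if "User-Password" not in user_entry:
            # The failure from the thread: a hash-only store (/etc/passwd) cannot
            # reproduce MD5(Ident || password || challenge).
            return False, "CHAP-Password needs a clear-text password; only a hash is stored"
        challenge = request.get("CHAP-Challenge", request["Request-Authenticator"])
        ok = verify_chap(request["CHAP-Password"], challenge, user_entry["User-Password"])
        return ok, "rlm_chap: authenticated" if ok else "rlm_chap: wrong password"
    if "User-Password" in request:
        # What radtest produces: the password itself, so either store works.
        sent = request["User-Password"]
        if "User-Password" in user_entry:
            ok = hmac.compare_digest(sent.encode(), user_entry["User-Password"].encode())
        else:
            ok = hmac.compare_digest(crypt_stand_in(sent), user_entry["Crypt-Password"])
        return ok, "pap: authenticated" if ok else "pap: wrong password"
    return False, "no password attribute"


def demo() -> dict:
    """Constructed sample: user 'kiko' with password 'testing' as in the thread."""
    challenge = os.urandom(16)  # plays the Request Authenticator
    chap_req = {"User-Name": "kiko",
                "CHAP-Password": build_chap_password(0x01, "testing", challenge),
                "Request-Authenticator": challenge}
    pap_req = {"User-Name": "kiko", "User-Password": "testing"}
    clear_store = {"User-Password": "testing"}
    hash_store = {"Crypt-Password": crypt_stand_in("testing")}
    return {
        "chap/clear": authenticate(chap_req, clear_store)[0],
        "chap/hash": authenticate(chap_req, hash_store)[0],
        "pap/clear": authenticate(pap_req, clear_store)[0],
        "pap/hash": authenticate(pap_req, hash_store)[0],
    }


if __name__ == "__main__":
    print(demo())
```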


Re: Radius accounting issue

2004-10-18 Thread Alan DeKok
Russell Premont [EMAIL PROTECTED] wrote:
 Then I see the following:
 
 rad_recv: Accounting-Request packet from host 192.168.1.14:1027, id=176,
 length=210
 Ignoring request from unknown home server 192.168.1.14:1027

  Why do you have the client sending packets to port 1027?

  The debug log of the server, and /etc/services, shows that
accounting packets should be sent to port 1646.

 What do I need to do to get accounting to start working?

  What RADIUS client are you using?

  Alan DeKok.




Re: FW: Installing freeRadius on RH Linux 9.0

2004-10-18 Thread Stefan . Neis
Hi,

 I did post the errors.  Below is the message I sent on 10/15/2004.

Just wanted to point out that you did post the errors of make install
(or maybe a second call to make), which was not helpful at all in
diagnosing the error. The errors generated by make (or even of the
first run of it) would have been needed...

 Two extremely
 helpful members of the Linux community contacted me off-list and we compared
 their Linux installations with mine and found I was missing the mysql-devel
 package.

That's a slightly harder way of doing things...

Regards,
Stefan







Re: setting User-Name to 'modified' mac address

2004-10-18 Thread Jose Guevarra
Hmmm,
  
 I've been trying to use regex to get the 12 hex characters in the
Calling-Station-Id but, I must be doing something wrong.

In my hints file i have

DEFAULT Calling-Station-Id =~ 
(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)
User-Name := `%{0}`
 
This should set the User Name to the hex characters in the mac address
or 'something' at least

However, in debug mode I can see that User-Name is not modified.

In perl i can use the regex below and it seems to work

PERL
-=-=-=-=-==-==-=-=-=-=-==-=-
my $string = '23-00-ab-fa-ee-23';

if( $string =~ /(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)/ )
{
 print $1,$2,$3,$4,$5,$6;
}
-=-=-=-=-==-==-=-=-=-=-==-=-

What am I doing wrong? How do I fix it?

Thanks,




On Fri, 2004-10-15 at 09:03, Alan DeKok wrote:
 Jose Guevarra [EMAIL PROTECTED] wrote:
   I have freeradius authenticating mac addresses listed in a MySQL
  database.  It works! But, the mac address passed by the client(hp 2650)
  is in the form 00-00-00-00-00-00. I set the 'user name' to the 'calling
  station id' in the 'hints' file like so
  
  User-Name := %i
  
  Is it possible to filter out the - or : or put it into any format I
  like?
 
   Yes.  Use regular expressions.  See doc/variables.txt
 
   Alan DeKok.
 




Re: setting User-Name to 'modified' mac address

2004-10-18 Thread Alan DeKok
Jose Guevarra [EMAIL PROTECTED] wrote:
 In my hints file i have
 
 DEFAULT Calling-Station-Id =~  (\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)
   User-Name := `%{0}`
  
 This should set the User Name to the hex characters in the mac address
 or 'something' at least

  Or something...

  And if you're going to use %{0}, you don't need regular expressions.
Just use %{Calling-Station-Id}

 However, in debug mode I can see that User-Name is not modified.
 
 In perl i can use the regex below and it seems to work

  Perl supports \w in regular expressions.  POSIX expressions (which
the server uses, via the libraries from your system) do not support \w.

  Alan DeKok.




Re: Newbie question SQL-freeradius testing tools

2004-10-18 Thread Alan DeKok
Dirk Enrique Seiffert - CaribeNet [EMAIL PROTECTED] wrote:
It's included with the server.  www.freeradius.org says so.
 But www.freeradius.org is not the bible:

  Huh?  www.freeradius.org is the DEFINITIVE place to find FreeRADIUS.
We include dialup_admin in our releases.  If Suse doesn't, that's
their issue.

 At least my distribution (SuSE) includes freeradius, but no dialup
 admin. So why should there be a link?

  Ask Suse.  www.freeradius.org makes it clear that dialup_admin is
included with the server.

 You might want to add some FAQs:
 
 Freeside and SQL:
 1) Where can I find Dialup Admin?
 
 The server comes with a PHP-based web user administration tool, called 
 dialupadmin. You also can download dialupadmin on 
   http://sourceforge.net/projects/dialup-admin/

  No.  dialup_admin is included with the server.  That sourceforge
page is no longer active.

 2) Where can I find documentation on how to set up MySQL Accounting with 
 freeradius?

  The server comes with documentation on how to do this.

 If you think these questions are exotic or covered already: Read the Mailing 
 List Archives and the FAQ, ... but read it.

  I've read it.  My conclusion is that for most people, the
documentation which comes with the server answers these questions.
For others, it doesn't.  For a small number of people, no amount of
documentation is good enough.

  Alan DeKok.




Re: UDPFROMTO and Proxy Problem

2004-10-18 Thread Alan DeKok
Raimund Sacherer [EMAIL PROTECTED] wrote:
 There were two problems with proxying, first, i listen to 2 ip
 addresses, if those were on different interfaces (eth0/eth1) it is not
 working, the problem is, the packet is sent to the roamingpartner, but
 the response is not recognized by freeradius (where a local test with
 netcat is recognized), but i can see it clearly with tcpdump.
...

  Please submit the patch to bugs.freeradius.org.  That way it won't
get forgotten.

  Alan DeKok.




Re: Possible bug with redundant code in accounting module

2004-10-18 Thread Alan DeKok
Rick Macdougall [EMAIL PROTECTED] wrote:
 In our configuration and testing we came across one small bug in the
 accounting module.
 
 accounting {
   detail  # always log to detail, stopping if it fails
   redundant {
 sql1  # try module sql1
 sql2  # if that's down, try module sql2
   handled # otherwise drop the request as
   # it's been handled by the always
   # module (see doc/rlm_always)
   }
   }
 
 Does not work, it logs to both servers.

  Hmm... that's odd.  It should only do so if the first returns fail.

 group {
   sql1 {
 fail = 1
 notfound = 2
...
 Does work correctly, only logging to the second server when the first
 server is down or otherwise has an error.

  I don't see why, the accounting function in rlm_sql *never*
returns notfound.

  Alan DeKok.




Re: PEAP with client certificates

2004-10-18 Thread Alan DeKok
Khurram Jahangir [EMAIL PROTECTED] wrote:
 I think the problem lies in the following part of the
 Radiusd log
 
  Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 6
   rlm_eap: Request found, released from the list
   rlm_eap: EAP NAK
  rlm_eap: EAP-NAK asked for EAP-Type/tls
  rlm_eap: Unable to tunnel TLS inside of TLS

  So... you're trying to use EAP-TLS inside of EAP-PEAP.  As the error
message says, you can't do that.

  Alan DeKok.




Re: PEAP with client certificates

2004-10-18 Thread Khurram Jahangir
Hi Again,

Correct me if I misunderstood you. 

You mean that EAP-TLS inside of  EAP-PEAP is not
possible at all and is wrong or it is correct and
freeradius  might support this in future.

Regards

Khurram

--- Alan DeKok [EMAIL PROTECTED] wrote:

 Khurram Jahangir [EMAIL PROTECTED] wrote:
  I think the problem lies in the following part of
 the
  Radiusd log
  
   Processing the authenticate section of
 radiusd.conf
  modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
   rlm_eap: EAP-NAK asked for EAP-Type/tls
   rlm_eap: Unable to tunnel TLS inside of TLS
 
   So... you're trying to use EAP-TLS inside of
 EAP-PEAP.  As the error
 message says, you can't do that.
 
   Alan DeKok.
 
 
 




Re: more info, radtest/NTRadPing users/passwd

2004-10-18 Thread Paul
Alan DeKok wrote:
Paul [EMAIL PROTECTED] wrote:
 

Well, that seems to indicate that radtest is not sending the password in 
the form of CHAP.  As a result, it looks like the server is trying to 
use /etc/passwd to validate a user that is actually in raddb/users.
   

 So edit raddb/users to set Auth-Type := Local, or Auth-Type :=
PAP for that user.
 

Thanks!  Auth-Type := Local made it work consistently.  Auth-Type := 
PAP didn't work for me at all.

Now to see if everything works with an XP client.  The only options in 
XP are MSCHAPv2 and certs.  I guess that's another mini-adventure for 
me.  ^_^



Re: PEAP with client certificates

2004-10-18 Thread Alan DeKok
Khurram Jahangir [EMAIL PROTECTED] wrote:
 You mean that EAP-TLS inside of  EAP-PEAP is not
 possible at all and is wrong or it is correct and
 freeradius  might support this in future.

  FreeRADIUS does not support this.  It may in the future, if someone
supplies a patch.

  Alan DeKok.



RE: setting User-Name to 'modified' mac address

2004-10-18 Thread Jose Guevarra
Ok, POSIX expressions are supported here, then shouldn't putting parentheses
around the hex characters give me groups %{1}...%{6}?

I do this 

DEFAULT Calling-Station-Id =~
([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-
([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9]) 
User-Name := `%{1}%{2}%{3}%{4}%{5}%{6}`

Instead of getting a mac address with no '-' I get a long weird combination
of hex and '-'.  I mapped out the %{x} groups and they are not what I expect

for example:
11-c0-4f-40-47-b4

becomes groups

%{1} = 11
%{2} = c0-4f
%{3} = 4f-40-47
%{4} = 40-47-b4
%{5} = 47-b4
%{6} = b4

Is my regex wrong or what?

Thanks,




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, October 18, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: setting User-Name to 'modified' mac address

Jose Guevarra [EMAIL PROTECTED] wrote:
 In my hints file i have
 
 DEFAULT Calling-Station-Id =~
(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)
   User-Name := `%{0}`
  
 This should set the User Name to the hex characters in the mac address 
 or 'something' at least

  Or something...

  And if you're going to use %{0}, you don't need regular expressions.
Just use %{Calling-Station-Id}

 However, in debug mode I can see that User-Name is not modified.
 
 In perl i can use the regex below and it seems to work

  Perl supports \w in regular expressions.  POSIX expressions (which
the server uses, via the libraries from your system) do not support \w.

  Alan DeKok.






RE: setting User-Name to 'modified' mac address(continued)

2004-10-18 Thread Jose Guevarra
 Alan,

   Perl supports \w in regular expressions.  POSIX expressions (which
the server uses, via the libraries from your system) do not support \w.

how do I tell which 'libraries' are being used hence the supported regex
syntax/capabilities?

Thanks,



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose
Guevarra
Sent: Monday, October 18, 2004 4:31 PM
To: [EMAIL PROTECTED]
Subject: RE: setting User-Name to 'modified' mac address

Ok, POSIX expressions are supported here, then shouldn't putting parentheses
around the hex characters give me groups %{1}...%{6}?

I do this 

DEFAULT Calling-Station-Id =~
([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-
([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9])-([a-fA-F0-9][a-fA-F0-9]) 
User-Name := `%{1}%{2}%{3}%{4}%{5}%{6}`

Instead of getting a mac address with no '-' I get a long weird combination
of hex and '-'.  I mapped out the %{x} groups and they are not what I expect

for example:
11-c0-4f-40-47-b4

becomes groups

%{1} = 11
%{2} = c0-4f
%{3} = 4f-40-47
%{4} = 40-47-b4
%{5} = 47-b4
%{6} = b4

Is my regex wrong or what?

Thanks,




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, October 18, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: setting User-Name to 'modified' mac address

Jose Guevarra [EMAIL PROTECTED] wrote:
 In my hints file i have
 
 DEFAULT Calling-Station-Id =~
(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)\-(\w\w)
   User-Name := `%{0}`
  
 This should set the User Name to the hex characters in the mac address 
 or 'something' at least

  Or something...

  And if you're going to use %{0}, you don't need regular expressions.
Just use %{Calling-Station-Id}

 However, in debug mode I can see that User-Name is not modified.
 
 In perl i can use the regex below and it seems to work

  Perl supports \w in regular expressions.  POSIX expressions (which
the server uses, via the libraries from your system) do not support \w.

  Alan DeKok.






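As an added example (not from the thread or from FreeRADIUS), here is the octet extraction written with only bracket expressions and `{2}` intervals, which POSIX ERE (the system regcomp() the server calls) accepts, unlike the Perl-only `\w` and `\-` used earlier in the thread. Python's `re` stands in for the matcher only to show what %{0} to %{6} should hold for `11-c0-4f-40-47-b4` and what `%{1}%{2}%{3}%{4}%{5}%{6}` then yields; `mac_to_username` and `apply_hint` are assumptions of this example, and `mac_to_username` goes beyond the thread by also accepting ':' separators and normalising case, which the original question asked about.

```python
"""Capture groups for a MAC address in Calling-Station-Id (added example)."""
import re

# Two hex digits. Bracket expressions and {n} are POSIX ERE, so this pattern is
# usable in a hints file as well as in Perl or Python; \w and \- are not ERE.
HEX2 = "[0-9A-Fa-f]{2}"

# Exactly the six-group layout from the thread: '-' separated, anchored.
MAC_DASHED = re.compile("^" + "-".join(f"({HEX2})" for _ in range(6)) + "$")

# Generalisation: '-' or ':' between octets (the HP 2650 sends dashes; the
# original question also asked about colons).
MAC_ANY_SEP = re.compile("^" + "[-:]".join(f"({HEX2})" for _ in range(6)) + "$")


def capture_groups(calling_station_id: str):
    """Return {0: whole match, 1..6: octets}, i.e. what %{0}..%{6} should expand
    to for a matching DEFAULT entry, or None when the value is not a dashed MAC."""
    m = MAC_DASHED.match(calling_station_id)
    if m is None:
        return None
    return {i: m.group(i) for i in range(7)}


def mac_to_username(calling_station_id: str):
    """The intended `%{1}%{2}%{3}%{4}%{5}%{6}`: 12 lower-case hex digits, or None.
    Case is normalised because a string lookup on User-Name in MySQL should not
    depend on whether the NAS sends upper or lower case."""
    m = MAC_ANY_SEP.match(calling_station_id)
    if m is None:
        return None
    return "".join(m.groups()).lower()


def apply_hint(attrs: dict) -> dict:
    """Mimic the hints entry: set User-Name := joined octets only when
    Calling-Station-Id matches, and leave any other request untouched."""
    username = mac_to_username(attrs.get("Calling-Station-Id", ""))
    if username is None:
        return dict(attrs)
    return {**attrs, "User-Name": username}


if __name__ == "__main__":
    print(capture_groups("11-c0-4f-40-47-b4"))
    print(apply_hint({"User-Name": "00-00-00-00-00-00",
                      "Calling-Station-Id": "11-c0-4f-40-47-b4"}))
```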


D-Link DWL-2700AP Enterprise Access Point

2004-10-18 Thread Gene Rouse
I have two  questions:

1.
I have recently completed a freeradius install and tested it using
NTradping.  Everything looks good.  My access point is a D-Link DWL-2700AP
outdoor access point.  It supports (among other things) WPA-RADIUS and
802.1x.  The AP is configured to use 802.1x on port 1812 for auth and 1813
for acctg.  When I do a test with NTradping I can watch the requests come
in.  When I try to connect to AP I don't see any auth requests on the
server.  D-Link says the device is fully radius compliant.  In the
clients.conf I have the NAS configured as a type other since D-Link isn't in
the list with the other vendors.  I would like to know at least where I can
get started troubleshooting the issue.  Is there a Windows software utility
that will let me read the info coming out of the NAS to see what it is
sending?  If more info is needed let me know so that I can forward it to the
list.

2.  This is possibly a dumb question.  I apologize in advance if it is.

We want to control upload and download bandwidth with the radius box.  In
order to do this does the radius server need to physically be connected
between the NAS and internet router?

Gene




problem authenticating to passwd/shadow files

2004-10-18 Thread Cameron Birky
I am using freeradius (or trying) to authenticate my poptop (pptpd) clients. 
 the configuration is
as follows

fedora core 2
freeradius 1.0.1
pptpd-1.2.1-1
and pppd 2.4.3 (compiled with radius plugin)
I can use ntradping to authenticate just fine, but when my client tries it 
fails.  There appears, from
the debug logs, to be a problem in the encryption of the client mschapv2 and 
of radiusd.conf
which says mschap but that it can handle mschapv2.

scenario 1.
when I do not have the radius plugin in my options.pptpd file, I can 
authenticate to the chap-secrets file (i.e. not using radius, my pptpd 
config works)

scenario 2.
when I do have the radius plugin in the options.pptpd file, but turn off 
pap/chap/mschap req's
in the same file.  I can authenticate to radius.

scenario 3.
when I have the radius plugin in the options.pptpd file, refuse 
pap/chap/mschap, require mschapv2
and mppe-128.  authentication fails, with the following error from debug.

++
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type System
auth: type System
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: Attribute User-Password is required for authentication.
 modcall[authenticate]: module unix returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
++
before I attach a bunch of log files and config files I would like to know 
1. if I am combining things
that would prefer not to go together (i.e. this won't work!) or 2. if there 
is a drop in config that
some one can point me towards (no reason to recreate the wheel).

any help would be greatly appreciated!
cb



Certificate extensions

2004-10-18 Thread Bilal Ahmed
Hi,

I have question regarding the following line in the CA.all script:

openssl ca  -policy policy_anything  -out newcert.pem -passin
pass:whatever -key whatever -extensions xpserver_ext -extfile
xpextensions -infiles newreq.pem

Does the use of the switch -extensions here (implying extended key
usage) override some other key usages of the key? 

I ask this because when I print out the purpose of the certificate
generated by CA.all script, it does not show the key usages such as
Digital Signature etc and only shows TLS Web Server authentication.
Whereas when I take -extensions part out, I get a whole list of key
usages.

Thanks,
Bilal
