Radius CDR'S
Hi FreeRadius users,

Presently I am using FreeRadius-1.1.1 with SER. I am getting all Accounting Start / Accounting Stop details into the Radius database. This is raw data; what I mean is that I am getting two or three messages for one call. So, in order to get them as one CDR per customer, what is the way to do it? Do we have to rely on other software? If yes, please tell me and I will go through that process.

Thanks to FreeRadius,
Regards,
Ravi.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
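The collapse Ravi asks about (several accounting packets per call, one billing record per call) as an added example that is not part of the original post. It assumes the raw rows have already been read out of the accounting table into dicts keyed by RADIUS attribute name; the rows below are constructed sample data.

```python
"""Collapse raw RADIUS accounting records into one CDR per call.

Added example, not from the original mailing-list post. Assumes accounting
rows have been pulled from the radacct table into dicts keyed by the
standard attribute names (Acct-Session-Id, Acct-Status-Type, ...).
"""
from collections import OrderedDict

# Constructed sample rows: two calls that each produce Start, Interim-Update
# and Stop records, plus one Stop whose Start never arrived (lost packet).
RAW_RECORDS = [
    {"Acct-Session-Id": "sess-0001", "Acct-Status-Type": "Start",
     "User-Name": "alice", "Calling-Station-Id": "60123456789",
     "Called-Station-Id": "60198765432", "Event-Timestamp": 1151941200},
    {"Acct-Session-Id": "sess-0002", "Acct-Status-Type": "Start",
     "User-Name": "bob", "Calling-Station-Id": "60111111111",
     "Called-Station-Id": "60122222222", "Event-Timestamp": 1151941260},
    {"Acct-Session-Id": "sess-0001", "Acct-Status-Type": "Interim-Update",
     "User-Name": "alice", "Event-Timestamp": 1151941260,
     "Acct-Session-Time": 60},
    {"Acct-Session-Id": "sess-0001", "Acct-Status-Type": "Stop",
     "User-Name": "alice", "Event-Timestamp": 1151941320,
     "Acct-Session-Time": 120, "Acct-Terminate-Cause": "User-Request"},
    {"Acct-Session-Id": "sess-0002", "Acct-Status-Type": "Stop",
     "User-Name": "bob", "Event-Timestamp": 1151941500,
     "Acct-Session-Time": 240, "Acct-Terminate-Cause": "Lost-Carrier"},
    {"Acct-Session-Id": "sess-0003", "Acct-Status-Type": "Stop",
     "User-Name": "carol", "Event-Timestamp": 1151941600,
     "Acct-Session-Time": 30, "Acct-Terminate-Cause": "NAS-Reboot"},
]


def build_cdrs(records):
    """Return one CDR dict per Acct-Session-Id, in first-seen order.

    Start supplies the call setup data, Stop supplies the final duration and
    the termination cause, Interim-Update only refreshes the running
    duration. A session with a Stop but no Start is kept and flagged so
    billing can review it instead of silently dropping the call.
    """
    sessions = OrderedDict()
    for rec in records:
        sid = rec["Acct-Session-Id"]
        cdr = sessions.setdefault(sid, {
            "session_id": sid, "user": rec.get("User-Name"),
            "calling": None, "called": None,
            "start": None, "stop": None, "duration": 0,
            "cause": None, "complete": False, "missing_start": False,
        })
        status = rec["Acct-Status-Type"]
        if status == "Start":
            cdr["start"] = rec["Event-Timestamp"]
            cdr["calling"] = rec.get("Calling-Station-Id")
            cdr["called"] = rec.get("Called-Station-Id")
        elif status == "Interim-Update":
            cdr["duration"] = rec.get("Acct-Session-Time", cdr["duration"])
        elif status == "Stop":
            cdr["stop"] = rec["Event-Timestamp"]
            cdr["duration"] = rec.get("Acct-Session-Time", cdr["duration"])
            cdr["cause"] = rec.get("Acct-Terminate-Cause")
            cdr["complete"] = True
    for cdr in sessions.values():
        if cdr["complete"] and cdr["start"] is None:
            cdr["missing_start"] = True
    return list(sessions.values())


def cdrs_per_customer(cdrs):
    """Group the completed CDRs by User-Name: the per-customer view."""
    out = {}
    for cdr in cdrs:
        if cdr["complete"]:
            out.setdefault(cdr["user"], []).append(cdr)
    return out


if __name__ == "__main__":
    for user, calls in cdrs_per_customer(build_cdrs(RAW_RECORDS)).items():
        for c in calls:
            print(user, c["session_id"], c["duration"], c["cause"],
                  "REVIEW" if c["missing_start"] else "ok")
```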
Re: Defining different Service-Types for different equipment for the same user
Alan DeKok wrote:
> Nuno Cervaens [EMAIL PROTECTED] wrote:
>> My problem is that when a user logs in to an Enterasys SSR with
>> Service-Type = Administrative, it goes immediately to the configure mode,
>> and I don't want that, just the enable mode.
>
> I presume this is a documented Enterasys feature. If not, file a bug with
> them.

Yes, it's an SSR feature, so I cannot change this.

>> So for a user that has Serv.Type = Administrative I would like to
>> specifically define for the SSRs the Service-Type as NAS-Prompt (which goes
>> to enable mode; the equivalent of Administrative for CISCO, which also goes
>> to enable mode, for example).
>
> I'm not sure what you mean by that. You can define what you want, but what
> do you want to put in what packet?

Here's an example of what would be a perfect solution:

userOne Crypt-Password == $1$GYuKhumy$wUkW0ZvClTCi86kkkgJBw.
        Service-Type = 6
        Service-Type = 7 (for the SSRs)

userTwo Crypt-Password == $1$ASD#$SDGYuKhasdcasdcasdumy$wUk.
        Service-Type = 7
        Service-Type = 1 (for the SSRs)

So, userOne would log in as Administrative in all routers and as NAS-Prompt for the SSRs; userTwo would log in as NAS-Prompt in all routers and as Login for the SSRs. The reason I want this is that for the same Service-Type I have different behaviours from the equipment.

> Alan DeKok.
Re: Framed-IP-Address accounted in Hex
On 4 Jul 2006, at 17:01, Alan DeKok wrote:
> Graeme Hinchliffe [EMAIL PROTECTED] wrote:
>> Further to this, I have just noticed that this doesn't seem to just be
>> restricted to the IP address, but also the Session ID field. Instead of
>> displaying the session ID as, say, 020268001A6C-44A618FF I am seeing:
>>
>> 0x303230324646464636383030314136432d3434413631384646
>>
>> which is the hex dump of the ASCII string. 0x30 == '0'.
>
> Indeed. I think the dictionaries from 1.1.2 didn't get installed, so many
> of the attributes default to type octets.

I have found entries which indicate this has happened prior to my upgrade to 1.1.2, and also, checking, I can see that all the dictionary files are the versions that came with the 1.1.2 code.

What would cause FreeRADIUS to output in this manner? We have surmised that if it sees a non-ASCII byte in the field it would convert the whole field into a hex representation to stop trying to write binary to the db. If this is the case then it could well be a bug with the hardware and we can chase the vendor and apply a patch to the code in freeradius until we get it fixed.

Also, when I ran the code in debug mode (-X switch) I never saw one occurrence of this problem in the screen output or the postgres logs. Of course, computers being what they are, it's most likely that it was just a fluke, but at what point would FreeRADIUS decide to convert the output to a hex representation?

Our NASes are all Redbacks, SE400's and SMS10K's.

Thanks
Graeme
Re: problem in configuring PEAP on freeRADIUS1.1.2
Generate certificates and then configure eap.conf; it'll work.

Regards,
sukhvinder

--- Pradeep Sengar [EMAIL PROTECTED] wrote:
> Hi,
>
> I'm running freeRADIUS 1.1.2. Trying to run it for PEAP authentication, I
> made a few changes in the radiusd.conf, eap.conf and users files in the
> /usr/local/etc/raddb/ directory. On running freeradius in debugging mode by
> typing radiusd -x on the command prompt it gives this output:
>
> [EMAIL PROTECTED] ~]# radiusd -x
> Starting - reading configuration files ...
> Using deprecated naslist file. Support for this will go away soon.
> Module: Loaded exec
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> Module: Instantiated unix (unix)
> Module: Loaded eap
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> rlm_eap: Loaded and initialized type gtc
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: SSL error error:0200100E:system library:fopen:Bad address
> rlm_eap_tls: Error reading certificate file
> rlm_eap: Failed to initialize type tls
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1920] Unknown module eap.
> radiusd.conf[1867] Failed to parse authenticate section.
>
> I am attaching the radiusd.conf, clients.conf, eap.conf and users files
> here. Please tell me also how to mention a network in clients.conf. Do I
> need to install openssl before running the freeradius server?
>
> I'm pasting my files below:
>
> radiusd.conf
>
> ## radiusd.conf -- FreeRADIUS server configuration file.
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = ${prefix}/etc
> localstatedir = ${prefix}/var
> sbindir = ${exec_prefix}/sbin
> logdir = ${localstatedir}/log/radius
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
>
> # Location of config and logfiles.
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = ${exec_prefix}/lib
> pidfile = ${run_dir}/radiusd.pid
> #user = nobody
> #group = nobody
>
> # max_request_time: The maximum time (in seconds) to handle a request.
> #
> # Useful range of values: 5 to 120
> #
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = *
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions = yes
> log_stripped_names = no
> log_auth = no
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
>
> # The program to execute to do concurrency checks.
> checkrad = ${sbindir}/checkrad
>
> # SECURITY CONFIGURATION
> security {
>         max_attributes = 200
>         reject_delay = 1
>         status_server = no
> }
>
> proxy_requests = yes
> $INCLUDE ${confdir}/proxy.conf
>
> # CLIENTS CONFIGURATION
> $INCLUDE ${confdir}/clients.conf
>
> # SNMP CONFIGURATION
> snmp = no
> $INCLUDE ${confdir}/snmp.conf
>
> # THREAD POOL CONFIGURATION
> thread pool {
>         start_servers = 5
>         max_servers = 32
>         min_spare_servers = 3
>         max_spare_servers = 10
>         max_requests_per_server = 0
> }
>
> # MODULE CONFIGURATION
> modules {
>         pap {
>                 encryption_scheme = crypt
>         }
>
> === message truncated ===
multiple Auth-Type
I've multiple Auth-Type and Autz-Type to use for the LDAP backend. With the settings below, I'm trying NOT to set Auth-Type, as suggested, so I let FreeRADIUS detect Auth-Type by itself. It is only working for the OCE line because it's EAP type. The other lines are not working unless the password is stored in plain text in LDAP. If all lines (except the OCE line) are given Auth-Type := LDAP/Y5/ADSL, then it's working. So my big question is: why is it recommended not to set Auth-Type??

Error in debug:

auth: type Local
auth: user supplied User-Password does NOT match local User-Password

users:

DEFAULT NAS-Identifier == Wireless-802.11, Autz-Type := Y5
DEFAULT Huntgroup-Name == adsl, Autz-Type := ADSL
DEFAULT NAS-Identifier == OCEPOP, Autz-Type := OCE
DEFAULT Autz-Type := LDAP

modules {
        ldap ldapadsl {
                -- some config
                basedn = ou=ADSL,ou=AAA,ou=People,dc=jaring,dc=my
                -- some config
        }
        ldap ldapy5 {
                -- some config
                basedn = ou=Y5,ou=AAA,ou=People,dc=jaring,dc=my
                -- some config
        }
        ldap ldap1 {
                -- some config
                basedn = ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my
                -- some config
        }
        ldap ldapOCE {
                -- some config
                basedn = ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my
                -- some config
        }
}

authorize {
        Autz-Type ADSL {
                ldapadsl
        }
        Autz-Type Y5 {
                ldapy5
        }
        Autz-Type OCE {
                ldapOCE
        }
        Autz-Type LDAP {
                ldap1
        }
}

authenticate {
        Auth-Type ADSL {
                ldapadsl
        }
        Auth-Type Y5 {
                ldapy5
        }
        Auth-Type OCE {
                ldapOCE
        }
        Auth-Type LDAP {
                ldap1
        }
}
Re: Framed-IP-Address accounted in Hex
On 6 Jul 2006, at 09:58, Graeme Hinchliffe wrote:
> On 4 Jul 2006, at 17:01, Alan DeKok wrote:
>> Graeme Hinchliffe [EMAIL PROTECTED] wrote:
>>> Further to this, I have just noticed that this doesn't seem to just be
>>> restricted to the IP address, but also the Session ID field. Instead of
>>> displaying the session ID as, say, 020268001A6C-44A618FF I am seeing:
>>>
>>> 0x303230324646464636383030314136432d3434413631384646
>>>
>>> which is the hex dump of the ASCII string. 0x30 == '0'.
>>
>> Indeed. I think the dictionaries from 1.1.2 didn't get installed, so
>> many of the attributes default to type octets.
>
> I have found entries which indicate this has happened prior to my upgrade
> to 1.1.2, and also, checking, I can see that all the dictionary files are
> the versions that came with the 1.1.2 code.
>
> What would cause FreeRADIUS to output in this manner? We have surmised
> that if it sees a non-ASCII byte in the field it would convert the whole
> field into a hex representation to stop trying to write binary to the db.
> If this is the case then it could well be a bug with the hardware and we
> can chase the vendor and apply a patch to the code in freeradius until we
> get it fixed.
>
> Also, when I ran the code in debug mode (-X switch) I never saw one
> occurrence of this problem in the screen output or the postgres logs. Of
> course, computers being what they are, it's most likely that it was just a
> fluke, but at what point would FreeRADIUS decide to convert the output to
> a hex representation?
>
> Our NASes are all Redbacks, SE400's and SMS10K's.

I just checked a bit further, and noticed the problem with one of our Dialup NASes, which are Cisco AS5300's, so I don't think it is a hardware vendor issue. Not as many sessions go through the Dialin racks anymore, so I'm not seeing as much data from them.

Graeme
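The hex form discussed in this thread is what FreeRADIUS writes for a value of type octets: "0x" followed by the hex of every byte, so the ASCII session id ends up as 0x3032.... The decoder below is an added example (not from the thread or from FreeRADIUS) for cleaning such rows back up after the dictionary problem is fixed; it recovers printable ASCII, turns a four-byte Framed-IP-Address back into dotted quad, and leaves genuinely binary values as hex. The column-to-attribute mapping in decode_row is an assumption about how the caller's accounting table is laid out.

```python
"""Recognise and decode values that FreeRADIUS stored as hex-dumped octets.

Added example, not from the original thread. An attribute with no
string/ipaddr type in the loaded dictionary falls back to type octets, and
an octets value is written as 0x followed by two hex digits per byte.
"""
import ipaddress
import string

HEXDIGITS = set(string.hexdigits)
# Characters safe to hand back as text; control characters stay hex-encoded.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def looks_like_hex_dump(value):
    """True if value is '0x' followed by an even, non-empty run of hex digits."""
    body = value[2:]
    return (value.startswith("0x") and len(body) >= 2 and len(body) % 2 == 0
            and all(ch in HEXDIGITS for ch in body))


def decode_octets(value, attr=None):
    """Return (decoded, was_hex) for one value read from the accounting table.

    attr is the RADIUS attribute the column holds; it is only used to turn a
    4-byte Framed-IP-Address back into dotted-quad form.
    """
    if not looks_like_hex_dump(value):
        return value, False
    raw = bytes.fromhex(value[2:])
    if attr == "Framed-IP-Address" and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw)), True
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return value, True          # real binary: keep the hex form
    if any(ch not in PRINTABLE for ch in text):
        return value, True          # control bytes: keep the hex form
    return text, True


def decode_row(row, hex_columns):
    """Decode the listed columns of one row dict in place and return it.

    hex_columns maps column name -> RADIUS attribute name (assumed layout), e.g.
    {"acctsessionid": "Acct-Session-Id", "framedipaddress": "Framed-IP-Address"}.
    """
    for column, attr in hex_columns.items():
        if column in row and isinstance(row[column], str):
            row[column], _ = decode_octets(row[column], attr)
    return row


if __name__ == "__main__":
    # The value quoted in the thread, decoded back to the text the NAS sent.
    print(decode_octets("0x303230324646464636383030314136432d3434413631384646"))
```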
unknown module eap error
Hello,

I was running freeRadius version 1.1.1, and everything was working smoothly. I then had to reformat my server, so I saved my entire raddb config directory so that I would not need to start completely from scratch. However, I have now installed version 1.1.2, and I cannot get it running properly. I have included the output from running in debug mode below.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 60
main: cleanup_delay = 6
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = nobody
main: group = nobody
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
rlm_eap: Failed to link EAP-Type/tls: file not found
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1894] Unknown module eap.
radiusd.conf[1841] Failed to parse authenticate section.

Any help or advice would be appreciated.

Thanks,
Simon
Re: unknown module eap error
Hi,

> rlm_eap: Failed to link EAP-Type/tls: file not found
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1894] Unknown module eap.
> radiusd.conf[1841] Failed to parse authenticate section.

You want to use TLS or TTLS or PEAP, but have compiled the server without TLS support. Install openssl and the corresponding development libraries (often called openssl-devel) and recompile the server.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu        Fax: +352 422473
module install
Hi all,

I'm new to radius and for about a week I have been searching for authentication without username/password, but by calling number. After all that, I found the rlm_checkval module. We are using version 0.9.3 and the rlm_checkval module doesn't exist there. I want to install it but it's not in the stable list. So, here is the question: in version 1.1.2 it is in the stable list. If I want to install the rlm_checkval module which exists in version 1.1.2 into 0.9.3, what happens? I think there is no difference.

Thanks in advance.
Cihan.
Re: Listening on proxy*: 1814
Giuseppe Parlato [EMAIL PROTECTED] wrote:
> I upgraded freeradius but when it starts, at the end of debug I don't get
> the usual "Listening on proxy*: 1814". Where can I configure it?

You don't. If you're not proxying packets, then that port won't be used.

Alan DeKok.
Re: module install
Cihan DEMİR [EMAIL PROTECTED] wrote:
> in version 1.1.2, it is in the stable list. If I want to install the
> rlm_checkval module which exists in version 1.1.2 into 0.9.3, what happens?
> I think there is no difference.

You can't do it. Upgrade to 1.1.2.

Alan DeKok.
Re: CHAP and Windows 2003 AD LDAP
Alan DeKok wrote:
> Luke [EMAIL PROTECTED] wrote:
>> Unfortunately I need to support CHAP because it is used by an external
>> global Dial-Up provider which the freeradius machine is authenticating for.
>
> If the passwords are in AD your ONLY choice is to use IAS, and even then,
> only if ALL of the passwords are stored via what they call "using
> reversible encryption".

Thanks Alan - looks like it is not possible (we do not want to use IAS and store passwords using reversible encryption, which would also mean resetting every user's password). I'm going to need to talk to our global dial-up provider to see if they can send the radius request using anything other than CHAP, if possible.

Thanks again,
Luke
cisco 3550
hi,

I am using freeradius 1.0.5 on cygwin in eap-tls mode. My switch is a cisco 3550. I hope to assign a user to a vlan and modified my users file by adding these attributes:

Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = vlan number

The user is authenticated, but it seems as if the cisco has not received the request. The "accept request" in the log shows nothing about the assignment of my user to the vlan. Do I have to add other vendor specific attributes for my user?

Here is my dictionary.cisco content:

# -*- text -*-
#
#	dictionary.cisco
#
#		Accounting VSAs originally by
#		"Marcelo M. Sosa Lugones" [EMAIL PROTECTED]
#
# Version:	$Id: dictionary.cisco,v 1.12.4.1 2005/11/30 22:17:21 aland Exp $
#
#	For documentation on Cisco RADIUS attributes, see:
#
# http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/vsaig3.htm
#

VENDOR		Cisco				9

#
#	Standard attribute
#
BEGIN-VENDOR	Cisco

ATTRIBUTE	Cisco-AVPair				1	string
ATTRIBUTE	Cisco-NAS-Port				2	string

#
#	T.37 Store-and-Forward attributes.
#
ATTRIBUTE	Cisco-Fax-Account-Id-Origin		3	string
ATTRIBUTE	Cisco-Fax-Msg-Id			4	string
ATTRIBUTE	Cisco-Fax-Pages				5	string
ATTRIBUTE	Cisco-Fax-Coverpage-Flag		6	string
ATTRIBUTE	Cisco-Fax-Modem-Time			7	string
ATTRIBUTE	Cisco-Fax-Connect-Speed			8	string
ATTRIBUTE	Cisco-Fax-Recipient-Count		9	string
ATTRIBUTE	Cisco-Fax-Process-Abort-Flag		10	string
ATTRIBUTE	Cisco-Fax-Dsn-Address			11	string
ATTRIBUTE	Cisco-Fax-Dsn-Flag			12	string
ATTRIBUTE	Cisco-Fax-Mdn-Address			13	string
ATTRIBUTE	Cisco-Fax-Mdn-Flag			14	string
ATTRIBUTE	Cisco-Fax-Auth-Status			15	string
ATTRIBUTE	Cisco-Email-Server-Address		16	string
ATTRIBUTE	Cisco-Email-Server-Ack-Flag		17	string
ATTRIBUTE	Cisco-Gateway-Id			18	string
ATTRIBUTE	Cisco-Call-Type				19	string
ATTRIBUTE	Cisco-Port-Used				20	string
ATTRIBUTE	Cisco-Abort-Cause			21	string

#
#	Voice over IP attributes.
#
ATTRIBUTE	h323-remote-address			23	string
ATTRIBUTE	h323-conf-id				24	string
ATTRIBUTE	h323-setup-time				25	string
ATTRIBUTE	h323-call-origin			26	string
ATTRIBUTE	h323-call-type				27	string
ATTRIBUTE	h323-connect-time			28	string
ATTRIBUTE	h323-disconnect-time			29	string
ATTRIBUTE	h323-disconnect-cause			30	string
ATTRIBUTE	h323-voice-quality			31	string
ATTRIBUTE	h323-gw-id				33	string
ATTRIBUTE	h323-incoming-conf-id			35	string

ATTRIBUTE	h323-credit-amount			101	string
ATTRIBUTE	h323-credit-time			102	string
ATTRIBUTE	h323-return-code			103	string
ATTRIBUTE	h323-prompt-id				104	string
ATTRIBUTE	h323-time-and-day			105	string
ATTRIBUTE	h323-redirect-number			106	string
ATTRIBUTE	h323-preferred-lang			107	string
ATTRIBUTE	h323-redirect-ip-address		108	string
ATTRIBUTE	h323-billing-model			109	string
ATTRIBUTE	h323-currency				110	string
ATTRIBUTE	subscriber				111	string
ATTRIBUTE	gw-rxd-cdn				112	string
ATTRIBUTE	gw-final-xlated-cdn			113	string
ATTRIBUTE	remote-media-address			114	string
ATTRIBUTE	release-source				115	string
ATTRIBUTE	gw-rxd-cgn				116	string
ATTRIBUTE	gw-final-xlated-cgn			117	string

# SIP Attributes
ATTRIBUTE	call-id					141	string
ATTRIBUTE	session-protocol			142	string
ATTRIBUTE	method					143	string
ATTRIBUTE	prev-hop-via				144	string
ATTRIBUTE	prev-hop-ip				145	string
ATTRIBUTE	incoming-req-uri			146	string
ATTRIBUTE	outgoing-req-uri			147	string
ATTRIBUTE	next-hop-ip				148	string
ATTRIBUTE	next-hop-dn				149	string
ATTRIBUTE	sip-hdr					150	string

#
#	Extra attributes sent by the Cisco, if you configure
#	"radius-server vsa accounting" (requires IOS11.2+).
#
ATTRIBUTE	Cisco-Multilink-ID			187	integer
ATTRIBUTE	Cisco-Num-In-Multilink			188	integer
ATTRIBUTE	Cisco-Pre-Input-Octets			190	integer
ATTRIBUTE	Cisco-Pre-Output-Octets			191	integer
ATTRIBUTE	Cisco-Pre-Input-Packets			192	integer
ATTRIBUTE	Cisco-Pre-Output-Packets		193	integer
ATTRIBUTE	Cisco-Maximum-Time			194	integer
ATTRIBUTE	Cisco-Disconnect-Cause			195	integer
ATTRIBUTE	Cisco-Data-Rate				197	integer
ATTRIBUTE	Cisco-PreSession-Time			198	integer
ATTRIBUTE	Cisco-PW-Lifetime			208	integer
ATTRIBUTE	Cisco-IP-Direct				209	integer
ATTRIBUTE	Cisco-PPP-VJ-Slot-Comp			210	integer
ATTRIBUTE	Cisco-PPP-Async-Map			212	integer
ATTRIBUTE	Cisco-IP-Pool-Definition		217	string
ATTRIBUTE	Cisco-Assign-IP-Pool			218	integer
ATTRIBUTE	Cisco-Route-IP				228	integer
ATTRIBUTE	Cisco-Link-Compression			233	integer
ATTRIBUTE	Cisco-Target-Util			234	integer
ATTRIBUTE	Cisco-Maximum-Channels			235	integer
ATTRIBUTE	Cisco-Data-Filter			242	integer
ATTRIBUTE	Cisco-Call-Filter			243	integer
ATTRIBUTE	Cisco-Idle-Limit			244	integer
ATTRIBUTE	Cisco-Account-Info			250	string
ATTRIBUTE	Cisco-Service-Info			251	string
ATTRIBUTE	Cisco-Command-Code			252	string
ATTRIBUTE	Cisco-Control-Info			253	string
ATTRIBUTE	Cisco-Xmit-Rate				255	integer

VALUE	Cisco-Disconnect-Cause		Unknown				2
VALUE	Cisco-Disconnect-Cause		CLID-Authentication-Failure	4
VALUE	Cisco-Disconnect-Cause		No-Carrier			10
VALUE	Cisco-Disconnect-Cause		Lost-Carrier			11
VALUE	Cisco-Disconnect-Cause		No-Detected-Result-Codes	12
VALUE	Cisco-Disconnect-Cause		User-Ends-Session		20
VALUE	Cisco-Disconnect-Cause		Idle-Timeout			21
VALUE	Cisco-Disconnect-Cause		Exit-Telnet-Session		22
VALUE	Cisco-Disconnect-Cause
Radius ip pool service !!
Hi,

I read about the ip pool service in freeradius. I need to deliver IPs to my clients post-auth. I need to know if ip pool is the tool for this.

Thanks
Emerson
Re: Radius ip pool service !!
> Hi,
>
> I read about the ip pool service in freeradius. I need to deliver IPs to my
> clients post-auth. I need to know if ip pool is the tool for this.

That depends on who your clients are. If you have 802.1X secured networks, you will need a DHCP server. 802.1X does not support passing arguments like an IP address on the layer 2 link to the client.

If you have dialup users using PPP, then ip pools are your friend. The IP address can then be sent in a Framed-IP-Address attribute and, given the dialup server supports it, be transported in the PPP session to the user.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: EAP-TTLS/PAP - LDAP for WPA2
> Quite new to radius and struggling to get my head around things, so forgive
> me if my assumptions are wrong. I appear to have the setup working but I'm
> concerned it's not doing what I think it is. I don't think the
> authentication requests are actually going over an encrypted channel.

You need to differentiate two parts of the link:

a) the data that is passed between the client device and the RADIUS server, and
b) the backend communication between the RADIUS server and LDAP.

a) is encrypted when using EAP-TTLS.
b) may or may not be encrypted, depending on your settings in the RADIUS server.

> I'm using freeradius-1.1.2 on a freebsd server and I've compiled it against
> openldap-2.3.24, which all went well. I'm attempting to set up secure
> wireless with WPA2 using our ldap directory for authentication. We have a
> replica of our directory running on the freeradius server. Originally I had
> hoped to use some sort of web-redirect-to-an-authentication-page system like
> you sometimes see in hotels, but I can't find anything about that (any
> information welcome).

Try googling for "captive portal".

> After reading around, the best form of authentication I can see would be
> eap-ttls with pap as the inner protocol. I believe (from comments in the
> radiusd.conf file) that I wouldn't be able to use md5 with ldap. Now,

There is a chance that you could, but using MD5 kind of sucks. And it might be non-trivial to set up.

> I've set it up in a way that appears to be mostly right and I *can*
> authenticate with my username/password in ldap, but doing a tcpdump on the
> radius server worries me.

You should see lots of RADIUS packets going between your server and the client (switch/access point) with encrypted payload in the attribute EAP-Message.

> I can see my username passed in the clear in the packets, so I'm concerned
> it's not using tls at all. I told the wireless client to use ttls, so I
> can't understand what's going on.

You might see the clear text password on packets going from your RADIUS server to LDAP (depending on how you set up the LDAP communication). That's what's going on.

> The following is a summary of the main changes I made to the radiusd.conf
> and eap.conf files. If I don't mention an attribute it's because I didn't
> change it from the default setting:
>
> radiusd.conf:
>
> modules {
>         ldap {
>                 server = localhost
>                 filter = (uid=%u)
>                 base_filter = (objectclass=radiusprofile)
>                 start_tls = no

And this is where the non-encrypted backend communication comes from: no TLS configured for the LDAP backend.

>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>         }
> }
>
> authorize {
>         eap
>         ldap
> }
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>         eap
>         Auth-Type LDAP {
>                 ldap
>         }
> }
>
> eap.conf:
>
> eap {
>         default_eap_type = ttls
>         tls {
>                 private_key_file = ${raddbdir}/certs/radius_key.pem
>                 certificate_file = ${raddbdir}/certs/radius_cert.pem
>                 CA_file = ${raddbdir}/certs/cacert.pem
>                 random_file = ${raddbdir}/certs/random
>         }
>         ttls {
>                 default_eap_type = md5
>         }
> }
>
> Now I know that default_eap_type setting looks wrong, but I don't know what
> I *should* have there.

The one in ttls {} looks a bit awkward. But if things work, it's okay I guess.

> On the server in /var/log/radiusd.log I see the following:
>
> Wed Jul 5 16:10:32 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
> Wed Jul 5 16:10:32 2006 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
> Wed Jul 5 16:10:32 2006 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)

Which is completely normal. It means that the *client* is not sending a certificate. TTLS makes him send username and password instead of a certificate, so nothing to see here. Please move along.

> I based my certificate generation on the instructions at:
> http://homepage.mac.com/andreaswolf/public/wpaeap.html
> including using the xpextensions mentioned there. I generated my random file
> using dd and /dev/urandom.

Good boy. And it seems like everything worked out beautifully. Now secure your backend communication with TLS as well if you are really concerned about that, and you're done.

> I am a little lost and don't know what is best practice. Any advice would be
> appreciated. I've tried googling but haven't found a good guide that matches
> our setup. I can, of course, give more information if needed.

Really? WPA2 is quite a wide-spread scenario. And using LDAP as backend is quite common as well.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: EAP-TTLS/PAP - LDAP for WPA2
Hi,

> I'm using freeradius-1.1.2 on a freebsd server and I've compiled it against
> openldap-2.3.24, which all went well. I'm attempting to set up secure
> wireless with WPA2 using our ldap directory for authentication. We have a
> replica of our directory running on the freeradius server. Originally I had
> hoped to use some sort of web-redirect-to-an-authentication-page system like
> you sometimes see in hotels, but I can't find anything about that (any
> information welcome).

captive portal - there are several software tools that will do this... eg http://en.wikipedia.org/wiki/Captive_portal

most people seem to be moving away from this method as it is riddled with possible security compromises.

> After reading around, the best form of authentication I can see would be
> eap-ttls with pap as the inner protocol. I believe (from comments in the
> radiusd.conf file) that I wouldn't be able to use md5 with ldap. Now, I've
> set it up in a way that appears to be mostly right and I *can* authenticate
> with my username/password in ldap, but doing a tcpdump on the radius server
> worries me. I can see my username passed in the clear in the packets, so
> I'm concerned it's not using tls at all. I told the wireless client to use
> ttls, so I can't understand what's going on.

PAP uses clear text (unencrypted) password authentication. Whilst the EAP-TTLS traffic is encrypted (and the PAP lurks inside that encrypted session), when you CAN see the PAP in the clear is when it's being sent over to LDAP - so you need to make sure that that communication is encrypted... either by making sure it's configured to use SSL for its communication channel... or simply 'stunnel'ing the traffic.

> modules {
>         ldap {
>                 server = localhost
>                 filter = (uid=%u)
>                 base_filter = (objectclass=radiusprofile)
>                 start_tls = no

^^ this!

>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>         }
> }
>
> authorize {
>         eap
>         ldap
> }

alan
Re: EAP-TTLS/PAP - LDAP for WPA2
Stefan Winter wrote:
> You need to differentiate two parts of the link:
> a) the data that is passed between the client device and the RADIUS server and
> b) the backend communication between RADIUS server and LDAP.
> a) is encrypted when using EAP-TTLS
> b) may or may not be encrypted, depending on your settings in the RADIUS server.

Hi Stefan,

Thanks for the quick reply. a) is my concern, b) is not an issue. As i said in the original mail (or at least i meant to!) there is a replica of our ldap server running on the same machine as our freeradius server. It binds to the loopback device only and as such there's no real point in encrypting traffic.

>> Originally i had hoped to use some sort of web-redirect-to-an-authentication-page system like you sometimes see in hotels but i can't find anything about that (any information welcome).
> Try googling for captive portal.

Thanks - just didn't know the name of it!

>> After reading around, the best form of authentication i can see would be eap-ttls with pap as the inner protocol. I believe (from comments in the radiusd.conf file) that i wouldn't be able to use md5 with ldap. Now,
> There is a chance that you could, but using MD5 kindof sucks. And it might be non-trivial to set up.

As i understand it, if ttls is working correctly, it should adequately protect my username/password no matter what inner protocol i use. So, PAP should be fine, right?

>> i've set it up in a way that appears to be mostly right and i *can* authenticate with my username/password in ldap but doing a tcpdump on the radius server worries me.
> You should see lots of RADIUS packets going between your server and the client (switch/access point) with encrypted payload in the attribute EAP-Message.

Ah. It would seem my original tcpdump truncated the packets so i was missing some of the attributes. By setting -s 0, i now get the full RADIUS packets.

The EAP-Message doesn't appear to be encrypted on the initial packet from the ap to the server. Inside i see Type and Identity (containing my username. The username is also in the User-Name attribute). After that, all the EAP-Message packets have Type EAP-TTLS [Funk], which i suppose is pretty funky from ethereal's point of view. But it's good news to me. I can look at the SSL fields and it appears that everything is good. So i'm feeling much happier.

But i'm *not* happy with the fact that my username is going in the clear. Is there anything i can do about this? This potentially gives an attacker information he can use to try and brute force or even just passively get a list of users...

>> On the server in /var/log/radiusd.log i see the following:
>> Wed Jul 5 16:10:32 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
>> Wed Jul 5 16:10:32 2006 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
>> Wed Jul 5 16:10:32 2006 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
> Which is completely normal. It means that the *client* is not sending a certificate. TTLS makes him send username and password instead of a certificate, so nothing to see here. Please move along.

Excellent - good news.

> Good boy. And it seems like everything worked out beautifully. Now secure your backend communication with TLS as well if you are really concerned about that, and you're done.

As i say, not an issue. No encrypted packets on the network between the radius server and the ldap server as they're on the same host, communicating over the loopback interface.

>> I am a little lost and don't know what is best practice. Any advice would be appreciated. I've tried googling but haven't found a good guide that matches our setup. I can, of course, give more information if needed.
> Really? WPA2 is quite a wide-spread scenario. And using LDAP as backend is quite common as well.

But (imho) all the write-ups don't really explain what's going on. Myself, i don't understand what the authorize section and authenticate sections are supposed to do. Could somebody talk to the radius server directly without encryption using my settings? Can i specify what kinds of authentication i'll accept from users compared to the types of backend authentication i can do? I just find it hard to get my head around it...

Thanks!
John
Re: EAP-TTLS/PAP - LDAP for WPA2
[EMAIL PROTECTED] wrote:
> captive portal - there are several software tools that will do this... eg http://en.wikipedia.org/wiki/Captive_portal
> most people seem to be moving away from this method as it is riddled with possible security compromises.

Thanks for the heads-up. I'll take a look at it, but keep in mind the possible security implications (i'll google).

> PAP uses clear text (unencrypted) password authentication. whilst the EAP-TTLS traffic is encrypted (and the PAP lurks inside that encrypted session) when you CAN see the PAP in the clear is when its being sent over to LDAP - so you need to make sure that that communication is encrypted...either by making sure its configured to use SSL for its communication channel...or simply 'stunnel'ing the traffic.
>
>>      start_tls = no
> ^^ this!

As mentioned in my response to Stefan, this is not a concern for me as they're on the same host communicating exclusively over the loopback interface.

On a side-note, I've now noticed that radius doesn't appear to be respecting my ldap filter.

    base_filter = (objectclass=radiusprofile)

but i can authenticate as a user without a radiusprofile attribute. Ideas?

Thanks,
John
Re: EAP-TTLS/PAP - LDAP for WPA2
Hi,

> The EAP-Message doesn't appear to be encrypted on the initial packet from the ap to the server. Inside i see Type and Identity (containing my username. The username is also in the User-Name attribute)

that'll be your outer identity... which, as it is plain to see (pun definitely intended folks), is why many people use some anonymous identity for protection..why give away some of your credentials? - eg [EMAIL PROTECTED]

> But (imho) all the write-ups don't really explain what's going on. Myself, i don't understand what the authorize section and authenticate sections are supposed to do. Could somebody talk to the radius server directly without encryption using my settings? Can i specify what kinds of authentication i'll accept from users compared to the types of backend authentication i can do? I just find it hard to get my head around it...

authenticate = yes, you are who you are
authorize = should you be using this? do we perhaps change the service you get (eg VLAN)

if you've allowed people to talk to the RADIUS server, then they can...this is why you have eg the clients.conf (or clients SQL) to define *WHAT* NAS can talk to RADIUS server and what secret key they must have to talk to it.

you can define whatever type of authentication that FR supports...depending on the eg username...

alan
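To make the outer-identity point concrete, here is an added example (not code from this thread or from FreeRADIUS) that decodes hand-constructed Access-Requests the way a packet capture would be read: the EAP Response/Identity and the User-Name attribute the AP copies from it are readable by anyone on the path, while an EAP-TTLS response exposes only a TLS record. The identities john@example.org and anonymous@example.org, the TLS record stub and the all-zero authenticator are constructed values.

```python
"""Decode RADIUS Access-Requests and report which identity fields are readable
without any key. Added example for this thread, not FreeRADIUS code; the
packets, identities and the all-zero authenticator below are constructed."""
import struct

EAP_TYPE = {1: "Identity", 21: "EAP-TTLS"}
TLS_CONTENT = {0x16: "handshake", 0x17: "application-data"}


def radius_attrs(packet):
    """Yield (type, value) pairs from one RADIUS packet (RFC 2865 framing)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20  # code, id, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def inspect(packet):
    """Return what an on-path observer learns from one Access-Request."""
    found = {"User-Name": None, "EAP-Identity": None, "EAP-Type": None, "TLS": None}
    eap = b""
    for atype, value in radius_attrs(packet):
        if atype == 1:                       # User-Name
            found["User-Name"] = value.decode()
        elif atype == 79:                    # EAP-Message fragments concatenate
            eap += value
    if len(eap) >= 5:
        _code, _eid, _elen, etype = struct.unpack("!BBHB", eap[:5])
        found["EAP-Type"] = EAP_TYPE.get(etype, str(etype))
        if etype == 1:                       # Response/Identity: cleartext
            found["EAP-Identity"] = eap[5:].decode()
        elif etype == 21:                    # EAP-TTLS: flags, optional length, TLS
            flags = eap[5]
            tls = eap[10:] if flags & 0x80 else eap[6:]
            if tls:
                found["TLS"] = TLS_CONTENT.get(tls[0], "unknown")
    return found


def build_request(ident, attrs):
    """Frame an Access-Request (code 1); the authenticator is a constructed zero block."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body


def eap_response(eid, etype, data):
    """Frame one EAP Response (code 2) of the given type."""
    return struct.pack("!BBHB", 2, eid, 5 + len(data), etype) + data


# Constructed outer identities: a real user name, and the anonymous form alan suggests.
REAL_ID = b"john@example.org"
ANON_ID = b"anonymous@example.org"
# Constructed TLS record header (content type 0x16 = handshake) with a stub body.
TLS_RECORD = bytes.fromhex("1603010005") + b"\x01\x00\x00\x01\x00"

PKT_IDENTITY = build_request(53, [(1, REAL_ID), (79, eap_response(1, 1, REAL_ID))])
PKT_TTLS = build_request(54, [(1, REAL_ID), (79, eap_response(2, 21, b"\x00" + TLS_RECORD))])
PKT_ANON = build_request(55, [(1, ANON_ID), (79, eap_response(1, 1, ANON_ID))])

if __name__ == "__main__":
    for name, pkt in (("identity", PKT_IDENTITY), ("ttls", PKT_TTLS), ("anonymous", PKT_ANON)):
        print(name, inspect(pkt))
```

With an anonymous outer identity only the realm is visible on the wire; the real user name travels inside the TLS session as part of the inner PAP exchange.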
Mysql Authentication
Hi all,

We are migrating from an old installation of Radiator onto Freeradius. Local test accounts work fine, however I am getting an error on mysql based authentication. I am sure I'm missing something basic, here is the output from the radiusd process.

Thanks,
Max

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:59269, id=53, length=75
        User-Name = [EMAIL PROTECTED]
        User-Password = testdial
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: Looking up realm foo.com for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm foo.com
    rlm_realm: Proxying request from user cisp1 to realm foo.com
    rlm_realm: Adding Realm = foo.com
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type System
auth: type System
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 53 to 127.0.0.1 port 59269
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 53 with timestamp 44ad4ca3

--
Max Clark
http://www.clarksys.com
Re: Mysql Authentication
On Thu, Jul 06, 2006 at 10:48:03AM -0700, Max Clark wrote:
> Hi all,
>
> We are migrating from an old installation of Radiator onto Freeradius. Local test accounts work fine, however I am getting an error on mysql based authentication. I am sure I'm missing something basic, here is the output from the radiusd process.
>
> Thanks,
> Max
>
> [...]
>
>   rad_check_password: Found Auth-Type System
> auth: type System
> ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
> auth: Failed to validate the user.
> [...]

Set Auth-Type to Local in your database.

Regards,
Fox.
Re: Mysql Authentication
It was actually much more of a basic problem - dialupadmin uses crypt passwords by default and the default radius configuration looks for clear text.

Thanks,
Max

On 7/6/06, Francois-Xavier GAILLARD [EMAIL PROTECTED] wrote:
> On Thu, Jul 06, 2006 at 10:48:03AM -0700, Max Clark wrote:
>> Hi all,
>>
>> We are migrating from an old installation of Radiator onto Freeradius. Local test accounts work fine, however I am getting an error on mysql based authentication. I am sure I'm missing something basic, here is the output from the radiusd process.
>>
>> [...]
>>
>>   rad_check_password: Found Auth-Type System
>> auth: type System
>> ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
>> auth: Failed to validate the user.
>> [...]
>
> Set Auth-Type to Local in your database.
>
> Regards,
> Fox.

--
Max Clark
http://www.clarksys.com
Re: Mysql Authentication
Max Clark [EMAIL PROTECTED] wrote:
> We are migrating from an old installation of Radiator onto Freeradius. Local test accounts work fine, however I am getting an error on mysql based authentication. I am sure I'm missing something basic, here is the output from the radiusd process.

You still have the entry in the users file that sets Auth-Type = System

Delete it.

Alan DeKok.
Re: EAP-TTLS/PAP - LDAP for WPA2
[EMAIL PROTECTED] wrote:
>> The EAP-Message doesn't appear to be encrypted on the initial packet from the ap to the server. Inside i see Type and Identity (containing my username. The username is also in the User-Name attribute)
>
> that'll be your outer identity... which, as it is plain to see (pun definitely intended folks), is why many people use some anonymous identity for protection..why give away some of your credentials? - eg [EMAIL PROTECTED]

Hmmm. Well, in the first packet i see the Identity in the EAP-Message, but the User-name attribute is in every packet sent by the AP. How would i go about using an anonymous identity? Would that be up to the wireless client configuration? It would be quite important for me to hide this.

If i'm understanding you correctly, the User-name attribute and the Identity field in the EAP-Message attribute have nothing to do with authentication which is all enclosed (including the username) in PAP which is encrypted inside EAP-TTLS?

If i could just get this fixed, i think i'd be happy with my setup...

> authenticate = yes, you are who you are
> authorize = should you be using this? do we perhaps change the service you get (eg VLAN)
>
> if you've allowed people to talk to the RADIUS server, then they can...this is why you have eg the clients.conf (or clients SQL) to define *WHAT* NAS can talk to RADIUS server and what secret key they must have to talk to it.
>
> you can define whatever type of authentication that FR supports...depending on the eg username...

This certainly helps me understand, but it would be nice to get a more complete understanding. I don't want to hassle you by continually asking you questions until i get it - can you point me to somewhere i can read up on this and understand. For example, it confuses me that there is an ldap, eap and pap section in the authorize section, but pap is to be used exclusively inside eap with the client and ldap is to be used exclusively with the backend server.

Thanks for your help,
John
Re: Framed-IP-Address accounted in Hex
Graeme Hinchliffe [EMAIL PROTECTED] wrote:
> What would cause FreeRADIUS to output in this manner, we have surmised that if it sees a non-ASCII byte in the field it would convert the whole field into a hex representation to stop trying to write binary to the db.

No, it should print out non-ASCII bytes as octal in that case.

It will create octal attributes if it can't find the attribute in the dictionaries.

Alan DeKok.
Re: Defining different Service-Types for different equipment for the same user
Nuno Cervaens [EMAIL PROTECTED] wrote:
> Here's an example for what it would be a perfect solution:
>
> userOne Crypt-Password == $1$GYuKhumy$wUkW0ZvClTCi86kkkgJBw.
>         Service-Type = 6
>         Service-Type = 7 (for the SSRs)

I don't think that will work. You're allowed ONE Service-Type in a response.

You have to configure the server to send Service-Type = 6 for one NAS, and 7 for another. You will need two different entries in the users file.

Alan DeKok.
802.1x authentication
Hi, All:

I need some pointers on how to set up 802.1x (PEAP/MSCHAP v.2) authentication in freeradius. Generating certificates? Modifying configurations?

Jin