Re: FreeRADIUS user Survey

2006-10-06 Thread Kostas Zorbadelos
On Thu, Oct 05, 2006 at 02:39:18PM -0400, Alan DeKok wrote:
   In order to better understand the needs of people using FreeRADIUS,
 I've set up a survey with 12 questions.  The goal is to understand
 who's using FreeRADIUS, how they're using it, and what the users needs
 are.  The page is:
 
   http://gs-survey.com/s.asp?s=1651
 
   Please take a few minutes to fill out the survey, and I'll be
 posting a summary of the responses here.
 
   I expect to have a few more surveys after this one, to be able to
 target future development.  Thanks for your efforts in supporting FreeRADIUS.
 
   Alan DeKok.

In the first question (How large is your organization?)
the range 101 - 1000 is missing...

In the question (How many RADIUS client machines do you have?)
is the last range 101? 


-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Proxy PEAP-EAP-MSCHAPv2 as MSCHAPv2

2006-10-06 Thread david chew

Hi,

I am trying to set up Freeradius to proxy PEAP/EAP-MSCHAPv2 requests as MSCHAPv2
and know that some of you were able to set up this configuration successfully, i.e.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg22903.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16192.html
and others.

I have tried the examples in those postings as well as suggestions from other
postings without any success. I have started with the default config and turned
on the debug option. However, looking at the debug output, I couldn't quite
figure out what went wrong.

What I got so far is as follows:
1) Send a PEAP/MSCHAPv2 request using Linux's Xsupplicant or Mac client to the 
proxy radius
2) Proxy radius terminated EAP locally and proxied request (MSCHAPv2 minus EAP) 
to home radius
3) Home radius responded with an access-accept packet to proxy radius
4) Proxy Radius sent access-reject to client. See error output below.

Tue Oct  3 20:10:37 2006 : Debug:   rlm_eap: Request not found in the list
Tue Oct  3 20:10:37 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Tue Oct  3 20:10:37 2006 : Debug:   rlm_eap: Failed in handler

I am running Freeradius 1.1.3 and have attached below my configuration files
and an excerpt of the debug output, hoping that the mistake would look obvious
to some of you and that you could provide some helpful pointers or links.

Thanks a lot for your help.


-David


For the outer identity, I have set it to use 'Anonymous' and the inner identity,
I have set it to use '[EMAIL PROTECTED]'

radiusd.conf
modules {
   pap {
      encryption_scheme = crypt
   }
   chap {
      authtype = CHAP
   }
   pam {
      pam_auth = radiusd
   }
   $INCLUDE ${confdir}/eap.conf
   mschap {
      authtype = MS-CHAP
      use_mppe = yes
      require_encryption = yes
      require_strong = yes
   }
   realm IPASS {
      format = prefix
      delimiter = /
      ignore_default = no
      ignore_null = no
   }

   #  '[EMAIL PROTECTED]'
   #
   realm suffix {
      format = suffix
      delimiter = @
      ignore_default = no
      ignore_null = no
   }
   ...
}
authorize {
   preprocess
   chap
   mschap
   suffix
   eap
   files
}
authenticate {
   Auth-Type PAP {
      pap
   }
   Auth-Type CHAP {
      chap
   }
   Auth-Type MS-CHAP {
      mschap
   }
   eap
}
preacct {
   preprocess
   acct_unique
   suffix
   files
}
accounting {
   detail
   radutmp
}
session {
   radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
   eap
}
eap.conf
eap {
   default_eap_type = peap
   timer_expire = 60
   ignore_unknown_eap_types = no
   cisco_accounting_username_bug = no
   md5 {
   }
   leap {
   }
   gtc {
      auth_type = PAP
   }
   tls {
      private_key_password = wireless
      private_key_file = ${raddbdir}/certs/host.key
      certificate_file = ${raddbdir}/certs/host.crt
      CA_file = ${raddbdir}/certs/ca-root.crt
      dh_file = ${raddbdir}/certs/dh
      random_file = /dev/urandom
   }
   ttls {
      default_eap_type = md5
      copy_request_to_tunnel = yes
      use_tunneled_reply = yes
   }
   peap {
      default_eap_type = mschapv2
      copy_request_to_tunnel = yes
      use_tunneled_reply = yes
      proxy_tunneled_request_as_eap = no
      # Note: If I set proxy_tunneled_request_as_eap = yes (proxying
      # the request as eap-mschapv2) I was able to connect successfully
   }
   mschapv2 {
   }
}

proxy.conf
realm LOCAL {
   type     = radius
   authhost = LOCAL
   accthost = LOCAL
}
realm NULL {
   type     = radius
   authhost = LOCAL
   accthost = LOCAL
}
realm abc.net {
   type     = radius
   authhost = 199.186.1.2:1645
   accthost = 199.186.1.2:1646
   secret   = wireless
   nostrip
}

users:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := abc.net

Debug output (excerpt starting when the home radius replied with an access
accept); see attached files for the complete output.
Tue Oct  3 20:10:37 2006 : Sending Access-Request of id 30 to 199.186.1.2 port 
1645
   User-Name = [EMAIL PROTECTED]
   

Re: IPV6 support

2006-10-06 Thread A . L . M . Buxey
Hi,

  time (currently) and ALSO there is a bug.  ::  (listen on any address)
  causes a segmentation fault.
 
   WTF?  types madly

:-)  ah. wasn't reported.

   Ah.  'struct sockaddr' isn't big enough to hold IPv6 addresses.  We
 have to use 'struct sockaddr_storage'.
 
   Thanks, it's now fixed.

great. it was late when i was quickly testing that so didn't have time
to research if it was a reported bug.  guess I don't have to report now.
glad to have been of testing service to you.

alan


Re: freeradius bug?

2006-10-06 Thread A . L . M . Buxey
Hi,

 Hello, why if I have in my clients.conf this configuration:
 
 client localhost {
 secret  = testing123
 nastype = other
 shortname   = localhost
 login   = test
 password  = test
 }
 
 
 and I try #radtest test test localhost testing123

Err, the login and password entries are for backend utilities such as
simultaneous usage checking (and other SNMP/telnet tools). For this
command to work, you have to add a 'test' user to either your users
file or to your SQL database, AD, etc. Look at the users file
for an example user entry that you can copy/edit at your will.
Try changing the users entry to reject, accept and add a reply message
etc. to see stuff being sent back to your radtest command.

alan


External module in c++

2006-10-06 Thread Guillermo Rodriguez Navarrete
Hello everybody,

I only have a simple question for the mailing list.

Can I program an external module in C++?

Thanks

Best Regards.

Guillermo Rodriguez



free radius ntlm_auth problem

2006-10-06 Thread Andris
Hello! I successfully installed a free radius server with ntlm_auth, but have one problem. I have user names in the Windows 2003 domain with whitespace, like 'user 1', 'user 2' (I know this is a bit lame, but they were created years ago and would be very hard to change). Usernames with whitespace won't authorize with the ntlm_auth string; usernames without whitespace authorize successfully. When I run ntlm_auth manually and write usernames like 'user 1', it works. And I want to put in an NT group requirement too, like 'Domain Users'.

The ntlm_auth string is:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

How can I fix this? Thanks!

P.S. Sorry, my English isn't perfect :)

Andris

Authentication problem

2006-10-06 Thread Giuseppina Venezia

Hi all,
I've written about this problem another time here:
http://lists.freeradius.org/pipermail/freeradius-users/2006-October/057153.html
The core of this problem is an error that returns with chillispot when
I authenticate a client with WPA-EAP.
..

chillispot[15816]: radius.c: 1634: Received unknown radius packet 11!
chillispot[15816]: chilli.c: 4148: radius_proxy_ind() failed!
.
I've seen the source code of radius.h in chilli at line 73, and I've
seen that packet 11 is RADIUS_CODE_ACCESS_CHALLENGE, so I've
thought that there is an error in EAP authentication.
Does someone have ideas about this problem? I must solve it.
Thank you very much.
Best regards.
Giusy


I want to use freeradius to manage my socks5 proxy

2006-10-06 Thread taft
I configured a socks5 proxy. The question for me is how to authenticate the users I permit to use
my socks5 proxy and how to account them (such as session period and data flow).
I do not know how to integrate socks5 authentication and freeradius together.
Does anyone have any idea, or can someone provide me with some docs to help me?
Thank you very much.

--
please visit my blog http://blog.csdn.net/taft

Re: free radius ntlm_auth problem

2006-10-06 Thread A . L . M . Buxey
Hi,

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

have you tried something like

--username=\%{mschap:User-Name}\

you might be able to escape the characters in this way.

alan




free radius ntlm_auth problem

2006-10-06 Thread Andris
 have you tried something like

 --username=\%{mschap:User-Name}\

 you might be able to escape the characters in this way.

 alan

yes :( , and \' too


Called-Station-ID and Cisco AP's

2006-10-06 Thread Walter Reynolds


I am just starting to look into this, but it seems that the 
Called-Station-ID being logged from my Cisco AP's is off.  What I see in 
the log is the following:


Called-Station-Id = 0017.0f8c.25c1

However, the cisco itself shows something slightly different:

Mac Address 0017.0f8c.25c0

As you can see, the last digit is off.

This is not the only one.  Another example:

Called-Station-Id = 0013.6078.7661
MAC Address 00:13:60:78:76:60

The only other system I have on the system (Bluesocket) does not have this 
discrepancy.


I have searched through the archives, but trying to limit search by 
Called-Station-Id and cisco does not help a lot.  Have others seen/noticed 
this before?  If so any pointers to information on it?  If not, can anyone 
else look and see if they are having a similar issue?


Here is the information on AP
Cisco Aironet 1200 IOS
Firmware:   12.3(8)JA2

Using FreeRadius 1.1.2

The only conf file that even mentioned called station ID (that I am using) 
is radiusd.conf.  Here is the subsection


#attr_rewrite sanecallerid {
#   attribute = Called-Station-Id
# may be packet, reply, proxy, proxy_reply or config
#   searchin = packet
#   searchfor = [+ ]
#   replacewith = 
#   ignore_case = no
#   new_attribute = no
#   max_matches = 10
#   ## If set to yes then the replace string will be appended to the original string
#   append = no
#}

As it is commented out I do not see that it could be the issue.

If you want any conf files let me know, I just did not want to clog up the 
message with lots of conf info that is not useful.


Thanks to all.


-- Walter Reynolds
   Principle Systems Security Development Engineer
   Information Technology Central Services
   University of Michigan
   (734)615-9438


RE: Called-Station-ID and Cisco AP's

2006-10-06 Thread Garber, Neal
 Called-Station-Id = 0017.0f8c.25c1
 However, the cisco itself shows something slightly different:
 Mac Address   0017.0f8c.25c0

Does your AP have two radios?  If so, is this the
MAC of the other radio?

 Have others seen/noticed this before?  ... If not, can 
 anyone else look and see if they are having a similar issue?

We use Cisco 1232 AP's and I'm not seeing this problem.  The
Called-Station-ID is the MAC of the AP and the Calling-Station-ID
is the MAC of my XP laptop that associated to the AP.



Re: FreeRADIUS user Survey

2006-10-06 Thread Alan DeKok
Kostas Zorbadelos [EMAIL PROTECTED] wrote:
 In the first question (How large is your organization?)
 the range 101 - 1000 is missing...
 
 In the question (How many RADIUS client machines do you have?)
 is the last range 101? 

 Fixed, thanks.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?

2006-10-06 Thread Alan DeKok
Mak Moussa [EMAIL PROTECTED] wrote:
 Would you still say that it is the ttls.c code, even though ttls w/mschap
 worked fine?

  Yes.

 I am looking for a differentiator in the code between mschap and mschapv2,

  Like the code I pointed you to?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Authentication problem

2006-10-06 Thread Alan DeKok
Giuseppina Venezia [EMAIL PROTECTED] wrote:
 The core of this problem is an error that returns with chillispot when
 I authenticate a client with WPA-EAP.
 ..
 
 chillispot[15816]: radius.c: 1634: Received unknown radius packet 11!

  Apparently Chillispot doesn't support EAP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: I want to use freeradius to manage my socks5 proxy

2006-10-06 Thread Alan DeKok
taft [EMAIL PROTECTED] wrote:
 I do not know how to integrate socks5 authentication and freeradius
 together.

  If the socks program you're using doesn't say it can use RADIUS, you
can't integrate them.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Huntgroups, Realms, MySQL

2006-10-06 Thread Brad McAllister
G'day mate, thanks for the quick reply.  I already have this in my  
radiusd.conf:


realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
}

The huntgroups file looks like this:

wireless    NAS-IP-Address == 127.0.0.1
wireless    NAS-IP-Address == localhost.localdomain
            SQL-Group == 3072BY256

radgroupcheck table:

| id | GroupName | Attribute      | op | Value     |
|  8 | netmaster | Huntgroup-Name | == | netmaster |
|  6 | 3072BY256 | Huntgroup-Name | == | wireless  |
|  7 | 3072BY256 | Auth-Type      | += | local     |
|  9 | netmaster | Auth-Type      | += | local     |


All of this is still in a test environment so I am able to change  
whatever is needed.


--
Brad McAllister
[EMAIL PROTECTED]


On Oct 5, 2006, at 6:13 PM, James Wakefield wrote:


Brad McAllister wrote:

If I removed the huntgroups out of the picture, it works fine. The  
problem seems to be that the realm is not being stripped off of  
the username when it checks it against the usergroup table. If  
more information is needed, please let me know. I would really  
like to get this working.

Thanks!
- Brad


Have a look at the realm { } instances and attr_rewrite in
http://wiki.freeradius.org/Radiusd.conf.


If that doesn't sort you out, could you post (with private info  
obscured, of course) relevant excerpts from your radgroupcheck  
table and huntgroups file?


Cheers,
--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au




RE: Called-Station-ID and Cisco AP's

2006-10-06 Thread Walter Reynolds



Date: Fri, 6 Oct 2006 09:13:20 -0400
From: Garber, Neal [EMAIL PROTECTED]
Subject: RE: Called-Station-ID and Cisco AP's
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain;   charset=us-ascii


  Called-Station-Id = 0017.0f8c.25c1
  However, the cisco itself shows something slightly different:
  Mac Address 0017.0f8c.25c0

 Does your AP have two radios?  If so, is this the
 MAC of the other radio?

Yes it does, but this is not the mac address for the LAN interface
nor either of the radios:

LAN MAC Address:     00:17:94:EE:D8:C6
Radio 1 MAC Address: 00:17:0F:8C:25:C0
Radio 2 MAC Address: 00:17:0F:90:25:C0

  Have others seen/noticed this before?  ... If not, can
  anyone else look and see if they are having a similar issue?

 We use Cisco 1232 AP's and I'm not seeing this problem.  The
 Called-Station-ID is the MAC of the AP and the Calling-Station-ID
 is the MAC of my XP laptop that associated to the AP.

Thanks.  What version of IOS are you running?





-- Walter Reynolds
   Principle Systems Security Development Engineer
   Information Technology Central Services
   University of Michigan
   (734)615-9438


users-file overruling anything else

2006-10-06 Thread florian.prester

Hi,

I am using freeradius+perl+ldap.
Meaning for every request I get the user's information from an 
LDAP server, and run it through some perl code to distinguish some users 
from others for some reason (:-)).


Now my problem is users not listed in the ldap system. I want to use 
the users file to overrule the ldap system. Meaning if a user is found 
in the users file and the password matches, ignore everything else.


I think I had it working already, but somehow it does not work anymore! :-(

My authorization-section looks as follows:
authorize {
   preprocess
   chap
   mschap
   eap
   #
   #  Read the 'users' file
   files
   #
   #  The ldap module will set Auth-Type to LDAP if it has not
   #  already been set
   ldap  # needed to get user information
   perl  # needed to twist the users a little bit :-)
}

my users file is standard, containing:
help    Auth-Type := Local, User-Password == support
        Idle-Timeout := 30


Thanks for your help,
Florian  Prester


Proxy question

2006-10-06 Thread Roberto Greiner
Hi,

I'm having a small problem with the proxy.conf file.

I added the following entry to proxy.conf:

realm test.com {
   type     = radius
   authhost = LOCAL
   accthost = LOCAL
   secret   = foobar
   strip
}

But when I send a user with the test.com domain, it wasn't stripped. The
radiusd -X log below shows the behavior:

  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm test.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm test.com
rlm_realm: Adding Stripped-User-Name = rgreiner
rlm_realm: Proxying request from user rgreiner to realm test.com
rlm_realm: Adding Realm = test.com
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
  modcall[authorize]: module files returns notfound for request 0
radius_xlat:  '[EMAIL PROTECTED]'

I've tried removing the realm LOCAL entry from proxy.conf, without
result. The realm DEFAULT with authhost = LOCAL or = localhost didn't
solve either. The only way I managed to get this to work was to write

realm test.com {
authhost = a.b.c.d
.
}

With a.b.c.d being the local server's real IP (not the localhost IP). Is
that the proper way to do it or am I missing something?

Thank you,

Roberto

-- 
Marcos Roberto Greiner

The optimists think we are in the best of all worlds
The pessimists are afraid that this is true
                                        -- Murphy

[EMAIL PROTECTED]



users-file overruling anything else UPDATE

2006-10-06 Thread florian.prester

Hi,

I am using freeradius+perl+ldap.
Meaning for every request I get the user's information from an
LDAP server, and run it through some perl code to distinguish some users
from others for some reason (:-)).

Now my problem is users not listed in the ldap system. I want to use
the users file to overrule the ldap system. Meaning if a user is found
in the users file and the password matches, ignore everything else.

I think I had it working already, but somehow it does not work anymore! :-(

My authorization-section looks as follows:
authorize {
   preprocess
   chap
   mschap
   eap
   #
   #  Read the 'users' file
   files
   #
   #  The ldap module will set Auth-Type to LDAP if it has not
   #  already been set
   ldap  # needed to get user information
   perl  # needed to twist the users a little bit :-)
}

my users file is standard, containing:
help    Auth-Type := Local, User-Password == support
        Idle-Timeout := 30

UPDATE:
Maybe my perl code is the problem, because I do a REJECT in the 
Perl module if the user is not found in the LDAP!
Hm, I should not do that, should I? I can grant access, but I should not 
deny it if I want to grant it later?!



Thanks for your help,
Florian  Prester



Accounting Logs

2006-10-06 Thread Kevin Hemsley



With FreeRadius, is it possible to log accounting data to both SQL and to 
standard Radius files? We would like to upgrade our Cistron Radius to 
FreeRadius, and our accounting system (Rodopi) uses standard Radius logs, 
but we would like to switch to SQL.

Thanks, 

Kevin.
--
Kevin Hemsley [EMAIL PROTECTED] NF7J 


Re: Authentication problem

2006-10-06 Thread Giuseppina Venezia

2006/10/6, Alan DeKok [EMAIL PROTECTED]:

  Apparently Chillispot doesn't support EAP.


I have launched chilli with --eapolenable and without, with the same results.
Really, I don't know what to think.
However, thank you Alan.


  Alan DeKok.

Giusy


two or more ippool

2006-10-06 Thread Roberto Gonzalez Azevedo

I'm having some trouble with ippool.
I have some ip pools who need to be distributed
for my clients.

Here is an example from my radiusd.conf:
...
ippool p0 {
  range-start = xx.xx.xx.1
  range-stop = xx.xx.xx.20
  netmask = 255.255.255.0

  cache-size = 32
  session-db = ${raddbdir}/ippool/db.ippool.p0
  ip-index = ${raddbdir}/ippool/db.ipindex.p0

  override = yes
  maximum-timeout = 0
}

ippool p1 {
  range-start = xx.xx.xx.21
  range-stop = xx.xx.xx.40
  netmask = 255.255.255.0

  cache-size = 32
  session-db = ${raddbdir}/ippool/db.ippool.p1
  ip-index = ${raddbdir}/ippool/db.ipindex.p1

  override = yes
  maximum-timeout = 0
}
...

In accounting:
accounting {
...
group mypools {
p0
p1
}
...
}

In post-auth:
post-auth {
...
group mypools {
p0
p1
}
...
}


In (mysql) radgroupcheck:

+-----+-----------+-----------+----+-------+------+
| id  | GroupName | Attribute | op | Value | prio |
+-----+-----------+-----------+----+-------+------+
|  30 | mygroup   | Pool-Name | := | p0    |    1 |
|  31 | mygroup   | Pool-Name | := | p1    |    1 |
+-----+-----------+-----------+----+-------+------+
...


It's working, but my clients only get IPs from the first pool (p0).
They never get one from the other pools (p1, p2 ...).

Has somebody already had a problem like this?

Thanks !!!
--
Roberto Gonzalez Azevedo


Re: Called-Station-ID and Cisco AP's

2006-10-06 Thread A . L . M . Buxey
Hi,

 I am just starting looking into this, but it seems that the 
 Called-Station-ID being logged from  my Cisco AP's is off:  What I see in 
 the log is the following:

this COULD be the way that CISCO differentiates different VLANs
on its AP when running in autonomous mode (are you running autonomous
or LWAPP mode? you didn't say)

ie 

first WLAN 0017.0f8c.25c0
second WLAN 0017.0f8c.25c1
third WLAN 0017.0f8c.25c2

(hence things like maximum of 8 WLANs on the autonomous etc)

etc - it's certainly plausible and matches how they use MAC addresses
on their other devices for various functions. 

we aren't having this issue, but we are using Cisco 1131/1232 APs in
LWAPP mode talking to 1.1.3 FreeRADIUS systems. so there may be some
big differences in architecture there.

 Here is the information on AP
 Cisco Aironet 1200 IOS
 Firmware: 12.3(8)JA2

well, that's nice and up to date. 12.3(8)JEA does fix a lot of other things
though ;-)

alan


RE: Called-Station-ID and Cisco AP's

2006-10-06 Thread Walter Reynolds


I have just found out that the Cisco, when announcing multiple SSIDs, will 
create a virtual MAC for them.


So looks like this is a 'feature'.

Thanks.

On Fri, 6 Oct 2006, Walter Reynolds wrote:




Date: Fri, 6 Oct 2006 09:13:20 -0400
From: Garber, Neal [EMAIL PROTECTED]
Subject: RE: Called-Station-ID and Cisco AP's
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain;   charset=us-ascii


   Called-Station-Id = 0017.0f8c.25c1
   However, the cisco itself shows something slightly different:
   Mac Address 0017.0f8c.25c0

  Does your AP have two radios?  If so, is this the
  MAC of the other radio?

 Yes it does, but this is not the mac address for the LAN interface
 nor either of the radios:

 LAN MAC Address:     00:17:94:EE:D8:C6
 Radio 1 MAC Address: 00:17:0F:8C:25:C0
 Radio 2 MAC Address: 00:17:0F:90:25:C0

   Have others seen/noticed this before?  ... If not, can
   anyone else look and see if they are having a similar issue?

  We use Cisco 1232 AP's and I'm not seeing this problem.  The
  Called-Station-ID is the MAC of the AP and the Calling-Station-ID
  is the MAC of my XP laptop that associated to the AP.

 Thanks.  What version of IOS are you running?





-- Walter Reynolds
   Principle Systems Security Development Engineer
   Information Technology Central Services
   University of Michigan
   (734)615-9438
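The thread concludes that the AP reports a per-SSID virtual BSSID whose last hex digit is incremented from the radio's base MAC. The following Python is an added example (not from the thread or from FreeRADIUS) that normalizes the Cisco dotted and colon notations seen in the posts, recovers the base radio MAC by clearing the low nibble, and attributes each Called-Station-Id in a log excerpt to a radio in an AP inventory; the inventory, the log lines, and the low-nibble rule itself are constructed assumptions taken from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed AP inventory (example data, not the poster's): radio base MACs as
# shown by "sh int" on the AP. The wired LAN MAC is deliberately not listed,
# because it is never used as a BSSID.
AP_RADIOS: Dict[str, str] = {
    "ap1/radio1": "00:17:0F:8C:25:C0",
    "ap1/radio2": "00:17:0F:90:25:C0",
    "ap2/radio1": "00:13:60:78:76:60",
}

# Constructed FreeRADIUS detail-style excerpt (not the thread's real log).
# The third entry carries the AP's wired LAN MAC, which should NOT match.
SAMPLE_LOG = """\
Fri Oct  6 09:13:20 2006
        User-Name = "alice"
        Called-Station-Id = "0017.0f8c.25c1"
Fri Oct  6 09:14:02 2006
        Called-Station-Id = "0013.6078.7661"
Fri Oct  6 09:15:11 2006
        Called-Station-Id = "0017.94ee.d8c6"
"""

_NON_HEX = re.compile(r"[^0-9a-f]")
_CALLED = re.compile(r'Called-Station-Id\s*=\s*"?([0-9A-Fa-f.:-]+)')


def normalize_mac(value: str) -> str:
    """Reduce Cisco dotted (0017.0f8c.25c1), colon (00:17:0F:8C:25:C0) or
    hyphen notation to 12 lowercase hex digits."""
    digits = _NON_HEX.sub("", value.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


def base_bssid(mac: str) -> Tuple[str, int]:
    """Split a (possibly virtual) BSSID into the radio's base MAC and the
    SSID slot encoded in the low nibble. Assumption, taken from the thread:
    the AP derives per-SSID BSSIDs by incrementing the last hex digit."""
    digits = normalize_mac(mac)
    return digits[:-1] + "0", int(digits[-1], 16)


def match_called_station(called_station_id: str,
                         radios: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return {"radio": name, "slot": n} for the inventory radio whose base
    MAC the Called-Station-Id belongs to, or None when nothing matches."""
    base, slot = base_bssid(called_station_id)
    for name, radio_mac in radios.items():
        if normalize_mac(radio_mac) == base:
            return {"radio": name, "slot": slot}
    return None


def attribute_log(log_text: str, radios: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan detail/debug output for Called-Station-Id values and attribute each
    to an inventory radio. Unknown or malformed values are returned with
    radio=None so they can be reviewed: a BSSID that belongs to no known AP
    is exactly the kind of entry worth a second look."""
    results: List[Dict[str, object]] = []
    for match in _CALLED.finditer(log_text):
        csid = match.group(1)
        try:
            hit = match_called_station(csid, radios)
        except ValueError:
            hit = None
        results.append({
            "called_station_id": csid,
            "radio": hit["radio"] if hit else None,
            "slot": hit["slot"] if hit else None,
        })
    return results


if __name__ == "__main__":
    for row in attribute_log(SAMPLE_LOG, AP_RADIOS):
        print(row)
```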


Re: I want to use freeradius to manage my socks5 proxy

2006-10-06 Thread taft
socks v5 can support EAP authentication, and I figured out that freeradius can do that too. So I am wondering if EAP is a connection between socksv5 and freeradius.
Does anyone else have similar experience?
thank you

2006/10/6, Alan DeKok [EMAIL PROTECTED]:
 taft [EMAIL PROTECTED] wrote:
  I do not know how to integrate socks5 authentication and freeradius
  together.

   If the socks program you're using doesn't say it can use RADIUS, you
 can't integrate them.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog

--
please visit my blog http://blog.csdn.net/taft 

Need a real Free Radius admin . . .

2006-10-06 Thread Troy Bernier

I am looking for a real freeradius admin who knows exactly what they
are doing.  Should be experienced, with some references.  We need
advice, setup, some maintenance, and support.  Please send me your details.

-Troy
msn via [EMAIL PROTECTED]


RE: Called-Station-ID and Cisco AP's

2006-10-06 Thread Garber, Neal
 Thanks.  What version of IOS are you running?

Most are at 12.3(7)JA2.  Some of our newer AP's are at 12.3(8)JA.



RE: Called-Station-ID and Cisco AP's

2006-10-06 Thread Garber, Neal
 LAN MAC Address:  00:17:94:EE:D8:C6
 Radio 1 MAC Address:  00:17:0F:8C:25:C0
 Radio 2 MAC Address:  00:17:0F:90:25:C0

At the risk of this sounding like a stupid question...
If you do a show run in enable mode, do you see
a mac-address command after the radio interface
(i.e., have you manually changed the MAC addr
of the radio)?  It is possible to manually change it:

int d0
mac-address 0017.0f8c.25c1

Even if you do this, a sh int command will still
show the real MAC address (I just tried this on one
of my test APs).



Re: Accounting Logs

2006-10-06 Thread Alan DeKok
Kevin Hemsley [EMAIL PROTECTED] wrote:
 With FreeRadius, Is it possible to log accounting data to both SQL and
 to standard Radius files?

  Yes.

  Just list detail and sql in the relevant accounting sections.  

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: users-file overruling anything else

2006-10-06 Thread Alan DeKok
florian.prester [EMAIL PROTECTED] wrote:
 Now my problem are users not listed in the ldap-system. I want to use 
 the  users-file to overrule the ldap-system. Meaning if a user is found 
 in the users-file and the password matches, ignore everything else.

  The problem is that the users file doesn't do authentication.  It
only stores a known good password for a user.

  My suggestion is to do:

authorize {
 preprocess
 chap
 mschap
 eap
 perl
 files {
   ok = return
   updated = return
 }
 ldap
}

  And PLEASE don't set Auth-Type := Local.  The users file entries
should look like:

username    User-Password := password
...



  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius bug?

2006-10-06 Thread Abel Monzon

Hello, why if I have in my clients.conf this configuration:

client localhost {
secret  = testing123
nastype = other
shortname   = localhost
login   = test
password  = test
}


and I try #radtest test test localhost testing123


- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, October 05, 2006 10:20 PM
Subject: Re: freeradius bug?



Abel Monzon [EMAIL PROTECTED] wrote:

Why is Access-Reject? There is a bug of freeradius?


 Run the server in debugging mode and it will tell you why it's
sending a reject.

 This is documented in the README, FAQ, INSTALL, and daily on this list.

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog






This is the answer from radtest:

Module: Instantiated files (files)
Module: Loaded radutmp
radutmp: filename = /usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 201.220.197.67:32840, id=166, length=50

   Service-Type = Framed-User
   User-Name = test
   User-Password = test
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = test, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

auth: Failed to validate the user.
Login incorrect: [test/test] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 166 to 201.220.197.67 port 32840
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 166 with timestamp 4526856b
Nothing to do.  Sleeping until we see a request.

I don't see the problem



Re: Proxy question

2006-10-06 Thread Alan DeKok
Roberto Greiner [EMAIL PROTECTED] wrote:
 But when I send a user with the test.com domain, it wasn't stripped. The
 radiusd -X log below shows the behavior:

  Show the *full* log.

   modcall[authorize]: module files returns notfound for request 0
 radius_xlat:  '[EMAIL PROTECTED]'

  ok... and the logs don't show it being proxied.

  So you're asking a question about why isn't the proxy code doing
what you want, and you haven't shown the server doing any proxying.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: free radius ntlm_auth problem

2006-10-06 Thread Alan DeKok
Andris [EMAIL PROTECTED] wrote:
 I successfully installed a free radius server with ntlm_auth, but have one
 problem. I have user names in the Windows 2003 domain with whitespace, like
 'user 1' 'user 2' (I know this is a bit lame, but they were created years
 ago and would be very hard to change); ntlm_auth won't authorize these
 usernames with whitespace.

  So... what command is being executed?  What are the results?

  Again, showing the output of debugging mode is MUCH MORE HELPFUL
than saying stuff doesn't work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: 1.1.3 or 2.0?

2006-10-06 Thread Alan DeKok
Roberto Greiner [EMAIL PROTECTED] wrote:
 I have a server running GNU-Radius 1.3, and was preparing to migrate it
 to FreeRadius 1.1.3, but on recent messages I noticed that 2.0 is being
 developed. My doubt is, should I go ahead and install 1.1.3, or wait and
 go straight for 2.0? The GNU-Radius machine is not giving me troubles
 for now, and there are no heavy time constraints to make the switch.
 Should I wait or go now for 1.1.3, updating later to 2.0?

  I would say 1.1.3 is fine to use.  2.0 will be out in a few months,
so you're free to upgrade then, too.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: two or more ippool

2006-10-06 Thread Jan Mulders

You're using the wrong syntax for including the pools in each section.

Here's an example from my own config...

modules {
    ippool 512k_high {

        #  range-start,range-stop: The start and end ip
        #  addresses for the ip pool
        range-start = x.x.x.6
        range-stop = x.x.x.66

        #  netmask: The network mask used for the ip's
        netmask = 255.255.255.0

        #  cache-size: The gdbm cache size for the db
        #  files. Should be equal to the number of ip's
        #  available in the ip pool
        cache-size = 60

        # session-db: The main db file used to allocate ip's to clients
        session-db = ${raddbdir}/ippool.512k_high

        # ip-index: Helper db index file used in multilink
        ip-index = ${raddbdir}/ipindex.512k_high

        # override: Will this ippool override a
        # Framed-IP-Address already set
        override = no

        # maximum-timeout: If not zero specifies the maximum
        # time in seconds an entry may be active. Default: 0
        maximum-timeout = 0
    }
    ippool 512k_low {
    ...


instantiate {
}

authorize {
    preprocess
    sql
}

authenticate {
    pap
}

preacct {
    preprocess
}

accounting {
    radutmp
    512k_high
    512k_low
    10m_high
    10m_low
    sql
}


session {
    radutmp
    sql

}
post-auth {
    sql
    512k_high
    512k_low
    10m_high
    10m_low
}


Also, I notice that 'mygroup' has IP assignments from 2 pools. This
can't work, because RADIUS will just select the first one it gets from
MySQL. May I suggest either subdividing your users into two groups, or
merging the two groups?

Hope this helps,

Jan

On 06/10/06, Roberto Gonzalez Azevedo [EMAIL PROTECTED] wrote:


I'm having some trouble with ippool.
I have some IP pools which need to be distributed
to my clients.

Here is an example from my radiusd.conf:
...
ippool p0 {
  range-start = xx.xx.xx.1
  range-stop = xx.xx.xx.20
  netmask = 255.255.255.0

  cache-size = 32
  session-db = ${raddbdir}/ippool/db.ippool.p0
  ip-index = ${raddbdir}/ippool/db.ipindex.p0

  override = yes
  maximum-timeout = 0
}

ippool p1 {
  range-start = xx.xx.xx.21
  range-stop = xx.xx.xx.40
  netmask = 255.255.255.0

  cache-size = 32
  session-db = ${raddbdir}/ippool/db.ippool.p1
  ip-index = ${raddbdir}/ippool/db.ipindex.p1

  override = yes
  maximum-timeout = 0
}
...

In accounting:
accounting {
...
group mypools {
p0
p1
}
...
}

In post-auth:
post-auth {
...
group mypools {
p0
p1
}
...
}


In (mysql) radgroupcheck :

+----+-----------+-----------+----+-------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-----------+-----------+----+-------+------+
| 30 | mygroup   | Pool-Name | := | p0    |    1 |
| 31 | mygroup   | Pool-Name | := | p1    |    1 |
+----+-----------+-----------+----+-------+------+
...


It's working, but my clients only get an IP from the first pool (p0).
They never get one from the other pools (p1, p2 ...).

Has somebody already had a problem like this?

Thanks !!!
--
Roberto Gonzalez Azevedo


Re: I want to use freeradius to manage my socks5 proxy

2006-10-06 Thread Alan DeKok
taft [EMAIL PROTECTED] wrote:
 socks v5 can support EAP authentication, and I figured out that freeradius
 can do that too. So I am wondering if EAP is a connection between socksv5
 and freeradius.

  Once again, very slowly.

  If the socks program you're using doesn't say it can use RADIUS, you
can't integrate them.

  EAP is not RADIUS.  EAP is transported over RADIUS.  See the
documentation.  But for that to work, you need a RADIUS implementation
in the socks program.  Again, that means reading the documentation of
the socks program you're using.

  ... As I said before.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Windows Vista doing PEAP

2006-10-06 Thread King, Michael
Not to be rude, have you had a chance to poke that Patch again? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Alan DeKok
Sent: Wednesday, October 04, 2006 6:54 PM
To: FreeRadius users mailing list
Subject: Re: Windows Vista doing PEAP 

King, Michael [EMAIL PROTECTED] wrote:
 Things didn't work so hot.  :-(  Seg Fault

  Arg.  I'll go back and poke the patch again.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Proxy question

2006-10-06 Thread Roberto Greiner
Alan DeKok wrote:
 Roberto Greiner [EMAIL PROTECTED] wrote:
   
 But when I send a user with the test.com domain, it wasn't stripped. The
 radiusd -X log below shows the behavior:
 

   Show the *full* log.

rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62
User-Name = [EMAIL PROTECTED]
User-Password = teste
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module chap returns noop for request 3
  modcall[authorize]: module mschap returns noop for request 3
rlm_realm: Looking up realm test.com for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm test.com
rlm_realm: Adding Stripped-User-Name = rgreiner
rlm_realm: Proxying request from user rgreiner to realm test.com
rlm_realm: Adding Realm = test.com
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 3
  modcall[authorize]: module files returns notfound for request 3
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = '[EMAIL PROTECTED]'   ORDER
BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
FROM radgroupcheck,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
FROM radgroupreply,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id'
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): User not found
  modcall[authorize]: module sql returns notfound for request 3
modcall: leaving group authorize (returns ok) for request 3
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/teste] (from client dsu24 port 0)
Sending Access-Reject of id 4 to 143.107.71.24 port 4126
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 4 with timestamp 4526adb5
Nothing to do.  Sleeping until we see a request.



-- 
 -------------------------------------------------------
| Marcos Roberto Greiner                                |
|                                                       |
| Optimists think we live in the best of all worlds     |
| Pessimists are afraid that this is true               |
| Murphy                                                |
 -------------------------------------------------------
| [EMAIL PROTECTED]                                     |
 -------------------------------------------------------



RE: 1.1.3 or 2.0?

2006-10-06 Thread King, Michael
 

-Original Message-
  I would say 1.1.3 is fine to use.  2.0 will be out in a few months, so
you're free to upgrade then, too.


I think the question he was trying to get across is whether 2.0 is going to be
significantly different from 1.1.3 from a config standpoint.



Re: 1.1.3 or 2.0?

2006-10-06 Thread Roberto Greiner
Alan DeKok wrote:
 Roberto Greiner [EMAIL PROTECTED] wrote:
   
 I have a server running GNU-Radius 1.3, and was preparing to migrate it
 to FreeRadius 1.1.3, but on recent messages I noticed that 2.0 is being
 developed. My doubt is, should I go ahead and install 1.1.3, or wait and
 go straight for 2.0? The GNU-Radius machine is not giving me troubles
 for now, and there are no heavy time constraints to make the switch.
 Should I wait or go now for 1.1.3, updating later to 2.0?
 

   I would say 1.1.3 is fine to use.  2.0 will be out in a few months,
 so you're free to upgrade then, too.

   Alan DeKok.
   

Ok. Thx

Roberto

-- 
 -------------------------------------------------------
| Marcos Roberto Greiner                                |
|                                                       |
| Optimists think we live in the best of all worlds     |
| Pessimists are afraid that this is true               |
| Murphy                                                |
 -------------------------------------------------------
| [EMAIL PROTECTED]                                     |
 -------------------------------------------------------



Re: Windows Vista doing PEAP

2006-10-06 Thread Alan DeKok
King, Michael [EMAIL PROTECTED] wrote:
 Not to be rude, have you had a chance to poke that Patch again? 

  Reload it from the same URL as last time.

  If it still crashes, see doc/bugs.  I don't see how it can crash at
all, so the crash looks like a symptom of another issue.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius bug?

2006-10-06 Thread Alan DeKok
Abel Monzon [EMAIL PROTECTED] wrote:
...
 auth: No authenticate method (Auth-Type) configuration found for the 
 request: Rejecting the user

  You didn't tell the server what the 'known good' password is for the
user.

  See the FAQ for how to configure a test user.

  There IS documentation for the server.  Go read it.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Proxy question

2006-10-06 Thread Alan DeKok
Roberto Greiner [EMAIL PROTECTED] wrote:
Show the *full* log.
 
 rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62
 User-Name = [EMAIL PROTECTED]

  Is this the log from the home server?  If so, why?  You already said
the username wasn't stripped, so showing that the home server receives
it non-stripped is pointless.

  If this is the log from the proxying server, then it's not doing
proxying, so of course it isn't stripping the username.

 rlm_realm: Adding Stripped-User-Name = rgreiner
 rlm_realm: Proxying request from user rgreiner to realm test.com
 rlm_realm: Adding Realm = test.com
 rlm_realm: Authentication realm is LOCAL.

  You've marked that realm as something that shouldn't be proxied.
Why do you expect it to be proxied?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: two or more ippool

2006-10-06 Thread Roberto Gonzalez Azevedo

Thanks for reply.

I can't subdivide into two groups ...
I need 1 group, with several pools ...



Thanks
--
Roberto Gonzalez Azevedo



Can Session-Timeout be used to force users to re-authenticate?

2006-10-06 Thread Jason Wittlin-Cohen
Is it possible to use the Session-Timeout setting to force wireless
clients to re-authenticate with the RADIUS server at a given interval?
Unfortunately my Access Point does not provide this functionality, so I
either have to do it via a supplicant such as the Funk Odyssey Client or
on the Freeradius server. I am running Freeradius 1.1.3 on a Debian
Sarge 3.1 system and I'm using EAP-TLS for authentication. I don't think
it matters but I'm using a Buffalo WHR-G54S Wireless Router with the
DD-WRT v23 SP2 firmware.

I am trying to force my wireless clients to re-authenticate with the
RADIUS server every 30 minutes (1800 seconds) with the Session-Timeout
setting. Currently I am testing with just one user, and the
Session-Timeout = 1800 setting is being sent with the Radius Access
Accept message (I can see it in the Access-Accept message when I run in
debug mode). However, this seems to have no effect. The user does not
re-authenticate at the given interval.

Here's my setting from the users file:

Jason Wittlin-Cohen
        Session-Timeout = 1800








Adding proxying to our EAP setup

2006-10-06 Thread Dave Mussulman
Hello,

I've been using FreeRADIUS for years to do PEAP/MSCHAP2 WPA
authentications, and it's worked well enough to be a
set-it-and-forget-it solution.  I'm currently running 1.0.4, but would
upgrade if it would help me accomplish the goals in this message.

However, changing environments bring me back into the config, and I'm
not sure how to do what I want.  We've been using ntlm_auth against the
AD for our primary authentication, with a fallback to sql and plaintext
passwords for local accounts.  I'd like to change from maintaining my
own sql copy/user database to RADIUS proxying to someone else's server.
From a few trial/error tests, I have two questions about proxying and
EAP.

What's the recommended way to configure failover proxying/realms when
there's no realm-ish identifier?  When a user logs in, I want them to
check against ntlm_auth, and if that fails, resort back to a proxied
realm as user.  Right now, I'm doing that via the default config realm
suffix {} module, and a realm NULL section in proxy.conf.  Is there a
better way?  Hints or something?  Does this involve the
configurable_failover documentation?

Second question involves proxies and EAP.  Since my upstream RADIUS
server I'm proxying to doesn't seem to support EAP, is it even possible
for my RADIUS server (in its PEAP/MSCHAPv2 decoding,) to create a
'normal' RADIUS packet to relay?  Or do I have to get the upstream
server to support EAP?  It seems like if suffix (realm) module is
anywhere in the authorize section, it proxies the entire EAP packet.
Can I tell it only to do that at a certain stage in the process?

How would you recommend I configure this?

Dave


Re: Can Session-Timeout be used to force users to re-authenticate?

2006-10-06 Thread Alan DeKok
Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
 I am trying to force my wireless clients to re-authenticate with the
 RADIUS server every 30 minutes (1800 seconds) with the Session-Timeout
 setting. Currently I am testing with just one user, and the
 Session-Timeout = 1800 setting is being sent with the Radius Access
 Accept message (I can see it in the Access-Accept message when I run in
 debug mode). However, this seems to have no effect. The user does not
 re-authenticate at the given interval.

  Then the AP does not support Session-Timeout.

  There really isn't a good way to do this, if the AP doesn't support it.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius is not restarting properly (fails to quit and becomes a zombie process)

2006-10-06 Thread Jason Wittlin-Cohen




Alan DeKok wrote:

  Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
  
  
Over the last few days I've been having a recurring problem. Whenever I
start Freeradius either with radiusd in a terminal or as a service in
Debian, I can not restart/kill radiusd properly if it's authenticated
any clients. Restarting the service says it's successful but the radius
log states that port 1812 is already in use. "top" shows 100% cpu usage

  
  
  It looks like http://bugs.freeradius.org/show_bug.cgi?id=365

  The solution is to not re-initialize the modules on HUP.

  It works in *most* cases, because the code handling the HUP tries to
wait until all of the modules have stopped.  But if your back-end DB's
are slow, it doesn't have much choice but to proceed with handling the
HUP.

  Most people don't see it because the modules respond quickly.  I'd
say the first step to a work-around is to make sure none of the
modules you're using are blocking the server.
  


  
  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

I have discovered the root of the problem. When I enable the
"check_cert_cn = %{User-Name}" option in eap.conf and successfully
authenticate 1 user , a restart or stop of the radiusd service leads to
a zombie process which needs to be killed with "kill -9". If this
option is disabled, as is the default setting, radiusd can be restarted
normally without issue. This issue does not occur if either a) no users
have attempted to authenticate, or b) users have authenticated but were
rejected. Is this a known issue?

Jason Wittlin-Cohen








free radius ntlm_auth problem

2006-10-06 Thread Alan DeKok
Andris wrote:
...
 Usernames without whitespace authorize successfully. When I
 run ntlm_auth manually and write usernames like 'user 1' then it works. And
 I want to put an NT group requirement too, like 'Domain Users'. The ntlm_auth
 string is:

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

  Try using: ntlm_auth = '...', i.e. use single quotes rather than
double quotes.  The issue appears to be that the User-Name string is
expanded *before* the 'exec program' code is being called.

  That means the splitting of the program arguments by spaces is
hitting the space in the username.  What *should* happen is that
entire string gets sent to the 'exec program' code, which splits the
string by spaces, and *then* expands User-Name.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
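Alan's explanation of why the whitespace username breaks ntlm_auth, as an added Python model that is not from the thread or from FreeRADIUS itself: it replays the exact command line Andris posted through both orders of expansion and argument splitting, using constructed attribute values and a simplified stand-in for radius_xlat, and shows that only split-then-expand keeps 'user 1' inside a single argument.

```python
import re
from typing import Dict, List

# The ntlm_auth command line from Andris's post, reproduced verbatim as a template.
NTLM_AUTH_TEMPLATE = (
    "/usr/bin/ntlm_auth --request-nt-key "
    "--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} "
    "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
)

# Constructed sample values standing in for what rlm_mschap would supply.
SAMPLE_ATTRS: Dict[str, str] = {
    "mschap:NT-Domain": "EXAMPLE",
    "mschap:User-Name": "user 1",          # the whitespace username from the thread
    "mschap:Challenge": "0011223344556677",
    "mschap:NT-Response": "00" * 24,
}

# Matches %{name} and %{name:-default}; a simplified stand-in for radius_xlat.
XLAT_RE = re.compile(r"%\{([^}]*)\}")


def expand(text: str, attrs: Dict[str, str]) -> str:
    """Replace every %{...} reference in text with its attribute value.

    %{name:-default} yields default when name is absent, as in the
    Challenge and NT-Response references in the template.
    """
    def substitute(match: "re.Match") -> str:
        key = match.group(1)
        default = ""
        if ":-" in key:
            key, default = key.split(":-", 1)
        return attrs.get(key, default)
    return XLAT_RE.sub(substitute, text)


def argv_expand_then_split(template: str, attrs: Dict[str, str]) -> List[str]:
    """The order Alan suspects is happening: expand the whole line, then split on spaces.

    Any space inside an attribute value becomes an argument boundary, so
    'user 1' turns into the two arguments '--username=user' and '1'.
    """
    return expand(template, attrs).split()


def argv_split_then_expand(template: str, attrs: Dict[str, str]) -> List[str]:
    """The order Alan says should happen: split the template, then expand each token.

    Attribute values can no longer create or remove arguments, whatever they
    contain, so 'user 1' stays inside the single argument '--username=user 1'.
    """
    return [expand(token, attrs) for token in template.split()]


def argv_is_stable(template: str, attrs: Dict[str, str]) -> bool:
    """Report whether both orders produce the same argv for these values.

    False means the unsafe order would re-tokenise the command line; a
    defender can use this to flag usernames that cannot be passed safely.
    """
    return argv_expand_then_split(template, attrs) == argv_split_then_expand(template, attrs)


if __name__ == "__main__":
    for name, build in (("expand-then-split", argv_expand_then_split),
                        ("split-then-expand", argv_split_then_expand)):
        argv = build(NTLM_AUTH_TEMPLATE, SAMPLE_ATTRS)
        print(f"{name}: {len(argv)} arguments")
        for arg in argv:
            print(f"  {arg!r}")
```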


Re: 1.1.3 or 2.0?

2006-10-06 Thread Roberto Greiner
King, Michael wrote:
  

 -Original Message-
   I would say 1.1.3 is fine to use.  2.0 will be out in a few months, so
 you're free to upgrade then, too.


 I think the question he was trying to get across is whether 2.0 is going to be
 significantly different from 1.1.3 from a config standpoint.


   
Actually it's both: to know if the new version was expected to be ready
soon and if the general structure would be too different, but since it's
still months before 2.0 is ready, I will go for 1.1.3. :-)

Thank you for the feedback,

Roberto

-- 

 -------------------------------------------------------
| Marcos Roberto Greiner                                |
|                                                       |
| Optimists think we live in the best of all worlds     |
| Pessimists are afraid that this is true               |
| Murphy                                                |
 -------------------------------------------------------
| [EMAIL PROTECTED]                                     |
 -------------------------------------------------------



Re: Proxy question

2006-10-06 Thread Roberto Greiner
Alan DeKok wrote:
 Roberto Greiner [EMAIL PROTECTED] wrote:
   
   Show the *full* log.
   
 rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62
 User-Name = [EMAIL PROTECTED]
 

   Is this the log from the home server?  If so, why?  You already said
 the username wasn't stripped, so showing that the home server receives
 it non-stripped is pointless.

   If this is the log from the proxying server, then it's not doing
 proxying, so of course it isn't stripping the username.

   
 rlm_realm: Adding Stripped-User-Name = rgreiner
 rlm_realm: Proxying request from user rgreiner to realm test.com
 rlm_realm: Adding Realm = test.com
 rlm_realm: Authentication realm is LOCAL.
 

   You've marked that realm as something that shouldn't be proxied.
 Why do you expect it to be proxied?
   
Actually I don't want it to be proxied, only that it removes the realm
part to handle it locally. But it's comparing the full entry (with
realm) against the database name, instead of only the login.

Roberto

-- 

 -------------------------------------------------------
| Marcos Roberto Greiner                                |
|                                                       |
| Optimists think we live in the best of all worlds     |
| Pessimists are afraid that this is true               |
| Murphy                                                |
 -------------------------------------------------------
| [EMAIL PROTECTED]                                     |
 -------------------------------------------------------



dialup_admin

2006-10-06 Thread Abel Monzon



Hello,

I need to administer my freeradius+mysql, and I ask: is there some utility in 
addition to dialup_admin?

Tanx

clients

2006-10-06 Thread Abel Monzon



I have a question: is it possible to have no secret 
for a client X?

Tanx,
Abel

Can Simultaneous-Use be used with EAP-TLS?

2006-10-06 Thread Jason Wittlin-Cohen
I am using EAP-TLS for authentication so I have no use for a backend db
to check username/password credentials. However, I would still like to
prevent simultaneous logins with the same certificate. Is this possible
without having an sql database? I have Simultaneous-Users := 1 set in
the users configuration file but it doesn't seem to do anything.

Clients are being checked against this line in users

DEFAULT Simultaneous-Use :=1




