Re: Survey Results are in.

2006-10-31 Thread Luca Corti
On Mon, 2006-10-30 at 17:42 -0500, Alan DeKok wrote:
   Something called documentation beat out the next nearest response
   by nearly 2:1.  We'll see if we can work on that.

Which was the next nearest response?

thanks

Luca

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius not stable on my server

2006-10-31 Thread Nataniel Klug

Hi Alan,

Thank you again for helping me, I will try to explain myself below:

Alan DeKok wrote:

Nataniel Klug [EMAIL PROTECTED] wrote:
  
I am having a problem: sometimes my freeradius 
gets a little crazy and closes some connections and other times it just 
says that the client is still connected and blocks the client from use 
(because of max login set to 1) like in these two situations:



  FreeRADIUS doesn't close connections.  If it blocks users, it's
because it thinks the user is still logged in.

  
Sometimes my NAS sends a disconnect to the radius (I have remote logging 
and I am monitoring every step of the NAS(es) and the radius) and, for 
some reason that I do not know, this request for disconnect does not get 
into the FreeRadius. I really don't know if the radius is not receiving 
the message (for network reasons or something) or it is coming to the 
radius server but the program (radiusd) is not able to process this request.


This way the client keeps logged in and, if the same client tries to 
connect, it is rejected.
What can I do to make my radius system more stable? Migrate it to a 
MySQL solution? I have about 200 login records in most usage time and a 
average of 80 all day.



  It's stable.  Migrating to MySQL won't help.  A load of 80 logins
per day is tiny, and isn't a problem.
  
I know this is very low busy for freeradius... But the problem is 
killing me.

  I think the problem is that you're not clear why the server is
behaving the way it is.  Please explain *why* you think it's
unstable when someone tries to log in twice, and it rejects the
second attempt.  Why do you think the server closes connections?
  
I am not sure what is making the problem. That's why I came here, I need 
to know what tools I can use to identify where the problem is. The 
request from NAS to Radius I know is coming through my network and 
it is registered in my logger server. This is my network topology:


router - ns1 (logger/gw) -- nas1 (gw-int1) -- nas2
   ns2 (radius) nas3

All the nases are sending their logs to ns1 and it logs every single try 
to disconnect a client that nas sends but some of them do not get into 
radius server.

  And the no login record issue is the fault of the NAS.  FreeRADIUS
is just logging what the NAS sends it.  See the FAQ.
  
No logging record does not mean that the NAS send a message to remove 
some client from the connected and the radius look for the client but, 
when it can not be found, the radius log this message?


Thank you again.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


CVS problem

2006-10-31 Thread Guilherme Franco

Hello,

I'm trying to do a cvs checkout but it won't let me:

cvs -d :pserver:[EMAIL PROTECTED]:/source login

Logging in to :pserver:[EMAIL PROTECTED]:2401/source
CVS password: anoncvs

cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd

It just hangs in the checkout part...

Any problems with the server?

Thanks.


Re: RE : Freeradius is mad ! Or me...

2006-10-31 Thread benodilo
You are in the good
The problem is SELinux ... The user radiusd is not authorized to launch the
freeradius.

so freeradius and me are not mad... it is SELinux  ;)

Thks !

According to Thibault Le Meur [EMAIL PROTECTED]:

  Why the command radiusd -A work fine and not
  /etc/init.d/radiusd start ???

 When you run 'radiusd -A' (I suppose you're root), you are running the
 radius Server as Root.

 When you run /etc/init.d/radiusd start, it switches to the 'radiusd' user
 identity (in FC5).

 So it is possible that you have a permission issue on some config file.

 Try to run:
 # su - radiusd --shell /bin/bash
 $ radiusd -X

 You'll see if there is a permission issue.

 HTH,
 Thibault







PROBLEM - Proxy + SQLIPPOOL + Framed-IP-Address

2006-10-31 Thread Guilherme Franco

Hi,

Doing proxy, freeradius always ignores the static Framed-IP-Address set
in radreply table and sets the random SQLIPPOOL instead.

Without proxy, SQLIPPOOL won't assign an IP from the pool and grabs
the Framed-IP-Address correctly.

I guess it's because the Framed-IP-Address = 255.255.255.254 contained
in the Access-Accept packet from the proxy home server.

Played with attrs but no luck.

Please help!

Thanks!


RE: Machine Accounts against AD

2006-10-31 Thread King, Michael
 

 -Original Message-
 
 I'm not sure 1.0.4 had that fix in the rlm_mschap module.  If 
 you need to use 1.0.4 for some reason, you may have to 
 backport the patch from a later version of the module.
 
 --Mike
 


Awww Man...

I went back to 1.0.4 because 1.1.2 and 1.1.3 kept crashing with the load
I'm putting on the server.

What version do you think it was fixed in?



How to configure USERS file to assign the VLAN ID according to LDAP group name?

2006-10-31 Thread richard Bai
Hi Everyone,

I configure a Freeradius server working with LDAP. The group name in LDAP is used as the VLAN ID issued by radius too.
This is my users file configuration:
DEFAULT Group == 1
 Auth-Type = LDAP,
 Tunnel-Type = 13,
 Tunnel-Medium-Type = 6,
 Tunnel-Private-Group-ID = 1,
 Fall-Through = 1


DEFAULT Group == 10
 Auth-Type = LDAP,
 Tunnel-Type = 13,
 Tunnel-Medium-Type = 6,
 Tunnel-Private-Group-ID = 10,
 Fall-Through = 1

Now, it works fine except I have to add more lines manually once I add one more group in LDAP.
Because freeradius is going to assign the VLAN ID by matching the Group name replied by LDAP with the configured Group name in users file.
Can I configure the Group as a variable containing the value of the group name in LDAP, and radius can assign the Tunnel-Private-Group-ID by recognizing the variable?
Such as programming:
 Tunnel-Private-Group-ID = Group

Thank you very much!

Richard

Re: FreeRadius slower than SBR

2006-10-31 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I'm proposing a FreeRadius solution for 802.1x authentication of Wired
 client based on Client certificates, a CRL lookup, and vlan association
 from Active Directory.

  FreeRADIUS doesn't do CRL lookups right now (i.e. OCSP), but it's
probably not too hard to add.

 The IT department, who usually buy Steel Belted Radius from Juniper, are
 saying FreeRadius is just too slow, and could not handle the traffic.

  Sure...  See the survey results I posted yesterday.  Ask Juniper how
many sites with more than 10 million users have deployed SBR.  Ask
them why their market share is 1/3 that of Cisco or IAS.  Ask them how
they do load balancing or failover to LDAP directories... they don't.

  Performance isn't everything.  And 99% of the server's performance is
limited by the back-end database.

 Now, I don't see the basis for these assertions and I would imagine the
 bottleneck being the CRL lookups and AD requests.

  Yes.

 I estimate the number of authentications per sec to reach about 60 to
 100 for this project.

  That's a lot for a sustained load.  And if that's a problem, you
need to buy more machines.  You don't say how many users you have, but
if you have a few hundred thousand (or more), I would *strongly*
suggest multiple RADIUS servers for redundancy, just in case one
hiccups.

  Oh, wait... you can't do that with SBR, because its model is to pay
per server installation.  That means your network is *more* likely to
fail, because you're using 1-2 servers where a good design would use
3-4.

  Take the money you save by *not* buying SBR licenses, and buy more
machines.  Install FreeRADIUS on those machines, and your network will
thank you for it. :)

 However I'd like to humbly ask the list what they think of such
 assertions, is there something in SBR that would make them much more
 scalable or faster?

  No.

 Where would the bottlenecks be?

  The database, and the SSL traffic.

 How many client cert auths/sec could FR handle, on say an entry level
 single CPU server HW?

  Not a lot.  If you're just doing PAP to the users file, the server
can handle 1000's to 10's of 1000's per second.  Add LDAP lookups, and
that probably drops to low 1000's per second.  Add SSL, and it drops
even more.  But SBR will have exactly the same issues with LDAP and
SSL, for exactly the same reason: 99% of the time will be spent
waiting for LDAP, or doing encryption.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Survey Results are in.

2006-10-31 Thread Alan DeKok
Luca Corti [EMAIL PROTECTED] wrote:
Something called documentation beat out the next nearest response
by nearly 2:1.  We'll see if we can work on that.
 
 Which was the next nearest response?

  Features  help with configuration.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: CVS problem

2006-10-31 Thread Alan DeKok
Guilherme Franco [EMAIL PROTECTED] wrote:
 It just hangs in the checkout part...
 
 Any problems with the server?

  I think the disk is full.

  Give me a few hours, and I'll put a mirror up on deployingradius.com.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: RADIUS AUTHENTICATOR---need HELP using MSCHAP and NTPASSWORD

2006-10-31 Thread ego seek
Message: 6
Date: Mon, 30 Oct 2006 08:25:43 -0500
From: Michael Lecuyer [EMAIL PROTECTED]
Subject: Re: RADIUS AUTHENTICATOR---need HELP using MSCHAP and NTPASSWORD
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

This pretty much sums up the problem:

  rlm_mschap: No MS-CHAP-Challenge in the request

This is not a valid MS-CHAP request. You might want to look at the actual attributes passed to see if this is really an MS-CHAP request. It will contain Microsoft VSAs containing a MS-CHAP-Challenge and a MS-CHAP-Response.

How I can do it?

ego seek wrote:
 I use Squid and RADIUS. Squid use Squid_radius_authenticator to authenticate a client and write a log in which there is the username and the http request.
 THE PROBLEM IS: In the radcheck table i put a value: AUTH-TYPE and set MS-CHAP for the user. his password is stored in NT-HASH format.
 when the authenticator try to authenticate the user, this is the output ...

 rad_check_password: Found Auth-Type MS-CHAP
 auth: type MS-CHAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group MS-CHAP for request 6
   rlm_mschap: No User-Password configured. Cannot create LM-Password.
   rlm_mschap: Found NT-Password
   rlm_mschap: No MS-CHAP-Challenge in the request
   modcall[authenticate]: module mschap returns reject for request 6
 modcall: leaving group MS-CHAP (returns reject) for request 6
 auth: Failed to validate the user.
 Login incorrect:[username/password]

 can anybody help me? please.

upper case realms

2006-10-31 Thread Mark Jones
We just noticed that our server is authenticating no matter whether the 
realm specified is upper or lower case. Even though the realm is specified 
as lower in proxy.conf.


Can it be set to stop this?

Mark Jones
London Operations
Managed Network Systems
171 Queens Ave Suite 515
London Ontario
N6A 5J7
519-679-5207 



RE: CVS problem

2006-10-31 Thread King, Michael
BTW, Seems today is the day for website problems

http://deployingradius.com/blog/

MySQL error!

Error establishing a database connection!

(Can't connect to local MySQL server through socket
'/var/run/mysqld/mysqld.sock' (2))

   1. Are you sure you have typed the correct user/password?
   2. Are you sure that you have typed the correct hostname?
   3. Are you sure that the database server is running? 

 -Original Message-
 From: 
 [EMAIL PROTECTED]
 g 
 [mailto:[EMAIL PROTECTED]
 adius.org] On Behalf Of Alan DeKok
 Sent: Tuesday, October 31, 2006 10:18 AM
 To: FreeRadius users mailing list
 Subject: Re: CVS problem 
 
 Guilherme Franco [EMAIL PROTECTED] wrote:
  It just hangs in the checkout part...
  
  Any problems with the server?
 
   I think the disk is full.
 
   Give me a few hours, and I'll put a mirror up on 
 deployingradius.com.
 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


Re: CVS problem

2006-10-31 Thread Alan DeKok
King, Michael [EMAIL PROTECTED] wrote:
 http://deployingradius.com/blog/
 
 MySQL error!

  Debian is starting to annoy me.  apt-get upgrade not only stops
services (and doesn't re-start them), but it over-writes my local
config files, too.

  Anyway, it's fixed now.  I'll have to put a cron job in to mail me
if something screws up again.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


FreeRadius installation problem.

2006-10-31 Thread Chad Best
When I run ./configure, make and make install, "radiusd" does not install. I have checked the /usr/local/bin and /usr/local/sbin and it is not there. Yes, I did make sure that I was showing hidden files when I search for it. I also did a search for radiusd and it does not show up anywhere. Therefore, when I try to run radiusd by typing "radiusd -X", it says command not found. I am running Ubuntu Linux and trying to install Freeradius-1.0.0 (behind the times, I know). I am a total newbie to Freeradius altogether, so please be patient! I have already tried to reinstall, but that didn't work. Any help would greatly be appreciated.

Freeradius service hangs

2006-10-31 Thread Karthik R
Am running Freeradius ver 1.1.1 on a RHEL 3 box which keeps hanging frequently. So every time I need to restart the freeradius service. Is this version a stable one?

Kartthik

authorize_check_query and authorize_reply_query

2006-10-31 Thread Guido

Hello list, I'm using freeradius and have some doubts about these steps.

authorize_check_query = store_check_query 
'%{Stripped-User-Name:-%{User-Name}},
authorize_reply_query = store_check_query 
'%{Stripped-User-Name:-%{User-Name}},


At this moment I'm using both authorize (check and reply), executing in 
both steps a stored procedure.


The question is whether it is mandatory to use both auth or whether it is possible to use only one of 
them, i.e. only authorize_reply_query


Thanks in advance

Guido



Re: FreeRadius installation problem.

2006-10-31 Thread Hernan Antolini

Any strange output from configure or make? Are you sure you're running
make install as root? What are the error messages, if any?

[EMAIL PROTECTED]
wrote on 10/31/2006 02:45:09 PM:

 When I run ./configure, make and make install, radiusd does not
 install. I have checked the /usr/local/bin and /usr/local/sbin and
 it is not there. Yes, I did make sure that I was showing hidden
 files when I search for it. I also did a search for radiusd and it
 does not show up anywhere. Therefore, when I try to run radiusd by
 typing radiusd -X, it says command not found.
 
 I am running Ubuntu Linux and trying to install Freeradius-1.0.0
 (behind the times, I know). I am a total newbie to Freeradius
 altogether, so please be patient! I have already tried to
 reinstall, but that didn't work. Any help would greatly be appreciated.

Re: How to configure USERS file to assign the VLAN ID according to LDAP group name?

2006-10-31 Thread Richard
Hi, Alan,

Thanks for reply.

Right now the situation is the RADIUS can authenticate the user in LDAP. But 
the group attribute does work. So, the vlan ID can not be assigned. Could you 
tell me what should be correct configuration in users file.

Richard
- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, October 31, 2006 6:19 PM
Subject: Re: How to configure USERS file to assign the VLAN ID according toLDAP 
group name? 


 richard Bai [EMAIL PROTECTED] wrote:
 This is my *users* file configuration:
 *DEFAULT  Group == 1*
 
  Why put asterisks around every line?
 
 * Auth-Type = LDAP,*
 
  1) Auth-Type belongs on the first line, radiusd -X will tell you that
  2) Setting Auth-Type = LDAP is probably wrong.
 
 Now, it works fine except I have to add more lines manual once I add one
 more group in LDAP.
 
  Except the Group attribute is for Unix groups, not LDAP groups.
 
  Either your system *doesn't* work at all, or the users file
 entries you included above are *not* what you're using.
 
 Such as programming:
*Tunnel-Private-Group-ID = Group *
 
  See doc/variables.txt.  It explains how to copy the contents of one
 attribute to another attribute.
 
  Alan DeKok.
 --
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius installation problem.

2006-10-31 Thread Chad Best


--- Hernan Antolini [EMAIL PROTECTED] wrote:

 Any strange output from configure or make ? are you
 sure you're running 
 make install as root ? what are the error messages
 if any =?
 

I did run ./configure, make and make install as root.

There is an error message from make install that
concerns me about radiusd.  It is 

Making install in main...
make[4]: Entering directory
`/usr/local/src/freeradius-1.0.0/src/main'
/usr/local/src/freeradius-1.0.0/libtool --mode=install
/usr/local/src/freeradius-1.0.0/install-sh -c -m 755
-s radiusd   /usr/local/sbin
/usr/local/src/freeradius-1.0.0/install-sh -c -m 755
-s radiusd /usr/local/sbin/radiusd
install:  radiusd does not exist




Re: FreeRadius installation problem.

2006-10-31 Thread Dennis Skinner
Chad Best wrote:
 Making install in main...
 make[4]: Entering directory
 `/usr/local/src/freeradius-1.0.0/src/main'
 /usr/local/src/freeradius-1.0.0/libtool --mode=install
 /usr/local/src/freeradius-1.0.0/install-sh -c -m 755
 -s radiusd   /usr/local/sbin
 /usr/local/src/freeradius-1.0.0/install-sh -c -m 755
 -s radiusd /usr/local/sbin/radiusd
 install:  radiusd does not exist

1. Go get a newer version.  You are compiling from source, there is no
reason not to be using the latest stable version.  If you want support,
you need to use a version that people can help you with.

2. There was probably an error in make.  Look again.  If you do
something like make > make_output.txt that will save the normal STDOUT
output to a file (to review later if you like) and the STDERR will still
go to your screen and will be easier to see.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Another Installation Problem

2006-10-31 Thread kbajwa

Hello:

I am trying to install freeRADIUS-1.1.3. The INSTALL instructions
say to download the tar file. I have not been able to find the
tar file for the newest version. Please help. Where is this tar
file?

Thanks.

Kirt


Re: Another Installation Problem

2006-10-31 Thread Dennis Skinner
kbajwa wrote:
 I am trying to install freeRADIUS-1.1.3. The INSTALL instructions says
 to download the ‘tar’ file. I have not been able to find the tar file
 for the newest version. Please help. Where is this ‘tar’ file? 

1. Go to www.freeradius.org
2. Click on the very first link
3. The rest should be obvious

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


RE: Another Installation Problem

2006-10-31 Thread kbajwa
Dennis:

I have already done that. The first link is 'download', which takes to the
download site. The first link is 'download', and when I CLICK on it, I get
to the 'download' page. The first file to download is:

# 2006.08.22 freeradius-1.1.3.tar.bz2, (currently released version: 1.1.3)

Please note the extension 'bz2'

I have been to this page several times before posting. This download file is
not the 'tar' file from which I install. This is a file from which we
extract a freeradius-1.1.3 folder.

Please try again and re-direct to the 'tar' file from which I can do the
installation!!

Thanks.

Kirt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Dennis Skinner
Sent: Tuesday, October 31, 2006 4:44 PM
To: FreeRadius users mailing list
Subject: Re: Another Installation Problem

1. Go to www.freeradius.org
2. Click on the very first link
3. The rest should be obvious

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


RE: Another Installation Problem

2006-10-31 Thread King, Michael
Ok.

Look in the News! Section on the front most page.

It has this link

ftp://ftp.freeradius.org/pub/radius/freeradius-1.1.3.tar.gz 

 -Original Message-
 From: 
 [EMAIL PROTECTED]
 g 
 [mailto:[EMAIL PROTECTED]
 adius.org] On Behalf Of kbajwa
 Sent: Tuesday, October 31, 2006 5:14 PM
 To: 'FreeRadius users mailing list'
 Subject: RE: Another Installation Problem
 
 Dennis:
 
 I have already done that. The first link is 'download', which 
 takes to the download site. The first link is 'download', and 
 when I CLICK on it, I get to the 'download' page. The first 
 file to download is:
 
 # 2006.08.22 freeradius-1.1.3.tar.bz2, (currently released 
 version: 1.1.3)
 
 Please note the extension 'bz2'
 
 I have been to this page several times before posting. This 
 download file is not the 'tar' file from which I install. 
 This is a file from which we extract a freeradius-1.1.3 folder.
 
 Please try again and re-direct to the 'tar' file from which I 
 can do the installation!!
 
 Thanks.
 
 Kirt
 
 -Original Message-
 From: 
 [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 eeradius.org]
 On Behalf Of Dennis Skinner
 Sent: Tuesday, October 31, 2006 4:44 PM
 To: FreeRadius users mailing list
 Subject: Re: Another Installation Problem
 
 1. Go to www.freeradius.org
 2. Click on the very first link
 3. The rest should be obvious
 
 --
 Dennis Skinner
 Systems Administrator
 BlueFrog Internet
 http://www.bluefrog.com


'{%SQL-User-Name}' does not work for SQLIPPOOL

2006-10-31 Thread Guilherme Franco

Hello,

'{%SQL-User-Name}' does not work for SQLIPPOOL, it always appears blank.

What should I use in order to get the username?

Thank you.


Re: Another Installation Problem

2006-10-31 Thread William
On Tuesday 31 October 2006 17:13, kbajwa wrote:
 Dennis:

 I have already done that. The first link is 'download', which takes to the
 download site. The first link is 'download', and when I CLICK on it, I get
 to the 'download' page. The first file to download is:

 # 2006.08.22 freeradius-1.1.3.tar.bz2, (currently released version: 1.1.3)

 Please note the extension 'bz2'

 I have been to this page several times before posting. This download file
 is not the 'tar' file from which I install. This is a file from which we
 extract a freeradius-1.1.3 folder.

 Please try again and re-direct to the 'tar' file from which I can do the
 installation!!

 Thanks.

 Kirt

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Dennis Skinner
 Sent: Tuesday, October 31, 2006 4:44 PM
 To: FreeRadius users mailing list
 Subject: Re: Another Installation Problem

 1. Go to www.freeradius.org
 2. Click on the very first link
 3. The rest should be obvious

Greetings,
  Download the freeradius-1.1.3.tar.bz2 file.  Then from the command line 
issue the following command to extract it:

tar jxpf freeradius-1.1.3.tar.bz2

That will bunzip2 it, and untar the file all in one step.



-- 
William



Re: Another Installation Problem

2006-10-31 Thread Alan DeKok
kbajwa [EMAIL PROTECTED] wrote:
 I have been to this page several times before posting. This download file is
 not the 'tar' file from which I install. This is a file from which we
 extract a freeradius-1.1.3 folder.

  The 'bz2' extension means that the tar file has been compressed.
Use bunzip2 to decompress it, and you will get a tar file.

 Please try again and re-direct to the 'tar' file from which I can do the
 installation!!

  Please become familiar with Unix tools and practices that have been
in use for many years now.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius service hangs

2006-10-31 Thread Alan DeKok
Karthik R [EMAIL PROTECTED] wrote:
 Am running Freeradius ver 1.1.1 on a RHEL 3 box which keeps hanging
 frequently. So everytime i need to restart the freeradius service. Is this
 version is stable one ?

  Yes.  Where is it hanging?  What is going wrong?  Do you have any
additional information?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: How to configure USERS file to assign the VLAN ID according to LDAP group name?

2006-10-31 Thread Alan DeKok
Richard [EMAIL PROTECTED] wrote:
 Right now the situation is the RADIUS can authenticate the user in
 LDAP. But the group attribute does work.

  As I said before, Group is for Unix groups.  If you want to check
LDAP groups, you should use the LDAP-Group attribute.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
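
Added example (not part of the thread and not taken from the FreeRADIUS distribution): the two users file entries from the original question, rewritten along the lines of the replies above, with LDAP-Group as the check item and no Auth-Type forced. It assumes the ldap module is already configured in radiusd.conf and that the LDAP groups are literally named 1 and 10, as in the question.

```text
# users file (added example; group names "1" and "10" come from the question)
#
# Check items belong on the first line of an entry. LDAP-Group is compared
# against the directory by the ldap module; Group only checks Unix groups.
# Auth-Type is not set here, following the reply's second point.
# VLAN and IEEE-802 are the dictionary names for the values 13 and 6
# used in the question.

DEFAULT	LDAP-Group == "1"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "1",
	Fall-Through = Yes

DEFAULT	LDAP-Group == "10"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "10",
	Fall-Through = Yes
```

This form still needs one entry per group; the variable-based form asked about is the attribute copy that doc/variables.txt describes.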


RE: Another Installation Problem

2006-10-31 Thread kbajwa
Thanks. You saved several hours.

Kirt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of King, Michael
Sent: Tuesday, October 31, 2006 5:23 PM
To: FreeRadius users mailing list
Subject: RE: Another Installation Problem

Ok.

Look in the News! Section on the front most page.

It has this link

ftp://ftp.freeradius.org/pub/radius/freeradius-1.1.3.tar.gz 

 -Original Message-
 From: 
 [EMAIL PROTECTED]
 g 
 [mailto:[EMAIL PROTECTED]
 adius.org] On Behalf Of kbajwa
 Sent: Tuesday, October 31, 2006 5:14 PM
 To: 'FreeRadius users mailing list'
 Subject: RE: Another Installation Problem
 
 Dennis:
 
 I have already done that. The first link is 'download', which 
 takes to the download site. The first link is 'download', and 
 when I CLICK on it, I get to the 'download' page. The first 
 file to download is:
 
 # 2006.08.22 freeradius-1.1.3.tar.bz2, (currently released 
 version: 1.1.3)
 
 Please note the extension 'bz2'
 
 I have been to this page several times before posting. This 
 download file is not the 'tar' file from which I install. 
 This is a file from which we extract a freeradius-1.1.3 folder.
 
 Please try again and re-direct to the 'tar' file from which I 
 can do the installation!!
 
 Thanks.
 
 Kirt
 
 -Original Message-
 From: 
 [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 eeradius.org]
 On Behalf Of Dennis Skinner
 Sent: Tuesday, October 31, 2006 4:44 PM
 To: FreeRadius users mailing list
 Subject: Re: Another Installation Problem
 
 1. Go to www.freeradius.org
 2. Click on the very first link
 3. The rest should be obvious
 
 --
 Dennis Skinner
 Systems Administrator
 BlueFrog Internet
 http://www.bluefrog.com


Re: Another Installation Problem

2006-10-31 Thread Dennis Skinner
kbajwa wrote:
 Dennis:
 
 I have already done that. The first link is 'download', which takes to the
 download site. The first link is 'download', and when I CLICK on it, I get
 to the 'download' page. The first file to download is:
 
 # 2006.08.22 freeradius-1.1.3.tar.bz2, (currently released version: 1.1.3)
 
 Please note the extension 'bz2'

Please note the tar extension before the bz2

 I have been to this page several times before posting. This download file is
 not the 'tar' file from which I install. This is a file from which we
 extract a freeradius-1.1.3 folder.
 
 Please try again and re-direct to the 'tar' file from which I can do the
 installation!!

Wow...that last sentence was kinda snarky.  You want help right?


This is not a FreeRADIUS question.  This is a basic unix/linux question.

Please go purchase a Linux User Manual of some sort.

In the meantime, that *is* the tarball.  tar = archived into a single
file (ie uncompressed).  bz2 means that tarball is zipped.  You will
almost never find an unzipped tarball on the net.  They will either be
gz or bz2 files.

Get the file.

tar xvjf filename.tar.bz2

that will unzip and extract it.

Again, please go get a book...if you don't understand the system, how
can you install and support a service running on it?


And to save some other poor list the aggravation...if you download a gz
file (as opposed to bz2) the command is slightly different:

tar xvzf file.tar.gz

man tar is your friend.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: Another Installation Problem

2006-10-31 Thread Dennis Skinner
kbajwa wrote:
 I have been to this page several times before posting. This download file is
 not the 'tar' file from which I install. This is a file from which we
 extract a freeradius-1.1.3 folder.

Sorry.  I misread that last line.

You didn't look in the folder, did you?  I bet there are some README and
INSTALL files and a doc directory.  Any guesses what you should do with
the README file?

Linux!=Windows.  There is no installer file.  You will need to compile
the binaries yourself.  Again, a book would be helpful here.

If you are looking for an rpm or deb, then you *don't* want the tar
file, you need to go to your distro's repository.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: Another Installation Problem

2006-10-31 Thread Joe Maimon



kbajwa wrote:


Dennis:

I have already done that. The first link is 'download', which takes to the
download site. The first link is 'download', and when I CLICK on it, I get
to the 'download' page. The first file to download is:

# 2006.08.22 freeradius-1.1.3.tar.bz2, (currently released version: 1.1.3)

Please note the extension 'bz2'


tar jxf freeradius-1.1.3.tar.bz2





freeradius against AD authentication not working

2006-10-31 Thread Karthik R
Running Freeradius v1.1.1 on a RHEL 4 box and trying to authenticate the WiFi users against windows 2003 active directory using EAP-MSCHAPv2. I was able to join the linux box to windows domain successfully and able to read the users and groups from AD. I have configured the windows XP supplicant with root.der certificate and EAP-MSCHAPv2. When I try to connect to access point, it takes the local machine name default instead of asking for username and password.

Did I miss anything? Here is my radius log file.

bash3.0#radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}
Module: Instantiated mschap (mschap)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/secert/cert-srv.pem
 tls: certificate_file = /usr/local/etc/raddb/secert/cert-srv.pem
 tls: CA_file = /usr/local/etc/raddb/secert/root.pem
 tls: private_key_password = removed
 tls: dh_file = /usr/local/etc/raddb/secert/dh
 tls: random_file = /usr/local/etc/raddb/secert/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: 

SOLVED '{%SQL-User-Name}' does not work for SQLIPPOOL

2006-10-31 Thread Guilherme Franco

Nevermind, I used %{User-Name} and it works.



Hello,

'{%SQL-User-Name}' does not work for SQLIPPOOL, it always appears blank.

What should I use in order to get the username?

Thank you.


freeradius hangs

2006-10-31 Thread Karthik R
Karthik R [EMAIL PROTECTED] wrote:
 Am running Freeradius ver 1.1.1 on a RHEL 3 box which keeps hanging
 frequently. So every time I need to restart the freeradius service. Is this version a stable one?

Yes. Where is it hanging? What is going wrong? Do you have any
additional information?

Alan DeKok.

Alan,

Have configured dlink f/w for remote users login which authenticates users against AD using freeradius. When users try to connect it says verifying username and password and it doesn't proceed further. Unless I restart the radius service. I made the radius service to run on the background and this happens intermittently.


Karthik

RE: freeradius against AD authentication not working

2006-10-31 Thread Chris Liles
You have the supplicant incorrectly configured. 

You can also try in radius.conf:
with_ntdomain_hack=yes 


--
Chris Liles


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karthik R
Sent: Tuesday, October 31, 2006 6:32 PM
To: freeradius-users@lists.freeradius.org
Subject: freeradius against AD authentication not working

Running Freeradius v1.1.1 on a RHEL 4 box and trying to authenticate the WiFi 
users against windows 2003 active directory using EAP-MSCHAPv2. I was able to 
join the linux box to windows domain successfully and able to read the users 
and groups from AD. I have configured the windows XP supplicant with root.der 
certificate and EAP-MSCHAPv2. When I try to connect to access point, it takes 
the local machine name default instead of asking for username and password.
 
Did I miss anything? Here is my radius log file.
 
bash3.0#radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf 
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius 
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024 
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no 
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes 
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200 
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon. 
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null) 
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}
Module: Instantiated mschap (mschap)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap) 
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp 
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no 
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc 
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/secert/cert-srv.pem
 tls: certificate_file = /usr/local/etc/raddb/secert/cert-srv.pem
 tls: CA_file = /usr/local/etc/raddb/secert/root.pem
 tls: private_key_password = removed 
 tls: dh_file = /usr/local/etc/raddb/secert/dh
 tls: random_file = /usr/local/etc/raddb/secert/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null) 
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: 

Re: freeradius against AD authentication not working

2006-10-31 Thread Alan DeKok
Karthik R [EMAIL PROTECTED] wrote:
 When i try to connect to access
 point, it takes the local machine name default instead of asking for
 username and password.

  You have to configure the local machine to NOT authenticate as the
machine.  It's in the Windows supplicant configuration somewhere.

  There is nothing you can do to the NAS or RADIUS server to solve
this problem.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius hangs

2006-10-31 Thread Alan DeKok
Karthik R [EMAIL PROTECTED] wrote:
 Have configured dlink f/w for remote users login which authenticates users
 against AD using freeradius. When users tries to connect it says verifying
 username and password and it doesn't proceed further.

  <sigh>  That's the message on the NAS.  And you're simply repeating
your earlier comment that it doesn't work.

  Again, what is the RADIUS server doing?  You can't expect to
understand what the RADIUS server is doing by looking at the NAS.  You
have to look at the RADIUS server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog