Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4
Hello, Alan! You wrote on Mon, 19 Mar 2007 17:54:52 +0100:

AD> Hmm... it looks like similar patches were added in revision 1.72
AD> of that file. I've double-checked the code, and found one more
AD> location.
AD> Please try the attached patch.

I applied the patch and it does not work. It seems to me that this is because the SQL socket may be unconnected while sqlsocket->conn != NULL, so I think it's better to check sqlsocket->state. Corrected patch is attached.

With best regards,
Alexander V. Klepikov.
E-mail: [EMAIL PROTECTED]

patch-src-modules-rlm-sql-sql.c
Description: Binary data

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius don't start!!
Martin Gadbois wrote:
> peppeska wrote:
>> freeradius.pid not found ??? what???
> Start it like this, as root:
> # radiusd -X

Ok, I don't have radiusd, but it works with
# freeradius -X
Thanks!

-- 
Giuseppe Moscato aka peppeska - Linux User - no html messages
[EMAIL PROTECTED] - http://peppeska.altervista.org
Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D
freeradius, ldap error - HELP ME!
Please, freeradius users... HELP ME!

I use a pppoe-freeradius-ldap system to give access to and authenticate users, but something goes wrong: when I try to connect, this error appears. What's wrong in my configuration? Look at this, the freeradius output:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1027, id=159, length=54
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = peppeska
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = peppeska, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 155
    users: Matched entry DEFAULT at line 173
    users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat: '(cn=peppeska)'
radius_xlat: 'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns userlock for request 0
modcall: leaving group authorize (returns userlock) for request 0
Invalid user (rlm_ldap: Access Attribute denies access): [peppeska/no User-Password attribute] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 159 to 127.0.0.1 port 1027
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 159 with timestamp 45ffa841
Nothing to do. Sleeping until we see a request.

But the LDAP database works well! The user peppeska has the password, and direct access to the LDAP database works! What must I do?

-- 
Giuseppe Moscato aka peppeska - Linux User - no html messages
[EMAIL PROTECTED] - http://peppeska.altervista.org
Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D
Re: Issues with rlm_pap
Deramus, Chris wrote:
> This no longer seems to work, as FreeRADIUS seems to be attempting to
> compare the clear-text password with the MD5 password returned from the
> database. I'm guessing it's an oversight on my end, and wanted to see if
> anyone on this list noticed anything. I have included portions of my
> radiusd.conf and users files which are pertinent to this issue.

Can you post what's in your SQL database? i.e. attribute name, operator, and value.

I suspect that the contents of the User-Password are the MD5 hash, rather than the {md5} header followed by the MD5 hash.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: accounts disappears!
Marwan Sultan wrote:
> This system has been up and running since September 2006. Last week we
> started to see a strange problem: some accounts are disappearing from the
> system!!

FreeRADIUS doesn't do SQL writes to delete accounts. The problem lies elsewhere.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Nested VSA
Nitin Naveen wrote:
> Hi, I want to add new VSA parameters to freeradius. This means that I need
> to add a new dictionary file. But what I am not able to understand is how I
> add attributes whose value is another attribute. For eg.

I have no idea what you mean by that.

The dictionary files are heavily commented. The "man dictionary" page describes the format of the dictionary files. Read them, and follow the instructions there.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE : freeradius, ldap error - HELP ME!
> -----Original Message-----
> From: peppeska
> Sent: Tuesday 20 March 2007 10:34
> To: FreeRadius users mailing list
> Subject: freeradius, ldap error - HELP ME!
>
> Please, freeradius users... HELP ME!
>
> I use a pppoe-freeradius-ldap system to give access to and authenticate
> users, but something goes wrong: when I try to connect, this error
> appears. What's wrong in my configuration? Look at this, the freeradius
> output:
>
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
> rlm_ldap: no dialupAccess attribute - access denied by default

Comment this line in your ldap section of radiusd.conf:

# access_attr = dialupAccess

HTH,
Thibault
Re: EAP-TLS authentication
deepak kumar wrote:
> ... but even after client authentication from certificate, the
> router (chillispot) prompts for a username and password and then does
> authentication using UAM. Please tell me why this is asking for login
> name and password after client certificate validation.

Because chillispot is configured to do that. It's not a RADIUS problem.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE : RE : freeradius, ldap error - HELP ME!
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to localhost:389, authentication 0
>> rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
>> rlm_ldap: no dialupAccess attribute - access denied by default
>
> Comment this line in your ldap section of radiusd.conf:
>
> # access_attr = dialupAccess

And comment this one too, like this:

# access_attr_used_for_allow = yes

HTH,
Thibault
Proxying EAP Requests in round robin.
Hi,

I have two backend RADIUS servers with a front end proxy server. All servers are running 1.1.5. Authentication type is EAP-PEAP. On the front end I've got a stripped down radiusd.conf just doing Realm detection and proxying, and a proxy.conf:

realm sussex.ac.uk {
        type     = RADIUS
        authhost = radius1.uscs.susx.ac.uk:1812
        accthost = radius1.uscs.susx.ac.uk:1813
        secret   = 31charhashedsecret
        ldflag   = round_robin
        nostrip
}

realm sussex.ac.uk {
        type     = RADIUS
        authhost = radius2.uscs.susx.ac.uk:1812
        accthost = radius2.uscs.susx.ac.uk:1813
        secret   = 31charhashedsecret
        ldflag   = round_robin
        nostrip
}

What's happening is that the first round of authentication will go to radius1.uscs.susx.ac.uk; the second will go to radius2.uscs.susx.ac.uk, but the second doesn't know about the previous request and bails out with:

modcall: entering group authenticate for request 0
  rlm_eap: Request not found in the list
  rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request

So firstly, is EAP proxying actually possible? Secondly, is there something really stupid I've missed?

There are two ways I can see this working: either the proxy server directs all the authentication rounds for one session to one proxy server, or the eap module on either backend instance figures out what the previous part of the conversation was.

Also I noticed this entry in eap.conf:

        # A list is maintained to correlate EAP-Response
        # packets with EAP-Request packets. After a
        # configurable length of time, entries in the list
        # expire, and are deleted.
        #
        # timer_expire = 60

Anyone know where this list actually exists? Is it just in memory or an actual file?

Thanks,
Arran Cudbard-Bell
-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900
Re: EAP-TLS authentication
Hi Alan,

Thanks for your prompt reply. Can you tell me how to modify chillispot to work with EAP-TLS? My radius server, router and Xsupplicant all support EAP-TLS.

deepak

On 3/20/07, Alan DeKok [EMAIL PROTECTED] wrote:
> deepak kumar wrote:
>> ... but even after client authentication from certificate, the
>> router (chillispot) prompts for a username and password and then does
>> authentication using UAM. Please tell me why this is asking for login
>> name and password after client certificate validation.
>
> Because chillispot is configured to do that. It's not a RADIUS problem.
>
> Alan DeKok.
> -- 
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Proxying Eap Requests in round robbin.
Arran Cudbard-Bell wrote:
> What's happening is that the first round of authentication will go to
> radius1.uscs.susx.ac.uk; the second will go to radius2.uscs.susx.ac.uk,
> but the second doesn't know about the previous request and bails out with:

Round robin and EAP don't work together very well.

> So firstly, is EAP proxying actually possible?

Yes. Many people are using it.

Round-robin, on the other hand, isn't currently possible. It would require additional code in the server. It's not hard, but it hasn't been done yet.

> Secondly, is there something really stupid I've missed?

Nope.

> There are two ways I can see this working: either the proxy server directs
> all the authentication rounds for one session to one proxy server, or the
> eap module on either backend instance figures out what the previous part of
> the conversation was.

If it's proxying, the EAP module isn't being used.

> Also I noticed this entry in eap.conf:
>
>         # A list is maintained to correlate EAP-Response
>         # packets with EAP-Request packets. After a
>         # configurable length of time, entries in the list
>         # expire, and are deleted.
>         #
>         # timer_expire = 60
>
> Anyone know where this list actually exists? Is it just in memory or an
> actual file?

It's in the EAP module. And it's only used when the server is doing the EAP authentication.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Issues with rlm_pap
Alan,

Thanks so much for the response, I wasn't aware that the {md5} header needed to be in the database. The requested information is below:

UserName    Attribute   Value                              op
test.user   Password    c1dd8z473d9gf5c13b0d89b32d15333    :=

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Tuesday, March 20, 2007 5:43 AM
To: FreeRadius users mailing list
Subject: Re: Issues with rlm_pap

> Deramus, Chris wrote:
>> This no longer seems to work, as FreeRADIUS seems to be attempting to
>> compare the clear-text password with the MD5 password returned from the
>> database. I'm guessing it's an oversight on my end, and wanted to see if
>> anyone on this list noticed anything. I have included portions of my
>> radiusd.conf and users files which are pertinent to this issue.
>
> Can you post what's in your SQL database? i.e. attribute name, operator,
> and value.
>
> I suspect that the contents of the User-Password are the MD5 hash, rather
> than the {md5} header followed by the MD5 hash.
>
> Alan DeKok.
> -- 
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Question on Accounting Proxy Features?
Hi Folks,

I am a newbie to Freeradius and am considering using it. However, I have a specific requirement, which I cannot find any info on either via web search or the Wiki or FAQ.

I wish to use Freeradius as an Accounting Proxy, essentially to copy an Accounting Request to a server. The Freeradius box will be placed after an existing Radius box which will send the accounting info to it. However, there are some requirements.

1. Freeradius needs to proxy accounting to another server
2. Freeradius needs to provide an accounting response to the first radius box, without waiting for a response from the proxied server

Is this possible with Freeradius today?

Thanks
Alan
Re: EAP-TLS authentication
deepak kumar wrote:
> Hi Alan,
>
> Thanks for your prompt reply. Can you tell me how to modify chillispot to
> work with EAP-TLS?

This isn't the chillispot list. Go ask them.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4
Alexander V. Klepikov wrote:
> I applied the patch and it does not work. It seems to me that this is
> because the SQL socket may be unconnected while sqlsocket->conn != NULL,

That sounds like a bug to me.

> so I think it's better to check sqlsocket->state. Corrected patch is
> attached.

OK.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Issues with rlm_pap
Deramus, Chris wrote:
> Thanks so much for the response, I wasn't aware that the {md5} header
> needed to be in the database.

See the README and the comments above the pap section in radiusd.conf. They say to read "man rlm_pap", which explains this.

If you don't want to update the value field to add {md5}, you can change the attribute name to MD5-Password.

If you don't want to do either, change the PAP configuration back to what you had in 1.1.3.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
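The rule this thread turns on (a User-Password value with no {header} is compared as clear text, so a bare MD5 hex string never matches the password the user typed, while "{md5}" + hex, or the same hex under the MD5-Password attribute, does) is easy to get wrong when filling a radcheck table. The following is an added example, not FreeRADIUS's rlm_pap code: a small model of that header dispatch that can be run against rows in radcheck shape. The header set it knows ({clear}, {md5}, {smd5}, {sha}, {ssha}), the LDAP-style salted layout base64(digest || salt), and the attribute-name shortcut table in check_row (which only follows the thread's mention of MD5-Password and is not the full list rlm_pap accepts) are assumptions of the demo; the sample rows are constructed.

```python
"""Model of how a PAP check dispatches on the stored value's header.

Added example, not FreeRADIUS code. A value without a recognised {header} is
compared as clear text, which is why a raw MD5 hex digest stored in
User-Password cannot match what the user typed. Header set, salted layout
and the attribute table below are assumptions for this demo.
"""
import base64
import binascii
import hashlib
import hmac
import os
import re
from typing import Optional

_HEADER = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)
_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Attribute names carrying an implied header (assumed table, see docstring).
_ATTR_TO_SCHEME = {
    "User-Password": None,      # header, if any, is inside the value
    "Clear-Password": "clear",
    "MD5-Password": "md5",
    "SMD5-Password": "smd5",
    "SHA-Password": "sha",
    "SSHA-Password": "ssha",
}


def _decode_digest(body: str, digest_len: int) -> bytes:
    """Unsalted digests may be stored as hex or base64; pick by shape."""
    if _HEX.match(body) and len(body) == 2 * digest_len:
        return binascii.unhexlify(body)
    return base64.b64decode(body)


def verify_scheme(scheme: str, body: str, candidate: str) -> bool:
    """Check `candidate` against `body` interpreted under `scheme`."""
    pw = candidate.encode()
    if scheme == "clear":
        return hmac.compare_digest(body.encode(), pw)
    if scheme == "md5":
        return hmac.compare_digest(_decode_digest(body, 16), hashlib.md5(pw).digest())
    if scheme == "sha":
        return hmac.compare_digest(_decode_digest(body, 20), hashlib.sha1(pw).digest())
    if scheme in ("smd5", "ssha"):
        raw = base64.b64decode(body)
        n, h = (16, hashlib.md5) if scheme == "smd5" else (20, hashlib.sha1)
        digest, salt = raw[:n], raw[n:]          # assumed layout: digest || salt
        return hmac.compare_digest(digest, h(pw + salt).digest())
    raise ValueError(f"unsupported password scheme {{{scheme}}}")


def verify_pap(stored: str, candidate: str) -> bool:
    """Dispatch on the {header} inside a stored User-Password value."""
    m = _HEADER.match(stored)
    if not m:
        # No header: the whole value is the clear-text password. This is the
        # thread's case: a raw MD5 hex string gets compared as clear text.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    return verify_scheme(m.group(1).lower(), m.group(2), candidate)


def check_row(attribute: str, value: str, candidate: str) -> bool:
    """Check one radcheck-style row (attribute, value) against a candidate."""
    if attribute not in _ATTR_TO_SCHEME:
        raise ValueError(f"not a password attribute: {attribute}")
    scheme = _ATTR_TO_SCHEME[attribute]
    if scheme is None:
        return verify_pap(value, candidate)
    return verify_scheme(scheme, value, candidate)


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {ssha} value suitable for a User-Password row."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{ssha}" + base64.b64encode(digest + salt).decode()


if __name__ == "__main__":
    # Constructed rows in radcheck shape: (attribute, op, value).
    pw = "password"
    md5_hex = hashlib.md5(pw.encode()).hexdigest()
    rows = [
        ("User-Password", ":=", md5_hex),            # the thread's setup: fails
        ("User-Password", ":=", "{md5}" + md5_hex),  # header inside the value: works
        ("MD5-Password", ":=", md5_hex),             # header implied by the attribute
        ("User-Password", ":=", make_ssha(pw)),      # salted; preferable to bare MD5
    ]
    for attr, op, value in rows:
        print(f"{attr:14} {op} {value:44} -> {check_row(attr, value, pw)}")
```

The first row reproduces the failure in the thread; the second and third are the two fixes Alan lists. The fourth is there because an unsalted MD5 of a PAP password is cheap to reverse if the table leaks; if the schema is being touched anyway, a salted scheme costs nothing extra on the RADIUS side.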
Re: Question on Accounting Proxy Features?
WRIGHT Alan wrote:
> However, there are some requirements.
>
> 1. Freeradius needs to proxy accounting to another server
> 2. Freeradius needs to provide an accounting response to the first radius
> box, without waiting for a response from the proxied server
>
> Is this possible with Freeradius today?

Yes. Configure the proxying server to log to the detail file, and *not* do proxying. Then, run radrelay, which will send the contents of the detail file to the other server.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
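The detail-file-plus-radrelay arrangement above decouples the Accounting-Response from the upstream server: the first server is answered as soon as the record is on disk, and the relay replays the file later. What that relay has to do per record is worth seeing once. The following is an added example, not radrelay's own code: it parses the detail-file layout the server's detail module writes (a ctime header line, one tab-indented "Attr = value" line per attribute, a blank line between records) and prepares each record for re-sending, bumping Acct-Delay-Time by how late the replay is, which is what RFC 2866 defines that attribute for (seconds the client has been trying to send the record). The sample text is constructed; treating Timestamp and Client-IP-Address as the server's own bookkeeping to be dropped before re-sending is this example's assumption.

```python
"""Parse FreeRADIUS detail-file records and prepare them for replay.

Added example, not radrelay's code. Layout handled: a ctime header line
starts a record, attributes follow one per tab-indented line as
"Attr = value" (strings quoted), and a blank line ends the record.
"""
import re
from typing import Dict, List

_ATTR = re.compile(r'^\s+([A-Za-z0-9.:-]+)\s*=\s*(.*)$')

# Assumed to be bookkeeping the server added when writing the file, not
# RADIUS attributes the NAS sent; dropped before re-sending.
_LOCAL_ATTRS = {"Timestamp", "Client-IP-Address"}


def _unquote(value: str) -> str:
    """Strings are written quoted; integers, IPs and enum names are bare."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split a detail file into records; each is {attribute: value} plus '_header'."""
    records: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = None
            continue
        m = _ATTR.match(line)
        if m and current is not None:
            current[m.group(1)] = _unquote(m.group(2))
        elif not line[0].isspace():
            current = {"_header": line.strip()}   # the ctime line opening a record
    if current:
        records.append(current)
    return records


def for_replay(record: Dict[str, str], now: int) -> Dict[str, str]:
    """Attribute set to re-send, with Acct-Delay-Time raised by the replay lateness."""
    out = {k: v for k, v in record.items()
           if not k.startswith("_") and k not in _LOCAL_ATTRS}
    written = int(record.get("Timestamp", now))
    late = max(0, now - written)
    out["Acct-Delay-Time"] = str(int(record.get("Acct-Delay-Time", "0")) + late)
    return out


# Constructed sample: a Start and a Stop for one session, in detail-file shape.
SAMPLE = (
    "Tue Mar 20 12:21:29 2007\n"
    "\tAcct-Session-Id = \"0000001A\"\n"
    "\tAcct-Status-Type = Start\n"
    "\tUser-Name = \"peppeska\"\n"
    "\tNAS-IP-Address = 127.0.0.1\n"
    "\tAcct-Delay-Time = 0\n"
    "\tTimestamp = 1174393289\n"
    "\n"
    "Tue Mar 20 12:31:29 2007\n"
    "\tAcct-Session-Id = \"0000001A\"\n"
    "\tAcct-Status-Type = Stop\n"
    "\tUser-Name = \"peppeska\"\n"
    "\tNAS-IP-Address = 127.0.0.1\n"
    "\tAcct-Session-Time = 600\n"
    "\tAcct-Delay-Time = 2\n"
    "\tTimestamp = 1174393889\n"
    "\n"
)

if __name__ == "__main__":
    # Replay 30 s after the Stop record was written.
    for rec in parse_detail(SAMPLE):
        print(rec["_header"], for_replay(rec, now=1174393889 + 30))
```

The Acct-Delay-Time adjustment matters because the upstream server has no other way to know the record is stale; without it, session start and stop times reconstructed upstream drift by however long the file sat on disk.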
Re: freeradius don't start!!
peppeska wrote:
> Martin Gadbois wrote:
>> peppeska wrote:
>>> freeradius.pid not found ??? what???
>> Start it like this, as root:
>> # radiusd -X
>
> Ok, I don't have radiusd, but it works with
> # freeradius -X
> Thanks!

The -X only tells you to start it in the foreground with full debug (it does not check for the .pid file). It usually tells you what's wrong. See the man page (man radiusd (or freeradius on your system?)) for more information.

-- 
Martin Gadbois       | Windows might take you from 0 to 60 faster,
S/W Developer        | but to go to 100 you need Unix.
Colubris Networks Inc.
problem with rlm_sql or mysql-server ?
Hi everybody,

I have a problem with freeradius 1.0.2 and mysql 4.0.24, on a debian stable, used for about 1700 clients. I often have (about 10 times an hour) errors like these:

Tue Mar 20 12:21:29 2007 : Auth: Login incorrect: [/Y] (from client port 0)
Tue Mar 20 12:21:40 2007 : Info: rlm_sql (sql): No matching entry in the database for request from user [X]
Tue Mar 20 12:21:40 2007 : Auth: Login incorrect: [X/Y] (from client port 0)
Tue Mar 20 12:22:00 2007 : Info: rlm_sql (sql): No matching entry in the database for request from user [X]
Tue Mar 20 12:22:00 2007 : Auth: Login incorrect: [X/Y] (from client port 0)
Tue Mar 20 12:22:21 2007 : Auth: Login OK: [X/Y] (from client port 0)

whereas, of course, the username exists, and the password didn't change... Is this a problem with the freeradius config, or is the mysql server too busy?

Thanks for your answers,
Mathieu
Error while starting radiusd on FreeBSD 6.1
Dear all,

I just did a fresh install of freeradius-1.1.5 on a FreeBSD 6.1-RELEASE. Installation was successful. Then I tried to start the radiusd with "radiusd -X" and got the following error:

radiusd in free(): error: chunk is already free

# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
radiusd in free(): error: chunk is already free
Abort (core dumped)

And the output of gdb on the core is as follows:

* 1 LWP 100079  0x282b9363 in kill () from /lib/libc.so.6

Thread 1 (LWP 100079):
#0  0x282b9363 in kill () from /lib/libc.so.6
No symbol table info available.
#1  0x280941e2 in raise () from /usr/lib/libpthread.so.2
No symbol table info available.
#2  0x282b8014 in abort () from /lib/libc.so.6
No symbol table info available.
#3  0x2825e4d3 in _UTF8_init () from /lib/libc.so.6
No symbol table info available.
#4  0xbfbfee02 in ?? ()
No symbol table info available.
#5  0x282bf4d7 in sys_nsig () from /lib/libc.so.6
No symbol table info available.
#6  0x282bf3d7 in sys_nsig () from /lib/libc.so.6
No symbol table info available.
#7  0x282bf434 in sys_nsig () from /lib/libc.so.6
No symbol table info available.
#8  0x in ?? ()
No symbol table info available.
#9  0x282c9508 in ?? () from /lib/libc.so.6
No symbol table info available.
#10 0xbfbfd548 in ?? ()
No symbol table info available.
#11 0x2825e501 in _UTF8_init () from /lib/libc.so.6
No symbol table info available.
#12 0x282c9508 in ?? () from /lib/libc.so.6
No symbol table info available.
#13 0x282dbf64 in _nsyyin () from /lib/libc.so.6
No symbol table info available.
#14 0xbfbfd5f8 in ?? ()
No symbol table info available.
#15 0x2825f261 in _UTF8_init () from /lib/libc.so.6
No symbol table info available.
#16 0x0017 in ?? ()
No symbol table info available.
#17 0x08130300 in ?? ()
No symbol table info available.
#18 0x280e56e4 in __JCR_LIST__ () from /usr/local/lib/libltdl.so.4
No symbol table info available.
#19 0x280e03cb in rpl_argz_next (argz=0x282bf434 "chunk is already free\n", argz_len=135087152, entry=0x0) at ltdl.c:751
No locals.

What could be the cause of this error and how to resolve it?

Many thanks in advance
Rickan
Re: problem with rlm_sql or mysql-server ?
Mathieu Lemaitre wrote:
> I have a problem with freeradius 1.0.2 and mysql 4.0.24, on a debian
> stable, used for about 1700 clients. I often have (about 10 times an hour)
> errors like these:
>
> Tue Mar 20 12:21:29 2007 : Auth: Login incorrect: [/Y] (from client port 0)
> Tue Mar 20 12:21:40 2007 : Info: rlm_sql (sql): No matching entry in the database for request from user [X]

That likely means that you have User-Password == "foo" in the SQL database, and the user entered a different password.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
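Whether a run of "Login incorrect" lines is a wrong password or a backend lookup that intermittently finds nothing is hard to tell by eye in a busy radius.log, but the two leave different shapes: a bad password fails consistently, while the pattern in the question above ("No matching entry in the database" followed seconds later by "Login OK" for the same user with the same password) flaps. The following is an added example, not FreeRADIUS code: a parser for the log line forms shown in the thread plus a per-user classifier, run over constructed copies of those lines. The 120-second window is the example's own choice. One thing the log format itself shows: the "[user/pass]" form in these lines is what log_auth_badpass = yes produces, so rejected passwords are being written to the log in clear text.

```python
"""Triage "Login incorrect" entries in a radius.log excerpt.

Added example, not FreeRADIUS code. Parses the three line forms seen in the
thread (Login incorrect, Login OK, rlm_sql "No matching entry") and labels
each user as 'flapping' (a failure followed by a success within a short
window, pointing at the lookup path), 'failing' (only failures) or 'ok'.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

_LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$')
_INCORRECT = re.compile(r'^Login incorrect: \[(?P<user>[^/\]]*)(?:/[^\]]*)?\]')
_OK = re.compile(r'^Login OK: \[(?P<user>[^/\]]*)(?:/[^\]]*)?\]')
_NOMATCH = re.compile(
    r'^rlm_sql \(\w+\): No matching entry in the database for request from user \[(?P<user>[^\]]*)\]')

Event = Tuple[datetime, str, str]   # (timestamp, kind, user)


def parse_log(text: str) -> List[Event]:
    """Extract (timestamp, kind, user) from the recognised line forms."""
    events: List[Event] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        msg = m.group("msg")
        for kind, rx in (("incorrect", _INCORRECT), ("ok", _OK), ("nomatch", _NOMATCH)):
            mm = rx.match(msg)
            if mm:
                events.append((ts, kind, mm.group("user")))
                break
    return events


def classify(events: List[Event], window_s: int = 120) -> Dict[str, str]:
    """Per user: 'flapping', 'failing' or 'ok' (see module docstring)."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, kind, user in events:
        by_user[user].append((ts, kind))
    verdict: Dict[str, str] = {}
    for user, evs in by_user.items():
        evs.sort()
        flapping, last_fail = False, None
        for ts, kind in evs:
            if kind in ("incorrect", "nomatch"):
                last_fail = ts
            elif kind == "ok" and last_fail is not None \
                    and (ts - last_fail).total_seconds() <= window_s:
                flapping = True
        if flapping:
            verdict[user] = "flapping"
        elif any(k != "ok" for _, k in evs):
            verdict[user] = "failing"
        else:
            verdict[user] = "ok"
    return verdict


# Constructed sample: the lines from the question, plus a user Z whose
# password really is wrong. Client names are made up.
SAMPLE_LOG = """\
Tue Mar 20 12:21:29 2007 : Auth: Login incorrect: [/Y] (from client nas1 port 0)
Tue Mar 20 12:21:40 2007 : Info: rlm_sql (sql): No matching entry in the database for request from user [X]
Tue Mar 20 12:21:40 2007 : Auth: Login incorrect: [X/Y] (from client nas1 port 0)
Tue Mar 20 12:22:00 2007 : Info: rlm_sql (sql): No matching entry in the database for request from user [X]
Tue Mar 20 12:22:00 2007 : Auth: Login incorrect: [X/Y] (from client nas1 port 0)
Tue Mar 20 12:22:21 2007 : Auth: Login OK: [X/Y] (from client nas1 port 0)
Tue Mar 20 12:25:00 2007 : Auth: Login incorrect: [Z/wrong] (from client nas1 port 0)
Tue Mar 20 12:26:00 2007 : Auth: Login incorrect: [Z/wrong2] (from client nas1 port 0)
"""

if __name__ == "__main__":
    for user, verdict in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{user or '<empty>'}: {verdict}")
```

A user in the 'flapping' class with the same password on both the failing and the succeeding attempt is the case to take to the SQL side (timeouts, a replica that lags, a connection pool returning dead sockets), since the credential evidently was right.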
Re: EAP-TTLS outer identity accounting
Sam Schultz wrote:
> I have set a DEFAULT entry that sets the User-Name attribute via ':=', but
> I still end up with two User-Name attributes (anonymous identity and real
> identity). This is especially strange, since use_tunneled_reply and
> copy_request_to_tunnel are both enabled as well.

Then it may be a bug. My tests look like they work, so I'm not sure what the difference is with your configuration.

> If I understand correctly, := should replace the anonymous (first)
> User-Name value with the real (second) value, provided they are in the
> same session. Upon looking back at the debug output, it looks like the
> tunneled request is actually handled as if it were a separate request
> from the one containing it (request -> eap module -> (unpack) -> new
> request).

Yes.

> This would explain why two User-Name attributes are showing up in the
> final response.

Not entirely. If you have use_tunneled_reply = yes, AND you're doing:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        User-Name := `%{User-Name}`

Then that name should be copied to the outer tunnel, AND the outer tunnel SHOULD NOT add the anonymous username in the reply, because it sees the User-Name copied from the tunnel. See src/modules/rlm_eap/*.c

> P.S. A link to a list of known-good access points, or personal
> recommendations on access points would also be appreciated.

See the Wiki. If you have good experiences, add them to the Wiki.

> We will be replacing a few 3com APs soon because they don't play well
> with...well...ANYTHING. One (3com OfficeConnect) doesn't even have
> options for radius accounting, even though it advertises the feature
> right on the box.

Return them as broken. Cisco AP350's seem to be pretty solid.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Error while starting radiusd on FreeBSD 6.1
rickan wrote:
> Dear all,
>
> I just did a fresh install of freeradius-1.1.5 on a FreeBSD 6.1-RELEASE.
> Installation was successful. Then I tried to start the radiusd with
> "radiusd -X" and got the following error:
>
> radiusd in free(): error: chunk is already free

It's been noted already. Grab "-r branch_1_1" from CVS, which has a fix.

I guess 1.1.6 should be released soon.

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Proxying/Rewriting Accounting Packets
Greetings.

First I'd like to thank everyone who works on this project. Freeradius is amazing.

For our issue, I have browsed the online documentation, FAQ, and mailing lists. We have a need to alter the accounting records that we proxy to another company. The attribute that we need to rewrite is the Calling-Station-Id. Basically what we need to do is have Freeradius do a database query (via a script) to look up the new number that it should use in place of the original value for Calling-Station-Id.

Here is what I have tried:

In radiusd.conf:

        ## Added by Jason
        attr_rewrite mintomdn {
                searchin = packet
                attribute = Calling-Station-Id
                searchfor = %i
                #replacewith = %{exec:/usr/local/freeradius/bin/mdn_lookup.sh %{Calling-Station-Id}}
                replacewith = %{exec:/usr/local/freeradius/bin/mdn_lookup.sh %i}
                # This works
                #replacewith = %{callingstationid}jasontest
                ignore_case = no
                new_attribute = no
                max_matches = 1
                append = no
        }
        ## End Added by Jason

... and in the pre_proxy stage:

        pre-proxy {
                # Added by Jason
                mintomdn
                # End Added by Jason
                pre_proxy_log
        }

Here are the debug results:

radius_xlat: '0210xxx'
radius_xlat: Running registered xlat function of module exec for string '/usr/local/freeradius/bin/mdn_lookup.sh'
rlm_exec (exec): Executing /usr/local/freeradius/bin/mdn_lookup.sh
rlm_exec (exec): result 0
radius_xlat: ''
rlm_attr_rewrite: xlat on replace string failed.

Thoughts? What have I missed? Any assistance on this would be greatly appreciated. Thanks in advance for your time.

Regards,
Jason
Re: Error while starting radiusd on FreeBSD 6.1
Hi Alan,

Thanks a lot for your hint. Yes, the branch_1_1 is working fine!

Best regards
Rickan

On 3/20/07, Alan DeKok [EMAIL PROTECTED] wrote:
> rickan wrote:
>> Dear all,
>>
>> I just did a fresh install of freeradius-1.1.5 on a FreeBSD 6.1-RELEASE.
>> Installation was successful. Then I tried to start the radiusd with
>> "radiusd -X" and got the following error:
>>
>> radiusd in free(): error: chunk is already free
>
> It's been noted already. Grab "-r branch_1_1" from CVS, which has a fix.
>
> I guess 1.1.6 should be released soon.
>
> Alan DeKok.
> -- 
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
pam_radius_auth
Looking for some help on configuring pam_radius_auth with linux for pop3 and imap services. Anyone have any clues?

I currently have my /etc/pam.d/pop3 and imap files showing:

auth    sufficient /lib/security/pam_radius_auth.so try_first_pass
account sufficient /lib/security/pam_radius_auth.so try_first_pass

When I run "authtest -s pop3 user1 password1" it passes (this is a management account). However, if I run "authtest -s pop3 user2 password2", it fails authentication saying the passwords did not match (when I know they did).

What's even stranger is that when I pass user2 with no password, it passes authentication...

I am not using freeradius that I know of (the radius server is on an OpenVMS machine) and this linux box is just a client.

Any help would be appreciated.

Thank you
Dan Delaney
Re: Proxying EAP Requests in round robin
Message: 2 Date: Tue, 20 Mar 2007 12:30:47 +0100 From: Alan DeKok [EMAIL PROTECTED] Subject: Re: Proxying Eap Requests in round robbin. To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=ISO-8859-1 Arran Cudbard-Bell wrote: Whats happening if the first round of authentication will go to radius1.uscs.susx.ac.uk Second will go to radius2.uscs.susx.ac.uk, but the second doesn't know about the previous request and bails out with. Round robin EAP don't work together very well. So firstly is EAP proxying actually possible ? Yes. Many people are using it. Round-robin, on the other hand, isn't currently possible. It would require additional code in the server. It's not hard, but it hasn't been done yet. Secondly is there something really stupid i've missed ? Nope. There are two ways I can see this working, either the proxy server directs all the authentication rounds for one session to one proxy server. Or the eap module on either backend instance figures out what the previous part of the conversation was. If it's proxying, the EAP module isn't being used. Also I noticed this entry in eap.conf # A list is maintained to correlate EAP-Response # packets with EAP-Request packets. After a # configurable length of time, entries in the list # expire, and are deleted. # timer_expire = 60 Anyone know where this list actually exists ? If it's just in memory or an actual file ? It's in the EAP module. And it's only used when the server is doing the EAP authentication. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog Damn, so theres no way to do load balancing with radius packets containing EAP attributes ? Completely different topic, but is it normal for freeRADIUS to authorize the user in each round of authentication ? Can it not cache the credentials from the LDAP / SQL database ? Or is it doing that already transparently? 
Thank you very much for your quick response anyway, saved me hours of head scratching.

Regards,
Arran
--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxying Eap Requests in round robbin
Arran Cudbard-Bell wrote:
Damn, so there's no way to do load balancing with RADIUS packets containing EAP attributes?

As always, patches are welcome. :)

Completely different topic, but is it normal for FreeRADIUS to authorize the user in each round of authentication? Can it not cache the credentials from the LDAP / SQL database? Or is it doing that already transparently?

It's normal. It's not caching the credentials. The problem is that it's difficult for the EAP module to say "now I need authentication information". So it's easier to just always query the DB, even though it's inefficient.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
IP Pool management and Re-authentication
Hi,

I'm using a system (openvpn) with 'radiusplugin' to let FR authenticate users and manage IP pools. Openvpn sometimes needs to renegotiate the connections and thus sends authentication requests while the connection is still active (with an already assigned IP address): this causes FR to assign a new IP address from the pool (which seems normal since FR has no way to know this is a renegotiation).

I'd like to patch the openvpn-radiusplugin so that an extra attribute is sent in the Access-Accept packets so that FR will be able to differentiate Initial and Renegotiation Access-Accept requests and only assign new IP addresses from the pool on Initial Access-Accept requests.

Do you know a standard RADIUS attribute that could be used for this? As far as you know, are there other NASes using such a quirk? Does this make sense?

Thanks in advance,
Thibault
Re: IP Pool management and Re-authentication
Thibault Le Meur wrote:
Openvpn sometimes needs to renegotiate the connections and thus sends authentication requests while the connection is still active (with an already assigned IP address): this causes FR to assign a new IP address from the pool (which seems normal since FR has no way to know this is a renegotiation).

So why isn't the radiusplugin telling FreeRADIUS what the old IP address was?

I'd like to patch the openvpn-radiusplugin so that an extra attribute is sent in the Access-Accept packets so that FR will be able to differentiate Initial and Renegotiation Access-Accept requests and only assign new IP addresses from the pool on Initial Access-Accept requests.

I think you mean Access-Request packet. If it doesn't have a Framed-IP-Address attribute, FreeRADIUS can allocate one and send it in an Access-Accept. If openvpn re-authenticates a session with an existing IP address, it should send Framed-IP-Address in the Access-Request.

Do you know a standard RADIUS attribute that could be used for this? As far as you know, are there other NASes using such a quirk? Does this make sense?

It makes sense.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE : IP Pool management and Re-authentication
Thanks for your reply,

Thibault Le Meur wrote:
Openvpn sometimes needs to renegotiate the connections and thus sends authentication requests while the connection is still active (with an already assigned IP address): this causes FR to assign a new IP address from the pool (which seems normal since FR has no way to know this is a renegotiation).

So why isn't the radiusplugin telling FreeRADIUS what the old IP address was?

Because it's still beta ;-), I can fix this.

I'd like to patch the openvpn-radiusplugin so that an extra attribute is sent in the Access-Accept packets so that FR will be able to differentiate Initial and Renegotiation Access-Accept requests and only assign new IP addresses from the pool on Initial Access-Accept requests.

I think you mean Access-Request packet.

Sorry for the mistake, I meant Access-Request of course.

If it doesn't have a Framed-IP-Address attribute, FreeRADIUS can allocate one and send it in an Access-Accept. If openvpn re-authenticates a session with an existing IP address, it should send Framed-IP-Address in the Access-Request.

If I get you right, my patch may be as easy as making radiusplugin add the Framed-IP-Address attribute to the Access-Request packet with the already assigned IP address when it is a renegotiation.

Thanks a lot Alan.

Regards,
Thibault
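The thread above settles on the NAS sending Framed-IP-Address in the re-authentication Access-Request. What the server then does with that attribute is the security-relevant part: a pool that hands back whatever address the request names lets a stale or spoofed claim walk off with someone else's lease. The Python below is an added example, not code from FreeRADIUS, rlm_ippool or the openvpn radiusplugin. It keys sessions on NAS-IP-Address plus NAS-Port (rlm_ippool's default key; whether that identifies a session on your NAS is an assumption), honours Framed-IP-Address only when that lease already belongs to the same session, and otherwise allocates exactly as it would for an initial request.

```python
# Added example, not code from FreeRADIUS, rlm_ippool or the openvpn radiusplugin.
# A pool that reuses a session's lease when a re-authentication carries
# Framed-IP-Address, but only after checking the lease really belongs to that
# session.  The session key (NAS-IP-Address + NAS-Port) is rlm_ippool's default;
# treat that choice as an assumption for your NAS.
import ipaddress
from typing import Dict, Optional, Tuple

SessionKey = Tuple[str, str]


class Pool:
    def __init__(self, cidr: str) -> None:
        self.net = ipaddress.ip_network(cidr)
        self.leases: Dict[str, SessionKey] = {}   # address -> owning session

    @staticmethod
    def key(request: dict) -> SessionKey:
        # Both attributes are in every Access-Request we expect; a KeyError
        # for anything else is deliberate rather than silently mis-keyed.
        return (str(request["NAS-IP-Address"]), str(request["NAS-Port"]))

    def _lease_of(self, key: SessionKey) -> Optional[str]:
        for ip, owner in self.leases.items():
            if owner == key:
                return ip
        return None

    def _first_free(self) -> Optional[str]:
        for ip in self.net.hosts():
            if str(ip) not in self.leases:
                return str(ip)
        return None

    def allocate(self, request: dict) -> Optional[dict]:
        """Reply items for the Access-Accept, or None when the pool is exhausted."""
        key = self.key(request)
        claimed = request.get("Framed-IP-Address")
        if claimed is not None and self.leases.get(claimed) == key:
            # Renegotiation: the NAS reports the address it already uses and
            # that address is leased to this very session, so hand it back.
            return {"Framed-IP-Address": claimed}
        # No claim, or a claim for an address this session does not own (stale
        # after a NAS restart, or spoofed): do not honour it.  First reuse a
        # lease the session already holds (a retransmit), then allocate.
        existing = self._lease_of(key)
        if existing is not None:
            return {"Framed-IP-Address": existing}
        fresh = self._first_free()
        if fresh is None:
            return None
        self.leases[fresh] = key
        return {"Framed-IP-Address": fresh}

    def release(self, request: dict) -> bool:
        """Accounting-Stop: free whatever the session holds.  True if anything was freed."""
        key = self.key(request)
        held = [ip for ip, owner in self.leases.items() if owner == key]
        for ip in held:
            del self.leases[ip]
        return bool(held)
```

A softer policy would also accept a claimed address that is free and inside the pool, which helps after a server restart at the price of letting the NAS pick addresses; the strict form above never lets the request choose. Releasing on Accounting-Stop is what keeps the pool from filling with leases whose sessions are long gone.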
Re: Freeradius-Users Digest, Vol 23, Issue 90
As always, patches are welcome. :)

Yes, I'm already putting one together for the sql module, honestly who hardcodes SQL queries :P No, I don't want to select * from nas.. gah

Am I right in thinking that for radius to be able to proxy EAP successfully, the request_list module would have to be updated to hold information as to which home radius server the session was being handled by, with the session's id being the unique acct id (which could be recorded at the same time as the EAP start message), and then direct future packets to that server for an arbitrary length of time, say as long as the NAS's authentication timeout and/or until it detected an accept/reject packet for that authentication session? Or is there some hidden complexity?

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900
pam_radius_auth
Does anyone know how to change the service type that pam_radius_auth passes to the server? Currently, it is sending an interactive login, but I need to change it to a network login. This is using pam.d on a FC6 system.

Thank you
Dan Delaney
Re: EAP-TTLS outer identity accounting
On Tue, 20 Mar 2007 09:38:25 -0500 Alan DeKok [EMAIL PROTECTED] wrote:

Sam Schultz wrote:
I have set a DEFAULT entry that sets the User-Name attribute via ':=', but I still end up with two User-Name attributes (anonymous identity and real identity). This is especially strange, since use_tunneled_reply and copy_request_to_tunnel are both enabled as well.

Then it may be a bug. My tests look like they work, so I'm not sure what the difference is with your configuration.

It worked for me right out of the box at one time, too. I have a feeling it was using either freeradius 1.1.3 or 1.0.3 (or whatever FC2 came pre-packaged with). I'll probably test my configuration against an earlier version later and see if I can establish it as a bug. The version I've been trying to coerce into working is 1.1.4, which was compiled from source.

If I understand correctly, := should replace the anonymous (first) User-Name value with the real (second) value, permitting they are in the same session. Upon looking back at the debug output, it looks like the tunneled request is actually handled as if it were a separate request from the one containing it (request -> eap module -> (unpack) -> new request).

Yes.

This would explain why two User-Name attributes are showing up in the final response.

Not entirely. If you have use_tunneled_reply = yes, AND you're doing:

DEFAULT	FreeRADIUS-Proxied-To == 127.0.0.1
	User-Name := `%{User-Name}`

Then that name should be copied to the outer tunnel, AND the outer tunnel SHOULD NOT add the anonymous username in the reply, because it sees the User-Name copied from the tunnel. See src/modules/rlm_eap/*.c

I may do this as a last resort. In my experience, code dependent on openssl tends to be ugly and hard to follow/understand.

P.S. A link to a list of known-good access points, or personal recommendations on access points would also be appreciated.

See the Wiki. If you have good experiences, add them to the Wiki.

We will be replacing a few 3com APs soon because they don't play well with...well...ANYTHING. One (3com OfficeConnect) doesn't even have options for radius accounting, even though it advertises the feature right on the box.

Return them as broken.

I planned on it as soon as I get replacements. It doesn't look like 3com even has a bug reporting system of any kind. Well, at least not for customers who don't have a support contract with them, anyway.

Cisco AP350's seem to be pretty solid.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: IP Address based proxy forward
Yes you're right, I saw this wrong information in a non-official radius forum. Is there a way or another to check on a network basis like 192.168.2.100/30? In our production architecture, the number of IP addresses should be a /21 subnet (2046 hosts)... I can write one line per IP but maybe there is a better way to configure it?

Thanks,
Philippe Bacquaert

Alan DeKok wrote:
freeradius wrote:
... The users file contains:
john	Client-IP-Address == 192.168.2.100/30, Proxy-To-Realm := proxy

Nothing in the documentation or examples says that the IP/mask format is valid. It's not. The server won't understand it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: IP Address based proxy forward
You can use >= and <=.

john	Client-IP-Address >= 192.168.2.100, Client-IP-Address <= 192.168.2.103, Proxy-To-Realm := proxy

Ivan Kalik
Kalik Informatika ISP

On 20/3/2007, freeradius [EMAIL PROTECTED] wrote:
Yes you're right, I saw this wrong information in a non-official radius forum. Is there a way or another to check on a network basis like 192.168.2.100/30? In our production architecture, the number of IP addresses should be a /21 subnet (2046 hosts)... I can write one line per IP but maybe there is a better way to configure it?
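Ivan's pair of check items works because a CIDR block is one contiguous run of addresses, so a lower and an upper bound on Client-IP-Address describe it exactly; for the /21 Philippe mentions, the bounds are just the block's first and last addresses and one entry replaces two thousand. The Python below is an added example, not FreeRADIUS code: it derives the bounds from a CIDR string, renders the users-file entry, and exhaustively confirms that the two comparisons agree with CIDR membership. It assumes, as the >= / <= suggestion itself does, that the server compares ipaddr attributes numerically.

```python
# Added example, not FreeRADIUS code.  Turns a CIDR block into the pair of
# >= / <= Client-IP-Address checks that the 1.x users file understands, and
# checks that the two comparisons are exactly CIDR membership.  Assumes the
# server compares ipaddr attributes numerically (what the >= / <= advice relies on).
import ipaddress
from typing import Tuple


def cidr_bounds(cidr: str) -> Tuple[str, str]:
    """First and last address of the block, inclusive.  strict=False lets a
    host address such as 192.168.2.100/30 stand for its block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def users_entry(name: str, cidr: str, realm: str) -> str:
    """One users-file entry: name, TAB, comma-separated check items.
    Client-IP-Address is the address the packet arrived from, not something
    the end user can type, so the range really does pin the NAS."""
    lo, hi = cidr_bounds(cidr)
    return (f"{name}\tClient-IP-Address >= {lo}, Client-IP-Address <= {hi}, "
            f"Proxy-To-Realm := {realm}")


def in_range(client_ip: str, cidr: str) -> bool:
    """What the two check items evaluate to for a packet from client_ip."""
    lo, hi = (ipaddress.ip_address(a) for a in cidr_bounds(cidr))
    return lo <= ipaddress.ip_address(client_ip) <= hi


def range_equals_cidr(cidr: str) -> bool:
    """Exhaustively confirm the range check agrees with CIDR membership for
    every address in the block and the one address on either side of it."""
    net = ipaddress.ip_network(cidr, strict=False)
    candidates = [net.network_address - 1, *net, net.broadcast_address + 1]
    return all(in_range(str(a), cidr) == (a in net) for a in candidates)
```

Check items on one users-file line are ANDed, so two disjoint blocks need two entries. The network and broadcast addresses fall inside the range; no NAS will ever send from them, so that is harmless.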
PHP issues with PHP 4.3.9 and dialup_admin
I've been digging around all day and I've seen other people describe the same symptoms I'm having, but the follow-ups typically say "Oh, I fixed it" but don't describe the fix. It seems that something resembling my symptoms goes back to the version of dialup_admin that shipped with freeRADIUS 1.0.1, so I am not convinced what I'm seeing is _specifically_ a PHP 4.3 problem, but given the changes with register_globals from 4.1.0 to 4.2.0, I thought it would be prudent to mention that.

My setup is...
CentOS 4.4.2 (RHEL 4 without the RedHat trademarks and graphics)
Apache 2.0.52
PHP 4.3.9
mysql 4.1.20
freeRADIUS 1.1.5
dialup_admin ? (CVS snapshot 20070320)
firefox 1.5.0.10

I have freeRADIUS installed and working with users stuffed into a flat file, verified with 'radtest'. I can get the main page of dialup_admin to come up, but I get blank screens and lots of PHP errors logged when I try to invoke nearly any button. My radius database has tables, but no rows, since I was trying to set up dialup_admin to start inserting users and groups.

I have set PHP's register_globals to 'on' via /etc/php.ini and verified that it's on with phpinfo(), and I still get dozens of errors per mouse-click... Here's a typical example - the output is generated when clicking on the 'new group' button: a long list of 'undefined constant', 'undefined variable', and 'undefined index' following the warning that there's no prefix on a function call to say what its namespace is. I'm putting the error dump at the bottom to keep it from creating a huge gulf between sections of this query.

I know it must look familiar because I've found several references to errors that look just like this in the mailing list archives. What's lacking is the solution. Am I just missing a setup step somewhere? Am I running servers and packages that are just too new and untested?
Thanks,
-ethan

[client 127.0.0.1] PHP Notice: import_request_variables(): No prefix specified - possible security hazard in /usr/local/dialup_admin/conf/config.php3 on line 8, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant general_use_session - assumed 'general_use_session' in /usr/local/dialup_admin/conf/config.php3 on line 66, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Undefined variable: login in /usr/local/dialup_admin/conf/config.php3 on line 73, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Undefined variable: login in /usr/local/dialup_admin/conf/config.php3 on line 76, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant general_username_mappings_file - assumed 'general_username_mappings_file' in /usr/local/dialup_admin/conf/config.php3 on line 86, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant general_username_mappings_file - assumed 'general_username_mappings_file' in /usr/local/dialup_admin/conf/config.php3 on line 87, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant name - assumed 'name' in /usr/local/dialup_admin/conf/config.php3 on line 100, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant general_use_session - assumed 'general_use_session' in /usr/local/dialup_admin/conf/config.php3 on line 106, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Undefined variable: show in /usr/local/dialup_admin/htdocs/group_new.php3 on line 3, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant general_lib_type - assumed 'general_lib_type' in /usr/local/dialup_admin/htdocs/group_new.php3 on line 8, referer: http://localhost/dialup/buttons.php3
[client 127.0.0.1] PHP Notice: Use of undefined constant general_user_edit_attrs_file - assumed 'general_user_edit_attrs_file' in /usr/local/dialup_admin/lib/attrshow.php3 on line 8, referer: http
Problems with PAP, upgrading from 1.1.3
Hi everyone,

I'm having a hell of a time upgrading from 1.1.3 to 1.1.4 due to PAP. First of all, leaving my settings as they are doesn't work at all. I'm beginning to wonder if my 1.1.3 configuration shouldn't work at all yet somehow magically does what I want it to.

I currently (1.1.3) don't have a *-Password attribute. The table has a password field in it that I use in a crazy SQL query. It fakes a row with the User-Password attribute. The passwords are all SHA1 hashed.

This is what happens when using the 1.1.3 config (encryption_scheme = sha1):

rad_recv: Access-Request packet from host 192.168.0.10:54288, id=46, length=56
	User-Name = test
	User-Password = qwertyuiop1
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
...
modcall[authorize]: module sql returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type PAP
auth: type PAP
Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 1
rlm_pap: login attempt with password qwertyuiop1
rlm_pap: No password configured for the user. Cannot do authentication
modcall[authenticate]: module pap returns fail for request 1
modcall: leaving group PAP (returns fail) for request 1
auth: Failed to validate the user.
Login incorrect: [test] (from client localhost port 1)

This is where I get lost, radiusd.conf:

modules {
	pap {
		encryption_scheme = sha1
	}
	...
}
...
authorize {
	sql
}
authenticate {
	Auth-Type PAP {
		pap
	}
}

I know the rlm_pap man page talks about putting pap into authorize{}, so maybe that is what is preventing it from working, though it does seem to get into rlm_pap above. Adding the header onto the password in the DB doesn't help (though I didn't expect it to).
So at this point I tried making things the way they should be:

modules {
	pap {
		#encryption_scheme = sha1
		auto_header = yes
	}
	...
}

Didn't work with non-prefixed password (duh). This is what I get after prepending {sha1} to the password:

Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password qwertyuiop1
rlm_pap: Using clear text password.
rlm_pap: Passwords don't match
modcall[authenticate]: module pap returns reject for request 0
modcall: leaving group PAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test] (from client localhost port 1)

Okay, so it didn't pick up the header, so I put pap into authorize{} after sql as the man page says and now I get:

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
...
modcall[authorize]: module sql returns ok for request 0
rlm_pap: Found unknown header {{sha1}}: Not doing anything
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type PAP
auth: type PAP
Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password qwertyuiop1
rlm_pap: Using clear text password.
rlm_pap: Passwords don't match
modcall[authenticate]: module pap returns reject for request 0
modcall: leaving group PAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test] (from client localhost port 1)

Now it says unknown header {{sha1}}. I dunno what this means, maybe it wasn't compiled correctly, or I'm specifying the header wrong? I have {sha1}ar3h8ir4r4a3r... in the field.
I tried skipping this (according to my understanding of the man page) by changing User-Password to SHA1-Password, but that breaks my SQL driver:

rlm_sql: Failed to create the pair: Unknown attribute SHA1-Password
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user

I'm kinda lost now. I'm guessing that if the header was known, things would work, but for some reason it doesn't understand the {sha1} prefix...

Thanks,
Josh
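A note on reading the debug above: rlm_pap prints the header it found inside an extra pair of braces, so "Found unknown header {{sha1}}" means the value started with {sha1}, which is not one of the headers rlm_pap in the 1.x series recognises. Those follow the LDAP convention: {crypt}, {md5}, {smd5}, {sha}, {ssha}, {nt} and {lm}, each mapped onto the matching internal attribute (Crypt-Password, MD5-Password, SMD5-Password, SHA-Password, SSHA-Password, NT-Password, LM-Password); SHA1-Password is not in the dictionary, which is exactly what the rlm_sql error says. The Python below is an added example, not rlm_pap's code: it performs a header-aware PAP check of that shape, treating an unrecognised header the way the debug line reports, taking a bare digest as either hex or base64 as rlm_pap does, and comparing in constant time. {crypt}, {nt} and {lm} are recognised but not verified here.

```python
# Added example, not rlm_pap code.  A header-aware PAP check in the style of
# FreeRADIUS 1.x rlm_pap: the stored value may be clear text or carry one of
# the LDAP-style headers {crypt} {md5} {smd5} {sha} {ssha} {nt} {lm}; anything
# else is left alone, which is the branch "Found unknown header" reports.
import base64
import binascii
import hashlib
import hmac
from typing import Tuple

KNOWN_HEADERS = ("{crypt}", "{md5}", "{smd5}", "{sha}", "{ssha}", "{nt}", "{lm}")
ALGO = {"{md5}": "md5", "{smd5}": "md5", "{sha}": "sha1", "{ssha}": "sha1"}


def split_header(stored: str) -> Tuple[str, str]:
    """('{sha}', 'body') for a headed value, ('', value) for clear text."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}") + 1
        return stored[:end].lower(), stored[end:]
    return "", stored


def decode_digest(body: str, size: int) -> bytes:
    """A bare digest may be hex or base64; take hex only when the body is
    exactly the digest's hex length (base64 of the same digest is shorter)."""
    if len(body) == 2 * size:
        try:
            return binascii.unhexlify(body)
        except binascii.Error:
            pass
    return base64.b64decode(body)


def check_pap(supplied: str, stored: str) -> str:
    """'ok', 'reject', or the reason the value was not checked at all."""
    header, body = split_header(stored)
    pw = supplied.encode()
    if header == "":
        # Clear text: still compare in constant time, it is a secret.
        return "ok" if hmac.compare_digest(pw, stored.encode()) else "reject"
    if header not in KNOWN_HEADERS:
        return f"unknown header {header}: not doing anything"
    if header not in ALGO:
        return f"header {header} recognised but not verified in this example"
    algo = ALGO[header]
    size = hashlib.new(algo).digest_size
    try:
        if header in ("{md5}", "{sha}"):
            want, salt = decode_digest(body, size), b""
        else:
            raw = base64.b64decode(body)      # digest || salt, as LDAP stores it
            want, salt = raw[:size], raw[size:]
    except (binascii.Error, ValueError):
        return "reject: stored value is not valid hex or base64"
    got = hashlib.new(algo, pw + salt).digest()
    return "ok" if hmac.compare_digest(got, want) else "reject"


def make_stored(header: str, password: str, salt: bytes = b"", as_hex: bool = False) -> str:
    """Build a stored value for testing; salted forms are always base64."""
    digest = hashlib.new(ALGO[header], password.encode() + salt).digest()
    if as_hex and not salt:
        return header + digest.hex()
    return header + base64.b64encode(digest + salt).decode()
```

Two practical consequences: an unsalted {sha} value is a rainbow-table target, so {ssha} is the least you should store; and a one-way hash only ever supports PAP, since CHAP needs the clear-text password and MS-CHAP needs NT-Password, so the choice of storage format decides which authentication methods the NAS can use.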
Re: EAP-TTLS outer identity accounting
Hi,

It worked for me right out of the box at one time, too. I have a feeling it was using either freeradius 1.1.3 or 1.0.3 (or whatever FC2 came pre-packaged with). I'll probably test my configuration against an earlier version later and see if I can establish it as a bug. The version I've been trying to coerce into working is 1.1.4, which was compiled from source.

I can confirm that EAP-TTLS userids used to work with freeradius (1.0.5 era through to 1.1.3) but then only anonymous was seen. I've been following this User-Name = %{User-Name} etc thread with interest.

alan
Re: freeradius, ldap error - HELP ME!
Thibault Le Meur wrote:
Comment this line in your ldap section of radiusd.conf:
# access_attr = dialupAccess
And comment this one too, like this:
# access_attr_used_for_allow = yes

I did it! And now there is the following error:

rad_recv: Access-Request packet from host 127.0.0.1:1027, id=118, length=54
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = peppeska
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = peppeska, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat: '(cn=peppeska)'
radius_xlat: 'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type MS-CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
rlm_mschap: No MS-CHAP-Challenge in the request
modcall[authenticate]: module mschap returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [peppeska/no User-Password attribute] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 118 to 127.0.0.1 port 1027
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 118 with timestamp 4600073d
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:1027, id=119, length=54
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = peppeska
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = peppeska, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 1
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
modcall[authorize]: module files returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat: '(cn=peppeska)'
radius_xlat: 'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type MS-CHAP
auth: type MS-CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 1
rlm_mschap: No MS-CHAP-Challenge in the request
modcall[authenticate]: module mschap returns reject for request 1
modcall: leaving group MS-CHAP (returns reject) for request 1
auth: Failed to validate the user.
Login incorrect: [peppeska/no User-Password attribute] (from client localhost port 0)
Delaying
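Two things stand out in the debug run above. The Access-Request as logged carries no User-Password, CHAP-Password, MS-CHAP or EAP attribute at all, yet Auth-Type ends up as MS-CHAP (mschap itself returned noop, so the usual suspect is one of the three matched users-file DEFAULT entries), and the mschap module then rejects for want of an MS-CHAP-Challenge. And the same run prints the user's LDAP password in clear text ("Added password ... in check items"), which is what -X does and why it is not for production. The Python below is an added example, not FreeRADIUS code: it derives the Auth-Type from what the request actually contains, the way the chap, mschap, eap and pap authorize modules each claim a request, rejects a credential-less request before the authenticate stage rather than letting a forced Auth-Type fail later, and masks secrets before anything is logged. The request dictionary is constructed from the packet dump above.

```python
# Added example, not FreeRADIUS code.  Pick an Auth-Type from the attributes
# an Access-Request actually carries, refuse a request with no credential at
# all, and mask secrets before logging.  The attribute names are the standard
# RADIUS / Microsoft ones; the dict shape is this example's own convention.
from typing import Optional, Tuple

SECRET_ATTRS = ("User-Password", "CHAP-Password", "MS-CHAP-Response", "MS-CHAP2-Response")

# Constructed from the Access-Request in the debug output above.
PEPPESKA_REQUEST = {
    "Service-Type": "Framed-User",
    "Framed-Protocol": "PPP",
    "User-Name": "peppeska",
    "NAS-IP-Address": "127.0.0.1",
    "NAS-Port": 0,
}


def select_auth_type(request: dict) -> Tuple[Optional[str], str]:
    """(Auth-Type, reason).  None means reject before the authenticate stage."""
    has_ms_response = "MS-CHAP-Response" in request or "MS-CHAP2-Response" in request
    if "EAP-Message" in request:
        return "EAP", "EAP-Message present"
    if "MS-CHAP-Challenge" in request:
        if has_ms_response:
            return "MS-CHAP", "MS-CHAP-Challenge and a response present"
        return None, "MS-CHAP-Challenge without an MS-CHAP response"
    if has_ms_response:
        return None, "MS-CHAP response without MS-CHAP-Challenge"
    if "CHAP-Password" in request:
        # The challenge is CHAP-Challenge or, failing that, the Request Authenticator.
        return "CHAP", "CHAP-Password present"
    if "User-Password" in request:
        return "PAP", "User-Password present"
    return None, "no User-Password, CHAP-Password, MS-CHAP or EAP attribute: nothing to authenticate"


def forced_type_is_consistent(request: dict, forced: str) -> bool:
    """True when a users-file 'Auth-Type := forced' could actually succeed."""
    chosen, _ = select_auth_type(request)
    return chosen == forced


def redact(request: dict) -> dict:
    """Copy of the request safe to write to a log: secrets masked, rest intact."""
    return {k: ("***" if k in SECRET_ATTRS else v) for k, v in request.items()}
```

Run against the constructed request the selector returns no Auth-Type, which is the honest answer: whatever the pppoe side is doing, the packet it sends contains nothing a server could verify, and no users-file entry can conjure a credential that was never sent.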
Apache2 - PAM - freeRADIUS - users
hey,

freeRADIUS works quite well and it's possible to authenticate via PAM; for example local logins, ssh logins, su, chsh, gdm, ... are working quite fine. The only thing is the htaccess from apache2 which will not work. The RADIUS server gets the request and permits the user:

rad_recv: Access-Request packet from host 127.0.0.1:11970, id=92, length=94
	User-Name = micmes
	User-Password = **
	NAS-IP-Address = 192.168.2.12
	NAS-Identifier = apache2
	NAS-Port = 10945
	NAS-Port-Type = Virtual
	Service-Type = Authenticate-Only
	Calling-Station-Id = 192.168.2.103
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 68
modcall[authorize]: module preprocess returns ok for request 68
radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/auth-detail-20070321'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20070321
modcall[authorize]: module auth_log returns ok for request 68
modcall[authorize]: module chap returns noop for request 68
modcall[authorize]: module mschap returns noop for request 68
rlm_realm: No '@' in User-Name = micmes, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 68
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 68
users: Matched entry micmes at line 250
modcall[authorize]: module files returns ok for request 68
modcall: leaving group authorize (returns ok) for request 68
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat: 'Hello, micmes'
Login OK: [micmes/**] (from client localhost port 10945 cli 192.168.2.103)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 68
radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20070321'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20070321
modcall[post-auth]: module reply_log returns ok for request 68
modcall: leaving group post-auth (returns ok) for request 68
Sending Access-Accept of id 92 to 127.0.0.1 port 11970
	Filter-Id == Enterasys:version=1:mgmt=su:policy=Admin-Policy
	Reply-Message = Hello, micmes
Finished request 68
Going to the next request
--- Walking the entire request list ---

also pam gives me the message that the user is authenticated:

Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Got user name micmes
Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Sending RADIUS request code 1
Mar 21 00:07:07 debianmike apache2: pam_radius_auth: Got RADIUS response code 2
Mar 21 00:07:07 debianmike apache2: pam_radius_auth: authentication succeeded

and the apache log gives me this last information:

[Wed Mar 21 00:07:07 2007] [error] [client 192.168.2.103] PAM: user 'micmes' - invalid account: Authentication service cannot retrieve authentication info.

my browser displays:

Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

the .htaccess:

cat /var/www/apache2-default/.htaccess
AuthType basic
AuthName "Radius Authentication"
AuthPAM_Enabled on
Require valid-user

some information:

freeradius -v
freeradius: FreeRADIUS Version 1.1.4, for host i386-pc-linux-gnu, built on Feb 16 2007 at 21:35:11
Copyright (C) 2000-2006 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

apache2 -v
Server version: Apache/2.0.54
Server built: Jul 28 2006 09:04:55

libpam-radius-auth 1.3.16-3 on a debian stable with all patches

any ideas what's going wrong?

thanks for any help
ca
mIke
Double entries in Radacct - FreeRadius + MT
Hello,

I have a MikroTik router that is passing accounting data to the freeradius database. I look in radacct and every entry has duplicates with the exact same information. Does anyone know if this is the MikroTik causing this or freeradius? How do I fix this?

Thanks,
Matt Neumark