No authenticate method

2008-05-15 Thread Jean Frontin

Hello,

I run FreeRadius 1.1.7 under Fedora Core 8. Here is a radiusd.conf
extract and, below it, a session log. In the log I put a star at the
beginning of the lines which I don't understand. I want FreeRadius to
look for the user password in the LDAP.


Thank you for your help

--- radiusd.conf extracts
modules {
   ...
   ldap ldap1 {
  ...
   }
   ldap ldap2 {
  ...
   }
   ...
}

authorize {
   ...
   Autz-Type ldap1 {
  ldap1
   }
   Autz-Type ldap2 {
  ldap2
   }
   ...
}

authenticate {
   ...
   Auth-Type ldap1 {
  ldap1
   }
   Auth-Type ldap2 {
  ldap2
   }
   ...
}
...

--- log extracts
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 256
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Counter
 counter: filename = /etc/raddb/db.daily
 counter: key = User-Name
 counter: reset = daily
 counter: count-attribute = Acct-Session-Time
 counter: counter-name = Daily-Session-Time
 counter: check-name = Max-Daily-Session
 counter: allowed-servicetype = Framed-User
 counter: cache-size = 5000
rlm_counter: Counter attribute Daily-Session-Time is number 3001
rlm_counter: Current Time: 1210772270 [2008-05-14 15:37:50], Next reset 
1210802400 [2008-05-15 00:00:00]

Module: Instantiated counter (daily)
Module: Loaded LDAP
 ldap: server = ldap1.XXX.fr
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = cn=ldapread,ou=special,dc=XXX,dc=fr
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = our_password
 ldap: basedn = dc=XXX,dc=fr
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = (null)
 ldap: password_attribute = userPassword
 ldap: access_attr = (null)
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter = 
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap1-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap1-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap1
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP carLicense mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
conns: 0xbae7a380
Module: Instantiated ldap (ldap1)
 ldap: server = ldap2.XXX.fr
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = cn=ldapread,ou=special,dc=XXX,dc=fr
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = our_password
 ldap: basedn = dc=XXX,dc=fr
 ldap: filter = 

Re: help need with mysql statement in freeradius

2008-05-15 Thread Ivan Kalik
But my script is not working. How
can I assign the variables username and callingStationid in my script during
the authentication process? The rlm_perl doc shows %RAD_REQUEST{'User-name'}
but it's not helping.


That's because you haven't mastered even more basic things such as how to
concatenate a string. You also have difficulty distinguishing between
the name of the variable and its value, i.e. you are trying to put
names of the variables into the sql queries instead of their values.

Tips:

- have a look at example.pl and you will see how to log request
attributes (if you suspect that there is something wrong with them)

- use $query to build a query string and then print/log it in order to
find out what queries you are trying to run

- you can't use quotes within quotes if they are of the same type;
actually you can, but the result won't be what you expect - the parser
doesn't know that these quotes are inside those quotes - the first one
it runs into will be the start of the quote, the next one will be the end

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: No authenticate method

2008-05-15 Thread Ivan Kalik

authorize {
...
Autz-Type ldap1 {
   ldap1
}
Autz-Type ldap2 {
   ldap2
}
...
}

..
rad_recv: Access-Request packet from host 11.12.13.14:1896, id=3, length=47
   User-Name = xx
   User-Password = yy
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/141.115.16.72/auth-detail-20080514'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/141.115.16.72/auth-detail-20080514
   modcall[authorize]: module auth_log returns ok for request 0
   modcall[authorize]: module mschap returns noop for request 0
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
   modcall[authorize]: module daily returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
* auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
* auth: Failed to validate the user.
* Login incorrect: [xx/yy] (from client z port 0)

And how are you calling those Autz-Types (without files)? You probably
want:

authorize {
..
ldap1
ldap2
..
}

Ivan Kalik
Kalik Informatika ISP
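
The fix Ivan describes, as an added example (this is not Jean's radiusd.conf and not a file shipped with FreeRADIUS): both ldap instances are listed directly in authorize, so they run for every request. The Autz-Type sub-sections in the original only run when something earlier in the request sets Autz-Type, and nothing in the posted authorize section does, which is why the ldap modules never ran, nothing set Auth-Type, and the server rejected with "No authenticate method (Auth-Type) configuration found". The instance names, server names, bind DN and filter are the ones from Jean's log; the comment on set_auth_type states the 1.1.x behaviour as assumed here (the module sets Auth-Type to its own instance name when it finds the user, the request carries a User-Password, and it did not already fetch a known-good password), and the module lines other than ldap1/ldap2 are assumptions.

```conf
modules {
    ldap ldap1 {
        server = "ldap1.XXX.fr"
        identity = "cn=ldapread,ou=special,dc=XXX,dc=fr"
        password = "our_password"
        basedn = "dc=XXX,dc=fr"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        password_attribute = userPassword
        # Assumed 1.1.x behaviour: with set_auth_type = yes this instance adds
        # "Auth-Type = ldap1" (its own instance name) from authorize, which is
        # what selects the "Auth-Type ldap1" block below.
        set_auth_type = yes
    }
    ldap ldap2 {
        server = "ldap2.XXX.fr"
        identity = "cn=ldapread,ou=special,dc=XXX,dc=fr"
        password = "our_password"
        basedn = "dc=XXX,dc=fr"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        password_attribute = userPassword
        set_auth_type = yes
    }
}

authorize {
    preprocess
    # Plain module calls: both instances run on every request. An
    # "Autz-Type ldap1 { ldap1 }" sub-section would only run if an earlier
    # module or the users file had set Autz-Type = ldap1.
    ldap1
    ldap2
    # pap stays last so it can use a known-good password fetched above
    pap
}

authenticate {
    # Selected by the Auth-Type that ldap1/ldap2 set in authorize. The module
    # then binds to the directory as the user's DN with the User-Password from
    # the request, so this path only works for PAP (cleartext password).
    Auth-Type ldap1 {
        ldap1
    }
    Auth-Type ldap2 {
        ldap2
    }
}
```

If the user exists only in ldap1, ldap2 returns notfound in authorize and is harmless; Auth-Type is set by whichever instance finds the user. Which of the two password paths is taken is decided by the directory ACL on userPassword: if cn=ldapread may read it, the instance (as the 1.1.x module is read here) copies it into the request as a known-good password and pap does the check without a second bind; if it may not, the bind-as-user path above is used, which keeps password material out of the RADIUS server but ties the deployment to PAP.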



EAP TLS Authentication failing!!!! Unknown CA

2008-05-15 Thread Avinash Patil
Hi All,

I am trying to authenticate one embedded WLAN device against a
freeRadius server 2.0.4.

I have radiusd.conf and client.conf files set up as per my configuration.
I have created certificates using the bootstrap script. Values in
ca.cnf, client.cnf and server.cnf have been modified accordingly.

I have copied ca.pem and client.pem to the device filesystem. The private key has been
extracted from client.pem.

Since last week I have been trying to authenticate to the freeradius server but I am
getting an error like Unknown CA.
Please see the attached radius logs.

When I verify the client certificate using openssl verify -CApath ca.pem
client.pem
I see the following error:

Error 20 at depth 0 lookup : unable to get local issuer certificate.

The device has already been tested with Windows 2003 server's TLS (of course with a
different set of certificates :) ) and it is working fine.
What could be the possible reason behind this and where am I going wrong?

Appreciate your help.

Thanks and Regards,

Avinash.
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 0x020300060d00
NAS-IP-Address = 192.168.1.202
NAS-Port = 1
NAS-Port-Id = STA port # 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = ttls, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
++[eap] returns handled
EAP-Message = 
0x010402cd0d800aafccf9020b49263d2310a488bfd9b0fceb00498420a91d0649a4d9b0304ca8bf905e575fef160301020d0c0002090080b2f72f8891aa3dc35f1f4a7b84720c2231420c19d1ef3ed9c370cf15998c23f6154717aa1fa1dbc41eeeb2e849c67ec8a33153af1a89b9176e5b77219c7ad7a60a3711c8ef905b7f4f6c58f8f906d7d3ca47f336f9dd02a881fe26df88ef5061598810cb84de6af73246509e36b9bbe5009ebe4fd34a6a32fda99269054d4deb00010200802d3b669985b1de62a5963f89ed45302508f9b470eb4bfc14e8402ebfe818bdde521d2f8fa6045622ff544e00fde1f2d8f15f5af148cc3b0c961f565caeb440
EAP-Message = 
0x6ece3b151f16aba0c5a5d00b65daa3fe6632eafe3eb1cd1397e84bc1fde8e7828764df86a10a4f3873f0e548b68deee887e908ee11b948ac1b03fc113f948f870d010015b933dc4a3ba5de954761525aff75ba8b48905029632c38ee64c07655a2a7f38f6ce47a141a8d08c64048d478a506fefbc8c6ed5dee82cec8ac3dc11ec2bf5da4eec7a38ac61ba22c457aff03a5cdbef5a65973f56ed168b2cc7adae11e3ec062aa16ed29816dab34dbc9a6ba66868261712a052a4e7d104c806c302f1ceaebe360d5163350f98f657985c3019315a2838428867d96dd05ffd25b03af9f743a0d89f20e9f0f5b1d24dc7b43bc15c75948d4d638ac8d3309b6e6
EAP-Message = 
0x0d69ef9682c3799b8f937862abc892f9c762390a0636243884e4a19f82cee525441b702668c8324f65d6873ea2e66da74e2f0315ea3140ea4a697ef579582a06c1878fd704a816030100880d800403040102007900773075310b3009060355040613024b52310f300d06035504081306526164697573310e300c0603550407130553656f756c310c300a060355040a13034c47453122302006092a864886f70d0109011613726f6f74407261646975732e6663702e636f6d311330110603550403130a4578616d706c652043410e00
Message-Authenticator = 0x
State = 0xc12f5c20c22b515967037c6c5beccf92
Finished request 125.
Going to the next request
Waking up in 4.0 seconds.
Message-Authenticator = 0x166c2b12ab14ab768f5610222b8ba289
Service-Type = Framed-User
User-Name = ttls\000
Framed-MTU = 1488
State = 0xc12f5c20c22b515967037c6c5beccf92
Called-Station-Id = 00-1E-C1-2D-D7-40:FCP_3COM
Calling-Station-Id = 00-05-C9-A1-C9-70
NAS-Identifier = 3Com Access Point 7760
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 
EAP-Message = 
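
The verify command Avinash ran is itself the likely source of the depth-0 error rather than any fault in the certificates: -CApath names a directory of hash-named CA certificates (as produced by c_rehash), while a single PEM file is passed with -CAfile, so `openssl verify -CApath ca.pem client.pem` finds no issuer for anything it is given. The script below is an added example, not the poster's commands or files: it builds a throwaway CA and client certificate in a temporary directory (constructed test material, unrelated to the certificates from the bootstrap script) and exposes the two verify forms, plus an issuer/subject comparison, as shell functions; the file names and CN values are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): exercise both "openssl verify" forms on a
# throwaway CA + client certificate so the -CApath/-CAfile mix-up is visible.
set -e
WORK=$(mktemp -d)

# Constructed test PKI: a self-signed CA and a client certificate it signs.
# These stand in for ca.pem / client.pem from the poster's bootstrap run.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Throwaway Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=test-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" 2>/dev/null

# Correct form: -CAfile takes the PEM file holding the trusted CA certificate(s).
# Usage: verify_with_cafile CA_PEM CERT_PEM ; exit 0 when CERT_PEM chains to CA_PEM.
verify_with_cafile() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Form from the post: -CApath expects a directory of hash-named CA certs
# (c_rehash output). Given a PEM file it finds no issuer, which is exactly
# "error 20 at depth 0 lookup: unable to get local issuer certificate".
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Distinguished names for a quick "who signed this?" comparison; the
# "subject="/"issuer=" prefix is stripped so the two strings are comparable.
subject_of() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject=[ ]*//'
}
issuer_of() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=[ ]*//'
}

# Usage: signed_by CA_PEM CERT_PEM. A certificate whose issuer DN is not the
# trusted CA's subject DN never verifies, whatever verify options are used:
# that is the genuine "unknown CA" case, as opposed to the option mix-up above.
signed_by() {
    [ "$(issuer_of "$2")" = "$(subject_of "$1")" ]
}
```

The same -CAfile check should pass for server.pem against the ca.pem the device holds: a TLS "unknown CA" alert is raised by whichever side cannot build a chain from the certificate it received to a CA it trusts, so the certificate presented by the server and the CA copied to the device are the pair to compare when the client-side check above already passes.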

Re: help need with mysql statement in freeradius

2008-05-15 Thread Ivan Kalik
PS. You should run your script in authorize.

Ivan Kalik
Kalik Informatika ISP


On 15/5/2008, Bishal [EMAIL PROTECTED] wrote:


Hello Ivan,

  I came up with this script but it looks like it's not working. In
radiusd.conf

perl{
  modules = /usr/local/etc/raddb/mac_check.pl
 }

Instantiate {
  exec
  expr
 dailycounter
 noresetcounter
 perl
}

radius debug shows the perl module loaded. But my script is not working. How
can I assign the variables username and callingStationid in my script during
the authentication process? The rlm_perl doc shows %RAD_REQUEST{'User-name'}
but it's not helping.






#!/usr/bin/perl
# Check whether MAC authentication is enabled for the user; if it is, record
# the calling station's MAC as a Calling-Station-Id check item.
#
# Loaded by rlm_perl, which calls authorize() for each request and exposes the
# request attributes in the package hash %RAD_REQUEST. A single attribute is
# read with the scalar form $RAD_REQUEST{'User-Name'}, not %RAD_REQUEST{...}.

use strict;
use warnings;
use DBI;

# Filled in by rlm_perl before each call
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes rlm_perl expects (same values as in rlm_perl's example.pl)
use constant {
    RLM_MODULE_REJECT => 0,
    RLM_MODULE_FAIL   => 1,
    RLM_MODULE_OK     => 2,
    RLM_MODULE_NOOP   => 7,
};

my $database = "radius";
my $user     = "freeradius";
my $password = "blaba2r";
my $host     = "localhost";
my $dsn      = "DBI:mysql:database=$database;host=$host";

sub authorize {
    my $username = $RAD_REQUEST{'User-Name'};
    my $callerid = $RAD_REQUEST{'Calling-Station-Id'};
    return RLM_MODULE_NOOP unless defined $username && defined $callerid;

    my $dbh = DBI->connect($dsn, $user, $password, { PrintError => 0 });
    unless ($dbh) {
        &radiusd::radlog(4, "mac_check: cannot connect: $DBI::errstr");
        return RLM_MODULE_FAIL;
    }

    # Bind the attribute values with placeholders instead of interpolating
    # them into the SQL text: no quotes-inside-quotes problem, and a crafted
    # User-Name cannot change the query.
    my $sql = $dbh->prepare(
        "SELECT Usemac FROM radcheck WHERE UserName=? AND Attribute='Expiration'");
    unless ($sql->execute($username)) {
        &radiusd::radlog(4, "mac_check: cannot execute SQL statement: $DBI::errstr");
        $dbh->disconnect;
        return RLM_MODULE_FAIL;
    }
    my ($mac) = $sql->fetchrow_array();
    $sql->finish;

    # Check if MAC authentication is enabled; if enabled then insert the mac
    my $rc = RLM_MODULE_NOOP;
    if (defined $mac && $mac == 1) {
        my $sql3 = $dbh->prepare(
            "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)");
        if ($sql3->execute($username, 'Calling-Station-Id', '+=', $callerid)) {
            $rc = RLM_MODULE_OK;
        } else {
            &radiusd::radlog(4, "mac_check: cannot execute SQL statement: $DBI::errstr");
            $rc = RLM_MODULE_FAIL;
        }
        $sql3->finish;
    }

    $dbh->disconnect
        or warn "Disconnection failed: $DBI::errstr\n";
    return $rc;
}


On 5/14/2008, Bishal [EMAIL PROTECTED] wrote:


Any sample scripts IVAN?



On 5/14/2008, Ivan Kalik [EMAIL PROTECTED] wrote:


 I am using sql for AAA.

I have news for you - you are not. You are using it to store attributes.

Can you give me some examples of how I can do that
with rlm_perl modules?


Do Google: mysql perl tutorial. If it's not MySQL, replace that with the
name of your sql server.

Ivan Kalik
Kalik Informatika ISP



Listen port problem

2008-05-15 Thread Hoggins!

Hello,

I have a strange problem since I updated my freeradius from 1.x to 2.x, 
from a simple rpm update. It binds to random ports!


Here is the dump of radiusd -X :


FreeRADIUS Version 2.0.2, for host i386-redhat-linux-gnu, built on Mar 
18 2008 at 13:16:44

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb//radiusd.conf
including configuration file /etc/raddb//clients.conf
including configuration file /etc/raddb//snmp.conf
including configuration file /etc/raddb//eap.conf
including configuration file /etc/raddb//sql.conf
including configuration file /etc/raddb//sql/mysql/dialup.conf
including configuration file /etc/raddb//sql/mysql/counter.conf
including configuration file /etc/raddb//policy.conf
including files in directory /etc/raddb//sites-enabled/
including configuration file /etc/raddb//sites-enabled/default
including dictionary file /etc/raddb//dictionary
main {
   prefix = /usr
   localstatedir = /var
   logdir = /var/log/radius
   libdir = /usr/lib/freeradius
   radacctdir = /var/log/radius/radacct
   hostname_lookups = no
   max_request_time = 30
   cleanup_delay = 5
   max_requests = 1024
   allow_core_dumps = no
   pidfile = /var/run/radiusd/radiusd.pid
   user = radiusd
   group = radiusd
   checkrad = /usr/sbin/checkrad
   debug_level = 0
   proxy_requests = no
security {
   max_attributes = 200
   reject_delay = 1
   status_server = yes
}
}
client localhost {
   ipaddr = 127.0.0.1
   require_message_authenticator = no
   secret = radiusbouffard
   nastype = other
}
client 192.168.0.0/16 {
   require_message_authenticator = no
   secret = radiusbouffard
   shortname = wifigates
}
radiusd:  Loading Realms and Home Servers 
radiusd:  Instantiating modules 
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
 exec {
   wait = yes
   input_pairs = request
   shell_escape = yes
 }
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
 expiration {
   reply-message = Password Has Expired  
 }
Module: Linked to module rlm_logintime
Module: Instantiating logintime
 logintime {
   reply-message = You are calling outside your allowed timespan  
   minimum-timeout = 60
 }
}
radiusd:  Loading Virtual Servers 
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
 pap {
   encryption_scheme = auto
   auto_header = no
 }
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
 mschap {
   use_mppe = yes
   require_encryption = no
   require_strong = no
   with_ntdomain_hack = no
 }
Module: Linked to module rlm_unix
Module: Instantiating unix
 unix {
   radwtmp = /var/log/radius/radwtmp
 }
Module: Linked to module rlm_eap
Module: Instantiating eap
 eap {
   default_eap_type = md5
   timer_expire = 60
   ignore_unknown_eap_types = no
   cisco_accounting_username_bug = no
 }
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
  gtc {
   challenge = Password: 
   auth_type = PAP
  }
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
  tls {
   rsa_key_exchange = no
   dh_key_exchange = yes
   rsa_key_length = 512
   dh_key_length = 512
   verify_depth = 0
   pem_file_type = yes
   private_key_file = /etc/raddb//certs/server.pem
   certificate_file = /etc/raddb//certs/server.pem
   CA_file = /etc/raddb//certs/ca.pem
   private_key_password = whatever
   dh_file = /etc/raddb//certs/dh
   random_file = /etc/raddb//certs/random
   fragment_size = 1024
   include_length = yes
   check_crl = no
   cipher_list = DEFAULT
   make_cert_command = /etc/raddb//certs/bootstrap
  }
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
  ttls {
   default_eap_type = md5
   copy_request_to_tunnel = no
   use_tunneled_reply = no
  }
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
  peap {
   default_eap_type = mschapv2
   copy_request_to_tunnel = no
   use_tunneled_reply = no
   proxy_tunneled_request_as_eap = yes
  }
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
  mschapv2 {
   

EAP TLS Authentication with eToken

2008-05-15 Thread Riccardo Veraldi

Hello,
Has anyone used the eToken Aladdin 64k with EAP-TLS authentication
using wpa_supplicant?

thank you

Rick



Re: Listen port problem

2008-05-15 Thread Alan DeKok
Hoggins! wrote:
 I have a strange problem since I updated my freeradius from 1.x to 2.x,
 from a simple rpm update. It binds to random ports!

  Weird.  Either re-build yourself from source, or just specify the
ports in radiusd.conf.

  Alan DeKok.


How to activate the accounting sub section in perl script

2008-05-15 Thread johnson elangbam
hi,
 I am doing my AAA in a perl script for radius 2.0.3; can anybody please
tell me how to activate my accounting subsection in my perl program? I didn't
find any execution of my queries in the accounting sub section in my perl
script.

With Regards,
Johnson Elangbam

Re: Listen port problem

2008-05-15 Thread Hoggins!

Thanks, I'm already rebuilding from source, see what I can get.
Specifying the ports in the radiusd.conf doesn't solve the problem. Very 
weird.


Alan DeKok wrote:

Hoggins! wrote:

I have a strange problem since I updated my freeradius from 1.x to 2.x,
from a simple rpm update. It binds to random ports!

  Weird.  Either re-build yourself from source, or just specify the
ports in radiusd.conf.

  Alan DeKok.

Re: How to activate the accounting sub section in perl script

2008-05-15 Thread Ivan Kalik
List perl in accounting {}. That section is now in sites-enabled/default
or whatever virtual server you are using for accounting.

Ivan Kalik
Kalik Informatika ISP


On 15/5/2008, johnson elangbam [EMAIL PROTECTED] wrote:

hi,
 I am doing my AAA in a perl script for radius 2.0.3; can anybody please
tell me how to activate my accounting subsection in my perl program? I didn't
find any execution of my queries in the accounting sub section in my perl
script.

With Regards,
Johnson Elangbam





RE: EAP-TTLS + PAP with external script

2008-05-15 Thread Dario Maccari


  authorize {
  preprocess
  suffix
  eap
  pap
  papauth
  }
 
 pap really should go at the end - i believe the default
 config mentions this...with maybe exclaimation marks or
 capital letters?
 
 alan

How is this supposed to help me in any way to configure FR to do PAP 
authentication?
According to the documentation, PAP should be listed last in the authorize section 
because it needs to check passwords added by previous modules and normalize them.
In my case none of the previous modules (preprocess, suffix, eap) gives any known good 
password (and this is intended, since I don't want the RADIUS server to know 
the real user password), so pap just gives back NOOP.
I can even comment out pap in the authorize section since it just responds noop in any 
case.

Here is the log from radiusd -X in any case

** radiusd -X with pap and not papauth **
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
  modcall[authorize]: module pap returns noop for request 9
modcall: leaving group authorize (returns ok) for request 9
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
**

Since eap is over (final step of ttls) and no module is adding a known good 
password for the user, pap responds noop and there is no Auth-Type configured.

** radiusd -X with pap after papauth **
Exec-Program output: Auth-Type = PAP
Exec-Program-Wait: value-pairs: Auth-Type = PAP
Exec-Program: returned: 0
  modcall[authorize]: module papauth returns ok for request 4
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
  modcall[authorize]: module pap returns noop for request 4
rad_check_password:  Found Auth-Type PAP
auth: type PAP


The script sets the Auth-Type and pap just answers noop.



** radiusd -X with pap before papauth **
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
  modcall[authorize]: module pap returns noop for request 9
Exec-Program output: Auth-Type = PAP
Exec-Program-Wait: value-pairs: Auth-Type = PAP
Exec-Program: returned: 0
  modcall[authorize]: module papauth returns ok for request 9
modcall: leaving group authorize (returns ok) for request 9
  rad_check_password:  Found Auth-Type PAP
auth: type PAP
**

Pap still answers with noop and does not set the Auth-Type, but the script does the 
job of setting the Auth-Type and letting the second script check the credentials.

** radiusd -X without pap in authorize **
Exec-Program output: Auth-Type = PAP
Exec-Program-Wait: value-pairs: Auth-Type = PAP
Exec-Program: returned: 0
  modcall[authorize]: module papauth returns ok for request 9
modcall: leaving group authorize (returns ok) for request 9
  rad_check_password:  Found Auth-Type PAP
auth: type PAP


My question is which is the best way to correctly accomplish pap authentication 
WITHOUT using authorization checks.

My solution was to force Auth-Type to PAP in case we have username and 
password in radius attributes.
Another way is, I think, using a users file with DEFAULT Auth-Type = PAP but 
I read in many places NOT TO DO THAT.
Another way could be to check whether the Auth-Type is present, set it to PAP if 
it is not set, and list that script last in the authorize section.

Which is the best solution?

Btw, in the config I see:
*** radiusd.conf ***
# As of 1.1.4, you should list pap last in this section.
# See man rlm_pap for more information.
***
So no exclamations and capitals, just a should.
And I did read the man page to understand a little more about what I was going 
to do.

Thanks in advance

Bye

Maccari Dario


Re: EAP-TTLS + PAP with external script

2008-05-15 Thread Alan DeKok
Dario Maccari wrote:
 How is this supposed to help me in any way to configure FR to do PAP
 authentication?

  If you have configured the *server* to do PAP authentication, then the
default configuration files should be used.  Your module (exec/whatever)
should supply a known good password.  The server then uses that to
authenticate the user.

  If *your module* is doing PAP authentication, then you need to list
*your module* in the authenticate section.  You need to force
Auth-Type to be *your module*.  And all other authentication types will
fail.

 Accordingly to documentation, PAP should be listed last in authorize
 section becouse need to check passwords added by previous modules and
 normalize them.

  Yes.

 In my case none previus modules (preprocess, suffix, eap) gives any
 known good password (and this is intended since i don't want the RADIUS
 server to know the real user password) su pap just give back NOOP.

  Then your module needs to do the authentication.  And why do you care
if the server knows the password?  Is it for security?

  Are you aware that for TTLS + PAP, if your external script returns
authenticated, the server *knows* that the PAP password is correct?
So why not simplify your life, and give the server the real user password?

 Here are the log from radiusd -X in any case
 
  radiusd -X  with pap and not papauth **
 rlm_pap: WARNING! No known good password found for the user. 
 Authentication may fail because of this.
   modcall[authorize]: module pap returns noop for request 9
 modcall: leaving group authorize (returns ok) for request 9
 auth: No authenticate method (Auth-Type) configuration found for the
 request: Rejecting the user

  i.e. you haven't told the server what the known good password is,
and you haven't told the server how to authenticate the user.

 The script set the Auth-Type and pap just answer noop.

  Huh?  You're setting Auth-Type to PAP in your script?  Do you expect
the PAP module to m

  I've deleted the other attempts at "let's make random changes to see
if it works".

  Stop making changes until you understand how the server works.  Start
with the default configuration, and then do this in the inner-tunnel
virtual server.  (i.e. also use 2.0.4)

authorize {
   ...

   update control {
      Cleartext-Password := `/path/to/script %{User-Name}`
   }
   pap
}

  The script should use the username to look up the known good
password, and then print it to STDOUT.  e.g. echo hello would be a
good start.

  EAP-TTLS + PAP will then WORK.  And YES, you will be giving the server
the real user password.  This is NOT a problem.  If you think it's a
problem, then you need to change your opinion.  It's NOT a problem.

  Alan Dekok.


Re: How to activate the accounting sub section in perl script

2008-05-15 Thread A . L . M . Buxey
Hi,
 hi,
  I am doing my AAA in perl script for radius 2.0.3, can anybody please
 tell how do I activate my accounting subsection in my perl program, I didn't
 find any execution of my queries in the accounting sub section in my perl
 script.

add perl to the accounting section in whatever virtual server you are running,
enable the accounting part in the perl config (in experimental.conf) and
ensure you have an accounting subroutine in your perl module

alan


Error binding to port for 0.0.0.0 port 1812

2008-05-15 Thread Kwok Sianbin
Hi Alan,
 
 I've installed FreeRadius-2.0.4 and I got some error saying
 ERROR: Failed to open socket:
 /usr/local/etc/raddb/radiusd.conf[210]: Error binding to port for 0.0.0.0 port 
1812
 
 but when I check in radiusd.conf
 ipaddr= *
 # interface = eth0 
 
 How can I fix this error?
 I have 2 ethernet cards, eth1 = 192.168.1.10 (DNS  iptables), eth0 = 
192.168.0.10 (Wifi)
 
 Here are a few things that I edited:
 
 (uncomment)
 clients.conf 
 client 192.168.0.0/24
 secret  = testing123-1
 shortname = private-network-1
 
 users
 add 
 MarsindNetClearText-Password:= testing123
 Reply-Message  := Hello, %{User-Name}
 
 eap.conf
 
 eap {
default_eap_type = tls
 }
  tls {
 .
 fragment_size= 1024
 include_length = yes
 }
 
 Next step I want to test a Windows XP client but I couldn't find 
 root.der and cert-clt.p12 as the previous version had.
 
 
 
 
 


 

RE: EAP-TTLS + PAP with external script

2008-05-15 Thread Dario Maccari

 If you are configured the *server* to do PAP authentication, then the
 default configuration files should be used. Your module (exec/whatever)
 should supply a known good password. The server then uses that to
 authenticate the user.

I configured the CLIENT to do EAP-TTLS with inner PAP.
The server needs to fit inside a more complex structure in which no known 
good password is available.
User data are stored outside the radius server and can't be accessed in any 
other way than the ones that are given to me.
Actually I can't ask for the password of a user so as to provide this password to 
the pap module.
All I can do is check whether the pair username/password is correct, and there is 
nothing I can do about that.
That's why I can't provide a known good password to the pap module and that's why 
the pap module for authorization cannot be used.

 If *your module* is doing PAP authentication, then you need to list
 *your module* in the authenticate section. You need to force
 Auth-Type to be *your module*. And all other authentication types will
 fail.

That's very interesting and is something I haven't found in the documentation (my 
fault).
You mean that using a users file with

DEFAULT Auth-Type = DONALDUCK

and in radiusd.conf having something like (cutting out default stuff):

**
modules {
   exec myauth {
      wait = yes
      program = /path/to/my/script
      input_pairs = request
      output_pairs = reply
   }
}

authorize {
   eap
   file
}

authenticate {
   Auth-Type DONALDUCK {
      myauth
   }
}
*

Will that work?


 i.e. you haven't told the server what the known good password is,
 and you haven't told the server how to authenticate the user.

Right, I can't provide the known good password, as stated before.

 Huh? You're setting Auth-Type to PAP in your script?

That was my solution to force the pap authentication module to do the 
authentication.

 I've deleted the other attempts at "let's make random changes to see
 if it works".

It wasn't a "let's make random changes to see if it works"; it has worked since the 
beginning.
I have even provided other possible solutions too.
The tests were just there to point out that the response that pap really 
should go at the end, with other annoying comments about exclamation marks and 
capital letters, was plainly inappropriate.

 Stop making changes until you understand how the server works. Start
 with the default configuration, and then do this in the inner-tunnel
 virtual server. (i.e. also use 2.0.4)

Unfortunatly even this is not an aoption. I can't switch to 2.0.4 and am forced 
to use 1.1.7 untill my company in cludev 2.0 in accepted software.
It's not my fault and can't do much about it.

 The script should use the username to look up the known good
 password, and then print it to STDOUT. e.g. echo hello would be a
 good start.

 EAP-TTLS + PAP will then WORK. And YES, you will be giving the server
 the real user password. This is NOT a problem. If you think it's a
 problem, then you need to change your opinion. It's NOT a problem.

It IS a problem for me since the external server owner will NOT give me any 
access other then the ability to check if the pair username/password is valid.
And all it is now working, just asking what is the best solution between using 
a script to force Auth-Type, use a users file.
Don't care if other authentication methods will not work.

Bye and thanks again

Maccari Dario

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
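The exec-module setup sketched in the message above relies on a contract with rlm_exec: with `wait = yes` and `input_pairs = request` the request attributes reach the program as environment variables (User-Name as USER_NAME, User-Password as USER_PASSWORD), the exit status decides the outcome (0 accepts, anything else rejects), and lines of `Attribute = value` on stdout become reply attributes when `output_pairs = reply`. The following is an added example of such a program in C; it is not code from the thread or from FreeRADIUS. The small username/password table is a constructed stand-in for the external "is this pair valid?" service the poster has to call, and the environment-variable names follow rlm_exec's documented convention but should be checked against the comments in your own version's radiusd.conf.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compare two strings without revealing, through timing, where they first
 * differ. A length mismatch is folded into the result instead of returning
 * early, so a wrong-length guess costs the same as a wrong-content guess. */
int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char) a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char) b[i] : 0;
        diff |= (unsigned char) (ca ^ cb);
    }
    return diff == 0;
}

/* Constructed stand-in for the external credential check described in the
 * thread. A real deployment replaces the table with the call the remote
 * service owner provides; only "valid / not valid" comes back, never a
 * known good password. */
static int verify_remote(const char *user, const char *pass)
{
    static const struct { const char *user, *pass; } constructed[] = {
        { "alice", "correct-horse" },
        { "bob",   "battery-staple" },
    };
    int ok = 0;
    for (size_t i = 0; i < sizeof(constructed) / sizeof(constructed[0]); i++) {
        /* visit every row so a hit and a miss take a similar amount of time */
        if (strcmp(constructed[i].user, user) == 0) {
            ok |= ct_equal(pass, constructed[i].pass);
        }
    }
    return ok;
}

/* Result for rlm_exec: 0 = accept, 1 = reject. When 'out' is non-NULL the
 * reply attributes are written there as "Attribute = value" lines, which
 * rlm_exec copies into the Access-Accept with output_pairs = reply. */
int exec_authenticate(const char *user, const char *pass, FILE *out)
{
    if (user == NULL || pass == NULL || *user == '\0') return 1;
    if (!verify_remote(user, pass)) return 1;
    if (out != NULL) {
        fprintf(out, "Reply-Message = \"external check ok\"\n");
    }
    return 0;
}

int main(void)
{
    /* With wait = yes, rlm_exec exports the request pairs into the
     * environment: User-Name -> USER_NAME, User-Password -> USER_PASSWORD. */
    const char *user = getenv("USER_NAME");
    const char *pass = getenv("USER_PASSWORD");
    int rc = exec_authenticate(user, pass, stdout);
    if (rc != 0) fprintf(stderr, "reject for user %s\n", user ? user : "(none)");
    return rc;
}
```

Because the inner PAP password travels through the child's environment, keep radiusd running as an unprivileged account (the head of this page shows `user = radiusd`) so other local users cannot read the process environment, and never echo User-Password back in the reply pairs; the program above only ever returns the verdict.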

FreeRADIUS 2 not listening on right port

2008-05-15 Thread Casartello, Thomas
I just upgraded my FreeRADIUS server from the version 1 to version 2
family. I have the listen {} statements configured as follows:

radiusd:  Opening IP addresses and Ports 
listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    type = acct
    ipaddr = *
    port = 1813
}
main {
    snmp = no
    smux_password = 
    snmp_write_access = no
}
Listening on authentication address * port 41045
Listening on accounting address * port 54893
Listening on proxy address * port 38374
Ready to process requests.

However as you can see it always listens on random ports. What am I
doing wrong? I am using version 2.0.2 which was distributed with Fedora
9.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Casartello, Thomas
Compiling from source did NOT solve the problem.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Danner, Mearl
You're not running NAT/PAT through iptables are you?

It'll translate 1812/1813 inside to some high port/some high port outside.

Not sure how the server will pick that up. Maybe the port after translation.

If so you'll need to not port translate the radius ports. I can do it in a Pix, 
but haven't used iptables for translation in a long while.

Mearl

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Casartello, Thomas
No I am not doing any kind of NAT. I actually have IPTables disabled right now.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Danner, Mearl
Have you tried binding to a specific IP address rather than *?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Casartello, Thomas
Yes. Same result. I went back to 1.1.7 on the same box and it's working fine now.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Alan DeKok
Casartello, Thomas wrote:
> Compiling from source did NOT solve the problem.

  It looks like Fedora is broken.

  The server code does this:

  if (port == 0) {
      call system function to look up radius port in /etc/services
      if (found) {
          port = port found in /etc/services
      } else {
          port = 1812
      }
  }

  The only way I can see it choosing random ports is if the lookup in
/etc/services returns found, with a random port.

  I suggest hard-coding the port numbers (1812/1813) into the listen
sections.  Maybe also see if 'radius' and 'radacct' are defined in
/etc/services.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
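Alan's pseudocode above gives the fallback order: an explicit port from the listen section, then the service name in /etc/services, then the protocol default. The following is an added example, not FreeRADIUS code, that implements that order with the byte-order conversion made explicit (getservbyname() hands back s_port in network order, so it is converted to host order exactly once) and adds the check a deployment would want after bind(): ask the kernel with getsockname() which port it actually bound and refuse to start on a mismatch, which turns the "listening on a random port" symptom reported in this thread into a hard startup failure instead of a surprise in the logs. Errors are logged before close() so strerror(errno) still belongs to the call that failed. The function names are my own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Port selection in the order described in the thread: an explicit port from
 * the listen section wins; otherwise consult /etc/services for the named UDP
 * service; otherwise use the protocol default (1812 auth, 1813 acct).
 * getservbyname() returns s_port in network byte order, so it is converted
 * back to host order exactly once here and never again. */
int resolve_port(int configured, const char *service, int fallback)
{
    if (configured > 0 && configured <= 65535) return configured;

    struct servent *se = getservbyname(service, "udp");
    if (se != NULL) {
        int port = ntohs((uint16_t) se->s_port);
        if (port > 0) return port;
    }
    return fallback;
}

/* Open a UDP socket bound to ip:port (IPv4). On success returns the fd and
 * stores the port the kernel actually bound in *bound_port; on failure
 * returns -1. Every error is logged before close() so that errno has not
 * been overwritten by the cleanup. */
int open_udp_listener(const char *ip, int port, int *bound_port)
{
    struct sockaddr_in sa, actual;
    socklen_t alen = sizeof(actual);
    int fd;

    /* reject out-of-range values instead of letting htons() wrap them */
    if (port < 0 || port > 65535) {
        fprintf(stderr, "port %d out of range\n", port);
        return -1;
    }

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        fprintf(stderr, "cannot open socket: %s\n", strerror(errno));
        return -1;
    }

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t) port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) {
        fprintf(stderr, "invalid IPv4 address %s\n", ip);
        close(fd);
        return -1;
    }

    if (bind(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
        fprintf(stderr, "cannot bind %s:%d: %s\n", ip, port, strerror(errno));
        close(fd);
        return -1;
    }

    /* Self-check: which port did the kernel really bind? */
    if (getsockname(fd, (struct sockaddr *) &actual, &alen) < 0) {
        fprintf(stderr, "getsockname: %s\n", strerror(errno));
        close(fd);
        return -1;
    }
    *bound_port = ntohs(actual.sin_port);

    /* port 0 legitimately asks for an ephemeral port; anything else must match */
    if (port != 0 && *bound_port != port) {
        fprintf(stderr, "asked for port %d but kernel bound %d; refusing to start\n",
                port, *bound_port);
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int bound = 0;
    /* what a listen section with port = 0 would resolve to on this host */
    int port = resolve_port(0, "radius", 1812);
    printf("resolved auth port: %d\n", port);

    /* The demonstration binds an ephemeral loopback port so it needs no privileges. */
    int fd = open_udp_listener("127.0.0.1", 0, &bound);
    if (fd < 0) return 1;
    printf("bound 127.0.0.1:%d\n", bound);
    close(fd);
    return 0;
}
```

On a host that shows the symptom from this thread, the getsockname() comparison is also the quickest way to tell whether the wrong port comes from the lookup (resolve_port() returns something other than 1812) or from the bind itself (the requested and bound ports differ).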


RE: EAP-TTLS + PAP with external script

2008-05-15 Thread Ivan Kalik
> I configured the CLIENT to do EAP-TTLS with inner PAP.
> The server needs to fit inside a more complex structure in which no known
> good password is available.
> User data are stored outside the radius server and can't be accessed in any
> other way than the ones that are given to me.

So why do you bother with radius and EAP for authentication when you are
not going to use them? Use captive portal and run that php script from
the login page. If you need accounting use radius for that.

Ivan Kalik
Kalim Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TTLS + PAP with external script

2008-05-15 Thread Alan DeKok
Dario Maccari wrote:
> I configured the CLIENT to do EAP-TTLS with inner PAP.

  Yes, you said that.

> The server needs to fit inside a more complex structure in which no
> known good password is available.

  <sigh>  That is NOT what you said before.

..
> Will work?

  It should.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Casartello, Thomas
I tried hardcoding them in the listen section. Same result.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Alan DeKok
Casartello, Thomas wrote:
> I tried hardcoding them in the listen section. Same result.

  Weird.

  My guess, then, is that it seems to be a problem with the specific GCC
version on Fedora.

  Please try the attached patch.  If it doesn't work, then the only way
to fix it is for me to get an SSH login to a fedora machine.

  Oh, and 2.0.4 works on Ubuntu, Debian, *BSD, Solaris...

  Alan DeKok.
Index: src/lib/packet.c
===
RCS file: /source/radiusd/src/lib/packet.c,v
retrieving revision 1.20
diff -u -r1.20 packet.c
--- src/lib/packet.c	1 Jan 2008 17:29:12 -	1.20
+++ src/lib/packet.c	15 May 2008 19:34:22 -
@@ -175,6 +175,7 @@
 int fr_socket(fr_ipaddr_t *ipaddr, int port)
 {
 	int sockfd;
+	uint16_t sport;
 	struct sockaddr_storage salocal;
 	socklen_t	salen;
 
@@ -185,6 +186,7 @@
 
 	sockfd = socket(ipaddr-af, SOCK_DGRAM, 0);
 	if (sockfd  0) {
+		librad_log(cannot open socket: %s, strerror(errno));
 		return sockfd;
 	}
 
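Review bot: the message logged when socket() fails names neither the address family nor the port being opened, so on a server with several listen sections the operator cannot tell which one failed; include ipaddr->af and port in the format string. Logging here, before any other call, is the right place for strerror(errno).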
@@ -194,10 +196,13 @@
 	 */
 	if (udpfromto_init(sockfd) != 0) {
 		close(sockfd);
+		librad_log(cannot initialize udpfromto: %s, strerror(errno));
 		return -1;
 	}
 #endif
 
+	sport = port;
+	sport = htons(sport);
 	memset(salocal, 0, sizeof(salocal));
 	if (ipaddr-af == AF_INET) {
 		struct sockaddr_in *sa;
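Review bot: in the udpfromto_init() failure path the new librad_log() runs after close(sockfd), so the strerror(errno) it prints may describe close() rather than udpfromto_init(); log first, then close. The same hunk introduces `sport = port;`, which narrows the `int port` parameter to uint16_t with no range check, so a value above 65535 wraps silently instead of failing; reject out-of-range ports before the assignment (`if (port < 0 || port > 65535) return -1;`).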
@@ -205,7 +210,7 @@
 		sa = (struct sockaddr_in *) salocal;
 		sa-sin_family = AF_INET;
 		sa-sin_addr = ipaddr-ipaddr.ip4addr;
-		sa-sin_port = htons((uint16_t) port);
+		sa-sin_port = sport;
 		salen = sizeof(*sa);
 
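Review bot: `sa->sin_port = sport;` is behaviourally identical to the removed `htons((uint16_t) port)`; if splitting the conversion into a named uint16_t is a deliberate workaround for the compiler misbehaviour suspected in this thread, say so in a comment next to the assignment, otherwise a later cleanup is likely to fold it back into the one-liner and silently reintroduce whatever this is meant to avoid. The same applies to the IPv6 branch below.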
 #ifdef HAVE_STRUCT_SOCKADDR_IN6
@@ -215,7 +220,7 @@
 		sa = (struct sockaddr_in6 *) salocal;
 		sa-sin6_family = AF_INET6;
 		sa-sin6_addr = ipaddr-ipaddr.ip6addr;
-		sa-sin6_port = htons((uint16_t) port);
+		sa-sin6_port = sport;
 		salen = sizeof(*sa);
 
 #if 1
@@ -242,6 +247,7 @@
 
 	if (bind(sockfd, (struct sockaddr *) salocal, salen)  0) {
 		close(sockfd);
+		librad_log(cannot bind socket: %s, strerror(errno));
 		return -1;
 	}
 
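Review bot: as in the udpfromto_init() path, the bind() error is logged after close(sockfd), so errno may already have been overwritten by close(); move the librad_log() line above close(). Including the address and port being bound in the message would also make the "listening on the wrong port" symptom reported in this thread diagnosable from the log alone.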
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread A . L . M . Buxey
Hi,
> I tried hardcoding them in the listen section. Same result.

TBH, I've compiled release and CVS versions of freeradius 1.1.x
and 2.0.x on centos, fedora core, RHEL3, ubuntu 7 and 8
and have never seen this issue before. 

you running SELinux or some sort of security tool?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread A . L . M . Buxey
Hi,
> Casartello, Thomas wrote:
>> I tried hardcoding them in the listen section. Same result.

64bit machine?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Hoggins!

Hi,

Exact same problem here... Really thinking about reverting to v1.x

Casartello, Thomas wrote:

> I tried hardcoding them in the listen section. Same result.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Hoggins!
I'm running FC9, by the way... maybe that explains this sudden amount of
same problems, since the FC9 release was on Tuesday.


Casartello, Thomas wrote:

> I tried hardcoding them in the listen section. Same result.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Casartello, Thomas
As am I.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Casartello, Thomas
No luck on that patch. I'll try to get you a login sometime over the
next couple days.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Alan DeKok
Hoggins! wrote:
> I'm running FC9, by the way... maybe that explains this sudden amount of
> same problems, since the FC9 release was on Tuesday.

  Maybe someone running FC9 could try debugging the problem.

  I haven't run a redhat-based system for *years*.

  Since this works on every other system on the planet, it sounds *very*
much like an issue in FC9.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread A . L . M . Buxey
Hi,
> I'm running FC9, by the way... maybe that explains this sudden amount of
> same problems, since the FC9 release was on Tuesday.

yep. haven't tested FC9 - wonder what they've changed to make such
a change in port behaviour..

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread A . L . M . Buxey
Hi,

>   Maybe someone running FC9 could try debugging the problem.

as, no doubt, one of my systems will be FC9 in a short
while I could look at this - what exactly should I be
looking for? I'll dig around for the new features
and changes they've made.


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Casartello, Thomas
Install the freeradius rpm or install from source. It basically binds to
a random port no matter what you do in the config files. Freeradius
1.1.7 works fine in Fedora 9. I'm going to try using 2.0.4 on Fedora 8
box.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Casartello, Thomas
Fedora 9 did do a pretty big gcc version jump. Fedora 8 used 4.1.2,
while 9 uses 4.3.0. BTW I tested it in Fedora 8 and it worked fine, so
it's definitely a 9 issue.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)


-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
.org] On Behalf Of Alan DeKok
Sent: Thursday, May 15, 2008 4:22 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

Hoggins! wrote:
 I'm running FC9, by the way... maybe that explains this sudden amount
of
 same problems, since the FC9 release was on tuesday.

  Maybe someone running FC9 could try debugging the problem.

  I haven't run a redhat-based system for *years*.

  Since this works on every other system on the planet, it sounds *very*
much like an issue in FC9.

  Alan DeKok.


Cisco Mac-Auth-Bypass with Freeradius 2.0.4

2008-05-15 Thread MONTFORD, AUSTIN
Hey,
I just got this working on a test server finally using the users file
and have a quick question.  I was wondering is there a way where I don't
have to type the last 3 lines of this every time in my users file?  I was
thinking of using some kind of setup with a separate file for each vlan
containing only the first statement (with the mac address as the
user/pass).  Then $include each vlanfile in the users file with
freeradius appending the correct tunnel statements depending on what
vlanfile the mac address was in.  Anyways I haven't quite wrapped my
head around the syntax to do this, nor am I sure this is the best way.  If
someone has any advice that would be great.
 
1234    Cleartext-Password := 1234
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = Students
 
 
By the way Freeradius rocks!
 
Thanks,
Austin

Re: Cisco Mac-Auth-Bypass with Freeradius 2.0.4

2008-05-15 Thread Ivan Kalik
You can create groups for use in users file by using passwd module. Have
a look at explanations in radiusd.conf and man pages. You could then
assign tunnel attributes with DEFAULT entries in users file checking
Group-Name.

Ivan Kalik
Kalik Informatika ISP


On 15/5/2008, MONTFORD, AUSTIN [EMAIL PROTECTED] wrote:

Hey,
I just got this working on a test server finally using the users file
and have a quick question.  I was wondering is there a way where I don't
have to type the last 3 lines of this every time in my users file?  I was
thinking of using some kind of setup with a separate file for each vlan
containing only the first statement (with the mac address as the
user/pass).  Then $include each vlanfile in the users file with
freeradius appending the correct tunnel statements depending on what
vlanfile the mac address was in.  Anyways I haven't quite wrapped my
head around the syntax to do this, nor am I sure this is the best way.  If
someone has any advice that would be great.
 
1234    Cleartext-Password := 1234
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = Students
 
 
By the way Freeradius rocks!
 
Thanks,
Austin





Re: EAP-TTLS + PAP with external script

2008-05-15 Thread d_maccari

So why do you bother with radius and EAP for authentication when you are
not going to use them? Use captive portal and run that php script from
the login page. If you need accounting use radius for that.


I need to insert a wpa/wpa2 enterprise wlan, which does need eap and radius, 
side by side with a pre-existing unencrypted wlan which authenticates with a captive 
portal.

That's why that php script.
It's basically the same one used by the captive portal to authenticate the 
unencrypted wlan users with the external server.
Maybe I can port it to perl or even c/c++ to make it a real module and gain 
more control over its behaviour and better performance, but for now it is just 
something more than a proof of concept ;)
If all goes as it should I can even convince the external holder of the user 
database to set up a radius server to proxy requests to, but this is a 
future project.
The accounting is not done with radius either, since it needs to be hardware 
independent and unfortunately not all access points used support radius 
accounting even if they do support wpa/wpa2 enterprise.

I know, it's a weird configuration but I have to deal with it :(

Thanx

Dario Maccari 




Re: EAP-TTLS + PAP with external script

2008-05-15 Thread d_maccari

 <sigh>  That is NOT what you said before.


Sorry, probably a language barrier.
I think my English is not good enough to really explain what I was trying to 
accomplish.

Thanks for your patience.


 It should.


I'll try that solution then, which will lead to, at least, less 
misunderstanding between pap client-side and pap server-side.


Thanks again for your help

Bye

Dario Maccari 




Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Hoggins!
Shouldn't the maintainer of the specific FC9 freeradius package be aware 
of this critical issue ?

I guess a newer release is for very soon.

Casartello, Thomas wrote:

Fedora 9 did do a pretty big gcc version jump. Fedora 8 used 4.1.2,
while 9 uses 4.3.0. BTW I tested it in Fedora 8 and it worked fine, so
it's definitely a 9 issue.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, May 15, 2008 4:22 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

Hoggins! wrote:
 I'm running FC9, by the way... maybe that explains this sudden amount of
 same problems, since the FC9 release was on Tuesday.



  Maybe someone running FC9 could try debugging the problem.

  I haven't run a redhat-based system for *years*.

  Since this works on every other system on the planet, it sounds *very*
much like an issue in FC9.

  Alan DeKok.


RE: Cisco Mac-Auth-Bypass with Freeradius 2.0.4 [SEC=UNCLASSIFIED]

2008-05-15 Thread Ranner, Frank MR
UNCLASSIFIED

__

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MONTFORD, AUSTIN
Sent: Friday, 16 May 2008 07:31
To: freeradius-users@lists.freeradius.org
Subject: Cisco Mac-Auth-Bypass with Freeradius 2.0.4


Hey,
I just got this working on a test server finally using the users
file and have a quick question.  I was wondering is there a way where I
don't have to type the last 3 lines of this every time in my users file?
I was thinking of using some kind of setup with a separate file for each
vlan containing only the first statement (with the mac address as the
user/pass).  Then $include each vlanfile in the users file with
freeradius appending the correct tunnel statements depending on what
vlanfile the mac address was in.  Anyways I haven't quite wrapped my
head around the syntax to do this, nor am I sure this is the best way.  If
someone has any advice that would be great.
 
1234    Cleartext-Password := 1234
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = Students
 
 
By the way Freeradius rocks!
 
Thanks,
Austin 
 
 
There are a couple of ways to do this.

1. Use groups.
2. Use Fall-Through and group your users file.

Example:

# Set boilerplate text
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Fall-Through = True

# Staff systems
DEFAULT
        Tunnel-Private-Group-Id := Staff,
        Fall-Through = True

$INCLUDE staff.users

# Student systems
DEFAULT
        Tunnel-Private-Group-Id := Students,
        Fall-Through = True

$INCLUDE student.users

...

DEFAULT Auth-Type := reject


Student.users would have lines like:
1234    Cleartext-Password := 1234
1235    Cleartext-Password := 1235

and could be generated by a script.

Regards,
Frank Ranner

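Frank's second option (DEFAULT entries carrying Fall-Through, plus $INCLUDEd per-VLAN files) can be checked without a running server. What follows is an added Python model of the users-file matching written for this page, not FreeRADIUS's own files module; the users text, the staff.users/student.users contents, the MACs and the includes dict are constructed, and the check-item and reply-op semantics are the simplified ones stated in the comments.

```python
import re

# Constructed users-file text in the layout of the post above: an entry's
# first line holds its name and check items, indented lines its reply items.
USERS = """\
DEFAULT
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tFall-Through = True
DEFAULT
\tTunnel-Private-Group-Id := Staff,
\tFall-Through = True
$INCLUDE staff.users
DEFAULT
\tTunnel-Private-Group-Id := Students,
\tFall-Through = True
$INCLUDE student.users
DEFAULT Auth-Type:=reject
"""
# Constructed included files: one MAC per line, as a script could generate.
INCLUDES = {
    "staff.users": "00aa11bb22cc\tCleartext-Password := 00aa11bb22cc\n",
    "student.users": "1234\tCleartext-Password := 1234\n"
                     "1235\tCleartext-Password := 1235\n",
}
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|\+=|=)\s*"?([^",]*?)"?\s*$')

def parse_items(text):
    """'Attr op Value, Attr op Value' -> [(attr, op, value)]."""
    return [ITEM_RE.match(p).groups() for p in text.split(",") if p.strip()]

def parse_users(text, includes):
    """Return [(name, check_items, reply_items)] in file order, expanding
    $INCLUDE in place from the includes dict (a stand-in for files on disk)."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("$INCLUDE"):
            entries += parse_users(includes[line.split()[1]], includes)
            continue
        name, check = (line.split(None, 1) + [""])[:2]
        reply = []
        while i < len(lines) and lines[i][:1] in (" ", "\t"):
            reply.append(lines[i])
            i += 1
        entries.append((name, parse_items(check), parse_items(",".join(reply))))
    return entries

def authorize(entries, request):
    """Walk entries in order as the files module does (simplified model).
    An entry applies when its name is DEFAULT or equals User-Name and every
    '==' check item matches the request; its other check items become control
    items (e.g. the Cleartext-Password the MAC is verified against). Reply ops:
    '=' adds only if absent, ':=' overrides, '+=' appends. Processing stops
    after the first applied entry unless its reply has Fall-Through = True."""
    control, reply = {}, {}
    for name, check, rep in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if any(op == "==" and request.get(a) != v for a, op, v in check):
            continue
        control.update((a, v) for a, op, v in check if op != "==")
        fall_through = False
        for a, op, v in rep:
            if a == "Fall-Through":
                fall_through = v.lower() in ("true", "yes", "1")
            elif op == ":=":
                reply[a] = [v]
            elif op == "+=" or a not in reply:
                reply.setdefault(a, []).append(v)
        if not fall_through:
            break
    return control, reply

ENTRIES = parse_users(USERS, INCLUDES)

def decide(mac):
    # Control and reply items for a MAB request whose User-Name is the MAC.
    return authorize(ENTRIES, {"User-Name": mac})
```

Calling decide() on a student MAC, a staff MAC and an unknown MAC shows which Tunnel-Private-Group-Id each one ends up with, and that the unknown MAC falls all the way to the final Auth-Type := reject entry.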


RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Casartello, Thomas
It's not just the Fedora package. Even if you compile the latest freeradius 
from source it still has the problem.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hoggins!
Sent: Thursday, May 15, 2008 8:21 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

Shouldn't the maintainer of the specific FC9 freeradius package be aware 
of this critical issue ?
I guess a newer release is for very soon.

Casartello, Thomas wrote:
 Fedora 9 did do a pretty big gcc version jump. Fedora 8 used 4.1.2,
 while 9 uses 4.3.0. BTW I tested it in Fedora 8 and it worked fine, so
 it's definitely a 9 issue.

 Thomas E. Casartello, Jr.
 Infrastructure Technician
 Linux Specialist
 Department of Information Technology
 Westfield State College
 Wilson 105-A
 (413) 572-8245
 E-Mail: [EMAIL PROTECTED]

 Red Hat Certified Technician (RHCT)


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
 Sent: Thursday, May 15, 2008 4:22 PM
 To: FreeRadius users mailing list
 Subject: Re: FreeRADIUS 2 not listening on right port

 Hoggins! wrote:
 I'm running FC9, by the way... maybe that explains this sudden amount of
 same problems, since the FC9 release was on Tuesday.

   Maybe someone running FC9 could try debugging the problem.

   I haven't run a redhat-based system for *years*.

   Since this works on every other system on the planet, it sounds *very*
 much like an issue in FC9.

   Alan DeKok.


Re: help need with mysql statement in freeradius

2008-05-15 Thread Bishal

I am getting core dumped while running that script.

rlm_perl: perl_embed:: module = /usr/local/etc/raddb/mac_check.pl , func
= authorize exit status= Undefined subroutine main::authorize called
Segmentation fault (core dumped)

##Script part
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);



$username = $RAD_REQUEST{'User-Name'};
$callerid = $RAD_REQUEST{'Calling-Station-Id'};

Is this the right process of getting value from the request ? How can I
bypass perl function Authorization, authentication, accounting so that
only MAC assignment process will be done by this script?

Thanks





On 5/15/2008, Ivan Kalik [EMAIL PROTECTED] wrote:

PS. You should run your script in authorize.

Ivan Kalik
Kalik Informatika ISP


On 15/5/2008, Bishal [EMAIL PROTECTED] wrote:


Hello Ivan,

  I came up with this script but it looks like it's not working. In
radiusd.conf

perl {
        module = /usr/local/etc/raddb/mac_check.pl
}

instantiate {
        exec
        expr
        dailycounter
        noresetcounter
        perl
}

radius debug shows the perl module loaded. But my script is not working. How
can I assign the variables username and callingStationid in my script during
the authentication process? The rlm_perl doc shows %RAD_REQUEST{'User-name'}
but it's not helping.






#!/usr/bin/perl
# Check whether MAC Authentication is enabled or not

use DBI;

#$username = $ARGV[4];

#$username = %RAD_REQUEST{'User-Name'};
#$callerid = %RAD_REQUEST{'Calling-Station-Id'};

# Database connection settings
$database = "radius";
$user     = "freeradius";
$password = "blaba2r";
$option   = "localhost";

$dsn = "DBI:mysql:$database";
$dsn = "DBI:mysql:database=$database;host=$option";
$dbh = DBI->connect($dsn, $user, $password);

# Does this user have MAC authentication (Usemac) enabled?
my $sql = $dbh->prepare("SELECT Usemac FROM radcheck WHERE
    UserName='$RAD_REQUEST{'User-Name'}' AND Attribute='Expiration'");
my $sql2 = $dbh->prepare("SELECT Value FROM radcheck WHERE
    Attribute='Calling-Station-Id' AND UserName='tori'");
# Store the calling station (MAC) as a check item for this user
my $sql3 = $dbh->prepare("INSERT INTO radcheck (id,UserName,Attribute,op,Value)
    VALUES('','$RAD_REQUEST{'User-Name'}','Calling-Station-Id','+=','$RAD_REQUEST{'Calling-Station-Id'}')");

$rowcount = $sql->execute
    or die "Cannot execute SQL statement: $DBI::errstr\n";

my @row;
while ( @row = $sql->fetchrow_array() ) {
    $mac = $row[0];
    chomp($mac);
}
# Check if MAC authentication is enabled or not; if enabled then insert
# the mac
if ($mac == 1 ){

    $rowcount = $sql3->execute
        or die "Cannot execute SQL Statement: $DBI::errstr\n";

}else {
    exit;
}
$sql->finish;
$dbh->disconnect()
    or warn "Disconnection failed: $DBI::errstr\n";


On 5/14/2008, Bishal [EMAIL PROTECTED] wrote:


Any sample scripts IVAN?



On 5/14/2008, Ivan Kalik [EMAIL PROTECTED] wrote:


 I am using sql for AAA.

I have news for you - you are not. You are using it to store attributes.

Can you give me some examples how can I do that
with rlm_perl modules?


Do Google: mysql perl tutorial. If it's not MySQL, replace that with the
name of your sql server.

Ivan Kalik
Kalik Informatika ISP



Another possibility to reconcile?

2008-05-15 Thread Tuc at T-B-O-H.NET
Hi,

I'm looking to implement the Simultaneous-User Value in radcheck.
(FR 2.0.3) I'm having the issue that, for whatever reason (I'd blame the 
network in a heartbeat, not FR at all), the accounting for a logged in user 
never gets from a NULL acctstoptime to one filled in. 

At the current time, radwho on the server shows approximately
22 active users. In reality I think it'd be more like 1/2 of that. A
SELECT count( * ) FROM radacct WHERE acctstoptime IS NULL ; shows 91
records.

Due to the version of the NAS we are running (DD-WRT with Chillispot),
we can't get checkrad to help true up the information. 

Is there another way to help keep everything in sync, so we don't have
users who pay for a single ID, doing things like :

lobnic14   00-13-02-25-8C-   shell S1   Thu 17:3  192.168.7 192.168.182.3
lobnic14   00-1B-77-11-F4-   shell S2   Thu 22:1  192.168.7 192.168.182.4
damrap6    00-0E-35-C0-16-   shell S1   Thu 22:1  192.168.5 192.168.182.5
damrap6    00-11-24-8F-27-   shell S3   Thu 20:2  192.168.5 192.168.182.10
damrap6    00-1B-77-06-2F-   shell S4   Thu 20:2  192.168.5 192.168.182.11

Thanks, Tuc


Re: EAP-TLS cert

2008-05-15 Thread Kwok Sianbin
Hi,
 
 I've installed FreeRadius-2.0.4 and it runs fine.
 Here are a few things I had edited.
 
 clients.conf
 client 192.168.0.0/24 {
     secret = testing123-1
     shortname = private-network-1
 }
 
 eap {
     default_eap_type = tls
 }
 
 
 tls {
     fragment_size = 1024
     include_length = yes
 }
 
 users
 MarsindNet    Cleartext-Password := hello
               Reply-Message = "Hello, %{User-Name}"
 
 Now I want to test connecting with Windows XP but I could not find
 root.der or cert-clt.p12 like the previous version had.
 
 What files should I copy and install into Windows XP as client certificate?
 
 Thanks in advance.
 
Alan DeKok [EMAIL PROTECTED] wrote: Kwok Sianbin wrote:
 I am a newbie to linux and recently I tried to implement wireless
 connection with EAP-TLS encryption. I am using Freeradius-1.1.7
 installed into Red Hat Enterprise 4.

  You should really use 2.0.4.

 Here I encounter problems that I can't solve alone, hence I need
 advice from the gurus of this forum.
 The problem is the client just can't get connected and keeps requesting.

 ...
 Sending Access-Challenge of id 15 to 192.168.0.206 port 1025
...
 Going to the next request
 Waking up in 6 seconds...

  This is in the FAQ.  It's also documented in the eap.conf file in 2.0.4.

 Here I post the CA.certs execution result as I suspect that the errors
 might be due to a certificate error.
 When I ran ./CA.certs I got a few errors.

  2.0.4 also contains new scripts for certificate creation.  They're
MUCH better than what's in 1.1.7.

  Alan DeKok.

Re: help need with mysql statement in freeradius

2008-05-15 Thread Bishal

debug output of the radius

Module: Instantiated detail (reply_log)
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.

rad_recv: Access-Request packet from host 202.xx.xx.xx:52743, id=81,
length=151
NAS-Identifier = pppoe-test.lumbininet.com.np
NAS-Port = 12
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = 001a4daf4ead
Called-Station-Id = WIFITEST
User-Name = mobile
CHAP-Password = 0x0102e814e5d756effb7319a534e354dcd2
CHAP-Challenge =
0xbb1e687616119cbcd0156169c9b45cb65bd4ce0daf99b5788e
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radacct/202.xx.xx.xx/auth-detail-20080516'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radacct/202.xx.xx.xx/auth-detail-20080516
  modcall[authorize]: module auth_log returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
rlm_realm: No '@' in User-Name = mobile, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  modcall[authorize]: module files returns notfound for request 0
radius_xlat:  'mobile'
rlm_sql (sql): sql_set_user escaped user -- 'mobile'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'mobile'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 28
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'mobile' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'mobile'   ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'mobile' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 28
  modcall[authorize]: module sql returns ok for request 0
rlm_checkval: Item Name: Calling-Station-Id, Value: 001a4daf4ead
rlm_checkval: Could not find attribute named Calling-Station-Id in check
pairs
  modcall[authorize]: module checkval returns notfound for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module dailycounter returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module monthlycounter returns noop for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='%{User-Name}''
radius_xlat:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='mobile''
sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime) FROM radacct
WHERE UserName='mobile'}'
radius_xlat: Running registered xlat function of module sql for string
'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mobile''
rlm_sql (sql): - sql_xlat
radius_xlat:  'mobile'
rlm_sql (sql): sql_set_user escaped user -- 'mobile'
radius_xlat:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='mobile''
rlm_sql (sql): Reserving sql socket id: 27
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 27
radius_xlat:  '284499'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user mobile, check_item=42, counter=284499
rlm_sqlcounter: Sent Reply-Item for user mobile, Type=Session-Timeout,
value=135501
  modcall[authorize]: module noresetcounter returns ok for request 0
Using perl at 0x82220c0
rlm_perl: Added pair Reply-Message = MAC Auth not Enabled
rlm_perl: Added pair Session-Timeout = 135501
rlm_perl: Added pair Filter-Id = 36/28
rlm_perl: Added pair mpd-limit = in#1=flt1 shape 256000 pass
rlm_perl: Added pair mpd-limit = in#2=all shape 48000
rlm_perl: Added pair mpd-limit = out#1=flt2 shape 512000 pass
rlm_perl: Added pair mpd-limit = out#2=all shape 48000
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Idle-Timeout = 200
rlm_perl: Added pair mpd-filter = 1#1=match dst 202.xx.xx.xx
rlm_perl: Added pair mpd-filter = 2#1=match src 202.xx.xx.xx
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Expiration = Jul  3 2008 00:00:00 NPT
rlm_perl: Added pair Max-All-Session = 42
rlm_perl: Added pair User-Password = computer
rlm_perl: Added pair Simultaneous-Use = 2
rlm_perl: Added pair Auth-Type = CHAP
  modcall[authorize]: module perl 

Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Michael Griego
I did a little looking into this this evening.  This assessment looks  
to be correct as it looks to be related to compiler optimizations.   
With the optimizations disabled in Make.inc, FreeRADIUS will start up  
on the correct port.  For the fr_socket function, gcc appears to be  
optimizing the arguments by sending them through the registers instead  
of the stack frame, but the port argument is being clobbered  
(optimized out) before the htons(port) call.  Specifically,  
according to a step-through with GDB, after the first function call in  
fr_socket (which is to socket()), the port variable is gone  
(optimized out).


--Mike

On May 15, 2008, at 4:30 PM, Casartello, Thomas wrote:


Fedora 9 did do a pretty big gcc version jump. Fedora 8 used 4.1.2,
while 9 uses 4.3.0. BTW I tested it in Fedora 8 and it worked fine, so
it's definitely a 9 issue.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, May 15, 2008 4:22 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

Hoggins! wrote:

I'm running FC9, by the way... maybe that explains this sudden amount of
same problems, since the FC9 release was on Tuesday.


 Maybe someone running FC9 could try debugging the problem.

 I haven't run a redhat-based system for *years*.

 Since this works on every other system on the planet, it sounds *very*
much like an issue in FC9.

 Alan DeKok.


Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Alan DeKok
Michael Griego wrote:
 I did a little looking into this this evening.  This assessment looks to
 be correct as it looks to be related to compiler optimizations.  With
 the optimizations disabled in Make.inc, FreeRADIUS will start up on the
 correct port.  For the fr_socket function, gcc appears to be optimizing
 the arguments by sending them through the registers instead of the stack
 frame, but the port argument is being clobbered (optimized out)
 before the htons(port) call.  Specifically, according to a step-through
 with GDB, after the first function call in fr_socket (which is to
 socket()), the port variable is gone (optimized out).

  <sigh>  I've started testing the server with other compilers.  GCC is
getting too ugly for my liking.

  I'll put a note on the main web page.: DON'T USE -O2 ON FEDORA!

  Alan DeKok.