No authenticate method
Hello, I run FreeRadius 1.1.7 under Fedora Core 8. Here is the radiusd.conf extract and below a session log. In the log I put a star at the beginning of the lines which I don't understand. I want FreeRADIUS to look for the user password in the LDAP. Thank you for your help.

radiusd.conf extracts

modules {
    ...
    ldap ldap1 {
        ...
    }
    ldap ldap2 {
        ...
    }
    ...
}
authorize {
    ...
    Autz-Type ldap1 {
        ldap1
    }
    Autz-Type ldap2 {
        ldap2
    }
    ...
}
authenticate {
    ...
    Auth-Type ldap1 {
        ldap1
    }
    Auth-Type ldap2 {
        ldap2
    }
    ...
}
...

---

log extracts

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 256
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Counter
 counter: filename = /etc/raddb/db.daily
 counter: key = User-Name
 counter: reset = daily
 counter: count-attribute = Acct-Session-Time
 counter: counter-name = Daily-Session-Time
 counter: check-name = Max-Daily-Session
 counter: allowed-servicetype = Framed-User
 counter: cache-size = 5000
rlm_counter: Counter attribute Daily-Session-Time is number 3001
rlm_counter: Current Time: 1210772270 [2008-05-14 15:37:50], Next reset 1210802400 [2008-05-15 00:00:00]
Module: Instantiated counter (daily)
Module: Loaded LDAP
 ldap: server = ldap1.XXX.fr
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = cn=ldapread,ou=special,dc=XXX,dc=fr
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = our_password
 ldap: basedn = dc=XXX,dc=fr
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = (null)
 ldap: password_attribute = userPassword
 ldap: access_attr = (null)
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap1-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap1-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap1
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP carLicense mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
conns: 0xbae7a380
Module: Instantiated ldap (ldap1)
 ldap: server = ldap2.XXX.fr
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = cn=ldapread,ou=special,dc=XXX,dc=fr
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = our_password
 ldap: basedn = dc=XXX,dc=fr
 ldap: filter =
Re: help need with mysql statement in freeradius
But my script is not working. How can I assign the variables username and callingStationid in my script during the authentication process? The rlm_perl doc shows %RAD_REQUEST{'User-name'} but it's not helping?

That's because you haven't mastered even more basic things such as how to concatenate a string. You also have difficulty distinguishing between the name of the variable and its value, ie. you are trying to put the names of the variables into the sql queries instead of their values.

Tips:
- have a look at example.pl and you will see how to log request attributes (if you suspect that there is something wrong with them)
- use $query to build a query string and then print/log it in order to find out what queries you are trying to run
- you can't use quotes within quotes if they are of the same type; actually you can, but the result won't be what you expect - the parser doesn't know that those quotes are inside these quotes - the first one it runs into will be the start of the quote, the next one will be the end

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: No authenticate method
authorize {
    ...
    Autz-Type ldap1 {
        ldap1
    }
    Autz-Type ldap2 {
        ldap2
    }
    ...
}
..
rad_recv: Access-Request packet from host 11.12.13.14:1896, id=3, length=47
        User-Name = xx
        User-Password = yy
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/var/log/radius/radacct/141.115.16.72/auth-detail-20080514'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/141.115.16.72/auth-detail-20080514
modcall[authorize]: module auth_log returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
modcall[authorize]: module daily returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
* auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
* auth: Failed to validate the user.
* Login incorrect: [xx/yy] (from client z port 0)

And how are you calling those Autz-Types (without files)? You probably want:

authorize {
    ..
    ldap1
    ldap2
    ..
}

Ivan Kalik
Kalik Informatika ISP
EAP TLS Authentication failing!!!! Unknown CA
Hi All,

I am trying to authenticate one embedded WLAN device using freeRadius server 2.0.4. I have radiusd.conf and client.conf files as per my configuration. I have created certificates using the bootstrap script. Values in ca.cnf, client.cnf and server.cnf have been modified accordingly. I have copied ca.pem and client.pem to the device filesystem. The private key has been extracted from client.pem.

Since last week I have been trying to authenticate with the freeradius server but I am getting an error like Unknown CA. Please see the attached radius logs.

When I verify the client certificate using

openssl verify -CApath ca.pem client.pem

I see the following error:

Error 20 at depth 0 lookup : unable to get local issuer certificate.

The device is already tested with Windows 2003 server's TLS (of course with a different set of certificates :) ) and it is working fine. What will be the possible reason behind this and where am I going wrong? Appreciate your help.

Thanks and Regards,
Avinash.

        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x020300060d00
        NAS-IP-Address = 192.168.1.202
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = ttls, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Re: help need with mysql statement in freeradius
PS. You should run your script in authorize.

Ivan Kalik
Kalik Informatika ISP

On 15/5/2008, Bishal [EMAIL PROTECTED] wrote:

Hello Ivan,

I came up with this script but it looks like it's not working. In radiusd.conf:

perl {
    modules = /usr/local/etc/raddb/mac_check.pl
}
Instantiate {
    exec
    expr
    dailycounter
    noresetcounter
    perl
}

radius debug shows perl modules loaded. But my script is not working. How can I assign the variables username and callingStationid in my script during the authentication process? The rlm_perl doc shows %RAD_REQUEST{'User-name'} but it's not helping?

#!/usr/bin/perl
# Check whether MAC authentication is enabled or not
#$username = $ARGV[4];
#$username = %RAD_REQUEST{'User-Name'};
#$callerid = %RAD_REQUEST{'Calling-Station-Id'};
use DBI;

# connection settings for the radius database
$database = "radius";
$user = "freeradius";
$password = "blaba2r";
$option = "localhost";
$dsn = "DBI:mysql:$database";
$dsn = "DBI:mysql:database=$database;$option";
$dbh = DBI->connect($dsn, $user, $password);

# does this user have MAC checking turned on?
my $sql = $dbh->prepare("SELECT Usemac FROM radcheck WHERE UserName='$RAD_REQUEST{'User-Name'}' AND Attribute='Expiration'");
my $sql2 = $dbh->prepare("SELECT Value FROM radcheck WHERE Attribute='Calling-Station-Id' AND UserName='tori'");
# store the calling MAC as a check item for the user
my $sql3 = $dbh->prepare("INSERT INTO radcheck (id,UserName,Attribute,op,Value) VALUES('','$RAD_REQUEST{'User-Name'}','Calling-Station-Id','+=','$RAD_REQUEST{'Calling-Station-Id'}')");

$rowcount = $sql->execute or die "Cannot execute SQL statement: $DBI::errstr\n";
my @row;
while ( @row = $sql->fetchrow_array() ) {
    $mac = $row[0];
    chomp($mac);
}

# Check if MAC authentication is enabled or not; if enabled then insert the mac
if ($mac == 1 ) {
    $rowcount = $sql3->execute or die "Cannot execute SQL Statement: $DBI::errstr\n";
} else {
    exit;
}
$sql->finish;
$dbh->disconnect() or warn "Disconnection failed: $DBI::errstr\n";

On 5/14/2008, Bishal [EMAIL PROTECTED] wrote:

Any sample scripts IVAN?

On 5/14/2008, Ivan Kalik [EMAIL PROTECTED] wrote:

I am using sql for AAA.

I have news for you - you are not. You are using it to store attributes.

Can u give me some examples how can I do that with Rlm_perl modules?

Do Google: mysql perl tutorial. If it's not MySQL, replace that with the name of your sql server.

Ivan Kalik
Kalik Informatika ISP
Listen port problem
Hello,

I have a strange problem since I updated my freeradius from 1.x to 2.x, from a simple rpm update. It binds to random ports! Here is the dump of radiusd -X:

FreeRADIUS Version 2.0.2, for host i386-redhat-linux-gnu, built on Mar 18 2008 at 13:16:44
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb//radiusd.conf
including configuration file /etc/raddb//clients.conf
including configuration file /etc/raddb//snmp.conf
including configuration file /etc/raddb//eap.conf
including configuration file /etc/raddb//sql.conf
including configuration file /etc/raddb//sql/mysql/dialup.conf
including configuration file /etc/raddb//sql/mysql/counter.conf
including configuration file /etc/raddb//policy.conf
including files in directory /etc/raddb//sites-enabled/
including configuration file /etc/raddb//sites-enabled/default
including dictionary file /etc/raddb//dictionary
main {
    prefix = /usr
    localstatedir = /var
    logdir = /var/log/radius
    libdir = /usr/lib/freeradius
    radacctdir = /var/log/radius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = /var/run/radiusd/radiusd.pid
    user = radiusd
    group = radiusd
    checkrad = /usr/sbin/checkrad
    debug_level = 0
    proxy_requests = no
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = radiusbouffard
    nastype = other
}
client 192.168.0.0/16 {
    require_message_authenticator = no
    secret = radiusbouffard
    shortname = wifigates
}
radiusd: Loading Realms and Home Servers
radiusd: Instantiating modules
instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = request
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
    reply-message = Password Has Expired
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
    reply-message = You are calling outside your allowed timespan
    minimum-timeout = 60
  }
}
radiusd: Loading Virtual Servers
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
    encryption_scheme = auto
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
    radwtmp = /var/log/radius/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = Password:
    auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = /etc/raddb//certs/server.pem
    certificate_file = /etc/raddb//certs/server.pem
    CA_file = /etc/raddb//certs/ca.pem
    private_key_password = whatever
    dh_file = /etc/raddb//certs/dh
    random_file = /etc/raddb//certs/random
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = DEFAULT
    make_cert_command = /etc/raddb//certs/bootstrap
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
    default_eap_type = md5
    copy_request_to_tunnel = no
    use_tunneled_reply = no
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
EAP TLS Authentication with eToken
Hello,

Has anyone used the eToken Aladdin 64k with EAP-TLS authentication using wpa_supplicant?

thank you
Rick
Re: Listen port problem
Hoggins! wrote:
I have a strange problem since I updated my freeradius from 1.x to 2.x, from a simple rpm update. It binds to random ports!

Weird. Either re-build yourself from source, or just specify the ports in radiusd.conf.

Alan DeKok.
How to activate the accounting sub section in perl script
hi,

I am doing my AAA in a perl script for radius 2.0.3. Can anybody please tell me how I activate my accounting subsection in my perl program? I didn't find any execution of my queries in the accounting sub section in my perl script.

With Regards,
Johnson Elangbam
Re: Listen port problem
Thanks, I'm already rebuilding from source, see what I can get. Specifying the ports in the radiusd.conf doesn't solve the problem. Very weird.

Alan DeKok wrote:
Hoggins! wrote:
I have a strange problem since I updated my freeradius from 1.x to 2.x, from a simple rpm update. It binds to random ports!

Weird. Either re-build yourself from source, or just specify the ports in radiusd.conf.

Alan DeKok.
Re: How to activate the accounting sub section in perl script
List perl in accounting {}. That section is now in sites-enabled/default or whatever virtual server you are using for accounting.

Ivan Kalik
Kalik Informatika ISP

On 15/5/2008, johnson elangbam [EMAIL PROTECTED] wrote:

hi, I am doing my AAA in a perl script for radius 2.0.3. Can anybody please tell me how I activate my accounting subsection in my perl program? I didn't find any execution of my queries in the accounting sub section in my perl script.

With Regards,
Johnson Elangbam
RE: EAP-TTLS + PAP with external script
authorize {
    preprocess
    suffix
    eap
    pap
    papauth
}

pap really should go at the end - i believe the default config mentions this...with maybe exclamation marks or capital letters?

alan

How is this supposed to help me in any way to configure FR to do PAP authentication?

According to the documentation, PAP should be listed last in the authorize section because it needs to check passwords added by previous modules and normalize them. In my case none of the previous modules (preprocess, suffix, eap) gives any known good password (and this is intended since I don't want the RADIUS server to know the real user password), so pap just gives back NOOP. I can even comment out pap in the authorize section since it just responds noop in any case.

Here are the logs from radiusd -X in any case.

radiusd -X with pap and not papauth
**
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
modcall[authorize]: module pap returns noop for request 9
modcall: leaving group authorize (returns ok) for request 9
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
**
Since eap is over (final step of ttls) and no modules are adding a known good password for the user, pap responds noop and there is no Auth-Type configured.

radiusd -X with pap after papauth
**
Exec-Program output: Auth-Type = PAP
Exec-Program-Wait: value-pairs: Auth-Type = PAP
Exec-Program: returned: 0
modcall[authorize]: module papauth returns ok for request 4
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
modcall[authorize]: module pap returns noop for request 4
rad_check_password: Found Auth-Type PAP
auth: type PAP
**
The script sets the Auth-Type and pap just answers noop.

radiusd -X with pap before papauth
**
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
modcall[authorize]: module pap returns noop for request 9
Exec-Program output: Auth-Type = PAP
Exec-Program-Wait: value-pairs: Auth-Type = PAP
Exec-Program: returned: 0
modcall[authorize]: module papauth returns ok for request 9
modcall: leaving group authorize (returns ok) for request 9
rad_check_password: Found Auth-Type PAP
auth: type PAP
**
Pap still answers with noop and does not set the Auth-Type, but the script does the job, setting the Auth-Type and letting the second script check the credentials.

radiusd -X without pap in authorize
**
Exec-Program output: Auth-Type = PAP
Exec-Program-Wait: value-pairs: Auth-Type = PAP
Exec-Program: returned: 0
modcall[authorize]: module papauth returns ok for request 9
modcall: leaving group authorize (returns ok) for request 9
rad_check_password: Found Auth-Type PAP
auth: type PAP
**

My question is which is the best way to correctly accomplish pap authentication WITHOUT using authorization checks. My solution was to force Auth-Type to PAP in case we have username and password in the radius attributes. Another way is, I think, using a users file with DEFAULT Auth-Type = PAP but I read in many places NOT TO DO THAT. Another way could be to check if the Auth-Type is present and set it to PAP if it is not set, and list that script as last in the authorize section. Which is the best solution?

Btw, in the config I see:

*** radiusd.conf *
# As of 1.1.4, you should list pap last in this section.
# See man rlm_pap for more information.
*

So no exclamations and capitals, just a "should". And I did read the man page to understand a little more about what I was going to do.

Thanks in advance
Bye
Maccari Dario
Re: EAP-TTLS + PAP with external script
Dario Maccari wrote:
How is this supposed to help me in any way to configure FR to do PAP authentication?

If you have configured the *server* to do PAP authentication, then the default configuration files should be used. Your module (exec/whatever) should supply a known good password. The server then uses that to authenticate the user.

If *your module* is doing PAP authentication, then you need to list *your module* in the authenticate section. You need to force Auth-Type to be *your module*. And all other authentication types will fail.

According to the documentation, PAP should be listed last in the authorize section because it needs to check passwords added by previous modules and normalize them.

Yes.

In my case none of the previous modules (preprocess, suffix, eap) gives any known good password (and this is intended since I don't want the RADIUS server to know the real user password), so pap just gives back NOOP.

Then your module needs to do the authentication. And why do you care if the server knows the password? Is it for security? Are you aware that for TTLS + PAP, if your external script returns "authenticated", the server *knows* that the PAP password is correct? So why not simplify your life, and give the server the real user password?

Here are the logs from radiusd -X in any case
radiusd -X with pap and not papauth
**
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
modcall[authorize]: module pap returns noop for request 9
modcall: leaving group authorize (returns ok) for request 9
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

i.e. you haven't told the server what the known good password is, and you haven't told the server how to authenticate the user.

The script sets the Auth-Type and pap just answers noop.

Huh? You're setting Auth-Type to PAP in your script? Do you expect the PAP module to m

I've deleted the other attempts at "let's make random changes to see if it works". Stop making changes until you understand how the server works.

Start with the default configuration, and then do this in the inner-tunnel virtual server. (i.e. also use 2.0.4)

authorize {
    ...
    update control {
        Cleartext-Password := `/path/to/script %{User-Name}`
    }
    pap
}

The script should use the username to look up the known good password, and then print it to STDOUT. e.g. "echo hello" would be a good start.

EAP-TTLS + PAP will then WORK. And YES, you will be giving the server the real user password. This is NOT a problem. If you think it's a problem, then you need to change your opinion. It's NOT a problem.

Alan DeKok.
Re: How to activate the accounting sub section in perl script
Hi,

hi, I am doing my AAA in a perl script for radius 2.0.3, can anybody please tell me how I activate my accounting subsection in my perl program? I didn't find any execution of my queries in the accounting sub section in my perl script.

add perl to the accounting section in whatever virtual server you are running, enable the accounting part in the perl config (in experimental.conf) and ensure you have an accounting subroutine in your perl module

alan
Error binding to port for 0.0.0.0 port 1812
Hi Alan,

I've installed FreeRadius-2.0.4 and I got some error saying

ERROR: Failed to open socket: /usr/local/etc/raddb/radiusd.conf[210]: Error binding to port for 0.0.0.0 port 1812

but when I check in radiusd.conf

ipaddr = *
# interface = eth0

How can I fix this error? I have 2 ethernet cards, eth1 = 192.168.1.10 (DNS iptables), eth0 = 192.168.0.10 (Wifi)

Here are a few things that I edited (uncommented):

clients.conf
client 192.168.0.0/24
    secret = testing123-1
    shortname = private-network-1

users (added)
MarsindNet ClearText-Password := testing123
    Reply-Message := "Hello, %{User-Name}"

eap.conf
eap {
    default_eap_type = tls
}
tls {
    .
    fragment_size = 1024
    include_length = yes
}

Next step I want to test a Windows XP client but I couldn't find root.der and cert-clt.p12 as the previous version had.
RE: EAP-TTLS + PAP with external script
If you have configured the *server* to do PAP authentication, then the default configuration files should be used. Your module (exec/whatever) should supply a known good password. The server then uses that to authenticate the user.

I configured the CLIENT to do EAP-TTLS with inner PAP. The server needs to fit inside a more complex structure in which no known good password is available. User data are stored outside the radius server and can't be accessed in any other way than the ones that are given to me. Actually I can't ask for the password of a user so as to provide this password to the pap module. All I can do is to check if the pair username/password is correct and there is nothing I can do about that. That's why I can't provide a known good password to the pap module and that's why the pap module for authorization can not be used.

If *your module* is doing PAP authentication, then you need to list *your module* in the authenticate section. You need to force Auth-Type to be *your module*. And all other authentication types will fail.

That's very interesting and is something I haven't found in the documentation (my fault). You mean that using a users file with DEFAULT Auth-Type = DONALDUCK and in radiusd.conf having something like (cutting out default stuff):

**
modules {
    exec myauth {
        wait = yes
        program = /path/to/my/script
        input_pairs = request
        output_pairs = reply
    }
}
authorize {
    eap
    file
}
authenticate {
    Auth-Type DONALDUCK {
        myauth
    }
}
*

Will work?

i.e. you haven't told the server what the known good password is, and you haven't told the server how to authenticate the user.

Right, I can't provide the known good password as stated before.

Huh? You're setting Auth-Type to PAP in your script?

That was my solution to force the pap authentication module to do the authentication.

I've deleted the other attempts at "let's make random changes to see if it works".

It wasn't a "let's make random changes to see if it works", it has worked since the beginning. I have even provided other possible solutions too. The tests were just there to point out that the response that "pap really should go at the end", with other annoying comments about exclamation marks and capital letters, was plainly inappropriate.

Stop making changes until you understand how the server works. Start with the default configuration, and then do this in the inner-tunnel virtual server. (i.e. also use 2.0.4)

Unfortunately even this is not an option. I can't switch to 2.0.4 and am forced to use 1.1.7 until my company includes 2.0 in accepted software. It's not my fault and I can't do much about it.

The script should use the username to look up the known good password, and then print it to STDOUT. e.g. "echo hello" would be a good start. EAP-TTLS + PAP will then WORK. And YES, you will be giving the server the real user password. This is NOT a problem. If you think it's a problem, then you need to change your opinion. It's NOT a problem.

It IS a problem for me since the external server owner will NOT give me any access other than the ability to check if the pair username/password is valid.

And all of it is now working; I'm just asking what is the best solution between using a script to force Auth-Type and using a users file. I don't care if other authentication methods will not work.

Bye and thanks again
Maccari Dario
FreeRADIUS 2 not listening on right port
I just upgraded my FreeRADIUS server from the version 1 to version 2 family. I have the listen {} statements configured as follows:

radiusd: Opening IP addresses and Ports
listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    type = acct
    ipaddr = *
    port = 1813
}
main {
    snmp = no
    smux_password =
    snmp_write_access = no
}
Listening on authentication address * port 41045
Listening on accounting address * port 54893
Listening on proxy address * port 38374
Ready to process requests.

However as you can see it always listens on random ports. What am I doing wrong? I am using version 2.0.2 which was distributed with Fedora 9.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]
Red Hat Certified Technician (RHCT)
RE: FreeRADIUS 2 not listening on right port
Compiling from source did NOT solve the problem.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]
Red Hat Certified Technician (RHCT)

From: [EMAIL PROTECTED] On Behalf Of Casartello, Thomas
Sent: Thursday, May 15, 2008 1:16 PM
To: freeradius-users@lists.freeradius.org
Subject: FreeRADIUS 2 not listening on right port

> I just upgraded my FreeRADIUS server from the version 1 to version 2 family. I have the listen {} statements configured as follows: [config and startup log as in the original post]
RE: FreeRADIUS 2 not listening on right port
You're not running NAT/PAT through iptables are you? It'll translate 1812/1813 inside to some high port/some high port outside. Not sure how the server will pick that up. Maybe the port after translation. If so you'll need to not port translate the radius ports. I can do it in a Pix, but haven't used iptables for translation in a long while.

Mearl

From: [EMAIL PROTECTED] On Behalf Of Casartello, Thomas
Sent: Thursday, May 15, 2008 12:31 PM
To: FreeRadius users mailing list
Subject: RE: FreeRADIUS 2 not listening on right port

> Compiling from source did NOT solve the problem.
RE: FreeRADIUS 2 not listening on right port
No I am not doing any kind of NAT. I actually have IPTables disabled right now.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Danner, Mearl
Sent: Thursday, May 15, 2008 1:42 PM
To: FreeRadius users mailing list
Subject: RE: FreeRADIUS 2 not listening on right port

> You're not running NAT/PAT through iptables are you? It'll translate 1812/1813 inside to some high port/some high port outside. Not sure how the server will pick that up. Maybe the port after translation. If so you'll need to not port translate the radius ports. I can do it in a Pix, but haven't used iptables for translation in a long while.
>
> Mearl
RE: FreeRADIUS 2 not listening on right port
Have you tried binding to a specific IP address rather than *?

-----Original Message-----
From: freeradius-users-[EMAIL PROTECTED] On Behalf Of Casartello, Thomas
Sent: Thursday, May 15, 2008 12:44 PM
To: FreeRadius users mailing list
Subject: RE: FreeRADIUS 2 not listening on right port

> No I am not doing any kind of NAT. I actually have IPTables disabled right now.
RE: FreeRADIUS 2 not listening on right port
Yes. Same result. I went back to 1.1.7 on the same box and it's working fine now.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Danner, Mearl
Sent: Thursday, May 15, 2008 2:01 PM
To: FreeRadius users mailing list
Subject: RE: FreeRADIUS 2 not listening on right port

> Have you tried binding to a specific IP address rather than *?
Re: FreeRADIUS 2 not listening on right port
Casartello, Thomas wrote:
> Compiling from source did NOT solve the problem.

It looks like Fedora is broken. The server code does this:

	if (port == 0) {
		call system function to look up radius port in /etc/services
		if (found) {
			port = port found in /etc/services
		} else {
			port = 1812
		}
	}

The only way I can see it choosing random ports is if the lookup in /etc/services returns found, with a random port.

I suggest hard-coding the port numbers (1812/1813) into the listen sections. Maybe also see if 'radius' and 'radacct' are defined in /etc/services.

Alan DeKok.
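The port fallback described above, modelled in Python together with a bind check that shows why ports like 41045/54893/38374 are the signature of bind() having been handed port 0. This is an added example, not FreeRADIUS code; the service names and default ports passed in are assumptions.

```python
"""Added example: model the listen-port fallback described in the message and
check what a UDP bind actually returns.  Not FreeRADIUS code."""
import socket


def resolve_listen_port(configured: int, service: str, default: int) -> int:
    """Mirror the pseudocode: a non-zero configured port wins; port 0 means
    "look `service` up in /etc/services" (getservbyname), and only when that
    lookup fails does the hard-coded default apply."""
    if configured != 0:
        return configured
    try:
        return socket.getservbyname(service, "udp")
    except OSError:
        # no entry for the service (or no /etc/services at all): use the default
        return default


def bound_udp_port(port: int, addr: str = "127.0.0.1") -> int:
    """Bind a UDP socket to addr:port and return the port the kernel reports via
    getsockname().  Binding port 0 asks the kernel for an ephemeral port, which
    is exactly what 'Listening on authentication address * port 41045' looks
    like.  Returns -1 if the socket cannot be created or bound (for instance in
    a sandbox without network access)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind((addr, port))
            return s.getsockname()[1]
    except OSError:
        return -1


def looks_ephemeral(port: int) -> bool:
    """True if `port` lies in Linux's default ip_local_port_range (32768-60999
    on current kernels, 32768-61000 on older ones).  All three ports in the
    reported startup log fall in it, so bind() received 0, not 1812/1813."""
    return 32768 <= port <= 61000


if __name__ == "__main__":
    for name, default in (("radius", 1812), ("radacct", 1813)):
        print(name, "->", resolve_listen_port(0, name, default))
    got = bound_udp_port(0)
    print("bind(0) gave port", got, "ephemeral:", looks_ephemeral(got))
```

A quick `python3 -c` run of `looks_ephemeral()` on the three ports from a startup log is enough to tell a config that never reached bind() apart from one that was mangled in transit.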
RE: EAP-TTLS + PAP with external script
> I configured the CLIENT to do EAP-TTLS with inner PAP. The server needs to fit inside a more complex structure in which no known good password is available. User data are stored outside the radius server and can't be accessed in any other way than the ones that are given to me.

So why do you bother with radius and EAP for authentication when you are not going to use them? Use captive portal and run that php script from the login page. If you need accounting use radius for that.

Ivan Kalik
Kalik Informatika ISP
Re: EAP-TTLS + PAP with external script
Dario Maccari wrote:
> I configured the CLIENT to do EAP-TTLS with inner PAP.

Yes, you said that.

> The server needs to fit inside a more complex structure in which no known good password is available.

sigh That is NOT what you said before.

..

> Will work?.

It should.

Alan DeKok.
RE: FreeRADIUS 2 not listening on right port
I tried hardcoding them in the listen section. Same result.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, May 15, 2008 2:16 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

> It looks like Fedora is broken. [...] I suggest hard-coding the port numbers (1812/1813) into the listen sections. Maybe also see if 'radius' and 'radacct' are defined in /etc/services.
>
> Alan DeKok.
Re: FreeRADIUS 2 not listening on right port
Casartello, Thomas wrote: I tried hardcoding them in the listen section. Same result. Weird. My guess, then, is that it seems to be a problem with the specific GCC version on Fedora. Please try the attached patch. If it doesn't work, then the only way to fix it is for me to get an SSH login to a fedora machine. Oh, and 2.0.4. works on Ubuntu, Debian, *BSD, Solaris... Alan DeKok. Index: src/lib/packet.c === RCS file: /source/radiusd/src/lib/packet.c,v retrieving revision 1.20 diff -u -r1.20 packet.c --- src/lib/packet.c 1 Jan 2008 17:29:12 - 1.20 +++ src/lib/packet.c 15 May 2008 19:34:22 - @@ -175,6 +175,7 @@ int fr_socket(fr_ipaddr_t *ipaddr, int port) { int sockfd; + uint16_t sport; struct sockaddr_storage salocal; socklen_t salen; @@ -185,6 +186,7 @@ sockfd = socket(ipaddr-af, SOCK_DGRAM, 0); if (sockfd 0) { + librad_log(cannot open socket: %s, strerror(errno)); return sockfd; } @@ -194,10 +196,13 @@ */ if (udpfromto_init(sockfd) != 0) { close(sockfd); + librad_log(cannot initialize udpfromto: %s, strerror(errno)); return -1; } #endif + sport = port; + sport = htons(sport); memset(salocal, 0, sizeof(salocal)); if (ipaddr-af == AF_INET) { struct sockaddr_in *sa; @@ -205,7 +210,7 @@ sa = (struct sockaddr_in *) salocal; sa-sin_family = AF_INET; sa-sin_addr = ipaddr-ipaddr.ip4addr; - sa-sin_port = htons((uint16_t) port); + sa-sin_port = sport; salen = sizeof(*sa); #ifdef HAVE_STRUCT_SOCKADDR_IN6 @@ -215,7 +220,7 @@ sa = (struct sockaddr_in6 *) salocal; sa-sin6_family = AF_INET6; sa-sin6_addr = ipaddr-ipaddr.ip6addr; - sa-sin6_port = htons((uint16_t) port); + sa-sin6_port = sport; salen = sizeof(*sa); #if 1 @@ -242,6 +247,7 @@ if (bind(sockfd, (struct sockaddr *) salocal, salen) 0) { close(sockfd); + librad_log(cannot bind socket: %s, strerror(errno)); return -1; } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
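Review bot: in the udpfromto_init and bind failure paths the new librad_log() calls run after close(sockfd), so strerror(errno) can report the errno left by close() rather than the one from the call that actually failed; save it first, e.g. `int err = errno; close(sockfd); librad_log("cannot bind socket: %s", strerror(err));`. Note also that `sport = port; sport = htons(sport);` is equivalent to the `htons((uint16_t) port)` it replaces, so the port handling itself is unchanged by this patch; the added messages only fire when socket(), udpfromto_init() or bind() fail, and the reporter's bind evidently succeeds on an ephemeral port, so logging the `port` value on entry to fr_socket() (before the htons) would say more about where the zero or wrong port originates.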
Re: FreeRADIUS 2 not listening on right port
Hi,

> I tried hardcoding them in the listen section. Same result.

TBH, I've compiled release and CVS versions of freeradius 1.1.x and 2.0.x on centos, fedora core, RHEL3, ubuntu 7 and 8 and have never seen this issue before. you running SELinux or some sort of security tool?

alan
Re: FreeRADIUS 2 not listening on right port
Hi,

Casartello, Thomas wrote:
> I tried hardcoding them in the listen section. Same result.

64bit machine?

alan
Re: FreeRADIUS 2 not listening on right port
Hi,

Exact same problem here... Really thinking about reverting to v1.x

Casartello, Thomas wrote:
> I tried hardcoding them in the listen section. Same result.
Re: FreeRADIUS 2 not listening on right port
I'm running FC9, by the way... maybe that explains this sudden amount of same problems, since the FC9 release was on tuesday.

Casartello, Thomas wrote:
> I tried hardcoding them in the listen section. Same result.
RE: FreeRADIUS 2 not listening on right port
As am I.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Hoggins!
Sent: Thursday, May 15, 2008 4:05 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

> I'm running FC9, by the way... maybe that explains this sudden amount of same problems, since the FC9 release was on tuesday.
RE: FreeRADIUS 2 not listening on right port
No luck on that patch. I'll try to get you a login sometime over the next couple days.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, May 15, 2008 3:32 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

> Casartello, Thomas wrote:
> > I tried hardcoding them in the listen section. Same result.
>
> Weird. My guess, then, is that it seems to be a problem with the specific GCC version on Fedora. Please try the attached patch. If it doesn't work, then the only way to fix it is for me to get an SSH login to a fedora machine.
>
> Oh, and 2.0.4. works on Ubuntu, Debian, *BSD, Solaris...
>
> Alan DeKok.
Re: FreeRADIUS 2 not listening on right port
Hoggins! wrote:
> I'm running FC9, by the way... maybe that explains this sudden amount of same problems, since the FC9 release was on tuesday.

Maybe someone running FC9 could try debugging the problem. I haven't run a redhat-based system for *years*.

Since this works on every other system on the planet, it sounds *very* much like an issue in FC9.

Alan DeKok.
Re: FreeRADIUS 2 not listening on right port
Hi,

> I'm running FC9, by the way... maybe that explains this sudden amount of same problems, since the FC9 release was on tuesday.

yep. haven't tested FC9 - wonder what they've changed to make such a change in port behaviour..

alan
Re: FreeRADIUS 2 not listening on right port
Hi,

> Maybe someone running FC9 could try debugging the problem.

as, no doubt, one of my systems will be FC9 in a short while I could look at this - what exactly should I be looking for? i'll dig around for the new features and changes they've made.

alan
RE: FreeRADIUS 2 not listening on right port
Install the freeradius rpm or install from source. It basically binds to a random port no matter what you do in the config files. Freeradius 1.1.7 works fine in Fedora 9. I'm going to try using 2.0.4 on Fedora 8 box.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 15, 2008 5:00 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

> Hi,
>
> > Maybe someone running FC9 could try debugging the problem.
>
> as, no doubt, one of my systems will be FC9 in a short while I could look at this - what exactly should I be looking for? i'll dig around for the new features and changes they've made.
>
> alan
RE: FreeRADIUS 2 not listening on right port
Fedora 9 did do a pretty big gcc version jump. Fedora 8 used 4.1.2, while 9 uses 4.3.0. BTW I tested it in Fedora 8 and it worked fine, so it's definitely a 9 issue.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, May 15, 2008 4:22 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

> Hoggins! wrote:
> > I'm running FC9, by the way... maybe that explains this sudden amount of same problems, since the FC9 release was on tuesday.
>
> Maybe someone running FC9 could try debugging the problem. I haven't run a redhat-based system for *years*.
>
> Since this works on every other system on the planet, it sounds *very* much like an issue in FC9.
>
> Alan DeKok.
Cisco Mac-Auth-Bypass with Freeradius 2.0.4
Hey,

I just got this working on a test server finally using the users file and have a quick question. I was wondering is there a way where I don't have to type the last 3 lines of this every time in my users file? I was thinking of using some kind of setup with a separate file for each vlan containing only the first statement (with the mac address as the user/pass). Then $include each vlanfile in the users file with freeradius appending the correct tunnel statements depending on what vlanfile the mac address was in. Anyways I haven't quite wrapped my head around the syntax to do this or am sure this is the best way. If someone has any advice that would be great.

1234	Cleartext-Password := 1234
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = Students

By the way Freeradius rocks!

Thanks,
Austin
Re: Cisco Mac-Auth-Bypass with Freeradius 2.0.4
You can create groups for use in users file by using passwd module. Have a look at explanations in radiusd.conf and man pages. You could then assign tunnel attributes with DEFAULT entries in users file checking Group-Name.

Ivan Kalik
Kalik Informatika ISP

On 15/5/2008, MONTFORD, AUSTIN [EMAIL PROTECTED] wrote:
> I just got this working on a test server finally using the users file and have a quick question. I was wondering is there a way where I don't have to type the last 3 lines of this every time in my users file?
Re: EAP-TTLS + PAP with external script
> So why do you bother with radius and EAP for authentication when you are not going to use them? Use captive portal and run that php script from the login page. If you need accounting use radius for that.

I need to insert a wpa/wpa2 enterprise wlan, which does need eap and radius, side by side a preexisting unencrypted wlan which authenticates with a captive portal. That's why that php script. It's basically the same used by the captive portal to authenticate the unencrypted wlan users with the external server. Maybe i can port it in perl or even c/c++ to make it a real module and gain more control over its behaviour and better performance but for now is just something more than a proof of concept ;)

If all goes as it should i can even convince the external holder of the user database to setup a radius server where to proxy requests but this is a future project.

The accounting is not made with radius too since it needs to be hardware independent and unfortunately not all access points used support radius accounting even if they do support wpa/wpa2 enterprise.

I know, it's a weird configuration but i have to deal with it :(

Thanx
Dario Maccari
Re: EAP-TTLS + PAP with external script
> sigh That is NOT what you said before.

Sorry, probably a language barrier. I think my english is not good enough to really explain what i was trying to accomplish. Thanks for your patience.

> It should.

I'll try that solution then which will lead at, at least, less misunderstanding with pap client-side and pap server-side.

Thanks again for your help
Bye
Dario Maccari
Re: FreeRADIUS 2 not listening on right port
Shouldn't the maintainer of the specific FC9 freeradius package be aware of this critical issue? I guess a newer release is for very soon.

Casartello, Thomas wrote:

> Fedora 9 did do a pretty big gcc version jump. Fedora 8 used 4.1.2, while 9 uses 4.3.0. BTW I tested it in Fedora 8 and it worked fine, so it's definitely a 9 issue.
>
> Thomas E. Casartello, Jr.
> Infrastructure Technician
> Linux Specialist
> Department of Information Technology
> Westfield State College
> Wilson 105-A
> (413) 572-8245
> E-Mail: [EMAIL PROTECTED]
> Red Hat Certified Technician (RHCT)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Thursday, May 15, 2008 4:22 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS 2 not listening on right port
>
> Hoggins! wrote:
> > I'm running FC9, by the way... maybe that explains this sudden amount of same problems, since the FC9 release was on tuesday. Maybe someone running FC9 could try debugging the problem.
>
> I haven't run a redhat-based system for *years*. Since this works on every other system on the planet, it sounds *very* much like an issue in FC9.
>
> Alan DeKok.
RE: Cisco Mac-Auth-Bypass with Freeradius 2.0.4 [SEC=UNCLASSIFIED]
UNCLASSIFIED

From: [EMAIL PROTECTED] On Behalf Of MONTFORD, AUSTIN
Sent: Friday, 16 May 2008 07:31
To: freeradius-users@lists.freeradius.org
Subject: Cisco Mac-Auth-Bypass with Freeradius 2.0.4

> Hey, I just got this working on a test server finally using the users file and have a quick question. I was wondering is there a way where I don't have to type the last 3 lines of this every time in my users file? I was thinking of using some kind of setup with a separate file for each vlan containing only the first statement (with the mac address as the user/pass). Then $include each vlanfile in the users file with freeradius appending the correct tunnel statements depending on what vlanfile the mac address was in. Anyways I haven't quite wrapped my head around the syntax to do this or am sure this is the best way. If someone has any advice that would be great.
>
> 1234    Cleartext-Password := 1234
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = Students
>
> By the way Freeradius rocks!
>
> Thanks,
> Austin

There are a couple of ways to do this.

1. Use groups.
2. Use Fall-Through and group your users file.

Example:

# Set boilerplate text
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Fall-Through = True

# Staff systems
DEFAULT
        Tunnel-Private-Group-Id := Staff,
        Fall-Through = True
$INCLUDE staff.users

# Student systems
DEFAULT
        Tunnel-Private-Group-Id := Students,
        Fall-Through = True
$INCLUDE student.users
...
DEFAULT Auth-Type := reject

student.users would have lines like:

1234    Cleartext-Password := 1234
1235    Cleartext-Password := 1235

and could be generated by a script.

Regards,
Frank Ranner
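To check what the Fall-Through layout above actually hands back for a staff MAC, a student MAC and an unknown one, here is a small simulator of the users-file rules it relies on (first line = name plus check items, indented lines = reply items, `:=` overrides while `=` only adds when absent, and processing stops at the first match that does not set Fall-Through). This is an added example, not FreeRADIUS code: the contents of staff.users and student.users are constructed, and the rlm_pap step is reduced to a string compare against the Cleartext-Password control item.

```python
import re
# Constructed stand-ins for the two $INCLUDE files (not from the thread).
INCLUDES = {
    "staff.users": "00aabbccdd01\tCleartext-Password := 00aabbccdd01\n",
    "student.users": "1234\tCleartext-Password := 1234\n"
                     "1235\tCleartext-Password := 1235\n",
}

# The users file layout proposed in the reply above.
USERS = """\
# Set boilerplate text
DEFAULT
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tFall-Through = True
DEFAULT
\tTunnel-Private-Group-Id := Staff,
\tFall-Through = True
$INCLUDE staff.users
DEFAULT
\tTunnel-Private-Group-Id := Students,
\tFall-Through = True
$INCLUDE student.users
DEFAULT\tAuth-Type := reject
"""

PAIR = re.compile(r"([\w-]+)\s*(:=|==|=)\s*([^,]+)")

def parse_users(text, includes):
    """Entries as [name, check_items, reply_items]; items are (attr, op, value)."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()    # drop comments and blank lines
        if not body.strip():
            continue
        pairs = [(a, op, v.strip()) for a, op, v in PAIR.findall(body)]
        if body.startswith("$INCLUDE"):           # splice the included file in place
            entries += parse_users(includes[body.split()[1]], includes)
        elif body[0] in " \t":                    # indented continuation: reply items
            entries[-1][2] += pairs
        else:                                     # first line: name plus check items
            entries.append([body.split()[0], pairs, []])
    return entries

def authorize(entries, username, password):
    """Walk entries in order like rlm_files: apply every match, stop at the first without Fall-Through."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name not in ("DEFAULT", username):
            continue
        control.update({a: v for a, op, v in checks if op == ":="})  # := check items go to control
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("true", "yes", "1")
            elif op == ":=" or attr not in reply:  # ':=' overrides, '=' adds only if absent
                reply[attr] = value
        if not fall_through:
            break
    # Simplified rlm_pap step: Auth-Type := reject wins, else Cleartext-Password must match.
    if (control.get("Auth-Type", "").lower() == "reject"
            or control.get("Cleartext-Password") != password):
        return "Access-Reject", {}
    return "Access-Accept", reply
```

Note that the order matters: the Students DEFAULT overrides the Staff value for every request that gets past the staff entries, which is why a staff MAC must be matched (and stop) before it.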
RE: FreeRADIUS 2 not listening on right port
It's not just the Fedora package. Even if you compile the latest freeradius from source it still has the problem.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Hoggins!
Sent: Thursday, May 15, 2008 8:21 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

> Shouldn't the maintainer of the specific FC9 freeradius package be aware of this critical issue? I guess a newer release is for very soon.
>
> Casartello, Thomas wrote:
>
> > Fedora 9 did do a pretty big gcc version jump. Fedora 8 used 4.1.2, while 9 uses 4.3.0. BTW I tested it in Fedora 8 and it worked fine, so it's definitely a 9 issue.
> >
> > Thomas E. Casartello, Jr.
> > Infrastructure Technician
> > Linux Specialist
> > Department of Information Technology
> > Westfield State College
> > Wilson 105-A
> > (413) 572-8245
> > E-Mail: [EMAIL PROTECTED]
> > Red Hat Certified Technician (RHCT)
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
> > Sent: Thursday, May 15, 2008 4:22 PM
> > To: FreeRadius users mailing list
> > Subject: Re: FreeRADIUS 2 not listening on right port
> >
> > Hoggins! wrote:
> > > I'm running FC9, by the way... maybe that explains this sudden amount of same problems, since the FC9 release was on tuesday. Maybe someone running FC9 could try debugging the problem.
> >
> > I haven't run a redhat-based system for *years*. Since this works on every other system on the planet, it sounds *very* much like an issue in FC9.
> >
> > Alan DeKok.
Re: help need with mysql statement in freeradius
I am getting core dumped while running that script.

rlm_perl: perl_embed:: module = /usr/local/etc/raddb/mac_check.pl , func = authorize exit status= Undefined subroutine main::authorize called
Segmentation fault (core dumped)

## Script part
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
$username = $RAD_REQUEST{'User-Name'};
$callerid = $RAD_REQUEST{'Calling-Station-Id'};

Is this the right process of getting a value from the request? How can I bypass the perl functions for authorization, authentication and accounting so that only the MAC assignment process will be done by this script?

Thanks

On 5/15/2008, Ivan Kalik [EMAIL PROTECTED] wrote:

> PS. You should run your script in authorize.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 15/5/2008, Bishal [EMAIL PROTECTED] writes:
>
> > Hello Ivan, I came up with this script but it looks like it's not working.
> >
> > In radiusd.conf
> >
> > perl {
> >         module = /usr/local/etc/raddb/mac_check.pl
> > }
> >
> > instantiate {
> >         exec
> >         expr
> >         dailycounter
> >         noresetcounter
> >         perl
> > }
> >
> > radius debug shows perl module loaded. But my script is not working. How can I assign the variables username and callingStationid in my script during the authentication process? The rlm_perl doc shows %RAD_REQUEST{'User-name'} but it's not helping?
#!/usr/bin/perl
# Check whether MAC authentication is enabled for the user; if it is,
# record the calling MAC as a Calling-Station-Id check item in radcheck.
use strict; use warnings;
use DBI;
# Filled in by rlm_perl before each call
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
# Return codes, as defined in rlm_perl's example.pl
use constant RLM_MODULE_FAIL => 1;
use constant RLM_MODULE_OK   => 2;
use constant RLM_MODULE_NOOP => 7;

my $database = "radius";
my $user     = "freeradius";
my $password = "blaba2r";
my $host     = "localhost";
my $dsn      = "DBI:mysql:database=$database;host=$host";

# rlm_perl calls a sub named authorize for the authorize section; without
# it you get "Undefined subroutine main::authorize" and the crash above.
sub authorize {
    my $username = $RAD_REQUEST{'User-Name'};
    my $callerid = $RAD_REQUEST{'Calling-Station-Id'};
    my $dbh = DBI->connect($dsn, $user, $password, { PrintError => 1 })
        or return RLM_MODULE_FAIL;
    # Bind parameters (?) instead of interpolating request attributes into SQL
    my $sql = $dbh->prepare(
        "SELECT Usemac FROM radcheck WHERE UserName=? AND Attribute='Expiration'");
    my $sql3 = $dbh->prepare(
        "INSERT INTO radcheck (id,UserName,Attribute,op,Value) " .
        "VALUES('',?,'Calling-Station-Id','+=',?)");
    $sql->execute($username)
        or do { warn "Cannot execute SQL statement: $DBI::errstr\n"; return RLM_MODULE_FAIL };
    my ($mac) = $sql->fetchrow_array();   # Usemac flag for this user, if any
    $sql->finish;
    my $rc = RLM_MODULE_NOOP;             # MAC auth not enabled: leave the request untouched
    if (defined $mac && $mac == 1) {      # enabled: store the MAC
        $rc = $sql3->execute($username, $callerid) ? RLM_MODULE_OK : RLM_MODULE_FAIL;
        warn "Cannot execute SQL Statement: $DBI::errstr\n" if $rc == RLM_MODULE_FAIL;
    }
    $dbh->disconnect() or warn "Disconnection failed: $DBI::errstr\n";
    return $rc;   # never call exit here: it would terminate radiusd itself
}

On 5/14/2008, Bishal [EMAIL PROTECTED] wrote:

> Any sample scripts IVAN?
>
> On 5/14/2008, Ivan Kalik [EMAIL PROTECTED] wrote:
>
> > > I am using sql for AAA.
> >
> > I have news for you - you are not. You are using it to store attributes.
> >
> > > Can u give me some examples how can I do that with Rlm_perl modules?
> >
> > Do Google: mysql perl tutorial. If it's not MySQL, replace that with the name of your sql server.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
Another possibility to reconcile?
Hi,

I'm looking to implement the Simultaneous-Use value in radcheck (FR 2.0.3). I'm having the issue that, for whatever reason (I'd blame the network in a heartbeat, not FR at all), the accounting for a logged in user never gets from a NULL acctstoptime to one filled in. At the current time, radwho on the server shows approximately 22 active users. In reality I think it'd be more like 1/2 of that. A

SELECT count( * ) FROM radacct WHERE acctstoptime IS NULL ;

shows 91 records. Due to the version of the NAS we are running (DD-WRT with Chillispot), we can't get checkrad to help true up the information. Is there another way to help keep everything in sync, so we don't have users who pay for a single ID doing things like:

lobnic14 00-13-02-25-8C- shell S1 Thu 17:3 192.168.7 192.168.182.3
lobnic14 00-1B-77-11-F4- shell S2 Thu 22:1 192.168.7 192.168.182.4
damrap600-0E-35-C0-16- shell S1 Thu 22:1 192.168.5 192.168.182.5
damrap600-11-24-8F-27- shell S3 Thu 20:2 192.168.5 192.168.182.10
damrap600-1B-77-06-2F- shell S4 Thu 20:2 192.168.5 192.168.182.11

Thanks, Tuc
Re: EAP-TLS cert
Hi,

I've installed FreeRadius-2.0.4 and it runs fine. Here are a few things I had edited.

clients.conf
client 192.168.0.0/24 {
        secret = testing123-1
        shortname = private-network-1
}

eap {
        default_eap_type = tls
        tls {
                fragment_size = 1024
                include_length = yes
        }
}

users
MarsindNet      Cleartext-Password := hello
                Reply-Message = "Hello, %{User-Name}"

Now I want to test connecting with Windows XP but I could not find root.der or cert-clt.p12 like the previous version had. What files should I copy and install into Windows XP as client certificate?

Thanks in advance.

Alan DeKok [EMAIL PROTECTED] wrote:

> Kwok Sianbin wrote:
> > I am a newbie to linux and recently I try to implement wireless connection with EAP-TLS encryption. I am using Freeradius-1.1.7 installed into Red Hat Enterprise 4.
>
> You should really use 2.0.4.
>
> > Here I encounter problems that I can't solve alone, hence I need advice from the gurus on this forum. The problem is the client just can't get connected and keeps requesting.
> > ...
> > Sending Access-Challenge of id 15 to 192.168.0.206 port 1025
> > ...
> > Going to the next request
> > Waking up in 6 seconds...
>
> This is in the FAQ. It's also documented in the eap.conf file in 2.0.4.
>
> > Here I post the CA.certs execution result as I suspect that the errors might be due to a certificate error. When I run ./CA.certs I got a few errors.
>
> 2.0.4 also contains new scripts for certificate creation. They're MUCH better than what's in 1.1.7.
>
> Alan DeKok.
Re: help need with mysql statement in freeradius
debug output of the radius

Module: Instantiated detail (reply_log)
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.
rad_recv: Access-Request packet from host 202.xx.xx.xx:52743, id=81, length=151
        NAS-Identifier = pppoe-test.lumbininet.com.np
        NAS-Port = 12
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = 001a4daf4ead
        Called-Station-Id = WIFITEST
        User-Name = mobile
        CHAP-Password = 0x0102e814e5d756effb7319a534e354dcd2
        CHAP-Challenge = 0xbb1e687616119cbcd0156169c9b45cb65bd4ce0daf99b5788e
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/var/log/radacct/202.xx.xx.xx/auth-detail-20080516'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/202.xx.xx.xx/auth-detail-20080516
  modcall[authorize]: module auth_log returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
    rlm_realm: No '@' in User-Name = mobile, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  modcall[authorize]: module files returns notfound for request 0
radius_xlat: 'mobile'
rlm_sql (sql): sql_set_user escaped user --> 'mobile'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'mobile' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 28
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'mobile' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'mobile' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'mobile' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 28
  modcall[authorize]: module sql returns ok for request 0
rlm_checkval: Item Name: Calling-Station-Id, Value: 001a4daf4ead
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
  modcall[authorize]: module checkval returns notfound for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module dailycounter returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module monthlycounter returns noop for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}''
radius_xlat: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mobile''
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mobile'}'
radius_xlat: Running registered xlat function of module sql for string 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mobile''
rlm_sql (sql): - sql_xlat
radius_xlat: 'mobile'
rlm_sql (sql): sql_set_user escaped user --> 'mobile'
radius_xlat: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mobile''
rlm_sql (sql): Reserving sql socket id: 27
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 27
radius_xlat: '284499'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user mobile, check_item=42, counter=284499
rlm_sqlcounter: Sent Reply-Item for user mobile, Type=Session-Timeout, value=135501
  modcall[authorize]: module noresetcounter returns ok for request 0
Using perl at 0x82220c0
rlm_perl: Added pair Reply-Message = MAC Auth not Enabled
rlm_perl: Added pair Session-Timeout = 135501
rlm_perl: Added pair Filter-Id = 36/28
rlm_perl: Added pair mpd-limit = in#1=flt1 shape 256000 pass
rlm_perl: Added pair mpd-limit = in#2=all shape 48000
rlm_perl: Added pair mpd-limit = out#1=flt2 shape 512000 pass
rlm_perl: Added pair mpd-limit = out#2=all shape 48000
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Idle-Timeout = 200
rlm_perl: Added pair mpd-filter = 1#1=match dst 202.xx.xx.xx
rlm_perl: Added pair mpd-filter = 2#1=match src 202.xx.xx.xx
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Expiration = Jul 3 2008 00:00:00 NPT
rlm_perl: Added pair Max-All-Session = 42
rlm_perl: Added pair User-Password = computer
rlm_perl: Added pair Simultaneous-Use = 2
rlm_perl: Added pair Auth-Type = CHAP
  modcall[authorize]: module perl
Re: FreeRADIUS 2 not listening on right port
I did a little looking into this this evening. This assessment looks to be correct as it looks to be related to compiler optimizations. With the optimizations disabled in Make.inc, FreeRADIUS will start up on the correct port. For the fr_socket function, gcc appears to be optimizing the arguments by sending them through the registers instead of the stack frame, but the port argument is being clobbered (optimized out) before the htons(port) call. Specifically, according to a step-through with GDB, after the first function call in fr_socket (which is to socket()), the port variable is gone (optimized out).

--Mike

On May 15, 2008, at 4:30 PM, Casartello, Thomas wrote:

> Fedora 9 did do a pretty big gcc version jump. Fedora 8 used 4.1.2, while 9 uses 4.3.0. BTW I tested it in Fedora 8 and it worked fine, so it's definitely a 9 issue.
>
> Thomas E. Casartello, Jr.
> Infrastructure Technician
> Linux Specialist
> Department of Information Technology
> Westfield State College
> Wilson 105-A
> (413) 572-8245
> E-Mail: [EMAIL PROTECTED]
> Red Hat Certified Technician (RHCT)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Thursday, May 15, 2008 4:22 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS 2 not listening on right port
>
> Hoggins! wrote:
> > I'm running FC9, by the way... maybe that explains this sudden amount of same problems, since the FC9 release was on tuesday. Maybe someone running FC9 could try debugging the problem.
>
> I haven't run a redhat-based system for *years*. Since this works on every other system on the planet, it sounds *very* much like an issue in FC9.
>
> Alan DeKok.
Re: FreeRADIUS 2 not listening on right port
Michael Griego wrote:
> I did a little looking into this this evening. This assessment looks to be correct as it looks to be related to compiler optimizations. With the optimizations disabled in Make.inc, FreeRADIUS will start up on the correct port. For the fr_socket function, gcc appears to be optimizing the arguments by sending them through the registers instead of the stack frame, but the port argument is being clobbered (optimized out) before the htons(port) call. Specifically, according to a step-through with GDB, after the first function call in fr_socket (which is to socket()), the port variable is gone (optimized out).

sigh

I've started testing the server with other compilers. GCC is getting too ugly for my liking.

I'll put a note on the main web page: DON'T USE -O2 ON FEDORA!

Alan DeKok.