Authentication via ntlm_auth with check the user group
Hi

I try to configure authentication via ntlm_auth to check the user group.
All authentication attempts are rejected.
The same configuration without checking groups is working correctly.

policy.conf:

extract_ssid {
        if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {
                update request {
                        Called-Station-SSID := %{7}
                }
                if (Called-Station-SSID == localnet1) {
                        update request {
                                AD-Group := WiFisec
                        }
                }
                else {
                        update request {
                                AD-Group := WiFi-public
                        }
                }
        }
        else {
                noop
        }
}

modules/mschap:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=POMORSU+%{AD-Group}

sites-enabled/default:

authorize {
        preprocess
        extract_ssid

freeradius 2.1.10+dfsg-2
debian squeeze

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication via ntlm_auth with check the user group
On Wed, Dec 7, 2011 at 4:11 PM, Сергей Усов us...@pomorsu.ru wrote:
> Hi I try to configure authentication via ntlm_auth to check the user group.
> All authentication attempts are rejected

What does the debug log say when the authentications are rejected?

--
Fajar
Re: Authentication via ntlm_auth with check the user group
Thanks for your reply

radiusd: Loading Virtual Servers
server { # from file /etc/freeradius/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating module mschap from file /etc/freeradius/modules/mschap
  mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=POMORSU+%{AD-Group}
  }
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=0, length=210
        Message-Authenticator = 0x76f5e1499b3c78689adf8fb623dc7c4e
        Service-Type = Framed-User
        User-Name = POMORSU\\rahs
        Framed-MTU = 1488
        Called-Station-Id = 04-11-9A-D1-44-39:localnet1
        Calling-Station-Id = 00-1F-3C-3D-DF-8C
        NAS-Identifier = D-Link Access Point
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x021201504f4d4f5253555c75736f7773
        NAS-IP-Address = 192.168.213.210
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) - TRUE
+++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) - TRUE
+++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...}
expand: %{7} - localnet1
[request] returns ok
? if (Called-Station-SSID == localnet1)
? Evaluating (Called-Station-SSID == localnet1) - TRUE
? if (Called-Station-SSID == localnet1) - TRUE
- entering if (Called-Station-SSID == localnet1) {...}
+[request] returns ok
- if (Called-Station-SSID == localnet1) returns ok
... skipping else for request 0: Preceding if was taken
+++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok
+++ ... skipping else for request 0: Preceding if was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = POMORSU\rahs, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.213.210 port 1067
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x
        State = 0x140c0338140d1ab54c20eb7bf1588770
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=1, length=315
        Message-Authenticator = 0x52b3370475dcad2571d8a4ef20d46246
        Service-Type = Framed-User
        User-Name = POMORSU\\rahs
        Framed-MTU = 1488
        State = 0x140c0338140d1ab54c20eb7bf1588770
        Called-Station-Id = 04-11-9A-D1-44-39:localnet1
        Calling-Station-Id = 00-1F-3C-3D-DF-8C
        NAS-Identifier = D-Link Access Point
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x020100691980005f160301005a015603014ede257a500dcb4913694c60469b783a7bdaa0d482ac13baa056619eb2d75c3718002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100
        NAS-IP-Address = 192.168.213.210
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) - TRUE
+++? if
Re: Authentication via ntlm_auth with check the user group
You need to update the AD-Group in the inner-tunnel virtual server, not in the default one.

Alan DeKok.
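Added example (not part of the original thread and not FreeRADIUS code): a small Python model of the posted extract_ssid policy and of the --require-membership-of expansion, for checking which AD group each Called-Station-Id ends up requiring. It assumes that an attribute missing from a request expands to an empty string and that the inner-tunnel request does not inherit attributes set in the default server; the function names and sample requests are constructed for illustration.

```python
import re

# Pattern copied from the extract_ssid policy posted in this thread; the
# trailing /i becomes re.IGNORECASE. There is no "$", so anything after the
# first character outside [-a-z0-9_.] is ignored rather than rejected.
CALLED_STATION_ID = re.compile(
    r"^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?",
    re.IGNORECASE,
)

DOMAIN = "POMORSU"          # from the posted ntlm_auth line
SECURE_SSID = "localnet1"   # from the posted policy
SECURE_GROUP = "WiFisec"
DEFAULT_GROUP = "WiFi-public"


def extract_ssid_policy(request):
    """Model of the posted policy: return a copy of `request` with
    Called-Station-SSID and AD-Group set, or an unchanged copy (noop) when
    Called-Station-Id is absent or does not match."""
    result = dict(request)
    match = CALLED_STATION_ID.match(request.get("Called-Station-Id", ""))
    if match is None:
        return result                       # the policy's "else { noop }"
    ssid = match.group(7) or ""
    result["Called-Station-SSID"] = ssid
    # "==" in the policy is an exact, case-sensitive comparison.
    result["AD-Group"] = SECURE_GROUP if ssid == SECURE_SSID else DEFAULT_GROUP
    return result


def membership_argument(request):
    """Expand --require-membership-of=POMORSU+%{AD-Group} against ONE
    request's attributes. Assumption of this model: an attribute that is
    not present in that request expands to an empty string."""
    return "--require-membership-of=%s+%s" % (DOMAIN, request.get("AD-Group", ""))


def group_required(called_station_id):
    """Policy-test helper: Called-Station-Id -> AD-Group (None if unset)."""
    return extract_ssid_policy({"Called-Station-Id": called_station_id}).get("AD-Group")


# Constructed sample requests (values modelled on the debug output above).
OUTER_REQUEST = {"User-Name": "POMORSU\\rahs",
                 "Called-Station-Id": "04-11-9A-D1-44-39:localnet1"}
# Assumption: the tunnelled request seen by mschap has its own attribute list
# and does not inherit what the default server added to the outer request.
INNER_REQUEST = {"User-Name": "POMORSU\\rahs"}


if __name__ == "__main__":
    print("outer:", membership_argument(extract_ssid_policy(OUTER_REQUEST)))
    print("inner:", membership_argument(extract_ssid_policy(INNER_REQUEST)))
    for csid in ("04-11-9A-D1-44-39:localnet1",
                 "04-11-9A-D1-44-39:LocalNet1",    # regex matches, "==" does not
                 "04-11-9A-D1-44-39",              # no SSID suffix
                 "04-11-9A-D1-44-39:localnet1 x",  # tail after the SSID is dropped
                 "unknown"):                       # no match, AD-Group stays unset
        print("%-34r -> %s" % (csid, group_required(csid)))
```

In this model the group requirement is only as strict as the request it is expanded against: a request without AD-Group yields "POMORSU+" with no group name, and every SSID other than the exact string localnet1 falls through to WiFi-public.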
Re[6]: freeradius2 installation error
Dear All,

i installed FR v 2.1.2 and mysql 5.1.55. user database is in mysql DB.

1. I was lucky to auth Wifi users via cisco AP (NAS type cisco). but Simultaneous-Use is not working.
2. my wimax users (vendor Alvarion) cannot authenticate. Although, i can authenticate them from users file.

what can be a problem?

thanks.

On 06 December 2011, 20:12, Fajar A. Nugraha-2 [via FreeRadius] ml-node+s1045715n5052587...@n5.nabble.com wrote:
> On Tue, Dec 6, 2011 at 10:51 PM, [hidden email] [hidden email] wrote:
> > Dear Fajar,
> > i failed to integrate FR + mysql, i was informed that my FR is without mysql module.
>
> then why didn't you ask that in the first place? It'd save lots of time.
>
> > i am in process of building from the source. so, after:
> > 1. i build mysql-server
>
> Not necessarily. Binary tar/package from http://dev.mysql.com/downloads/mysql should also work. Personally, I'd avoid having to build mysql from source. It takes a VERY long time.
>
> Also, you don't really need the server. FR only needs the client part (with corresponding headers/libs).
>
> Anyway, whatever method you use (build from ports, compile manually, installing binary package, whatever) you need to make sure that mysql headers and libraries are available. One way (though not the ONLY way) to verify this is by running mysql_config, then look at include and libs output, then see if the files are there. For example, on my Ubuntu box:
>
> #=
> $ mysql_config
> Usage: /usr/bin/mysql_config [OPTIONS]
> Options:
>         --cflags         [-I/usr/include/mysql -fno-omit-frame-pointer -g -pipe -Wno-uninitialized -DUNIV_LINUX]
>         --include        [-I/usr/include/mysql]
>         --libs           [-Wl,-Bsymbolic-functions -rdynamic -L/usr/lib/mysql -lmysqlclient -L/usr/lib/ -lssl -lcrypto]
>         --libs_r         [-Wl,-Bsymbolic-functions -rdynamic -L/usr/lib/mysql -lmysqlclient_r -L/usr/lib/ -lssl -lcrypto]
>         --plugindir      [/usr/lib/mysql/plugin]
>         --socket         [/var/run/mysqld/mysqld.sock]
>         --port           [0]
>         --version        [5.3.2-MariaDB-beta]
>         --libmysqld-libs [-Wl,-Bsymbolic-functions -rdynamic -L/usr/lib/mysql -lmysqld -ldl -lwrap -lrt -L/usr/lib/ -lssl -lcrypto]
>
> $ ls /usr/include/mysql/
> client_plugin.h my_alloc.h my_getopt.h mysqld_ername.h my_valgrind.h services.h typelib.h
> decimal.h my_attribute.h my_global.h mysqld_error.h my_xml.h service_thd_alloc.h
> errmsg.h my_compiler.h my_list.h mysql_embed.h plugin_auth_common.h sql_common.h
> keycache.h my_config.h my_net.h mysql.h plugin_auth.h sql_state.h
> ma_dyncol.h my_dbug.h my_no_pthread.h mysql_time.h plugin.h sslopt-case.h
> m_ctype.h my_decimal_limits.h my_pthread.h mysql_version.h service_my_snprintf.h sslopt-longopts.h
> m_string.h my_dir.h mysql_com.h my_sys.h service_progress_report.h sslopt-vars.h
>
> $ ls /usr/lib/*mysqlclient*
> /usr/lib/libmysqlclient.a /usr/lib/libmysqlclient_r.so /usr/lib/libmysqlclient_r.so.16.0.0 /usr/lib/libmysqlclient.so.16
> /usr/lib/libmysqlclient.la /usr/lib/libmysqlclient_r.so.15 /usr/lib/libmysqlclient.so /usr/lib/libmysqlclient.so.16.0.0
> /usr/lib/libmysqlclient_r.a /usr/lib/libmysqlclient_r.so.15.0.0 /usr/lib/libmysqlclient.so.15
> /usr/lib/libmysqlclient_r.la /usr/lib/libmysqlclient_r.so.16 /usr/lib/libmysqlclient.so.15.0.0
> #=
>
> > 2. install mysql driver for Rf correct?
>
> Just build freeradius following the simple instruction in the wiki. IF mysql headers and drivers are there, AND you have a working mysql_config somewhere (/usr/bin/, /usr/local/bin, whatever) then mysql support should be built in by default.
>
> However, IF the headers/libs are NOT in the default places, you might have to specify some parameters to configure:
>
>   --with-mysql-include-dir=DIR  Directory where the mysql includes may be found
>   --with-mysql-lib-dir=DIR      Directory where the mysql libraries may be found
>   --with-mysql-dir=DIR          Base directory where mysql is installed
>
> In any case, make sure you READ the output from ./configure. Hint: it's easier to do so if you redirect the output to a file, something like
>
>   ./configure | tee configure-output.txt
>
> The output should show whether the configure script was able to find mysql headers/libs or not.
>
> --
> Fajar
Re: Authentication via ntlm_auth with check the user group
I have changed inner_tunnel, but unsuccessfully

server inner-tunnel {
        authorize {
                preprocess
                extract_ssid
                mschap
                suffix
                update control {
                        Proxy-To-Realm := LOCAL
                }
                eap {
                        ok = return
                }
                expiration
                logintime
                pap
        }
        authenticate {
                Auth-Type MS-CHAP {
                        mschap
                }
                eap
        }
        session {
                radutmp
        }
        post-auth {
        }
        pre-proxy {
        }
        post-proxy {
                eap
        }
}

07.12.2011 15:36, Alan DeKok wrote:
> You need to update the AD-Group in the inner-tunnel virtual server, not in the default one.
>
> Alan DeKok.
Re: Linksys WIFI Authentication using freeradius?
On Wednesday 07 December 2011 01:26:08 Fajar A. Nugraha wrote:
> On Wed, Dec 7, 2011 at 1:15 PM, mic...@casa.co.cu wrote:
> > google search and it turns out all the variations I have encountered are implementing freeradius with PEAP TLS and mysql which should generate certificates and then configure the client and in turn install these certificates to the exchange between the server and client.
> > I was wondering, there is some other simpler way that does not imply that this set up or install certificates on the client side?
>
> PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC, etc. On these setup there's only one certificate: the server. Depending on your OS/supplicant, the client can be set up to ignore the certificate validation, or to have a pop up asking whether they trust the server certificate.
>
> Note that the CLIENT choose which authentication method to use. Setup on NAS (i.e. access point) side is the same.
>
> > Well, I have several clients with different operating systems: Windows, Linux, Apple. Something as simple as putting the username and password.
>
> Once you get past certificate trust issue, it's a matter of putting username and password.

Hi Fajar

Thanks for reply me. If PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC works with one certificate on the side of the server, of the three methods what you recommend me to use in the server?

Did you have a manual, doc, i can use to setting up the authentication with freeradius with PEAP-TTLS or PEAP-MSCHAPv2 or PEAP-GTC and mysql?

Michel
authentetication with mysql and NAS type= other
Dear All,

i installed FR v 2.1.2 and mysql 5.1.55. user database is in mysql DB.

1. I was lucky to auth Wifi users via cisco AP (NAS type cisco). but Simultaneous-Use is not working.
2. my wimax users (vendor Alvarion) cannot authenticate. Although, i can authenticate them from users file.

what can be a problem?

thanks.
Re: FreeRadius, Active Directory, LDAP Authorization
Hi,

After configuration and running the FreeRadius in debug mode, I see that binding with LDAP server is successful as :

*[ldap] Bind was successful*

Then it does searching of user with filter and gives the error as :

*[ldap] ldap_search() failed: Operations error after*
*[ldap] search failed*

Is there anything I am missing due to which I am getting this error? Is this related to any configuration that needs to be done in LDAP server side or any change I need to do in /usr/local/etc/raddb/dictionary and /usr/local/etc/raddb/ldap.attrmap.

I am doing Authentication using ntlm_auth as suggested by deployingradius.com, which is successful. Now, I am doing Authorization using LDAP.

Thanks
Re: FreeRadius, Active Directory, LDAP Authorization
On 07/12/11 14:22, suggestme wrote:
> Hi,
>
> After configuration and running the FreeRadius in debug mode, I see that binding with LDAP server is successful as :
>
> *[ldap] Bind was successful*
>
> Then it does searching of user with filter and gives the error as :
>
> *[ldap] ldap_search() failed: Operations error after*
> *[ldap] search failed*

This is an LDAP error - check the LDAP filter syntax and search base.

Or post the radiusd -X output, as requested a million times a day (or so it sometimes seems) on this list.
Re: Authentication via ntlm_auth with check the user group
Сергей Усов wrote:
> I have changed inner_tunnel, but unsuccessfully

You didn't do what I said, so I'm not surprised it didn't work.

Alan DeKok.
Re: authentetication with mysql and NAS type= other
tolik_shavlov...@mail.ru wrote:
> 1. I was lucky to auth Wifi users via cisco AP (NAS type cisco). but Simultaneous-Use is not working.

See the FAQ for "it doesn't work"

> 2. my wimax users (vendor Alvarion) cannot authenticate. Although, i can authenticate them from users file.

Without the debug log, it's impossible to know.

> what can be a problem?

You didn't follow the existing documentation.

Alan DeKok.
Re: FreeRadius, Active Directory, LDAP Authorization
suggestme wrote:
> Hi,
>
> After configuration and running the FreeRadius in debug mode, I see that binding with LDAP server is successful as :
>
> *[ldap] Bind was successful*
>
> Then it does searching of user with filter and gives the error as :
>
> *[ldap] ldap_search() failed: Operations error

Upgrade to 2.1.12, and read raddb/modules/ldap. Look for operations error.

Alan DeKok.
Re: Linking Shared/Static library in Freeradius Module
I am trying to use src/modules/rlm_example/Makefile using configure files. In this makefile stated :

# The RLM_LIBS definition should list ALL required libraries.
# These libraries really should be pulled from the 'config.mak'
# definitions, if at all possible. These definitions are also
# echoed into another file in ../lib, where they're picked up by
# ../main/Makefile for building the version of the server with
# statically linked modules. Get it from autoconf.
#

Which file mentioned with These definitions are also # echoed into another file in ../lib, ?

I could not find this file. As far as i understand, i have to add shared/static libraries ( which i link from my new module ) into this file . So freeradius can find them.

I consider this because i get the error :

/libexec/ld-elf.so.1: /usr/local/lib/freeradius-2.1.10/rlm_itap-2.1.10.so: Undefined symbol sendiccmsg

when i run radiusserver and send an authorization message to server.

On 12/06/2011 06:00 PM, Alan DeKok wrote:
> Mustafa Reşit Şahin wrote:
> > I have followed the steps here : http://wiki.freeradius.org/Modules2#Testing
>
> Well, it's wrong. I'm not sure it was ever correct. I've deleted that example from the Wiki.
>
> Look at src/modules/rlm_example/Makefile. It works, and is correct. Edit it to build your module. It's a *lot* simpler.
>
> Alan DeKok.

--
Mustafa Reşit Şahin
Endersys
Work Tel: 0216 470 94 23 Ext: 306
Mobile: 0507 707 68 12
Re: Linking Shared/Static library in Freeradius Module
Mustafa Reşit Şahin wrote:
> Which file mentioned with These definitions are also # echoed into another file in ../lib, ?

Files automatically produced by the builds.

> I could not find this file. As far as i understand, i have to add shared/static libraries ( which i link from my new module ) into this file . So freeradius can find them.

No. You just add them in the RLM_LIBS line.

> I consider this because i get the error : /libexec/ld-elf.so.1: /usr/local/lib/freeradius-2.1.10/rlm_itap-2.1.10.so: Undefined symbol sendiccmsg when i run radiusserver and send an authorization message to server.

You probably need to re-build radiusd, too.

Or... *show* what you did. This isn't hard. The current build process *can* link to static libraries, and *does* link to static libraries, and *works* when modules are linked to static libraries.

If you follow the examples, it *should* work.

Alan DeKok.
Re[2]: authentetication with mysql and NAS type= other
here is debug:

ad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, length=135
        User-Name = KeepAliveUserNameAndPassword
        NAS-IP-Address = 10.152.98.23
        NAS-Port-Type = Wireless-802.16
        NAS-Port = 0
        Calling-Station-Id = \000\000\000\000\000
        NAS-Identifier = 1137128000
        WiMAX-GMT-Timezone-offset = 0
        Acct-Status-Type = Stop
        Acct-Session-Id = KeepAliveSessionId
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 16:59:07 2011
++[detail] returns ok
++[unix] returns fail
Finished request 98.
Cleaning up request 98 ID 10 with timestamp +570
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, length=135
        User-Name = KeepAliveUserNameAndPassword
        NAS-IP-Address = 10.152.98.23
        NAS-Port-Type = Wireless-802.16
        NAS-Port = 0
        Calling-Station-Id = \000\000\000\000\000
        NAS-Identifier = 1137128000
        WiMAX-GMT-Timezone-offset = 0
        Acct-Status-Type = Stop
        Acct-Session-Id = KeepAliveSessionId
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 16:59:12 2011
++[detail] returns ok
++[unix] returns fail
Finished request 99.
Cleaning up request 99 ID 10 with timestamp +575
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=11, length=135
        User-Name = KeepAliveUserNameAndPassword
        NAS-IP-Address = 10.152.98.23
        NAS-Port-Type = Wireless-802.16
        NAS-Port = 0
        Calling-Station-Id = \000\000\000\000\000
        NAS-Identifier = 1137128000
        WiMAX-GMT-Timezone-offset = 0
        Acct-Status-Type = Stop
        Acct-Session-Id = KeepAliveSessionId
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 17:00:17 2011
++[detail] returns ok
++[unix] returns fail
Finished request 100.
Cleaning up request 100 ID 11 with timestamp +640
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=11, length=135
        User-Name = KeepAliveUserNameAndPassword
        NAS-IP-Address = 10.152.98.23
        NAS-Port-Type = Wireless-802.16
        NAS-Port = 0
        Calling-Station-Id = \000\000\000\000\000
        NAS-Identifier = 1137128000
        WiMAX-GMT-Timezone-offset = 0
        Acct-Status-Type = Stop
        Acct-Session-Id = KeepAliveSessionId
# Executing section preacct from file
RE: Re[2]: authentetication with mysql and NAS type= other
The only requests I see are User-Name = KeepAliveUserNameAndPassword

This is just a keep-alive packet all Alvarion Extreme base stations send out. I do not see the CPE attempting to authenticate.

David
Re[4]: authentetication with mysql and NAS type= other
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 17:57:06 2011
++[detail] returns ok
++[unix] returns fail
Finished request 247.
Cleaning up request 247 ID 56 with timestamp +1802
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, length=181
        User-Name = KeepAliveUserNameAndPassword
        NAS-IP-Address = 10.152.98.23
        NAS-Port-Type = Wireless-802.16
        NAS-Port = 0
        Calling-Station-Id = \000\000\000\000\000
        NAS-Identifier = 1137128000
        WiMAX-GMT-Timezone-offset = 0
        Message-Authenticator = 0x892bc16577cd6753b2a7e0c0a3499523
        Acct-Session-Id = KeepAliveSessionId
        User-Password = KeepAliveUserNameAndPassword
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} - KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user -- 'KeepAliveUserNameAndPassword'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User KeepAliveUserNameAndPassword not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [KeepAliveUserNameAndPassword/KeepAliveUserNameAndPassword] (from client 10.152.98.23/16 port 0 cli )=== login and password are correct!

how did you know that it's extreme by NAS identifier?

On 07 December 2011, 19:16, David Peterson-19 [via FreeRadius] ml-node+s1045715n5055966...@n5.nabble.com wrote:
> The only requests I see are User-Name = KeepAliveUserNameAndPassword
>
> This is just a keep-alive packet all Alvarion Extreme base stations send out. I do not see the CPE attempting to authenticate.
>
> David
Re: Re[4]: authentetication with mysql and NAS type= other
On Wed, Dec 7, 2011 at 11:02 PM, tolik_shavlov...@mail.ru tolik_shavlov...@mail.ru wrote:

> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id
> SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority

What do you get when you execute those two queries in mysql directly?

> [sql] User KeepAliveUserNameAndPassword not found

the sql module says the user is not found. It doesn't lie.

> === login and password are correct!

And how did you know that? Did you set up the tables correctly? Hint: execute those two queries above.

--
Fajar
RE: Re[4]: authentetication with mysql and NAS type= other
I know it’s Extreme because we sell Alvarion WiMax for all of North America :)

Keepaliveusernameandpassword is a generic request coming from the BTS which can either be accepted or denied. Either response is fine.

The Extreme uses EAP-TTLS as does all WiMax so the username should be something like da...@wimax.com

David

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of tolik_shavlov...@mail.ru
Sent: Wednesday, December 07, 2011 11:03 AM
To: freeradius-users@lists.freeradius.org
Subject: Re[4]: authentetication with mysql and NAS type= other

[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 17:57:06 2011
++[detail] returns ok
++[unix] returns fail
Finished request 247.
Cleaning up request 247 ID 56 with timestamp +1802
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, length=181
    User-Name = KeepAliveUserNameAndPassword
    NAS-IP-Address = 10.152.98.23
    NAS-Port-Type = Wireless-802.16
    NAS-Port = 0
    Calling-Station-Id = \000\000\000\000\000
    NAS-Identifier = 1137128000
    WiMAX-GMT-Timezone-offset = 0
    Message-Authenticator = 0x892bc16577cd6753b2a7e0c0a3499523
    Acct-Session-Id = KeepAliveSessionId
    User-Password = KeepAliveUserNameAndPassword
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} - KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user -- 'KeepAliveUserNameAndPassword'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User KeepAliveUserNameAndPassword not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [KeepAliveUserNameAndPassword/KeepAliveUserNameAndPassword] (from client 10.152.98.23/16 port 0 cli )

=== login and password are correct!

How did you know that it's Extreme by NAS identifier?

07 December 2011, 19:16, from David Peterson-19 [via FreeRadius] [hidden email]:

> The only requests I see are User-Name = KeepAliveUserNameAndPassword
> This is just a keep-alive packet all Alvarion Extreme base stations send out. I do not see the CPE attempting to authenticate.
>
> David
>
> From: freeradius-users-bounces+david.peterson=[hidden email] [mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of [hidden email]
> Sent: Wednesday, December 07, 2011 10:05 AM
> To: [hidden email]
> Subject: Re[2]: authentetication with mysql and NAS type= other
>
> here is debug:
>
> ad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, length=135
>     User-Name = KeepAliveUserNameAndPassword
>     NAS-IP-Address = 10.152.98.23
>     NAS-Port-Type = Wireless-802.16
>     NAS-Port = 0
>     Calling-Station-Id = \000\000\000\000\000
>     NAS-Identifier = 1137128000
>     WiMAX-GMT-Timezone-offset = 0
>     Acct-Status-Type = Stop
>     Acct-Session-Id = KeepAliveSessionId
> # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group preacct {...}
> ++[preprocess] returns
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
Angelica Delgado-2 wrote:
> Freeradius, it gives NT_STATUS_WRONG_PASSWORD.

I am having a similar issue to this. I have LDAP authentication working. However, my wireless controller, Nortel/Avaya 2382, will not work. Radius ping from the localhost and a server works fine.

Radius log when I ran a ping from a server configured as a client in client.conf:

[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=user
[ntlm_auth] expand: --password=%{User-Password} - --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)

Radius log when I ran a ping from the wireless controller, which is also a client in the clients.conf:

[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=user
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)

Eventually, it locks the account in active directory:

[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=user
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_ACCOUNT_LOCKED_OUT: Account locked out (0xc234)
Exec-Program-Wait: plaintext: NT_STATUS_ACCOUNT_LOCKED_OUT: Account locked out (0xc234)

I am not sure why the wireless controller will not send the password, or why FreeRADIUS is not seeing the password. Any help is very appreciated.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Getting-NT-STATUS-WRONG-PASSWORD-Wrong-Password-0xc06a-when-using-ntlm-auth-tp5040204p5056561.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re[2]: run radius in debug mode with screen
Hi, Alan

Sorry, but I can not to not run because of:
1. FreeRadius stop working in not debug mode once or more time for a day
2. In debug mode it may work about week without problem
3. In debug mode I can run it only from console or in 'screen'
4. I run it on screen when it fails with help of monitord daemon like '/usr/local/bin/screen -d -m /usr/bin/nice -n -20 /r/radiusd debug'
5. Now with FreeRADIUS Version 2.1.10 because of it is detached from console is hard to fastrun to server and go to console and start radiusd by hand unlike 2.1.3

BUG: you must not detach from console when 'radiusd -X' actually it is /usr/local/etc/rc.d/radiusd debug

AB> well just don't run it like that - run the daemon directly...eg
AB> radiusd -X
AB> and if you want to trap the output, just pipe it through eg 'tee', or use
AB> screen to capture the session

--
Best regards,
Коньков mailto:kes-...@yandex.ru
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
Hi,

> I am having a similar issue to this. I have LDAP authentication working. However, my wireless controller, Nortel/Avaya 2382, will not work.

and what type of request is coming through? If it's not a PAP type of request - as per from your server test, then you won't have %{User-Password} - check the mschap module to see the challenge response example

and 'radiusd -X' for help does help... this little 4 line of output really says nothing

alan
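Added example, not part of the thread: the excerpts quoted earlier differ only in what `%{User-Password}` expanded to, so a small parser can separate an `ntlm_auth` run that was handed no password (the request was not PAP) from a genuine wrong password, and show how the former leads to the Active Directory lockout. The sample log is constructed from the lines quoted in this thread; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the excerpts quoted in this thread.
SAMPLE_LOG = """\
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=user
[ntlm_auth] expand: --password=%{User-Password} - --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=user
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=user
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=user
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=user
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_ACCOUNT_LOCKED_OUT: Account locked out (0xc234)
"""

# The archive shows the expansion separator as "-"; "->" is accepted as well.
EXPAND_RE = re.compile(
    r"^\[ntlm_auth\]\s+expand: --(username|password)=\S+ ->? --\1=(.*)$")
STATUS_RE = re.compile(r"^Exec-Program output: (NT_STATUS_\w+)")


def attempts(log):
    """Yield (user, password_was_empty, status) for each ntlm_auth run.

    Only the fact that the password expansion was empty is recorded;
    the password text itself is never kept.
    """
    user, empty = None, None
    for raw in log.splitlines():
        line = raw.strip()
        m = EXPAND_RE.match(line)
        if m:
            if m.group(1) == "username":
                user, empty = m.group(2), None
            else:
                empty = (m.group(2) == "")
            continue
        m = STATUS_RE.match(line)
        if m and user is not None:
            yield user, empty, m.group(1)
            user, empty = None, None


def summarise(log):
    """Per-user counters that keep empty-password runs apart from other failures."""
    report = defaultdict(lambda: {"ok": 0, "empty_password_failures": 0,
                                  "other_failures": 0, "locked_out": False})
    for user, empty, status in attempts(log):
        entry = report[user]
        if status == "NT_STATUS_OK":
            entry["ok"] += 1
        elif status == "NT_STATUS_ACCOUNT_LOCKED_OUT":
            entry["locked_out"] = True
        elif empty:
            entry["empty_password_failures"] += 1
        else:
            entry["other_failures"] += 1
    return dict(report)


def findings(log):
    """Human-readable findings for the misrouted-request pattern."""
    out = []
    for user, entry in sorted(summarise(log).items()):
        n = entry["empty_password_failures"]
        if n:
            out.append(f"{user}: {n} ntlm_auth run(s) with an empty --password=; "
                       "the request carried no User-Password (not PAP)")
        if entry["locked_out"]:
            out.append(f"{user}: account is locked out in the directory")
    return out


if __name__ == "__main__":
    for message in findings(SAMPLE_LOG):
        print(message)
```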
Re: FreeRadius, Active Directory, LDAP Authorization
Thank you all for the suggestions. I have already installed FreeRadius 2.1.12 which I am running, and I have got ldap in file /usr/local/etc/raddb/modules/ldap; I have gone through it and I am still not sure where the problem lies. I have here included below the part of debug mode output that I have got running radiusd -X. I have illustrated the output part after Linked to module rlm_ldap

Module: Linked to module rlm_ldap
Module: Instantiating module ldap from file /usr/local/etc/raddb/modules/ldap
ldap {
    server = Example.com
    port = 389
    password =
    identity =
    net_timeout = 1
    timeout = 4
    timelimit = 3
    tls_mode = no
    start_tls = no
    tls_require_cert = allow
    tls {
        start_tls = no
        require_cert = allow
    }
    basedn = dc=Example,dc=com
    filter = (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
    base_filter = (objectclass=radiusprofile)
    auto_header = no
    access_attr_used_for_allow = yes
    groupname_attribute = cn
    groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
    dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
    ldap_debug = 0
    ldap_connections_number = 5
    compare_check_items = no
    do_xlat = yes
    set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the authenticate section.
rlm_ldap: reading ldap-radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS 
Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x2853e2e0 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module acct_unique from file /usr/local/etc/raddb/modules/acct_unique acct_unique { key =
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
Alan Buxey wrote:
> and what type of request is coming through? - check the mschap module to see the challenge response example
> and 'radiusd -X' for help does help...

Alan, thank you, my wireless controller was set to send MSCHAP-v2. Changing the controller to PAP allows it to complete a successful radius ping. However, I have moved onto another problem, an 802.1x client will not authenticate sending EAP-PEAP/EAP-MSCHAP-v2.

I received the following log output from radius:

[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: root
[mschap] Told to do MS-CHAPv2 for root with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.

My mschap module is configured as follows:

mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{% {Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=% {mschap:Challenge:-00} –nt-response=%{mschap:NT-Response:-00}
}

I have also tried:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-domain.net} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Please let me know if you see my errors, or have thoughts.
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
lint wrote:
> Alan, thank you, my wireless controller was set to send MSCHAP-v2. Changing the controller to PAP allows it to complete a successful radius ping. However, I have moved onto another problem, an 802.1x client will not authenticate sending EAP-PEAP/EAP-MSCHAP-v2.

So, if I create a user in the users file, I can connect with that account over 802.1x.

DEFAULT EAP-Message !* , Auth-Type := Accept
test Cleartext-Password := password, MS-CHAP-Use-NTLM-Auth := 0

Doesn't the FreeRADIUS documentation mention that the users file is not required for NTLM to work with active directory? This doesn't make sense to me, why would I need to create users when they already live in active directory? I know that this means I am doing something wrong.
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
You certainly don't need to set anything in your users file for 802.1X with an AD backend

As already stated, where is your radiusd -X ?

alan
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
Alan Buxey wrote:
> You certainly don't need to set anything in your users file for 802.1X with an AD backend
> As already stated, where is your radiusd -X ?

I really apologize, I misunderstood you. Thank you so much! Here it is:

FreeRADIUS Version 2.1.11, for host x86_64-redhat-linux-gnu, built on Sep 20 2011 at 13:55:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mschap.org
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/perl.rpmnew
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/packetfence.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/packetfence
including configuration file /etc/raddb/sites-enabled/packetfence-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
    user = radiusd
    group = radiusd
    allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
    name = radiusd
    prefix = /usr
    localstatedir = /var
    sbindir = /usr/sbin
    logdir = /var/log/radius
    run_dir = /var/run/radiusd
    libdir = /usr/lib64/freeradius
    radacctdir = /var/log/radius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = /var/run/radiusd/radiusd.pid
    checkrad = /usr/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = no
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
Hi,

> Ready to process requests.

...and then nothing. The output is only useful if you show a failing request actually being handled :-)

alan
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
Hi,

> Module: Instantiating module ntlm_auth from file /etc/raddb/modules/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = /usr/bin/ntlm_auth --request-nt-key --domain=domain.net--username=%{mschap:User-Name}
                                                                   ^^
PS you have a typo

alan
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
Alan Buxey wrote:
> Hi,
>
> > Module: Instantiating module ntlm_auth from file /etc/raddb/modules/ntlm_auth
> > exec ntlm_auth {
> > wait = yes
> > program = /usr/bin/ntlm_auth --request-nt-key --domain=domain.net--username=%{mschap:User-Name}
>                                                                    ^^
> PS you have a typo
>
> alan

Alan, sorry, I manually removed my domain and changed it to domain.net in the log. It is actually like this:

program = /usr/bin/ntlm_auth --request-nt-key --domain=domain.net --username=%{mschap:User-Name} --password=%{User-Password}
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
The freeradius daemon reads ALL files in the modules directory. You have duplicates and eg .rpmnew . Remove those and things may just work nicely for you

alan

--
Message may be brief as it has been sent from my mobile
Re: FreeRadius, Active Directory, LDAP Authorization
On Thu, Dec 8, 2011 at 3:57 AM, suggestme samanaupadh...@hotmail.com wrote:
> Thank you all for the suggestions. I have already installed FreeRadius 2.1.12 which I am running, and I have got ldap in file /usr/local/etc/raddb/modules/ldap; I have gone through it and I am still not sure where the problem lies.

Have you READ the file?

#===
# The following two configuration items are for Active Directory
# compatibility. If you see the helpful operations error
# being returned to the LDAP module, uncomment the next
# two lines.
#
# chase_referrals = yes
# rebind = yes
#===

--
Fajar
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
On Thu, Dec 8, 2011 at 6:11 AM, lint l...@pillclan.com wrote:
> Alan, here is the output of everything with a failed request:

Did you read this?

> Module: Linked to module rlm_chap
> Module: Instantiating module chap from file /etc/raddb/modules/chap
> Module: Linked to module rlm_mschap
> Module: Instantiating module mschap from file /etc/raddb/modules/mschap.org
> mschap {
>     use_mppe = yes
>     require_encryption = no
>     require_strong = no
>     with_ntdomain_hack = no
>     allow_retry = yes
> }

and http://deployingradius.com/documents/configuration/active_directory.html , section Configuring FreeRADIUS to use ntlm_auth for MS-CHAP:

... Then, find the mschap module in raddb/modules/mschap file, and look for the line containing ntlm_auth = . It is commented out by default, and should be uncommented, and edited to be as follows ...

you either have NOT edited it, or have a rogue file (/etc/raddb/modules/mschap.org?) that messed up your configuration. Fix it until the debug log shows mschap module is using ntlm_auth.

--
Fajar
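Added example, not part of the thread: a check over `radiusd -X` startup output for the condition Alan and Fajar point out above, a backup copy in the modules directory being loaded and defining the `mschap` instance without `ntlm_auth`. The sample log is constructed from lines quoted in this thread; the backup-suffix list and the function names are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: startup lines modelled on the `radiusd -X` output quoted in this thread.
SAMPLE_DEBUG = """\
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/mschap.org
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/perl.rpmnew
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mschap
 Module: Linked to module rlm_chap
 Module: Instantiating module chap from file /etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module mschap from file /etc/raddb/modules/mschap.org
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
    allow_retry = yes
  }
"""

# Assumption: suffixes commonly left behind by hand-made or package-manager backups.
# Stock files such as detail.log and detail.example.com must not match.
BACKUP_SUFFIXES = (".org", ".orig", ".bak", ".old", ".rpmnew", ".rpmsave",
                   ".dpkg-old", ".dpkg-dist")

INCLUDE_RE = re.compile(r"^\s*including configuration file (\S+)\s*$")
# The module name may appear in double quotes in real output, so quotes are optional.
INSTANTIATE_RE = re.compile(
    r'^\s*Module: Instantiating module "?([\w.-]+)"? from file (\S+)\s*$')


def is_backup(path):
    """True when the file name ends in one of the assumed backup suffixes."""
    return PurePosixPath(path).name.endswith(BACKUP_SUFFIXES)


def parse(log):
    """Return (included_files, [(module, source_file, settings_dict), ...])."""
    included, modules = [], []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = INCLUDE_RE.match(line)
        if m:
            included.append(m.group(1))
            continue
        m = INSTANTIATE_RE.match(line)
        if not m:
            continue
        settings, depth = {}, 0
        for follow in lines[i + 1:]:
            text = follow.strip()
            if text.endswith("{"):
                depth += 1            # opening of the block or of a nested section
            elif depth == 0:
                break                 # this module printed no configuration block
            elif text == "}":
                depth -= 1
                if depth == 0:
                    break             # end of this module's block
            elif "=" in text:
                key, _, value = text.partition("=")
                settings[key.strip()] = value.strip()
        modules.append((m.group(1), m.group(2), settings))
    return included, modules


def audit(log):
    """Return findings as tuples; an empty list means nothing suspicious was seen."""
    included, modules = parse(log)
    findings = [("backup-file-included", path) for path in included if is_backup(path)]
    for module, path, settings in modules:
        if is_backup(path):
            findings.append(("module-from-backup", module, path))
        if module == "mschap" and "ntlm_auth" not in settings:
            findings.append(("mschap-without-ntlm_auth", path))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DEBUG):
        print(finding)
```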
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
Fajar A. Nugraha-2 wrote:
> Did you read this?
>
> > Module: Linked to module rlm_chap
> > Module: Instantiating module chap from file /etc/raddb/modules/chap
> > Module: Linked to module rlm_mschap
> > Module: Instantiating module mschap from file /etc/raddb/modules/mschap.org
> > mschap {
> >     use_mppe = yes
> >     require_encryption = no
> >     require_strong = no
> >     with_ntdomain_hack = no
> >     allow_retry = yes
> > }
>
> and http://deployingradius.com/documents/configuration/active_directory.html , section Configuring FreeRADIUS to use ntlm_auth for MS-CHAP:
>
> ... Then, find the mschap module in raddb/modules/mschap file, and look for the line containing ntlm_auth = . It is commented out by default, and should be uncommented, and edited to be as follows ...
>
> you either have NOT edited it, or have a rogue file (/etc/raddb/modules/mschap.org?) that messed up your configuration. Fix it until the debug log shows mschap module is using ntlm_auth.
>
> --
> Fajar

Ah, that is clear now. I made backups of the files in modules before I modified them, as I always do with configuration files. I didn't realize that FreeRADIUS loads all modules. I will move the backups to my home directory and try again tomorrow.

Thank you Alan and Fajar!
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
On Thu, Dec 8, 2011 at 9:26 AM, lint l...@pillclan.com wrote:
> I made backups of the files in modules before I modified them, as I always do with configuration files. I didn't realize that FreeRADIUS loads all modules. I will move the backups to my home directory and try again tomorrow

Somewhat off topic, did you know you can use git to keep track of configuration changes? Something like this should make your life a lot easier

- cd /etc/raddb
- git init
- every time you make a change, do git commit -a

--
Fajar
Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth
Fajar A. Nugraha-2 wrote:
> Somewhat off topic, did you know you can use git to keep track of configuration changes? Something like this should make your life a lot easier
>
> - cd /etc/raddb
> - git init
> - every time you make a change, do git commit -a
>
> --
> Fajar

I have heard of git in the past through github, but thought that it was really only used by programmers to collaborate on project changes. I will definitely start using this command. Seriously, Fajar, thank you for your time on this.
FreeRADIUS with LDAP Support
Hello Everyone,

I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has not been compiled. Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

Thanks in Advance,
Nick.
Re: run radius in debug mode with screen
Hello. Евгений

ufa-rad2:# screen -d -m freeradius -X -d /etc/freeradius/test/

Works without any problem on Linux

But I guess you should find out the cause of problem and not try to workaround it by running FreeRADIUS in debug

> 1. FreeRadius stop working in not debug mode once or more time for a day

First of all try to update FreeRADIUS to the last version. I too had crashes with 2.1.10. Had to update to 2.1.12 to get rid of crashes.

--
Best regards,
Волков Д.А.
ЦТЭ ОАО Башинформсвязь, Ufa
tel. +7(347)2001168
mailto:vol...@ufamts.ru
packet in freeradius
Hi all, After authentication by Freeradius each and every packet is going through server. Or after authentication access point or router will handle all this thing. -- Warm Regards Harish Mandowara
Re: packet in freeradius
Hi, after auth each packet will go through NAS (Ap, Router)

08 December 2011, 10:28 from Harish Mandowara hari...@cdac.in:
> Hi all, After authentication by Freeradius each and every packet is going through server. Or after authentication access point or router will handle all this thing.
> --
> Warm Regards Harish Mandowara
Re[6]: authentication with mysql and NAS type= other
David, usually Alvarion WIMAX 802.16 is 4M products. Extreme is 802.16 standard but for nonWiMAX band = 5 GHz. All Alvarion hexes username, like 97697...@wimax.com So, you just guess it was Extreme?))

07 December 2011, 20:33 from David Peterson-19 [via FreeRadius] ml-node+s1045715n5056216...@n5.nabble.com:

I know it’s Extreme because we sell Alvarion WiMax for all of North America :) Keepaliveusernameandpassword is a generic request coming from the BTS which can either be accepted or denied. Either response is fine. The Extreme uses EAP-TTLS as does all WiMax so the username should be something like [hidden email]

David

From: freeradius-users-bounces+david.peterson=[hidden email] [mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of [hidden email]
Sent: Wednesday, December 07, 2011 11:03 AM
To: [hidden email]
Subject: Re[4]: authentication with mysql and NAS type= other

[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword' [acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5. ++[acct_unique] returns ok [suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radacct/10.152.98.23/detail-20111206 [detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206 [detail] expand: %t - Tue Dec 6 17:57:06 2011 ++[detail] returns ok ++[unix] returns fail Finished request 247. Cleaning up request 247 ID 56 with timestamp +1802 Going to the next request Ready to process requests.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, length=181 User-Name = KeepAliveUserNameAndPassword NAS-IP-Address = 10.152.98.23 NAS-Port-Type = Wireless-802.16 NAS-Port = 0 Calling-Station-Id = \000\000\000\000\000 NAS-Identifier = 1137128000 WiMAX-GMT-Timezone-offset = 0 Message-Authenticator = 0x892bc16577cd6753b2a7e0c0a3499523 Acct-Session-Id = KeepAliveSessionId User-Password = KeepAliveUserNameAndPassword # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [sql] expand: %{User-Name} - KeepAliveUserNameAndPassword [sql] sql_set_user escaped user -- 'KeepAliveUserNameAndPassword' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User KeepAliveUserNameAndPassword not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. 
Login incorrect: [KeepAliveUserNameAndPassword/KeepAliveUserNameAndPassword] (from client 10.152.98.23/16 port 0 cli )

=== login and password are correct! How did you know that it's Extreme by NAS identifier?

07 December 2011, 19:16 from David Peterson-19 [via FreeRadius] [hidden email]:

The only requests I see are User-Name = KeepAliveUserNameAndPassword

This is just a keep-alive packet all Alvarion Extreme base stations send out. I do not see the CPE attempting to authenticate.

David

From: freeradius-users-bounces+david.peterson=[hidden email] [mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of [hidden email]
Sent: Wednesday, December 07, 2011 10:05 AM
To: [hidden email]
Subject: Re[2]: authentication with mysql and NAS type= other

here is debug:

ad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, length=135 User-Name = KeepAliveUserNameAndPassword NAS-IP-Address = 10.152.98.23 NAS-Port-Type = Wireless-802.16 NAS-Port = 0 Calling-Station-Id = \000\000\000\000\000 NAS-Identifier = 1137128000 WiMAX-GMT-Timezone-offset = 0 Acct-Status-Type = Stop
Re[6]: authentication with mysql and NAS type= other
Hi,

mysql> use freeradius;
Database changed
mysql> select * from radcheck;
+----+-----------------+--------------------+----+------------------+
| id | username        | attribute          | op | value            |
+----+-----------------+--------------------+----+------------------+
|  1 | user            | Password           | == | user             |
|  3 | t...@wimax.com  | Cleartext-Password | := | test             |
|  5 | te...@wimax.com | Cleartext-Password | := | test             |
| 10 | user            | Simultaneous-Use   | := | 1                |
|  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
|  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
+----+-----------------+--------------------+----+------------------+

user is for WiFi test and tes1 is for WimAX. All usernames are authenticated for WiFi. Wimax cannot. I don't know why it uses username = 'KeepAliveUserNameAndPassword', like in the debug?? When I used users file in FR with the same usernames, it was ok. I really use same usernames for auth in my Wimax CPEs.

07 December 2011, 20:17 from Fajar A. Nugraha l...@fajar.net:
> On Wed, Dec 7, 2011 at 11:02 PM, tolik_shavlov...@mail.ru tolik_shavlov...@mail.ru wrote:
>> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id
>> SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
>
> What do you get when you execute those two queries in mysql directly?
>
>> [sql] User KeepAliveUserNameAndPassword not found
>
> the sql module says the user is not found. It doesn't lie.
>
>> === login and password are correct!
>
> And how did you know that? Did you setup the tables correctly? Hint: execute those two queries above.
>
> --
> Fajar
Re: Re[6]: authentication with mysql and NAS type= other
2011/12/8 Толик Шавловский tolik_shavlov...@mail.ru:
> Hi,
> mysql> use freeradius;
> Database changed
> mysql> select * from radcheck;
> +----+-----------------+--------------------+----+------------------+
> | id | username        | attribute          | op | value            |
> +----+-----------------+--------------------+----+------------------+
> |  1 | user            | Password           | == | user             |
> |  3 | t...@wimax.com  | Cleartext-Password | := | test             |
> |  5 | te...@wimax.com | Cleartext-Password | := | test             |
> | 10 | user            | Simultaneous-Use   | := | 1                |
> |  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
> |  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
> +----+-----------------+--------------------+----+------------------+

There's no user called 'KeepAliveUserNameAndPassword'

> Wimax cannot. I don't know why it uses username = 'KeepAliveUserNameAndPassword', like in the debug??

Because the NAS sends it. If you think it shouldn't, examine the NAS config. Or ask the NAS vendor. The log doesn't lie.

Did you ACTUALLY test authentication with a client connecting to the NAS? Or did you just start up FR in debug mode and hope there would be a packet from the NAS?

--
Fajar
Re: authentication with mysql and NAS type= other
Толик Шавловский wrote:
> Hi,
> mysql> use freeradius;
> Database changed
> mysql> select * from radcheck;
> +----+-----------------+--------------------+----+------------------+
> | id | username        | attribute          | op | value            |
> +----+-----------------+--------------------+----+------------------+
> |  1 | user            | Password           | == | user             |

Change that to Cleartext-Password and :=, like the other entries.

> all usernames are authenticated for WiFi. Wimax cannot.

Post the debug output for WiMAX. Honestly, I don't see why *anyone* needs to be told this.

Alan DeKok.
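The two lookups from the debug log and the radcheck change suggested in this thread, as an added example that is not part of any post. It assumes an in-memory SQLite database as a stand-in for the MySQL freeradius schema; the rows, the placeholder username cpe1@example.invalid and the function names are constructed for illustration.

```python
import sqlite3

# Constructed rows modelled on the radcheck listing in the thread; the
# username is a placeholder because the thread's addresses are truncated.
ROWS = [
    (1, "user", "Password", "==", "user"),
    (3, "cpe1@example.invalid", "Cleartext-Password", ":=", "test"),
    (10, "user", "Simultaneous-Use", ":=", "1"),
    (8, "cpe1@example.invalid", "Framed-Filter-Id", ":=", "SP=data:MSF=data"),
]

# The two lookups rlm_sql logged, with the username bound as a parameter.
CHECK_Q = ("SELECT id, username, attribute, value, op FROM radcheck "
           "WHERE username = ? ORDER BY id")
GROUP_Q = ("SELECT groupname FROM radusergroup "
           "WHERE username = ? ORDER BY priority")

def make_db():
    """In-memory SQLite stand-in for the MySQL database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT)")
    db.execute("CREATE TABLE radusergroup (username TEXT, groupname TEXT,"
               " priority INTEGER)")
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", ROWS)
    return db

def lookup(db, username):
    """Run both logged queries; two empty lists mean the user is not found."""
    return (db.execute(CHECK_Q, (username,)).fetchall(),
            db.execute(GROUP_Q, (username,)).fetchall())

def legacy_password_rows(db):
    """Password items that are not 'Cleartext-Password' with ':='."""
    return db.execute(
        "SELECT id, username, attribute, op FROM radcheck "
        "WHERE attribute = 'Password' "
        "OR (attribute = 'Cleartext-Password' AND op <> ':=') "
        "ORDER BY id").fetchall()

def fix_legacy_rows(db):
    """Rewrite 'Password ==' items as suggested in the thread."""
    cur = db.execute(
        "UPDATE radcheck SET attribute = 'Cleartext-Password', op = ':=' "
        "WHERE attribute = 'Password' AND op = '=='")
    return cur.rowcount
```

Calling lookup(make_db(), "KeepAliveUserNameAndPassword") returns two empty lists, which is the condition the sql module reports as notfound in the log.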
Re: run radius in debug mode with screen
Коньков Евгений wrote:
> BUG: you must not detach from console when 'radiusd -X'

FreeRADIUS does *not* detach from the console when using radiusd -X.

Alan DeKok.
Re: FreeRadius, Active Directory, LDAP Authorization
suggestme wrote:
> I have already installed FreeRadius 2.1.12 which I am running, and I have got ldap in file /usr/local/etc/raddb/modules/ldap; I have gone through it and I am still not sure where the problem lies.

The problem is you. You were told to look for "operations error" in raddb/modules/ldap. Since you say you read that file, there are only two options: 1) you found it 2) you didn't find it.

If you found it, you should have followed the instructions. If you didn't find it, you should SAY you didn't find it. We tell you to read documentation which exists. So if you can't find it, there's a problem in your local installation.

But... your response didn't match option (1) or (2). It's like me asking "are you running version 1 or version 2", and your response is "my cat's name is mittens"

Alan DeKok.