Authentication via ntlm_auth with check the user group

2011-12-07 Thread Сергей Усов

Hi

I am trying to configure authentication via ntlm_auth with a check of the user's group.
All authentication attempts are rejected.


The same configuration without checking groups is working correctly

policy.conf:

extract_ssid {
    if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {
        update request {
            Called-Station-SSID := %{7}
        }
        if (Called-Station-SSID == localnet1) {
            update request {
                AD-Group := WiFisec
            }
        }
        else {
            update request {
                AD-Group := WiFi-public
            }
        }
    }
    else {
        noop
    }
}

modules/mschap:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=POMORSU+%{AD-Group}


sites-enabled/default:
authorize {
 preprocess
 extract_ssid

FreeRADIUS 2.1.10+dfsg-2, Debian squeeze

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
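As an added example (not code from the original post or from FreeRADIUS), the following Python models the poster's extract_ssid policy and the ntlm_auth expansion: the Called-Station-Id regex, the SSID-to-group mapping and the POMORSU+group format are taken from the configuration above, while the request dictionaries are constructed stand-ins for FreeRADIUS attribute lists. It also shows the failure mode Alan DeKok's reply points at, under the assumption that the PEAP inner-tunnel request is a separate attribute list that the outer server's update never touched.

```python
import re

# Regex copied from the poster's extract_ssid policy: six hex octets with
# optional '-' or ':' separators, then the SSID as capture group 7.
CALLED_STATION_RE = re.compile(
    r"^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?",
    re.IGNORECASE,
)

NT_DOMAIN = "POMORSU"                       # domain prefix in --require-membership-of
SSID_TO_GROUP = {"localnet1": "WiFisec"}    # the policy's explicit if-branch
DEFAULT_GROUP = "WiFi-public"               # the policy's else-branch


def extract_ssid(called_station_id):
    """Return the SSID (capture group 7) from Called-Station-Id, or None if
    the value does not match the MAC-prefix pattern at all."""
    m = CALLED_STATION_RE.match(called_station_id)
    if m is None:
        return None
    return m.group(7) or ""


def run_extract_ssid_policy(request):
    """Mimic the unlang policy against one request attribute list (a dict).

    Returns 'ok' when the list was updated and 'noop' otherwise, mirroring
    the return codes seen in the posted debug output."""
    csid = request.get("Called-Station-Id")
    if csid is None:
        return "noop"
    ssid = extract_ssid(csid)
    if ssid is None:
        return "noop"
    request["Called-Station-SSID"] = ssid
    request["AD-Group"] = SSID_TO_GROUP.get(ssid, DEFAULT_GROUP)
    return "ok"


def ntlm_auth_argv(request, user_name, challenge_hex=None, nt_response_hex=None):
    """Build the argv the poster's mschap 'ntlm_auth' line expands to.

    %{AD-Group} is read from the request list handed in. In unlang an absent
    attribute expands to an empty string, which here would give
    '--require-membership-of=POMORSU+' (no group at all). This helper refuses
    to build such a command so the missing attribute is visible instead of
    surfacing only as a rejected authentication.
    The '00' defaults mirror %{mschap:Challenge:-00} / %{mschap:NT-Response:-00}."""
    group = request.get("AD-Group")
    if not group:
        raise ValueError("AD-Group is not set in this request list")
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        f"--domain={NT_DOMAIN}",
        f"--username={user_name}",
        f"--challenge={challenge_hex or '00'}",
        f"--nt-response={nt_response_hex or '00'}",
        f"--require-membership-of={NT_DOMAIN}+{group}",
    ]


def demo():
    """Run the policy on the outer request from the debug log, then try the
    expansion against a constructed inner-tunnel list the policy never saw."""
    # Outer Access-Request attributes taken from the posted debug output.
    outer = {
        "User-Name": "POMORSU\\rahs",
        "Called-Station-Id": "04-11-9A-D1-44-39:localnet1",
        "Calling-Station-Id": "00-1F-3C-3D-DF-8C",
    }
    outer_rc = run_extract_ssid_policy(outer)   # 'ok', AD-Group becomes WiFisec

    # Constructed: the inner-tunnel request is a separate attribute list. If
    # extract_ssid only ran in the outer 'default' server, nothing here carries
    # AD-Group, so the ntlm_auth expansion has no group to require.
    inner = {"User-Name": "rahs"}
    try:
        ntlm_auth_argv(inner, user_name="rahs")
        inner_ok = True
    except ValueError:
        inner_ok = False
    return outer_rc, outer["AD-Group"], inner_ok


if __name__ == "__main__":
    print(demo())
```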


Re: Authentication via ntlm_auth with check the user group

2011-12-07 Thread Fajar A. Nugraha
On Wed, Dec 7, 2011 at 4:11 PM, Сергей Усов us...@pomorsu.ru wrote:
 Hi

 I am trying to configure authentication via ntlm_auth with a check of the user's group. All
 authentication attempts are rejected.

What does the debug log say when the authentications are rejected?

-- 
Fajar



Re: Authentication via ntlm_auth with check the user group

2011-12-07 Thread Сергей Усов

Thanks for your reply

radiusd:  Loading Virtual Servers 
server { # from file /etc/freeradius/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating module mschap from file 
/etc/freeradius/modules/mschap

  mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00} 
--require-membership-of=POMORSU+%{AD-Group}

  }

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=0, length=210

Message-Authenticator = 0x76f5e1499b3c78689adf8fb623dc7c4e
Service-Type = Framed-User
User-Name = POMORSU\\rahs
Framed-MTU = 1488
Called-Station-Id = 04-11-9A-D1-44-39:localnet1
Calling-Station-Id = 00-1F-3C-3D-DF-8C
NAS-Identifier = D-Link Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 0x021201504f4d4f5253555c75736f7773
NAS-IP-Address = 192.168.213.210
NAS-Port = 1
NAS-Port-Id = STA port # 1
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- TRUE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- TRUE
+++- entering if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
{...}

expand: %{7} - localnet1
[request] returns ok
? if (Called-Station-SSID == localnet1)
? Evaluating (Called-Station-SSID == localnet1) - TRUE
? if (Called-Station-SSID == localnet1) - TRUE
- entering if (Called-Station-SSID == localnet1) {...}
+[request] returns ok
- if (Called-Station-SSID == localnet1) returns ok
 ... skipping else for request 0: Preceding if was taken
+++- if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
returns ok

+++ ... skipping else for request 0: Preceding if was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = POMORSU\rahs, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.213.210 port 1067
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0x140c0338140d1ab54c20eb7bf1588770
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=1, length=315

Message-Authenticator = 0x52b3370475dcad2571d8a4ef20d46246
Service-Type = Framed-User
User-Name = POMORSU\\rahs
Framed-MTU = 1488
State = 0x140c0338140d1ab54c20eb7bf1588770
Called-Station-Id = 04-11-9A-D1-44-39:localnet1
Calling-Station-Id = 00-1F-3C-3D-DF-8C
NAS-Identifier = D-Link Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 
0x020100691980005f160301005a015603014ede257a500dcb4913694c60469b783a7bdaa0d482ac13baa056619eb2d75c3718002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100

NAS-IP-Address = 192.168.213.210
NAS-Port = 1
NAS-Port-Id = STA port # 1
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- TRUE
+++? if 

Re: Authentication via ntlm_auth with check the user group

2011-12-07 Thread Alan DeKok
  You need to update the AD-Group in the inner-tunnel virtual server,
not in the default one.

  Alan DeKok.



Re[6]: freeradius2 installation error

2011-12-07 Thread tolik_shavlov...@mail.ru
Dear All,
I installed FR v2.1.2 and MySQL 5.1.55. The user database is in a MySQL DB.

1. I was lucky enough to authenticate WiFi users via a Cisco AP (NAS type cisco), but
Simultaneous-Use is not working.
2. My WiMAX users (vendor Alvarion) cannot authenticate, although I can
authenticate them from the users file.

What can the problem be?

Thanks.

06 December 2011, 20:12, from Fajar A. Nugraha-2 [via FreeRadius] ml-node+s1045715n5052587...@n5.nabble.com:

 On Tue, Dec 6, 2011 at 10:51 PM, [hidden email] wrote:
 Dear Fajar,

 I failed to integrate FR + MySQL; I was informed that my FR is without the MySQL
 module.

then why didn't you ask that in the first place? It'd save lots of time.


 I am in the process of building from source.
 So,
 after:
 1. I build mysql-server

Not necessarily. Binary tar/package from
http://dev.mysql.com/downloads/mysql should also work. Personally, I'd
avoid having to build mysql from source. It takes a VERY long time.
Also, you don't really need the server. FR only needs the client part
(with corresponding headers/libs).

Anyway, whatever method you use (build from ports, compile manually,
installing binary package, whatever) you need to make sure that mysql
headers and libraries are available. One way (though not the ONLY way)
to verify this is by running mysql_config, then look at the --include
and --libs output, then see if the files are there. For example, on my
Ubuntu box:

#=
$ mysql_config
Usage: /usr/bin/mysql_config [OPTIONS]
Options:
        --cflags         [-I/usr/include/mysql
-fno-omit-frame-pointer -g -pipe -Wno-uninitialized   -DUNIV_LINUX]
        --include        [-I/usr/include/mysql]
        --libs           [-Wl,-Bsymbolic-functions -rdynamic
-L/usr/lib/mysql -lmysqlclient -L/usr/lib/ -lssl -lcrypto]
        --libs_r         [-Wl,-Bsymbolic-functions -rdynamic
-L/usr/lib/mysql -lmysqlclient_r -L/usr/lib/ -lssl -lcrypto]
        --plugindir      [/usr/lib/mysql/plugin]
        --socket         [/var/run/mysqld/mysqld.sock]
        --port           [0]
        --version        [5.3.2-MariaDB-beta]
        --libmysqld-libs [-Wl,-Bsymbolic-functions -rdynamic
-L/usr/lib/mysql -lmysqld -ldl -lwrap -lrt -L/usr/lib/ -lssl -lcrypto]

$ ls /usr/include/mysql/
client_plugin.h  my_alloc.h           my_getopt.h      mysqld_ername.h  my_valgrind.h              services.h           typelib.h
decimal.h        my_attribute.h       my_global.h      mysqld_error.h   my_xml.h                   service_thd_alloc.h
errmsg.h         my_compiler.h        my_list.h        mysql_embed.h    plugin_auth_common.h       sql_common.h
keycache.h       my_config.h          my_net.h         mysql.h          plugin_auth.h              sql_state.h
ma_dyncol.h      my_dbug.h            my_no_pthread.h  mysql_time.h     plugin.h                   sslopt-case.h
m_ctype.h        my_decimal_limits.h  my_pthread.h     mysql_version.h  service_my_snprintf.h      sslopt-longopts.h
m_string.h       my_dir.h             mysql_com.h      my_sys.h         service_progress_report.h  sslopt-vars.h

$ ls /usr/lib/*mysqlclient*
/usr/lib/libmysqlclient.a
/usr/lib/libmysqlclient.la
/usr/lib/libmysqlclient.so
/usr/lib/libmysqlclient.so.15
/usr/lib/libmysqlclient.so.15.0.0
/usr/lib/libmysqlclient.so.16
/usr/lib/libmysqlclient.so.16.0.0
/usr/lib/libmysqlclient_r.a
/usr/lib/libmysqlclient_r.la
/usr/lib/libmysqlclient_r.so
/usr/lib/libmysqlclient_r.so.15
/usr/lib/libmysqlclient_r.so.15.0.0
/usr/lib/libmysqlclient_r.so.16
/usr/lib/libmysqlclient_r.so.16.0.0
#=

 2. Install the MySQL driver for FR.

 Correct?

Just build freeradius following the simple instruction in the wiki.

IF mysql headers and drivers are there, AND you have a working
mysql_config somewhere (/usr/bin/, /usr/local/bin, whatever) then
mysql support should be built in by default.

However, IF the headers/libs are NOT in the default places, you might
have to specify some parameters to configure:

  --with-mysql-include-dir=DIR
                          Directory where the mysql includes may be found
  --with-mysql-lib-dir=DIR
                          Directory where the mysql libraries may be found
  --with-mysql-dir=DIR    Base directory where mysql is installed

In any case, make sure you READ the output from ./configure. Hint:
it's easier to do so if you redirect the output to a file, something
like

./configure | tee configure-output.txt

The output should show whether the configure script was able to find
mysql headers/libs or not.

-- 
Fajar



Re: Authentication via ntlm_auth with check the user group

2011-12-07 Thread Сергей Усов

I have changed inner_tunnel, but unsuccessfully

server inner-tunnel {
    authorize {
        preprocess
        extract_ssid
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    session {
        radutmp
    }
    post-auth {
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}

07.12.2011 15:36, Alan DeKok wrote:

   You need to update the AD-Group in the inner-tunnel virtual server,
not in the default one.

   Alan DeKok.



Re: Linksys WIFI Authentication using freeradius?

2011-12-07 Thread Michel Bulgado
On Wednesday 07 December 2011 01:26:08 Fajar A. Nugraha wrote:
 On Wed, Dec 7, 2011 at 1:15 PM,  mic...@casa.co.cu wrote:
  Google search and it turns out all the variations I have encountered are
  implementing freeradius with PEAP TLS and mysql, which should generate
  certificates and then configure the client and in turn install these
  certificates for the exchange between the server and client.
 
  I was wondering, is there some other simpler way that does not imply
  this setup or installing certificates on the client side?
 
 PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC, etc.
 
 On these setups there's only one certificate: the server. Depending on
 your OS/supplicant, the client can be set up to ignore the certificate
 validation, or to have a pop up asking whether they trust the server
 certificate.
 
 Note that the CLIENT chooses which authentication method to use. Setup
 on the NAS (i.e. access point) side is the same.
 
  Well, I have several clients with different operating systems: Windows,
  Linux, Apple.
 
  Something as simple as putting in the username and password.
 
 Once you get past the certificate trust issue, it's a matter of putting in
 username and password.
 
Hi Fajar

Thanks for replying to me.

If PEAP-TTLS, PEAP-MSCHAPv2 and PEAP-GTC work with one
certificate on the server side, which of the three methods do
you recommend I use on the server?

Do you have a manual or doc I can use to set up
authentication with freeradius using PEAP-TTLS, PEAP-MSCHAPv2
or PEAP-GTC and mysql?

Michel



authentetication with mysql and NAS type= other

2011-12-07 Thread tolik_shavlov...@mail.ru
Dear All,
I installed FR v2.1.2 and MySQL 5.1.55. The user database is in a MySQL DB.

1. I was lucky enough to authenticate WiFi users via a Cisco AP (NAS type cisco), but
Simultaneous-Use is not working.
2. My WiMAX users (vendor Alvarion) cannot authenticate, although I can
authenticate them from the users file.

What can the problem be?

Thanks.



Re: FreeRadius, Active Directory, LDAP Authorization

2011-12-07 Thread suggestme
Hi,

After configuring and running FreeRadius in debug mode, I see that
binding with the LDAP server is successful: [ldap] Bind was successful
Then it searches for the user with the filter and gives the error: [ldap]
ldap_search() failed: Operations error
[ldap] search failed
Is there anything I am missing due to which I am getting this error? Is this
related to any configuration that needs to be done on the LDAP server side, or
any change I need to make in /usr/local/etc/raddb/dictionary and
/usr/local/etc/raddb/ldap.attrmap?

I am doing Authentication using ntlm_auth as suggested by
deployingradius.com, which is successful. Now I am doing Authorization
using LDAP.


Thanks



Re: FreeRadius, Active Directory, LDAP Authorization

2011-12-07 Thread Phil Mayers

On 07/12/11 14:22, suggestme wrote:

Hi,

After configuring and running FreeRadius in debug mode, I see that
binding with the LDAP server is successful: [ldap] Bind was successful
Then it searches for the user with the filter and gives the error: [ldap]
ldap_search() failed: Operations error
[ldap] search failed


This is an LDAP error - check the LDAP filter syntax and search base.

Or post the radiusd -X output, as requested a million times a day (or 
so it sometimes seems) on this list.



Re: Authentication via ntlm_auth with check the user group

2011-12-07 Thread Alan DeKok
Сергей Усов wrote:
 I have changed inner_tunnel, but unsuccessfully

  You didn't do what I said, so I'm not surprised it didn't work.

  Alan DeKok.


Re: authentetication with mysql and NAS type= other

2011-12-07 Thread Alan DeKok
tolik_shavlov...@mail.ru wrote:
 1. I was lucky enough to authenticate WiFi users via a Cisco AP (NAS type cisco), but
 Simultaneous-Use is not working.

  See the FAQ for "it doesn't work".

 2. My WiMAX users (vendor Alvarion) cannot authenticate, although I can
 authenticate them from the users file.

  Without the debug log, it's impossible to know.

 what can be a problem?

  You didn't follow the existing documentation.

  Alan DeKok.


Re: FreeRadius, Active Directory, LDAP Authorization

2011-12-07 Thread Alan DeKok
suggestme wrote:
 Hi,
 
 After configuring and running FreeRadius in debug mode, I see that
 binding with the LDAP server is successful: [ldap] Bind was successful
 Then it searches for the user with the filter and gives the error: [ldap]
 ldap_search() failed: Operations error 

 Upgrade to 2.1.12, and read raddb/modules/ldap.  Look for operations
error.

  Alan DeKok.


Re: Linking Shared/Static library in Freeradius Module

2011-12-07 Thread Mustafa Reşit Şahin

I am trying to use src/modules/rlm_example/Makefile with the configure files.

In this makefile it is stated:


# The RLM_LIBS definition should list ALL required libraries.
# These libraries really should be pulled from the 'config.mak'
# definitions, if at all possible.  These definitions are also
# echoed into another file in ../lib, where they're picked up by
# ../main/Makefile for building the version of the server with
# statically linked modules.  Get it from autoconf.
#


Which file is meant by "These definitions are also echoed into
another file in ../lib"?


I could not find this file. As far as I understand, I have to add the
shared/static libraries (which I link from my new module) into this
file so FreeRADIUS can find them.

I consider this because I get the error:

/libexec/ld-elf.so.1:
/usr/local/lib/freeradius-2.1.10/rlm_itap-2.1.10.so: Undefined symbol
sendiccmsg

when I run the radius server and send an authorization message to the server.


On 12/06/2011 06:00 PM, Alan DeKok wrote:

Mustafa Reşit Şahin wrote:

I have followed the steps here :

http://wiki.freeradius.org/Modules2#Testing

   Well, it's wrong.  I'm not sure it was ever correct.  I've deleted
that example from the Wiki.

   Look at src/modules/rlm_example/Makefile.  It works, and is correct.
Edit it to build your module.  It's a *lot* simpler.

   Alan DeKok.

--
Mustafa Reşit Şahin
Endersys Work tel: 0216 470 94 23 ext. 306
Mobile: 0507 707 68 12



Re: Linking Shared/Static library in Freeradius Module

2011-12-07 Thread Alan DeKok
Mustafa Reşit Şahin wrote:
 Which file is meant by "These definitions are also echoed into
 another file in ../lib"?

  Files automatically produced by the builds.

 I could not find this file. As far as I understand, I have to add the
 shared/static libraries (which I link from my new module) into this
 file so FreeRADIUS can find them.

  No.  You just add them in the RLM_LIBS line.

 I consider this because I get the error:
 
 /libexec/ld-elf.so.1:
 /usr/local/lib/freeradius-2.1.10/rlm_itap-2.1.10.so: Undefined symbol
 sendiccmsg
 
 when I run the radius server and send an authorization message to the server.

  You probably need to re-build radiusd, too.

  Or... *show* what you did.  This isn't hard.

  The current build process *can* link to static libraries, and *does*
link to static libraries, and *works* when modules are linked to static
libraries.  If you follow the examples, it *should* work.

  Alan DeKok.


Re[2]: authentetication with mysql and NAS type= other

2011-12-07 Thread tolik_shavlov...@mail.ru
Here is the debug output:

rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, length=135
 User-Name = KeepAliveUserNameAndPassword
 NAS-IP-Address = 10.152.98.23
 NAS-Port-Type = Wireless-802.16
 NAS-Port = 0
 Calling-Station-Id = \000\000\000\000\000
 NAS-Identifier = 1137128000
 WiMAX-GMT-Timezone-offset = 0
 Acct-Status-Type = Stop
 Acct-Session-Id = KeepAliveSessionId
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = 
KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 16:59:07 2011
++[detail] returns ok
++[unix] returns fail
Finished request 98.
Cleaning up request 98 ID 10 with timestamp +570
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, 
length=135
 User-Name = KeepAliveUserNameAndPassword
 NAS-IP-Address = 10.152.98.23
 NAS-Port-Type = Wireless-802.16
 NAS-Port = 0
 Calling-Station-Id = \000\000\000\000\000
 NAS-Identifier = 1137128000
 WiMAX-GMT-Timezone-offset = 0
 Acct-Status-Type = Stop
 Acct-Session-Id = KeepAliveSessionId
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = 
KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 16:59:12 2011
++[detail] returns ok
++[unix] returns fail
Finished request 99.
Cleaning up request 99 ID 10 with timestamp +575
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=11, 
length=135
 User-Name = KeepAliveUserNameAndPassword
 NAS-IP-Address = 10.152.98.23
 NAS-Port-Type = Wireless-802.16
 NAS-Port = 0
 Calling-Station-Id = \000\000\000\000\000
 NAS-Identifier = 1137128000
 WiMAX-GMT-Timezone-offset = 0
 Acct-Status-Type = Stop
 Acct-Session-Id = KeepAliveSessionId
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = 
KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 17:00:17 2011
++[detail] returns ok
++[unix] returns fail
Finished request 100.
Cleaning up request 100 ID 11 with timestamp +640
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=11, 
length=135
 User-Name = KeepAliveUserNameAndPassword
 NAS-IP-Address = 10.152.98.23
 NAS-Port-Type = Wireless-802.16
 NAS-Port = 0
 Calling-Station-Id = \000\000\000\000\000
 NAS-Identifier = 1137128000
 WiMAX-GMT-Timezone-offset = 0
 Acct-Status-Type = Stop
 Acct-Session-Id = KeepAliveSessionId
# Executing section preacct from file 

RE: Re[2]: authentetication with mysql and NAS type= other

2011-12-07 Thread David Peterson
The only requests I see are User-Name = KeepAliveUserNameAndPassword

This is just a keep-alive packet all Alvarion Extreme base stations send out.  
I do not see the CPE attempting to authenticate.

David

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org 
[mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org]
 On Behalf Of tolik_shavlov...@mail.ru
Sent: Wednesday, December 07, 2011 10:05 AM
To: freeradius-users@lists.freeradius.org
Subject: Re[2]: authentetication with mysql and NAS type= other


Re[4]: authentetication with mysql and NAS type= other

2011-12-07 Thread tolik_shavlov...@mail.ru
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = 
KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 17:57:06 2011
++[detail] returns ok
++[unix] returns fail
Finished request 247.
Cleaning up request 247 ID 56 with timestamp +1802
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, 
length=181
 User-Name = KeepAliveUserNameAndPassword
 NAS-IP-Address = 10.152.98.23
 NAS-Port-Type = Wireless-802.16
 NAS-Port = 0
 Calling-Station-Id = \000\000\000\000\000
 NAS-Identifier = 1137128000
 WiMAX-GMT-Timezone-offset = 0
 Message-Authenticator = 0x892bc16577cd6753b2a7e0c0a3499523
 Acct-Session-Id = KeepAliveSessionId
 User-Password = KeepAliveUserNameAndPassword
# Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} - KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user -- 'KeepAliveUserNameAndPassword'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE 
username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, 
value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER 
BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = 
'%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup 
WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User KeepAliveUserNameAndPassword not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may 
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user
Failed to authenticate the user.
Login incorrect: [KeepAliveUserNameAndPassword/KeepAliveUserNameAndPassword] 
(from client 10.152.98.23/16 port 0 cli )
===
login and password are correct!

How did you know that it's Extreme by NAS identifier?

07 December 2011, 19:16 from David Peterson-19 [via FreeRadius] 
ml-node+s1045715n5055966...@n5.nabble.com:

The only requests I see are User-Name = KeepAliveUserNameAndPassword

This is just a keep-alive packet all Alvarion Extreme base stations send out.  
I do not see the CPE attempting to authenticate.
 
David
 
From: freeradius-users-bounces+david.peterson=[hidden email] 
[mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of 
[hidden email]
Sent: Wednesday, December 07, 2011 10:05 AM
To: [hidden email]
Subject: Re[2]: authentetication with mysql and NAS type= other
 
here is debug:
rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, 
length=135
User-Name = KeepAliveUserNameAndPassword
NAS-IP-Address = 10.152.98.23
NAS-Port-Type = Wireless-802.16
NAS-Port = 0
Calling-Station-Id = \000\000\000\000\000
NAS-Identifier = 1137128000
WiMAX-GMT-Timezone-offset = 0
Acct-Status-Type = Stop
Acct-Session-Id = KeepAliveSessionId
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = 
KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d 

Re: Re[4]: authentetication with mysql and NAS type= other

2011-12-07 Thread Fajar A. Nugraha
On Wed, Dec 7, 2011 at 11:02 PM, tolik_shavlov...@mail.ru
tolik_shavlov...@mail.ru wrote:
 SELECT id, username, attribute,
 value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword'
 ORDER BY id

 SELECT groupname FROM radusergroup
 WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority

What do you get when you execute those two queries in mysql directly?

 [sql] User KeepAliveUserNameAndPassword not found

the sql module says the user is not found. It doesn't lie.

 ===
 login and password are correct!

And how did you know that? Did you set up the tables correctly? Hint:
execute those two queries above.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
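To see what the "execute those two queries" advice exposes, here is an added example (not code from FreeRADIUS or from anyone in the thread) that runs the same two authorize queries the debug log printed against an in-memory SQLite copy of the stock radcheck and radusergroup tables. The rows are constructed: one hypothetical subscriber and no row at all for the keep-alive name, so the lookup returns the same "not found" the log shows. The username is bound as a parameter rather than interpolated into the string the way the xlat expansion does, which is also how you would query the live table by hand.

```python
"""Reproduce rlm_sql's authorize lookup from the debug log on a local copy of
the FreeRADIUS radcheck / radusergroup schema.

Added example; not FreeRADIUS code and not from the list thread. Table layout
follows the stock schema; all rows are constructed sample data.
"""
import sqlite3

# The two queries exactly as the debug log shows them after expansion, with a
# bound parameter where FreeRADIUS interpolated '%{SQL-User-Name}'.
AUTHORIZE_CHECK_QUERY = (
    "SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = ? ORDER BY id"
)
AUTHORIZE_GROUP_QUERY = (
    "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority"
)


def build_sample_db():
    """In-memory database holding the two tables rlm_sql consults in authorize."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE radcheck (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT NOT NULL,
            attribute TEXT NOT NULL,
            op TEXT NOT NULL,
            value TEXT NOT NULL
        );
        CREATE TABLE radusergroup (
            username TEXT NOT NULL,
            groupname TEXT NOT NULL,
            priority INTEGER NOT NULL DEFAULT 1
        );
        """
    )
    # Constructed rows: one hypothetical subscriber, nothing for the keep-alive name.
    conn.execute(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        ("alice@wimax.example", "Cleartext-Password", ":=", "example-only"),
    )
    conn.execute(
        "INSERT INTO radusergroup (username, groupname, priority) VALUES (?, ?, ?)",
        ("alice@wimax.example", "wimax-subscribers", 1),
    )
    conn.commit()
    return conn


def sql_authorize(conn, username):
    """Mirror rlm_sql's authorize step: return (found, check_items, groups).

    rlm_sql reports 'User ... not found' and returns notfound when neither
    query yields a row; with no Auth-Type set by any other module the server
    then rejects the request, which is what the debug log above shows.
    """
    check_items = conn.execute(AUTHORIZE_CHECK_QUERY, (username,)).fetchall()
    groups = [row[0] for row in conn.execute(AUTHORIZE_GROUP_QUERY, (username,))]
    found = bool(check_items) or bool(groups)
    return found, check_items, groups


if __name__ == "__main__":
    db = build_sample_db()
    for name in ("KeepAliveUserNameAndPassword", "alice@wimax.example"):
        found, items, groups = sql_authorize(db, name)
        state = "found" if found else "not found"
        print(f"[sql] User {name} {state}; check items={len(items)} groups={groups}")
```

Running it prints "not found" for the keep-alive name and "found" for the constructed subscriber; on the real server the same two queries in the mysql client tell you whether the row you think exists is actually there under exactly that username.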


RE: Re[4]: authentetication with mysql and NAS type= other

2011-12-07 Thread David Peterson
I know it's Extreme because we sell Alvarion WiMax for all of North America :)

Keepaliveusernameandpassword is a generic request coming from the BTS which can 
either be accepted or denied.  Either response is fine.

The Extreme uses EAP-TTLS as does all WiMax so the username should be something 
like da...@wimax.com

David

 

 


Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread lint

Angelica Delgado-2 wrote
 
 Freeradius, it gives NT_STATUS_WRONG_PASSWORD.
 

I am having a similar issue to this.  I have LDAP authentication working.
However, my wireless controller, Nortel/Avaya 2382, will not work.

Radius ping from the localhost and a server works fine.

Radius log when I ran a ping from a server configured as a client in
clients.conf:
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=user
[ntlm_auth] expand: --password=%{User-Password} - --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0) 
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) 

Radius log when I ran a ping from the wireless controller, which is also a
client in the clients.conf:
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=user
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a) 
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password
(0xc06a)

Eventually, it locks the account in Active Directory:
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=user
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_ACCOUNT_LOCKED_OUT: Account locked out
(0xc234) 
Exec-Program-Wait: plaintext: NT_STATUS_ACCOUNT_LOCKED_OUT: Account locked
out (0xc234)

I am not sure why the wireless controller will not send the password, or why
FreeRADIUS is not seeing the password.

Any help is very appreciated.



Re[2]: run radius in debug mode with screen

2011-12-07 Thread Коньков Евгений
Hi, Alan

Sorry, but I cannot avoid running it that way, because of:

1. FreeRADIUS stops working in non-debug mode once or more times a day
2. In debug mode it may work for about a week without problems
3. In debug mode I can run it only from the console or in 'screen'
4. I run it in screen when it fails, with the help of the monitord daemon,
   like '/usr/local/bin/screen -d -m /usr/bin/nice -n -20 /r/radiusd debug'
5. Now, with FreeRADIUS Version 2.1.10, because it is detached from the
   console it is hard to quickly run to the server, go to the console and
   start radiusd by hand, unlike 2.1.3

BUG: you must not detach from the console when running 'radiusd -X'

 actually it is /usr/local/etc/rc.d/radiusd debug

AB well just don't run it like that - run the daemon directly...eg

AB radiusd -X


AB and if you want to trap the output, just pipe it through eg 'tee', or use
AB screen to capture the session



-- 
Regards,
 Коньков  mailto:kes-...@yandex.ru



Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread Alan Buxey
Hi,

 I am having a similar issue to this.  I have LDAP authentication working.
 However, my wireless controller, Nortel/Avaya 2382, will not work.

and what type of request is coming through?  If it's not a PAP
type of request, as in your server test, then you won't have
%{User-Password}. Check the mschap module to see the challenge-response
example, and 'radiusd -X' for help does help... these 4 little lines of output
really say nothing

alan
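The point Alan makes, that only a PAP request carries User-Password and so only a PAP request can feed an `--password=%{User-Password}` style ntlm_auth call, can be checked mechanically from the `rad_recv:` attribute dump in `radiusd -X` output. The following is an added example, not FreeRADIUS code and not from anyone in the thread: it parses that dump, names the method from the attributes present, and pairs it with the ntlm_auth credential options quoted elsewhere in this thread (the `--password` form for PAP, the `--challenge`/`--nt-response` form for MS-CHAP). The two debug excerpts at the bottom are constructed, not captured from a real server.

```python
"""Tell which authentication method an Access-Request carries from the
attribute dump that 'radiusd -X' prints under 'rad_recv:', and therefore
whether %{User-Password} can expand to anything.

Added example; not FreeRADIUS code and not from the list thread. Attribute
names are the standard ones FreeRADIUS prints; the debug excerpts are
constructed.
"""
import re

# First matching marker wins. Only PAP puts the password on the wire, so only
# a PAP request can feed 'ntlm_auth --password=%{User-Password}'.
METHOD_MARKERS = (
    ("EAP-Message", "EAP"),
    ("MS-CHAP2-Response", "MS-CHAPv2"),
    ("MS-CHAP-Response", "MS-CHAPv1"),
    ("CHAP-Password", "CHAP"),
    ("User-Password", "PAP"),
)

# ntlm_auth credential options per method, taken from the two module
# configurations quoted in this thread. EAP is left out on purpose: the inner
# MS-CHAPv2 exchange shows up as its own request in the inner-tunnel server.
NTLM_AUTH_OPTIONS = {
    "PAP": "--password=%{User-Password}",
    "MS-CHAPv2": "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}",
    "MS-CHAPv1": "--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}",
}

# One indented 'Attribute = value' line of the dump.
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$")


def parse_request(debug_text):
    """Attributes of the first 'rad_recv:' block, as {name: printed value}.

    The dump ends at the first line that is not indented, for example the
    '# Executing section authorize' line that follows it.
    """
    attrs = {}
    in_block = False
    for line in debug_text.splitlines():
        if line.startswith("rad_recv:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = ATTR_RE.match(line)
        if m is None:
            break
        attrs[m.group(1)] = m.group(2)
    return attrs


def classify(attrs):
    """Method name, whether a clear-text password is available to xlat, and
    which ntlm_auth credential options fit that method."""
    for attr, method in METHOD_MARKERS:
        if attr in attrs:
            return {
                "method": method,
                "user_password_available": method == "PAP",
                "ntlm_auth_options": NTLM_AUTH_OPTIONS.get(method),
            }
    return {"method": "unknown", "user_password_available": False, "ntlm_auth_options": None}


# Constructed excerpts in the shape radiusd -X prints (tab-indented attributes).
PAP_REQUEST = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1812, id=1, length=64
\tUser-Name = "user"
\tUser-Password = "password"
\tNAS-IP-Address = 192.0.2.10
# Executing section authorize from file /etc/raddb/sites-enabled/default
"""

MSCHAPV2_REQUEST = """\
rad_recv: Access-Request packet from host 192.0.2.20 port 1812, id=2, length=118
\tUser-Name = "user"
\tMS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff
\tMS-CHAP2-Response = 0x0100aabbccddeeff00112233445566778899aabbccddeeff0011223344556677
\tNAS-IP-Address = 192.0.2.20
# Executing section authorize from file /etc/raddb/sites-enabled/default
"""

if __name__ == "__main__":
    for text in (PAP_REQUEST, MSCHAPV2_REQUEST):
        print(classify(parse_request(text)))
```

For the MS-CHAPv2 excerpt the parser finds no User-Password at all, which is exactly the situation behind the empty `--password=` in the log above: the controller was not "refusing to send the password", it was sending a challenge response that the exec-style ntlm_auth call cannot use.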


Re: FreeRadius, Active Directory, LDAP Authorization

2011-12-07 Thread suggestme
Thank you all for the suggestions.

I have already installed FreeRadius 2.1.12, which I am running, and I have got
ldap in file /usr/local/etc/raddb/modules/ldap; I have gone through it and I
am still not sure where the problem lies.
 
I have included below the part of the debug-mode output that I got
running radiusd -X. I have shown the output part after "Linked to
module rlm_ldap".


Module: Linked to module rlm_ldap
 Module: Instantiating module ldap from file
/usr/local/etc/raddb/modules/ldap
  ldap {
server = Example.com
port = 389
password = 
identity = 
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = allow
   tls {
start_tls = no
require_cert = allow
   }
basedn = dc=Example,dc=com
filter = (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
base_filter = (objectclass=radiusprofile)
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = cn
groupmembership_filter =
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in
the authenticate section.
rlm_ldap: reading ldap-radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x2853e2e0
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module acct_unique from file
/usr/local/etc/raddb/modules/acct_unique
  acct_unique {
key = 

Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread lint

Alan Buxey wrote
 
 and what type of request is coming through? - check the mschap module
 to see the challenge response
 example and 'radiusd -X' for help does help... 
 

Alan, thank you, my wireless controller was set to send MSCHAP-v2.  Changing
the controller to PAP allows it to complete a successful radius ping. 
However, I have moved onto another problem, an 802.1x client will not
authenticate sending EAP-PEAP/EAP-MSCHAP-v2.

I received the following log output from radius:
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: root
[mschap] Told to do MS-CHAPv2 for root with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.


My mschap module is configured as follows:
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

I have also tried:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-domain.net} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Please let me know if you see my errors, or have thoughts.



Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread lint

lint wrote
 
 Alan, thank you, my wireless controller was set to send MSCHAP-v2. 
 Changing the controller to PAP allows it to complete a successful radius
 ping.  However, I have moved onto another problem, an 802.1x client will
 not authenticate sending EAP-PEAP/EAP-MSCHAP-v2.
 

So, if I create a user in the users file, I can connect with that account
over 802.1x.

DEFAULT EAP-Message !* "", Auth-Type := Accept
test Cleartext-Password := "password", MS-CHAP-Use-NTLM-Auth := 0

Doesn't the FreeRADIUS documentation mention that the users file is not
required for NTLM to work with active directory?

This doesn't make sense to me, why would I need to create users when they
already live in active directory?  I know that this means I am doing
something wrong.



Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread Alan Buxey
You certainly don't need to set anything in your users file for 802.1X with an 
AD backend

As already stated, where is your radiusd -X ?

alan




Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread lint

Alan Buxey wrote
 
 You certainly dont need to set anything in your users file for 802.1X with
 an AD backend
 
 As already stated, where is your radiusd -X ?
 

I really apologize, I misunderstood you.  Thank you so much!

Here it is:

FreeRADIUS Version 2.1.11, for host x86_64-redhat-linux-gnu, built on Sep 20
2011 at 13:55:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mschap.org
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/perl.rpmnew
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/packetfence.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/packetfence
including configuration file /etc/raddb/sites-enabled/packetfence-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = radiusd
prefix = /usr
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/radius
run_dir = /var/run/radiusd
libdir = /usr/lib64/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no

Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread Alan Buxey
Hi,

 Ready to process requests.

...and then nothing. The output is only useful if you show a failing
request actually being handled  :-)

alan


Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread Alan Buxey
Hi,

  Module: Instantiating module ntlm_auth from file
 /etc/raddb/modules/ntlm_auth
   exec ntlm_auth {
 wait = yes
 program = /usr/bin/ntlm_auth --request-nt-key
 --domain=domain.net--username=%{mschap:User-Name}
   ^^

PS you have a typo


alan


Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread lint

Alan Buxey wrote
 
 Hi,
 
  Module: Instantiating module ntlm_auth from file
 /etc/raddb/modules/ntlm_auth
   exec ntlm_auth {
 wait = yes
 program = /usr/bin/ntlm_auth --request-nt-key
 --domain=domain.net--username=%{mschap:User-Name}
^^
 
 PS you have a typo
 
 
 alan
 

Alan, sorry, I manually removed my domain and changed it to domain.net in
the log.  It is actually like this:

program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain.net --username=%{mschap:User-Name} --password=%{User-Password}"



Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread Alan Buxey

The freeradius daemon reads ALL files in the modules directory. You have 
duplicates and e.g. .rpmnew files. Remove those and things may just work nicely for you

alan


Re: FreeRadius, Active Directory, LDAP Authorization

2011-12-07 Thread Fajar A. Nugraha
On Thu, Dec 8, 2011 at 3:57 AM, suggestme samanaupadh...@hotmail.com wrote:
 Thank you all for the suggestions.

 I have already installed FreeRadius 2.1.12 which I am running, and I have got
 ldap in file /usr/local/etc/raddb/modules/ldap; I have gone through it and I
 am still not sure where the problem lies.

Have you READ the file?

#===
#  The following two configuration items are for Active Directory
#  compatibility.  If you see the helpful operations error
#  being returned to the LDAP module, uncomment the next
#  two lines.
#
# chase_referrals = yes
# rebind = yes
#===

-- 
Fajar


Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread Fajar A. Nugraha
On Thu, Dec 8, 2011 at 6:11 AM, lint l...@pillclan.com wrote:
 Alan, here is the output of everything with a failed request:

Did you read this?

 Module: Linked to module rlm_chap
  Module: Instantiating module chap from file /etc/raddb/modules/chap
  Module: Linked to module rlm_mschap
  Module: Instantiating module mschap from file
 /etc/raddb/modules/mschap.org
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
  }

and http://deployingradius.com/documents/configuration/active_directory.html
, section Configuring FreeRADIUS to use ntlm_auth for MS-CHAP:
... Then, find the mschap module in raddb/modules/mschap file, and
look for the line containing ntlm_auth = . It is commented out by
default, and should be uncommented, and edited to be as follows ...

you either have NOT edited it, or have a rogue file
(/etc/raddb/modules/mschap.org?) that messed up your configuration.
Fix it until the debug log shows the mschap module is using ntlm_auth.

-- 
Fajar
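Both Alan's remark that the daemon reads every file in the modules directory and Fajar's spotting of `mschap.org` in the debug output come down to the same check: does anything in `raddb/modules/` other than the live files define a module instance? Here is an added example (not FreeRADIUS code and not from the thread) that walks a modules directory, flags files with backup-style suffixes, and reports any instance name defined in more than one file. It builds a constructed temporary directory that mirrors the situation in this thread (a `mschap` and a `mschap.org`, plus a `perl.rpmnew`); the list of suffixes and the `name {` parsing are this example's own assumptions, and the parser only recognises top-level `name {` or `type name {` definitions, which is the form the stock module files use.

```python
"""Find stray files in raddb/modules/ that FreeRADIUS 2.x loads anyway.

The server reads every file in the modules directory, so a backup such as
mschap.org or a package-manager leftover such as perl.rpmnew defines a second
copy of the same module instance and can replace the one you edited.

Added example; not FreeRADIUS code and not from the list thread. The suffix
list and the instance-name parsing are this example's own assumptions.
"""
import os
import re
import tempfile

# Suffixes that mark a file as a copy rather than a live module definition.
BACKUP_SUFFIXES = (".org", ".orig", ".bak", ".old", ".rpmnew", ".rpmsave", ".dpkg-dist", "~")

# Top-level instance definition at column 0: 'mschap {' or 'exec ntlm_auth {'.
INSTANCE_RE = re.compile(r"^(?:[A-Za-z_][\w-]*\s+)?([A-Za-z_][\w.-]*)\s*\{")


def instance_names(path):
    """Module instance names defined at the top level of one file."""
    names = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = INSTANCE_RE.match(line)
            if m:
                names.append(m.group(1))
    return names


def audit_modules_dir(modules_dir):
    """Return (backup_files, duplicate_instances).

    backup_files: sorted file names ending in a BACKUP_SUFFIXES entry.
    duplicate_instances: {instance name: [files defining it]} for names
    defined in more than one file, regardless of suffix.
    """
    backups = []
    owners = {}
    for fname in sorted(os.listdir(modules_dir)):
        path = os.path.join(modules_dir, fname)
        if not os.path.isfile(path):
            continue
        if fname.endswith(BACKUP_SUFFIXES):
            backups.append(fname)
        for name in instance_names(path):
            owners.setdefault(name, []).append(fname)
    duplicates = {n: files for n, files in owners.items() if len(files) > 1}
    return backups, duplicates


def build_sample_modules_dir():
    """Constructed directory mimicking the situation in the thread."""
    d = tempfile.mkdtemp(prefix="raddb-modules-")
    files = {
        "mschap": "mschap {\n\tuse_mppe = yes\n\tntlm_auth = \"/usr/bin/ntlm_auth ...\"\n}\n",
        "mschap.org": "mschap {\n\tuse_mppe = yes\n\trequire_encryption = no\n}\n",
        "perl.rpmnew": "perl {\n\tmodule = ${confdir}/example.pl\n}\n",
        "ntlm_auth": "exec ntlm_auth {\n\twait = yes\n\tprogram = \"/usr/bin/ntlm_auth ...\"\n}\n",
        "pap": "pap {\n\tauto_header = yes\n}\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    sample = build_sample_modules_dir()
    backups, duplicates = audit_modules_dir(sample)
    print("backup-style files:", backups)
    for name, files in duplicates.items():
        print(f"instance '{name}' defined in: {', '.join(files)}")
```

Point `audit_modules_dir` at the real `/etc/raddb/modules` and anything it lists is a candidate to move out of the directory before restarting; the debug output's `Instantiating module mschap from file ...` line then tells you which definition actually won.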


Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread lint

Fajar A. Nugraha-2 wrote
 
 Did you read this?
 
 Module: Linked to module rlm_chap
  Module: Instantiating module chap from file /etc/raddb/modules/chap
  Module: Linked to module rlm_mschap
  Module: Instantiating module mschap from file
 /etc/raddb/modules/mschap.org
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
  }
 
 and
 http://deployingradius.com/documents/configuration/active_directory.html
 , section "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP":
 "... Then, find the mschap module in raddb/modules/mschap file, and
 look for the line containing ntlm_auth = . It is commented out by
 default, and should be uncommented, and edited to be as follows ..."
 
 You either have NOT edited it, or have a rogue file
 (/etc/raddb/modules/mschap.org?) that messed up your configuration.
 Fix it until the debug log shows the mschap module is using ntlm_auth.
 
 -- 
 Fajar

Ah, that is clear now.  I made backups of the files in modules before I
modified them, as I always do with configuration files.  I didn't realize
that FreeRADIUS loads all modules.  I will move the backups to my home
directory and try again tomorrow.  Thank you Alan and Fajar!

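The backup-copy problem lint ran into, as an added example that is not from the thread or from the FreeRADIUS project: FreeRADIUS 2.x includes every file under raddb/modules/, so a stray mschap.org defines a second mschap instance. This check parses each file for its top-level instance blocks, reports names defined in more than one file, and lists mschap blocks whose ntlm_auth line is still commented out; the SAMPLE_FILES contents are constructed for the demo.

```python
import re
from pathlib import Path
# "mschap {" names the instance mschap; "sql sql1 {" names it sql1.
HEADER_RE = re.compile(r"^([\w.-]+)(?:\s+([\w.-]+))?\s*\{$")
# Constructed sample of raddb/modules/ as in the thread: the edited mschap
# plus a backup copy mschap.org still carrying the commented-out default.
SAMPLE_FILES = {
    "chap": "chap {\n\tauthtype = CHAP\n}\n",
    "mschap": ("mschap {\n\tuse_mppe = yes\n"
               "\tntlm_auth = \"/usr/bin/ntlm_auth --request-nt-key\"\n}\n"),
    "mschap.org": ("mschap {\n\tuse_mppe = yes\n"
                   "#\tntlm_auth = \"/usr/bin/ntlm_auth --request-nt-key\"\n}\n"),
}

def parse_instances(text):
    """{instance: [body lines]} for one file's top-level blocks. Brace depth keeps
    nested sub-sections out; '#' comments are stripped (naively, even in quotes)."""
    instances, depth, current = {}, 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0:
            m = HEADER_RE.match(line)
            if m:
                current = m.group(2) or m.group(1)
                instances[current] = []
        elif current is not None and line != "}":
            instances[current].append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return instances

def read_modules_dir(path):
    """Every regular file in the dir, as FreeRADIUS 2.x's '$INCLUDE modules/' loads them."""
    return {p.name: p.read_text(errors="replace")
            for p in sorted(Path(path).iterdir()) if p.is_file()}

def duplicate_instances(files):
    """{instance: [files]} for every instance defined in more than one file."""
    defined_in = {}
    for fname, text in files.items():
        for inst in parse_instances(text):
            defined_in.setdefault(inst, []).append(fname)
    return {k: sorted(v) for k, v in defined_in.items() if len(v) > 1}

def mschap_without_ntlm_auth(files):
    """Files whose mschap {} block lacks an uncommented ntlm_auth setting."""
    return sorted(f for f, t in files.items() if "mschap" in parse_instances(t)
                  and not any(ln.startswith("ntlm_auth") for ln in parse_instances(t)["mschap"]))
```

Run it on a real tree with `duplicate_instances(read_modules_dir("/etc/raddb/modules"))`; any name reported there is a file that should not be in the directory.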


Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread Fajar A. Nugraha
On Thu, Dec 8, 2011 at 9:26 AM, lint l...@pillclan.com wrote:
 I made backups of the files in modules before I
 modified them, as I always do with configuration files.  I didn't realize
 that FreeRADIUS loads all modules.  I will move the backups to my home
 directory and try again tomorrow

Somewhat off topic, did you know you can use git to keep track of
configuration changes? Something like this should make your life a lot
easier:
- cd /etc/raddb
- git init
- every time you make a change, do git commit -a

-- 
Fajar



Re: Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

2011-12-07 Thread lint

Fajar A. Nugraha-2 wrote
 
 Somewhat off topic, did you know you can use git to keep track of
 configuration changes? Something like this should make your life a lot
 easier:
 - cd /etc/raddb
 - git init
 - every time you make a change, do git commit -a
 
 -- 
 Fajar
 

I have heard of git in the past through github, but thought that it was
really only used by programmers to collaborate on project changes.  I will
definitely start using this command.

Seriously, Fajar, thank you for your time on this.



FreeRADIUS with LDAP Support

2011-12-07 Thread Nick Khamis
Hello Everyone,

I tried to compile FreeRADIUS with LDAP support; however, rlm_ldap has
not been compiled.
Are libldap-2.4-2 and libldap-dev not sufficient? Do I need to install OpenLDAP?

Thanks in Advance,

Nick.


Re: run radius in debug mode with screen

2011-12-07 Thread Denis Volkov

Hello, Евгений


ufa-rad2:# screen -d -m freeradius  -X -d /etc/freeradius/test/

Works without any problem on Linux.

But I guess you should find out the cause of the problem and not try to
work around it by running FreeRADIUS in debug mode.

1. FreeRADIUS stops working in non-debug mode once or more times a day
First of all, try to update FreeRADIUS to the latest version. I too had
crashes with 2.1.10. Had to update to 2.1.12 to get rid of the crashes.



--

Best regards,
D. A. Volkov
CTE, Bashinformsvyaz OJSC, Ufa
tel. +7(347)2001168
mailto:vol...@ufamts.ru



packet in freeradius

2011-12-07 Thread Harish Mandowara
Hi all,

After authentication by FreeRADIUS, does each and every packet go through the
server? Or after authentication will the access point or router handle all
of this?

-- 
Warm Regards

Harish Mandowara





Re: packet in freeradius

2011-12-07 Thread Толик Шавловский
Hi,

After auth, each packet will go through the NAS (AP, router).




08 December 2011, 10:28 from Harish Mandowara hari...@cdac.in:
 Hi all,
 
 After authentication by FreeRADIUS, does each and every packet go through the
 server? Or after authentication will the access point or router handle all
 of this?
 
 --
 Warm Regards
 
 Harish Mandowara
 


Re[6]: authentication with mysql and NAS type= other

2011-12-07 Thread tolik_shavlov...@mail.ru
David,

Usually Alvarion WiMAX 802.16 are 4M products. Extreme is 802.16 standard but
for a non-WiMAX band, 5 GHz. All Alvarion hexes the username, like 97697...@wimax.com

So, you just guessed it was Extreme?))


07 December 2011, 20:33 from David Peterson-19 [via FreeRadius]
ml-node+s1045715n5056216...@n5.nabble.com:

I know it's Extreme because we sell Alvarion WiMax for all of North America.
 
Keepaliveusernameandpassword is a generic request coming from the BTS which can 
either be accepted or denied.  Either response is fine.  
 
The Extreme uses EAP-TTLS as does all WiMax so the username should be something 
like [hidden email] 
 
David
 
 
From: freeradius-users-bounces+david.peterson=[hidden email] 
[mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of 
[hidden email]
Sent: Wednesday, December 07, 2011 11:03 AM
To: [hidden email]
Subject: Re[4]: authentication with mysql and NAS type= other
 
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = 
KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 17:57:06 2011
++[detail] returns ok
++[unix] returns fail
Finished request 247.
Cleaning up request 247 ID 56 with timestamp +1802
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, 
length=181
User-Name = KeepAliveUserNameAndPassword
NAS-IP-Address = 10.152.98.23
NAS-Port-Type = Wireless-802.16
NAS-Port = 0
Calling-Station-Id = \000\000\000\000\000
NAS-Identifier = 1137128000
WiMAX-GMT-Timezone-offset = 0
Message-Authenticator = 0x892bc16577cd6753b2a7e0c0a3499523
Acct-Session-Id = KeepAliveSessionId
User-Password = KeepAliveUserNameAndPassword
# Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} - KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user -- 'KeepAliveUserNameAndPassword'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE 
username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, 
value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER 
BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = 
'%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup 
WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User KeepAliveUserNameAndPassword not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may 
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user
Failed to authenticate the user.
Login incorrect: [KeepAliveUserNameAndPassword/KeepAliveUserNameAndPassword] 
(from client 10.152.98.23/16 port 0 cli )
===
login and password are correct!

How did you know that it's Extreme by NAS identifier?




07 December 2011, 19:16 from David Peterson-19 [via FreeRadius] [hidden email]:
The only requests I see are User-Name = KeepAliveUserNameAndPassword
This is just a keep-alive packet all Alvarion Extreme base stations send out.  
I do not see the CPE attempting to authenticate.
 
David
 
From: freeradius-users-bounces+david.peterson=[hidden email] 
[mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of 
[hidden email]
Sent: Wednesday, December 07, 2011 10:05 AM
To: [hidden email]
Subject: Re[2]: authentication with mysql and NAS type= other
 
here is debug:
ad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, 
length=135
User-Name = KeepAliveUserNameAndPassword
NAS-IP-Address = 10.152.98.23
NAS-Port-Type = Wireless-802.16
NAS-Port = 0
Calling-Station-Id = \000\000\000\000\000
NAS-Identifier = 1137128000
WiMAX-GMT-Timezone-offset = 0
Acct-Status-Type = Stop

Re[6]: authentication with mysql and NAS type= other

2011-12-07 Thread Толик Шавловский
Hi,

mysql> use freeradius;
Database changed
mysql> select * from radcheck;
+----+-----------------+--------------------+----+------------------+
| id | username        | attribute          | op | value            |
+----+-----------------+--------------------+----+------------------+
|  1 | user            | Password           | == | user             |
|  3 | t...@wimax.com  | Cleartext-Password | := | test             |
|  5 | te...@wimax.com | Cleartext-Password | := | test             |
| 10 | user            | Simultaneous-Use   | := | 1                |
|  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
|  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
+----+-----------------+--------------------+----+------------------+


user is for WiFi;
test and tes1 are for WiMAX.

All usernames are authenticated for WiFi.

WiMAX cannot. I don't know why it uses username =
'KeepAliveUserNameAndPassword', like in the debug?? When I used the users file in
FR with the same usernames, it was OK. I really use the same usernames for auth in
my WiMAX CPEs.

07 December 2011, 20:17 from Fajar A. Nugraha l...@fajar.net:
 On Wed, Dec 7, 2011 at 11:02 PM, tolik_shavlov...@mail.ru
 tolik_shavlov...@mail.ru wrote:
  SELECT id, username, attribute,
  value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword'
  ORDER BY id
 
  SELECT groupname FROM radusergroup
  WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
 
 What do you get when you execute those two queries in mysql directly?
 
  [sql] User KeepAliveUserNameAndPassword not found
 
 the sql module says the user is not found. It doesn't lie.
 
  ===
  login and password are correct!
 
 And how did you know that? Did you setup the tables correctly? Hint:
 execute those two queries above.
 
 --
 Fajar


Re: Re[6]: authentication with mysql and NAS type= other

2011-12-07 Thread Fajar A. Nugraha
2011/12/8 Толик Шавловский tolik_shavlov...@mail.ru:
 Hi,

 mysql> use freeradius;
 Database changed
 mysql> select * from radcheck;
 +----+-----------------+--------------------+----+------------------+
 | id | username        | attribute          | op | value            |
 +----+-----------------+--------------------+----+------------------+
 |  1 | user            | Password           | == | user             |
 |  3 | t...@wimax.com  | Cleartext-Password | := | test             |
 |  5 | te...@wimax.com | Cleartext-Password | := | test             |
 | 10 | user            | Simultaneous-Use   | := | 1                |
 |  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
 |  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
 +----+-----------------+--------------------+----+------------------+

There's no user called 'KeepAliveUserNameAndPassword'

 Wimax cannot.  I don't know why it uses username = 
 'KeepAliveUserNameAndPassword', like in the debug??

Because the NAS sends it. If you think it shouldn't, examine the NAS
config. Or ask the NAS vendor.

The log doesn't lie. Did you ACTUALLY test authentication with a
client connecting to the NAS? Or did you just start up FR in debug
mode and hope there would be a packet from the NAS?

-- 
Fajar



Re: authentication with mysql and NAS type= other

2011-12-07 Thread Alan DeKok
Толик Шавловский wrote:
 Hi,
 
 mysql> use freeradius;
 Database changed
 mysql> select * from radcheck;
 +----+-----------------+--------------------+----+------------------+
 | id | username        | attribute          | op | value            |
 +----+-----------------+--------------------+----+------------------+
 |  1 | user            | Password           | == | user             |

  Change that to Cleartext-Password and :=, like the other entries.

 all usernames are authenticated for WiFi.
 
 Wimax cannot.

  Post the debug output for WiMAX.  Honestly, I don't see why *anyone*
needs to be told this.

  Alan DeKok.
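Alan's fix and the two lookups from the debug log, as an added Python example that is not from the thread or from FreeRADIUS: an in-memory SQLite copy of radcheck/radusergroup in the shape of the table posted (rows constructed, usernames made up since the archive elided them), the queries exactly as rlm_sql expanded them in the log, and the `Password ==` row rewritten to `Cleartext-Password :=`.

```python
import sqlite3
# Constructed rows in the shape of the posted radcheck table (usernames made up).
RADCHECK_ROWS = [
    (1, "user", "Password", "==", "user"),
    (3, "test@example.com", "Cleartext-Password", ":=", "test"),
    (5, "tes1@example.com", "Cleartext-Password", ":=", "test"),
    (10, "user", "Simultaneous-Use", ":=", "1"),
    (8, "test@example.com", "Framed-Filter-Id", ":=", "SP=data:MSF=data"),
]
RADUSERGROUP_ROWS = [("user", "wifi", 1)]  # constructed

# The two queries exactly as rlm_sql expands them in the posted debug output.
CHECK_SQL = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = ? ORDER BY id"
GROUP_SQL = "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority"

def build_db():
    """In-memory SQLite stand-in for the freeradius MySQL schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
                 " attribute TEXT, op TEXT, value TEXT)")
    conn.execute("CREATE TABLE radusergroup (username TEXT, groupname TEXT,"
                 " priority INTEGER)")
    conn.executemany("INSERT INTO radcheck VALUES (?,?,?,?,?)", RADCHECK_ROWS)
    conn.executemany("INSERT INTO radusergroup VALUES (?,?,?)", RADUSERGROUP_ROWS)
    return conn

def authorize_lookup(conn, username):
    """What the sql module sees for one User-Name; both lists empty is the
    '[sql] User ... not found' / 'returns notfound' case from the log."""
    check = conn.execute(CHECK_SQL, (username,)).fetchall()
    groups = [g for (g,) in conn.execute(GROUP_SQL, (username,))]
    return {"found": bool(check or groups), "check": check, "groups": groups}

def legacy_password_rows(conn):
    """Rows still in the 'Password ==' form that Alan tells the poster to change."""
    return conn.execute("SELECT id, username FROM radcheck "
                        "WHERE attribute = 'Password' AND op = '=='").fetchall()

def fix_legacy_password(conn):
    """Rewrite those rows to 'Cleartext-Password :='; returns rows changed."""
    cur = conn.execute("UPDATE radcheck SET attribute = 'Cleartext-Password', "
                       "op = ':=' WHERE attribute = 'Password' AND op = '=='")
    conn.commit()
    return cur.rowcount

def run_demo():
    """Keep-alive lookup (not found), then the fix applied to the 'user' row."""
    conn = build_db()
    keepalive = authorize_lookup(conn, "KeepAliveUserNameAndPassword")["found"]
    legacy, changed = legacy_password_rows(conn), fix_legacy_password(conn)
    return keepalive, legacy, changed, authorize_lookup(conn, "user")["check"][0]
```

Against a real MySQL instance, `legacy_password_rows` is the query to run before touching anything; the NAS keep-alive user is simply absent from the table, which is exactly what the log reported.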


Re: run radius in debug mode with screen

2011-12-07 Thread Alan DeKok
Коньков Евгений wrote:
 BUG: you must not detach from console when 'radiusd -X'

  FreeRADIUS does *not* detach from the console when using radiusd -X.

  Alan DeKok.


Re: FreeRadius, Active Directory, LDAP Authorization

2011-12-07 Thread Alan DeKok
suggestme wrote:
 I have already installed FreeRadius 2.1.12 which I am running, and I have got
 ldap in file /usr/local/etc/raddb/modules/ldap; I have gone through it and I
 am still not sure where the problem lies.

  The problem is you.

  You were told to look for operations error in raddb/modules/ldap.
Since you say you read that file, there are only two options:

  1) you found it
  2) you didn't find it.

  If you found it, you should have followed the instructions.

  If you didn't find it, you should SAY you didn't find it.  We tell you
to read documentation which exists.  So if you can't find it, there's a
problem in your local installation.

  But... your response didn't match option (1) or (2).  It's like me
asking "are you running version 1 or version 2", and your response is
"my cat's name is mittens".

  Alan DeKok.