[no subject]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[no subject]
Hi,

I have an interesting scenario where a broadband user has Auth-Type=Reject configured as an attribute in the back-end database of FreeRADIUS, and this appears to be working, as radtest and radclient confirm (the Access-Reject packet is received):

    [root@radius-one radius]# echo User-Name=mmelbourne@realm,Password=mypassword,Framed-Protocol=PPP | radclient -x -s 127.0.0.1 auth radius_secret
    Sending Access-Request of id 45 to 127.0.0.1 port 1812
            User-Name = mmelbourne@realm
            Password = mypassword
            Framed-Protocol = PPP
    rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45, length=73
            Reply-Message = Your account has been disabled, please call support
    Total approved auths: 0
    Total denied auths: 1
    Total lost auths: 0

However, on the NAS (LNS), a radius debug shows that the authentication succeeds with an Access-Accept, even though the account disabled Reply-Message is received:

    May 23 14:12:28.076: RADIUS(00011A84): Send Access-Request to 213.x.x.x:1812 id 21793/12, len 107
    May 23 14:12:28.076: RADIUS: authenticator 70 A9 8C A5 A8 79 A8 61 - 4D F6 99 37 F7 63 FE A5
    May 23 14:12:28.076: RADIUS: Framed-Protocol [7] 6 PPP [1]
    May 23 14:12:28.076: RADIUS: User-Name [1] 21 mmelbourne@realm
    May 23 14:12:28.076: RADIUS: CHAP-Password [3] 19 *
    May 23 14:12:28.076: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
    May 23 14:12:28.076: RADIUS: NAS-Port[5] 6 826
    May 23 14:12:28.076: RADIUS: NAS-Port-Id [87] 17 Uniq-Sess-ID826
    May 23 14:12:28.076: RADIUS: Service-Type[6] 6 Framed [2]
    May 23 14:12:28.076: RADIUS: NAS-IP-Address [4] 6 88.x.x.x
    May 23 14:12:28.084: RADIUS: Received from id 21793/12 213.x.x.x:1812, Access-Accept, len 157
    May 23 14:12:28.084: RADIUS: authenticator 79 6C DA EB 1A CC AD CA - BB E3 C9 CE D1 C3 AC 47
    May 23 14:12:28.084: RADIUS: Reply-Message [18] 53
    May 23 14:12:28.084: RADIUS: 59 6F 75 72 20 61 63 63 6F 75 6E 74 20 68 61 73 [Your account has]
    May 23 14:12:28.084: RADIUS: 20 62 65 65 6E 20 64 69 73 61 62 6C 65 64 2C 20 [ been disabled, ]
    May 23 14:12:28.084: RADIUS: 70 6C 65 61 73 65 20 63 61 6C 6C 20 73 75 70 70 [please call supp]
    May 23 14:12:28.084: RADIUS: 6F 72 74 [ ort]
    May 23 14:12:28.084: RADIUS: Framed-IP-Address [8] 6 77.x.x.x
    May 23 14:12:28.084: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
    May 23 14:12:28.084: RADIUS: Framed-Protocol [7] 6 PPP [1]
    May 23 14:12:28.084: RADIUS: Service-Type[6] 6 Framed [2]
    May 23 14:12:28.084: RADIUS: Vendor, Cisco [26] 54
    May 23 14:12:28.084: RADIUS: Cisco AVpair [1] 48 ip:dns-servers=213.x.x.x 213.x.x.x
    May 23 14:12:28.084: RADIUS: Idle-Timeout[28] 6 28800

The only difference I can see is that the first example uses a plain-text password, and the RADIUS on the LNS is using CHAP? The backend database has = in the 'op' field (and not :=), so the returned attribute is Auth-Type = Reject and not Auth-Type := Reject, but it is correctly rejected using radtest/radclient, and I believe the = operand to be correct.

Has anyone seen anything similar; the NAS is a 7206VXR running 12.2(31)SB2 and the backend is FreeRADIUS 1.1?

--
Matthew Melbourne
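As an added example (not from the thread or from FreeRADIUS), a small parser over Cisco "debug radius" output like the LNS trace above: it reassembles Reply-Message from the hex-dump lines and flags any request answered with Access-Accept whose own Reply-Message says the account is disabled, which is the inconsistency reported in this post. The regexes are written against the line shapes shown above; the second exchange in the sample (id 21793/13) is constructed.

```python
"""Added example (not from the thread): parse Cisco 'debug radius' output
like the LNS trace above, rebuild Reply-Message from its hex dump and flag
Access-Accepts that carry an account-disabled message."""
import re

SEND_RE = re.compile(r"RADIUS\(\w+\): Send Access-Request to (\S+) id (\d+/\d+)")
RECV_RE = re.compile(r"RADIUS: Received from id (\d+/\d+) (\S+), (Access-\w+), len (\d+)")
ATTR_RE = re.compile(r"RADIUS: +([A-Za-z-]+) *\[(\d+)\] +(\d+)")
HEX_RE = re.compile(r"RADIUS: ((?:[0-9A-F]{2} )+)\[")   # "RADIUS: 59 6F ... 73 [Your account has]"


def parse_debug(lines):
    """Map each request id (e.g. '21793/12') to the server it went to, the
    response code and the decoded Reply-Message text."""
    exchanges = {}
    current = None            # exchange whose response attributes are being read
    in_reply_message = False  # True while hex-dump lines belong to Reply-Message
    for line in lines:
        m = SEND_RE.search(line)
        if m:
            exchanges[m.group(2)] = {"server": m.group(1), "code": None, "reply_message": ""}
            current, in_reply_message = None, False
            continue
        m = RECV_RE.search(line)
        if m:
            current = exchanges.setdefault(
                m.group(1), {"server": m.group(2), "code": None, "reply_message": ""})
            current["code"], in_reply_message = m.group(3), False
            continue
        if current is None:
            continue              # attributes of the outgoing request: not needed here
        m = HEX_RE.search(line)
        if m and in_reply_message:
            # continuation dump of Reply-Message: decode the hex pairs, ignore the ASCII column
            current["reply_message"] += bytes.fromhex(m.group(1).replace(" ", "")).decode("ascii", "replace")
            continue
        m = ATTR_RE.search(line)
        in_reply_message = bool(m) and m.group(1) == "Reply-Message"
    return exchanges


def disabled_accepts(exchanges, marker="disabled"):
    """Request ids answered with Access-Accept although the server's own
    Reply-Message says the account is disabled: the symptom in the post."""
    return sorted(rid for rid, ex in exchanges.items()
                  if ex["code"] == "Access-Accept" and marker in ex["reply_message"].lower())


# Reply body exactly as the LNS dumped it (hex pairs plus Cisco's ASCII column).
REPLY_DUMP = [
    "May 23 14:12:28.084: RADIUS: Reply-Message [18] 53",
    "May 23 14:12:28.084: RADIUS: 59 6F 75 72 20 61 63 63 6F 75 6E 74 20 68 61 73 [Your account has]",
    "May 23 14:12:28.084: RADIUS: 20 62 65 65 6E 20 64 69 73 61 62 6C 65 64 2C 20 [ been disabled, ]",
    "May 23 14:12:28.084: RADIUS: 70 6C 65 61 73 65 20 63 61 6C 6C 20 73 75 70 70 [please call supp]",
    "May 23 14:12:28.084: RADIUS: 6F 72 74 [ ort]",
]

# Constructed sample: the accepted exchange from the post, followed by a made-up
# second request (id 21793/13) that the server answers with Access-Reject.
SAMPLE_DEBUG = [
    "May 23 14:12:28.076: RADIUS(00011A84): Send Access-Request to 213.x.x.x:1812 id 21793/12, len 107",
    "May 23 14:12:28.076: RADIUS: User-Name [1] 21 mmelbourne@realm",
    "May 23 14:12:28.084: RADIUS: Received from id 21793/12 213.x.x.x:1812, Access-Accept, len 157",
    *REPLY_DUMP,
    "May 23 14:12:28.084: RADIUS: Framed-IP-Address [8] 6 77.x.x.x",
    "May 23 14:13:02.001: RADIUS(00011A85): Send Access-Request to 213.x.x.x:1812 id 21793/13, len 107",
    "May 23 14:13:02.009: RADIUS: Received from id 21793/13 213.x.x.x:1812, Access-Reject, len 73",
    *REPLY_DUMP,
]
```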
[no subject]
Hi All

I have created a stored procedure in the PostgreSQL database named findout_cuncurrent_session_for_a_user_result that returns Deny or Permit. I need to call this procedure in the session section but it is not working. I checked all the policy that is explained in the unlang man page but this code is not working:

    session {
        if ("%{sql:select findout_cuncurrent_session_for_a_user_result('%{User-Name}','%{NAS-IP-Address}','%{Called-Station-Id}','%{Calling-Station-Id}')}" == "Deny") {
            update control {
                Pool-Name := Exceeded-Concurrent-Session
            }
        }
    }

What is the problem? Did I write the sql query right? (this query works fine in sql.conf)
[no subject]
In schema.sql for PostgreSQL we do not have any primary key for the radusergroup table. Is that normal or do we have some problem?
[no subject]
Hi,

How can I replicate accounting packets to multiple servers when I have only one realm? I have setup replicate and replicate-to realm in accounting section and also home_server and pool in proxy.conf but replication only works for the first home server. It wouldn't replicate accounting to the other server.

This is how my proxy.conf config for replication looks.

    home_server remote_server {
        ipaddr = x.x.x.x
        port = 1813
        type = acct
        secret = testing123
    }

    home_server col_server {
        ipaddr = x.x.x.x
        port = 1813
        type = acct
        secret = testing
    }

    home_server_pool remote_pool {
        type = fail-over
        home_server = remote_server
    }

    home_server_pool col_pool {
        type = fail-over
        home_server = col_server
    }

    DEFAULT {
        Replicate-To-Realm := remote
    }

    realm remote {
        acct_pool = remote_pool
        acct_pool = col_pool
    }

I just see the replication accounting packets being sent only to remote_server and not to col_server.

Thanks,
Shreya.
[no subject]
Hi,

I’m trying to deploy FreeRadius as an accounting solution in my network. My scenario is like this: [image attached]

Fortigate Firewall is already integrated with Active Directory and may send authenticated requests to FreeRadius, which is as well integrated with Active Directory.

The work to be done:
1. using NAS (Fortigate Firewall in this case) attributes to do the accounting;
2. Specifying special Active Directory groups in FreeRadius configuration to have Internet access.

May you help me with the solution or at least give me some hints?

Thanks,
Alireza Goftari

attachment: Scenario.png
[no subject]
Hi all,

I want to configure the free radius to return access-reject based on the value of a particular column in the database. How do I do that? Please help.

Thanks
Regards,
Yashaswini | Prod Engg | Tech Mahindra Ltd.
[no subject]
Hi,

can we send accounting request using radeapclient ?? I am getting the following error:

    radeapclient -x 172.168.200.15 acct testing123
    User-Name= testuser
    EAP-Code = Response
    EAP-Id = 210
    EAP-Type-Identity = testuser
    Message-Authenticator = 0x00

    +++ About to send encoded packet:
            User-Name = testuser
            EAP-Code = Response
            EAP-Id = 210
            EAP-Type-Identity = testuser
            Message-Authenticator = 0x00
    rlm_eap: EAP-Message not found
    +++ EAP decoded packet:

Regards,
Arpit
[no subject]
Hello everyone,

in /etc/raddb/sql/mysql/counter.conf there is %b (unix time value of beginning of reset period) which makes things like

    sqlcounter counterChilliSpotMaxTotalOctetsDaily {
        counter-name = ChilliSpot-Max-Total-Octets-Daily
        check-name = CS-Total-Octets-Daily
        counter-type = data
        reply-name = ChilliSpot-Max-Total-Octets
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }

possible. How would I get the value of %b for a user from, say, PHP so I can calculate and show them how much bandwidth they have left?
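As an added example (not from the thread or from the rlm_sqlcounter sources), the computation behind %b and the usage query above, in Python rather than PHP: period_start() is my reading of how the module truncates the current time for the daily, weekly and monthly reset values, and octets_used_since() applies the same row selection as the posted query to constructed radacct rows.

```python
"""Added example: the value rlm_sqlcounter substitutes for %b (start of the
current reset period) and the bytes a user has used since then, computed
over constructed radacct rows with the same selection as the posted query."""
from datetime import datetime, timedelta, timezone


def period_start(now: datetime, reset: str) -> int:
    """Unix time of the beginning of the reset period containing `now`.
    This is my reading of the module's daily/weekly/monthly handling: it
    truncates the broken-down time, with weeks starting on Sunday as tm_wday
    does.  The module works in the server's local time, so pass a tz-aware
    `now` in that zone (UTC is used below only to keep the sample fixed)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if reset == "daily":
        start = midnight
    elif reset == "weekly":
        # datetime.weekday() is Monday=0..Sunday=6; tm_wday counts Sunday as 0
        start = midnight - timedelta(days=(now.weekday() + 1) % 7)
    elif reset == "monthly":
        start = midnight.replace(day=1)
    elif reset == "never":
        return 0
    else:
        raise ValueError(f"unsupported reset value: {reset!r}")
    return int(start.timestamp())


# Reference time for the constructed data: 2012-05-23 14:12 UTC (a Wednesday).
NOW = datetime(2012, 5, 23, 14, 12, tzinfo=timezone.utc)
B_DAILY = period_start(NOW, "daily")

# Constructed radacct rows:
# (UserName, UNIX_TIMESTAMP(AcctStartTime), AcctSessionTime, AcctInputOctets, AcctOutputOctets)
RADACCT = [
    ("mmelbourne", B_DAILY - 7200, 3600, 1_000_000, 4_000_000),  # ended before midnight: not counted
    ("mmelbourne", B_DAILY - 1800, 3600,   500_000, 2_500_000),  # crossed midnight: counted in full
    ("mmelbourne", B_DAILY + 3600,  600,   100_000,   900_000),  # started today
    ("other",      B_DAILY +   60,   60,    50_000,    50_000),  # another user
]


def octets_used_since(rows, username: str, b: int) -> int:
    """Same rows as
    SELECT IFNULL(SUM(AcctInputOctets + AcctOutputOctets), 0) FROM radacct
    WHERE UserName = ? AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > ?
    A session that merely overlaps the period is counted whole, exactly as the
    posted query does (nothing is pro-rated for the part before %b)."""
    return sum(i + o for u, start, dur, i, o in rows if u == username and start + dur > b)


def octets_remaining(rows, username: str, b: int, max_total: int) -> int:
    """What a portal page could show: ChilliSpot-Max-Total-Octets minus usage, floored at 0."""
    return max(max_total - octets_used_since(rows, username, b), 0)
```

The same arithmetic in PHP is mktime() with the hour, minute and second set to zero (and the day adjusted for weekly or monthly), run in the RADIUS server's time zone.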
[no subject]
Hi people,

I work at a university, we use Freeradius 2.1.10. We use Hotspot service on ruckus wireless network, and it works fine with our freeradius, but we are trying to put it as 802.1x and it's not working, I fixed a few things. We use a sql base to get the info of the users. So I will paste the error here, so you guys can see.

http://dpaste.com/833344/

So up in the link is the error. Thanks in advance guys. If you need anything else just tell me and I'll get it.
[no subject]
hi, this error is showing while sending auth request..

    ERROR ::Default value returned from sql_mysql.c auth function.!
    ERROR ::Means mysql server DOWN or problem in query execution

what is wrong in radius??? please help me in this regards

Qasim
[no subject]
Hi users,

I've setup a new virtual FR 2.1.12 server on centos6. I have got the new server setup per the docs at freeradius.org. Radtest locally and NtradPing remotely are working.

Now, I need FR to use a Perl script to authenticate against a proprietary DB. I have put in a bit of time researching how to use the Perl module. But, as a newbie to FR I can't seem to find any step-by-step documentation to use the Perl module. Could someone point me to such documentation?

Here is the script that the old FR 1.13-1.6.el5 was using, I need this to run on the new FR server.

    use strict;
    use LWP::Simple;            # provides get()
    use vars qw(%RAD_REQUEST %RAD_REPLY);

    # return codes rlm_perl expects, as in the module's example.pl
    use constant RLM_MODULE_REJECT => 0;
    use constant RLM_MODULE_OK     => 2;

    sub authenticate {
        my $logfile = "/dev/null";
        my $date = `/bin/date`;
        chomp $date;
        # the user's password is sent as part of the URL to the patron API
        my $url = "http://ProprietaryServer.PropritartyIssue.Bad:4500/PATRONAPI/"
                . $RAD_REQUEST{'User-Name'} . "/" . $RAD_REQUEST{'User-Password'} . "/pintest";
        my $output = get($url);

        # For debugging purposes only
        # log_request_attributes;

        if ($output =~ /RETCOD=0/) {
            # note: the clear-text password is echoed into the log file
            `echo "$date : SUCCESS $RAD_REQUEST{'User-Name'} - $RAD_REQUEST{'User-Password'}" >> $logfile`;
            $RAD_REPLY{'Reply-Message'} = "Success";
            return RLM_MODULE_OK;
        } else {
            `echo "$date : FAIL $RAD_REQUEST{'User-Name'} - $RAD_REQUEST{'User-Password'}" >> $logfile`;
            $RAD_REPLY{'Reply-Message'} = "Denied access by RADIUS";
            return RLM_MODULE_REJECT;
        }
    }

Any help is appreciated...
[no subject]
Thank you for the reply Thomas, this is the results of searching for that:

    /usr/lib64/mysql/libmysqlclient.so.16
    /usr/lib64/mysql/libmysqlclient.so.16.0.0
    /usr/lib64/mysql/libmysqlclient_r.so.16
    /usr/lib64/mysql/libmysqlclient_r.so.16.0.0

All of that is your standard libraries included in the RPM package and fairly common really so far as I can see.

> Hello Bryan,
>
>> [root@radiusdev ~]# rpm -qa | grep mysql
>> mysql-5.1.61-4.el6.x86_64
>> mysql-devel-5.1.61-4.el6.x86_64
>> mysql-libs-5.1.61-4.el6.x86_64
>> mysql-server-5.1.61-4.el6.x86_64
>>
>> they all belong to same release. Do I need all of those or is one causing me the issue still with the faults?
>
> What does 'find /usr -name libmysql\*.so' say?
>
> Cheers,
> Thomas
[no subject]
Hi, I am a newbie in Freeradius. I am facing a problem: when I run radiusd with the 'radiusd -X' command it is generating its log in the log file, but when I run radiusd with the 'radiusd' command it is not generating its log in the log file.. anyone please help me in this :(

Regards,
Rao
[no subject]
sir, the actual problem is when I run with 'radiusd' the log file is saved on the location I defined in radiusd.conf:

    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = ${prefix}/var
    sbindir = ${exec_prefix}/sbin
    logdir = ${localstatedir}/log/radius

but when I run radius with 'radiusd -X' it is saved on the location defined in radiusd.dat:

    echo -n $"Starting $prog: "
    cd $binfolder
    daemon ./radiusd > /var/log/radius`date '+%Y%m%d'`.log
    RETVAL=$?
    sleep 2

I want to save the log file on the same location in both cases... please help me in this

Thanx..
[no subject]
Hello all,

I'm trying to figure out how to access vendor specific attributes from JRADIUS via my FreeRADIUS server. I have defined the dictionary file and have included them in FreeRADIUS and JRADIUS. Using wireshark I can verify that the attributes that I've defined are included in the access-request packet that is sent to my FreeRADIUS server. There are no errors shown in the output, but I don't see an attribute of type 26, which I believe is the type used for VSA, being passed to JRADIUS. There doesn't appear to be an option in the jradius module file where you can specify what attributes should be included in the exchange between FreeRADIUS and JRADIUS. Is there some configuration or code change that I need to make to get these attributes included in the packet that's sent to JRADIUS?

Lester Houston
Boeing Research Technology
Electronics Prototyping and Integration Center (EPIC)
[no subject]
Is there a way to add the removal of delimiters such as - or : to the rewrite_calling_station_id section.

Thanks,
Joe
[no subject]
Keep getting this error message when running make in my /raddb/certs directory. I reinstalled openssl but to no avail. Any thoughts?

    /usr/bin/openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
    Using configuration from ./server.cnf
    ERROR: loading the config file 'xpextensions'
    1149:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:126:fopen('xpextensions','rb')
    1149:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:129:
    1149:error:0E078072:configuration file routines:DEF_LOAD:no such file:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:197:
    *** Error code 1

    Stop in /usr/local/etc/raddb/certs.

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
[no subject]
Hi All,

I have searched high and low for a Radacct Terminate cause description for Freeradius; the terminate cause states Lost-Session, anyone know what it refers to?

Regards
Carl
[no subject]
Hi,

I just installed freeradius 2.1.12 on ubuntu server from src file and got the following error:

    # radiusd -X
    radiusd: error while loading shared libraries: libfreeradius-radius-2.1.12.so: cannot open shared object file: No such file or directory

Thanks,
ASM
Re: (No subject)
ldconfig -v ??

alan
[no subject]
Hi,

Is it possible to proxy based on a group the user belongs to? Or attribute? Or based on NAS from where the request was received? Aside from REALM, is there any other criteria that can be used to decide whether or not to proxy a request?

Thanks,
Det
Re: Config for TLS, TTLS and PEAP and subject validation
Hi Alan

On 11.08.11 23:13, Alan DeKok wrote:
> The TLS-Client-Cert-Subject is empty. You will need to check for EAP-TLS:
>
>     if ((EAP-Type == EAP-TLS) && (%{TLS-Client-Cert-Subject} !~ /\/O=MyCompany\//)) {
>         ...

Thank you very much. This works great.

Regards,
Daniel
Config for TLS, TTLS and PEAP and subject validation
Hi

I currently run FreeRADIUS 2.1.6 and have a working configuration for EAP-TTLS and PEAP that is used for a WPA2 network. In addition to that, I would like to allow our users to use their user certificate from a public issuer to connect using EAP-TLS. This means that I have to check if the subject contains our organisation.

I read in previous threads about checking the subject in the authenticate section:

    authenticate {
        Auth-Type eap {
            eap
            if (!%{TLS-Client-Cert-Subject} =~ /\/O=MyCompany\// ) {
                reject
            }
        }
    }

I have two questions about that:
- This would belong in the outer request as there is no inner request with EAP-TLS, right?
- What happens to requests that don't provide a client certificate (the users who still use EAP-TTLS or PEAP)?

In conclusion, is there a way to distinguish between EAP-TLS requests and EAP-TTLS or PEAP requests? And if so, can I use a different server section for EAP-TLS?

Thanks for help.

Best regards,
Daniel
Re: Config for TLS, TTLS and PEAP and subject validation
Daniel Bertolo wrote:
> I currently run FreeRADIUS 2.1.6
...
> authenticate {
>     Auth-Type eap {
>         eap
>         if (!%{TLS-Client-Cert-Subject} =~ /\/O=MyCompany\// ) {

  That won't work in 2.1.6. You need at least 2.1.10.

> - This would belong in the outer request as there is no inner request with EAP-TLS, right?

  Yes.

> - What happens to requests that don't provide a client certificate (the users who still use EAP-TTLS or PEAP)?

  The TLS-Client-Cert-Subject is empty. You will need to check for EAP-TLS:

    if ((EAP-Type == EAP-TLS) && (%{TLS-Client-Cert-Subject} !~ /\/O=MyCompany\//)) {
        ...

> In conclusion, is there a way to distinguish between EAP-TLS requests and EAP-TTLS or PEAP requests? And if so, can I use a different server section for EAP-TLS?

  Yes, and no.

  Alan DeKok.
[no subject]
What's the role of Squid in a radius running server? I know it's related to the proxy thing but would like to have more info.
[no subject]
Which is the latest version of php_radius.dll? Please post a link to it. Thanks in advance
[no subject]
We do have a question. Is there anything in configuration that allows to turn off authentication? We are running EAP-TTLS and would like, instead of sending a challenge on Access, to send Access-Accept always. (No authentication in fact)
[no subject]
Hi, I'm very new to freeradius. I want to setup a radius server to authenticate another system connected through an access point. I'll be grateful if anyone can tell the steps to do this or give links to the related materials. Thanks in advance :-)
RE: WildCard/Subject Alternative Names Cert Question
Well I was pounding my head against the wall on this as I couldn't find anything meaningful in the EAP logs. I then spoke to my CA about it and they said they've seen numerous problems with Wildcard certs and RADIUS, and that they normally just give a free normal common name cert for the RADIUS server when customers have this problem, so they gave me one. Seems like Microsoft's client just doesn't like their wildcard certs. When I put the normal cert they gave me into my FreeRADIUS server, it worked fine.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org] On Behalf Of Casartello, Thomas
Sent: Saturday, April 16, 2011 9:58 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: WildCard/Subject Alternative Names Cert Question

> Ok thank you.
>
> Thomas E. Casartello, Jr.
> Staff Assistant - Wireless/Linux Administrator
> Information Technology
> Wilson 105A
> Westfield State University
>
> -----Original Message-----
> From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org] On Behalf Of Phil Mayers
> Sent: Saturday, April 16, 2011 5:36 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: WildCard/Subject Alternative Names Cert Question
>
>> On 04/16/2011 02:42 AM, Casartello, Thomas wrote:
>>> When you say client EAP tracing do you mean on the Microsoft side, or
>>
>> Yes
>>
>>> is there something you can do on the freeradius side? When I lookup
>>
>> No
>>
>>> eap tracing I get information about generating Microsoft EAP host tracing files, but it's in an unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing?
>>
>> You need to read them on a windows system, obviously.
>>
>> IIRC you need to use the tracerpt utility.
Re: WildCard/Subject Alternative Names Cert Question
On 04/16/2011 02:42 AM, Casartello, Thomas wrote:
> When you say client EAP tracing do you mean on the Microsoft side, or

Yes

> is there something you can do on the freeradius side? When I lookup

No

> eap tracing I get information about generating Microsoft EAP host tracing files, but it's in an unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing?

You need to read them on a windows system, obviously.

IIRC you need to use the tracerpt utility.
RE: WildCard/Subject Alternative Names Cert Question
Ok thank you.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Saturday, April 16, 2011 5:36 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: WildCard/Subject Alternative Names Cert Question

> On 04/16/2011 02:42 AM, Casartello, Thomas wrote:
>> When you say client EAP tracing do you mean on the Microsoft side, or
>
> Yes
>
>> is there something you can do on the freeradius side? When I lookup
>
> No
>
>> eap tracing I get information about generating Microsoft EAP host tracing files, but it's in an unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing?
>
> You need to read them on a windows system, obviously.
>
> IIRC you need to use the tracerpt utility.
WildCard/Subject Alternative Names Cert Question
Hello.

I have a FreeRADIUS setup using PEAP/MSCHAPv2 to authenticate wireless clients against an Active Directory environment. We've recently purchased a new wildcard certificate from DigiCert for our organization. The RADIUS server is not covered by the wildcard common name on the certificate, however I have a subject alternative name specifying the RADIUS server hostname on it as well.

On my new cert, connection to the system fails when I try validating the new cert (I have all the possible cert authorities checked off.) If I uncheck validate the cert, I am then able to connect. As soon as I place the old cert back in place validation works fine. The old cert was a free single name cert from IPS CA. The new cert is a wildcard duplicate issued from DigiCert that has the server name as a subject alternative name as it is not covered by the wild card common name we are using - I generated the CSR for this certificate copy using the tools in freeradius (XPExtensions and whatnot.)

Should this kind of a cert work, or does 802.1x/PEAP/mschapv2 not support validating by subject alternative names? I tried including the CA Cert in a chain file and not including it and had the same results either way. I know the CA is trusted by Microsoft as this same wildcard cert works in our web applications.

Tom

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University
Red Hat Certified Technician (RHCT)
Cisco Certified Network Associate (CCNA)
Re: WildCard/Subject Alternative Names Cert Question
On 04/15/2011 08:42 PM, Casartello, Thomas wrote:
> whatnot.) Should this kind of a cert work, or does 802.1x/PEAP/mschapv2 not support validating by subject alternative names.

This isn't really a FreeRADIUS question; it's down to the supplicant to permit or deny the cert.

Anyway... Section 3.2.7.1 of MS-WSH says:

"If the isValidateServerNameEnabled is set to TRUE, then verify that the subject name (Section 4.1.2.6 of [RFC5280]) or subject alternative name (section 4.2.1.6 of [RFC5280]) of the server certificate exists in ServerNames."

i.e. it should honour subjectAltName. But Microsoft have a habit of ignoring their own standards, so if you're sure your certificate is good, then the only way to be sure is turn on client EAP tracing and dig in the logs to see why it's being refused.
RE: WildCard/Subject Alternative Names Cert Question
When you say client EAP tracing do you mean on the Microsoft side, or is there something you can do on the freeradius side? When I lookup eap tracing I get information about generating Microsoft EAP host tracing files, but it's in an unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing?

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Friday, April 15, 2011 4:14 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: WildCard/Subject Alternative Names Cert Question

> On 04/15/2011 08:42 PM, Casartello, Thomas wrote:
>> whatnot.) Should this kind of a cert work, or does 802.1x/PEAP/mschapv2 not support validating by subject alternative names.
>
> This isn't really a FreeRADIUS question; it's down to the supplicant to permit or deny the cert.
>
> Anyway... Section 3.2.7.1 of MS-WSH says:
>
> "If the isValidateServerNameEnabled is set to TRUE, then verify that the subject name (Section 4.1.2.6 of [RFC5280]) or subject alternative name (section 4.2.1.6 of [RFC5280]) of the server certificate exists in ServerNames."
>
> i.e. it should honour subjectAltName. But Microsoft have a habit of ignoring their own standards, so if you're sure your certificate is good, then the only way to be sure is turn on client EAP tracing and dig in the logs to see why it's being refused.
Re: Rejecting EAP-TLS based on cert Subject field
Matt Garretson wrote:
> Thanks. That's actually my goal. But unlang isn't allowed in authenticate{},

  Yes, it is. You just need to put it into a subsection. See the comments around "eap" in the authenticate section for 2.1.10.

> and my attempts to sneak it into the authentication phase via the tls{} section in eap.conf didn't seem to work.

  Hmm... the tls section is a configuration section, and has nothing to do with the modules listed in the authenticate section.

  Alan DeKok.
Re: Rejecting EAP-TLS based on cert Subject field
Matt Garretson wrote:
> It works, but there are two non-ideal things about the way it works:
>
> 1) Windows XP doesn't seem to notice the rejection and keeps retrying for a minute or two, ultimately failing to show any failure/error message to the user.

  You're sending a *radius* reject. It doesn't include an EAP-Message with an *EAP* reject. So you need to create a fake one:

    update reply {
        EAP-Message := 0x04010004
    }

  That can work sometimes...

> 2) The rejection is not logged in radiusd.log; rather, three "Auth: Login OK" lines are logged (the repetition is due to XP's retries)

  Put the unlang in the authenticate section, after "eap":

    Auth-Type eap {
        eap
        if (...) {
            ...
        }
    }

> Is there any way I can address these two issues? I did try putting the above unlang into eap.conf's tls{} section (where check_cert_issuer and check_cert_cn would be), in hopes that the rejection would occur during the auth rather than after it, but the code doesn't seem to have any effect there.

  Unlang doesn't go in module configuration sections.

  Alan DeKok.
Re: Rejecting EAP-TLS based on cert Subject field
On 27/01/11 21:30, Matt Garretson wrote:
> On 1/27/2011 3:03 PM, Phil Mayers wrote:
>>> I've met this need (using 2.1.11 from git) with a simple bit of unlang in post-auth{}:
>>>
>>>     if ( %{TLS-Client-Cert-Subject} =~ /OU=Evil/ ) {
>>>         reject
>>>     }
>>
>> Just put this in the authorize section? If it's early in the EAP conversation, TLS-Client-* won't be set so won't match, meaning this will succeed as soon as you get that far.
>
> I'm not sure I follow you here. Are you saying that there is a place in the authorize section where TLS-Client-* _would_ be accessible to unlang? I've tried it in a few places (before eap, after eap, at the top of the section, at the bottom of the section) and it seemed to have no effect. But it's entirely possible that I missed something during these tests.

You're right, I'm wrong. EAP of course runs all its guts in the authenticate section, so nothing is available during the authorize section.

Sorry for the noise.
Re: Rejecting EAP-TLS based on cert Subject field [RESOLVED]
On 1/28/2011 3:48 AM, Alan DeKok wrote:
> Put the unlang in the authenticate section, after eap:
>
> Auth-Type eap {
>     eap
>     if (...) {
>         ...
>     }
> }

Thank you!! That did the trick. The entirety of my authenticate section is now:

authenticate {
    Auth-Type Kerberos {
        krb5
    }
    Auth-Type eap {
        eap
        if ( %{TLS-Client-Cert-Subject} =~ /\/OU=Evil\// ) {
            reject
        }
    }
}

And it works perfectly. Thank you!

As for Windows XP dealing with the rejection:

> You're sending a *radius* reject. It doesn't include an EAP-Message with an *EAP* reject. So you need to create a fake one:
>
> update reply {
>     EAP-Message := 0x
> }
>
> That can work sometimes...

Ah, thanks for the tip. I added this in the Post-Auth-Type REJECT section:

if ( %{control:Auth-Type} == EAP ) {
    update reply {
        EAP-Message := 0x04010004
    }
}

The code seems to work as expected, but Windows XP still doesn't seem to handle it sensibly. But I can live with that.

Thank you, Alan!
-Matt
Rejecting EAP-TLS based on cert Subject field
For years, we've been doing simple EAP-TLS with various versions of FreeRADIUS. Now, a new requirement has come down to me such that radius will have to reject certain valid client certs based on a string in the Subject field of the client cert.

I've met this need (using 2.1.11 from git) with a simple bit of unlang in post-auth{}:

if ( %{TLS-Client-Cert-Subject} =~ /OU=Evil/ ) { reject }

It works, but there are two non-ideal things about the way it works:

1) Windows XP doesn't seem to notice the rejection and keeps retrying for a minute or two, ultimately failing to show any failure/error message to the user.

2) The rejection is not logged in radiusd.log; rather, three "Auth: Login OK" lines are logged (the repetition is due to XP's retries).

Is there any way I can address these two issues? I did try putting the above unlang into eap.conf's tls{} section (where check_cert_issuer and check_cert_cn would be), in hopes that the rejection would occur during the auth rather than after it, but the code doesn't seem to have any effect there.

Thanks in advance for any clues...
-Matt
Re: Rejecting EAP-TLS based on cert Subject field
hi,

you are authenticating...and then rejecting in the post-auth stage. you really need to break the process in the authentication stage.

alan
Re: Rejecting EAP-TLS based on cert Subject field
On 1/27/2011 1:14 PM, Alan Buxey wrote:
> you are authenticating...and then rejecting in the post-auth stage. you really need to break the process in the authentication stage.

Thanks. That's actually my goal. But unlang isn't allowed in authenticate{}, and my attempts to sneak it into the authentication phase via the tls{} section in eap.conf didn't seem to work. Any other ways to do it? I'd thought of using rlm_perl, but couldn't see that the cert fields are passed to the module.

Thanks,
-Matt
Re: Rejecting EAP-TLS based on cert Subject field
On 01/27/2011 06:04 PM, Matt Garretson wrote:
> For years, we've been doing simple EAP-TLS with various versions of FreeRADIUS. Now, a new requirement has come down to me such that radius will have to reject certain valid client certs based on a string in the Subject field of the client cert.
>
> I've met this need (using 2.1.11 from git) with a simple bit of unlang in post-auth{}:
>
> if ( %{TLS-Client-Cert-Subject} =~ /OU=Evil/ ) { reject }

Just put this in the authorize section? If it's early in the EAP conversation, TLS-Client-* won't be set so won't match, meaning this will succeed as soon as you get that far.

> It works, but there are two non-ideal things about the way it works:
>
> 1) Windows XP doesn't seem to notice the rejection and keeps retrying for a minute or two, ultimately failing to show any failure/error message to the user.
>
> 2) The rejection is not logged in radiusd.log; rather, three "Auth: Login OK" lines are logged (the repetition is due to XP's retries)
>
> Is there any way I can address these two issues? I did try putting the above unlang into eap.conf's tls{} section (where check_cert_issuer and check_cert_cn would be), in hopes that the rejection would occur during the auth rather than after it, but the code doesn't seem to have any effect there.

Correct. Unlang is only processed in authorize-like steps, not arbitrary bits of the config.
Re: Rejecting EAP-TLS based on cert Subject field
On 1/27/2011 1:24 PM, Matt Garretson wrote:
> Thanks. That's actually my goal. But unlang isn't allowed in authenticate{}, and my attempts to sneak it into the authentication phase via the tls{} section in eap.conf didn't seem to work. Any other ways to do it?

Replying to myself here. I got a bit closer to my goal by putting this in the verify{} subsection of tls{}:

tmpdir = /tmp/radiusd
client = "/usr/local/bin/checkcert %{TLS-Client-Cert-Filename}"

Where /usr/local/bin/checkcert contains:

#!/bin/sh
# Exit non-zero (reject) when the client cert's Subject carries OU=Evil.
# The grep pattern must be one quoted argument, otherwise the shell would
# split it and grep would look for "Subject:.*" in a file named "OU=Evil,".
if /usr/bin/openssl x509 -in "$1" -noout -text | \
   /bin/grep -q "Subject:.* OU=Evil," ; then
    RC=1
else
    RC=0
fi
exit $RC

The XP client still tries three times (duh), but at least radius.log reflects a failure:

Error: TLS_accept: error in SSLv3 read client certificate B
Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]

Still, it would be nice if I could use unlang (or something) to match against %{TLS-Client-Cert-Subject} during the authenticate stage somehow. Is there a way that I'm missing?

Thanks,
-Matt
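Both the checkcert script above and the anchored regex in the resolved authenticate{} section (/\/OU=Evil\//) turn on the same question: is an RDN of the client's Subject exactly OU=Evil, or does the string merely contain the text "OU=Evil"? An unanchored substring test also matches OU=Evildoers or a CN whose value happens to contain "OU=Evil". The script below is an added example for this thread, not code from the thread or from FreeRADIUS; it assumes the Subject arrives in OpenSSL's one-line slash-separated form (e.g. /C=US/OU=Evil/CN=eviluser), which is what FreeRADIUS 2.x exposes as %{TLS-Client-Cert-Subject}, and the function names and the blocked OU values are hypothetical. The checkcert function has the exit-status shape a verify{} "client = ..." hook needs and relies on openssl being installed.

```shell
#!/bin/sh
# Added example: exact-RDN matching of a certificate Subject for an external
# verify{} client hook. Not the thread's or FreeRADIUS's own code.
# Assumes the Subject is in OpenSSL's one-line "/C=../OU=../CN=.." form, the
# form FreeRADIUS 2.x puts in %{TLS-Client-Cert-Subject}.

# Hypothetical policy: OU values that are refused even though the certificate
# chains to a trusted CA.
BLOCKED_OUS="Evil Revoked-Contractors"

# Normalise a subject string to "/RDN/RDN/.../": drop the "subject=" label
# that "openssl x509 -subject" prints, drop a leading space, and make sure the
# string starts and ends with "/" so that every RDN is delimited on both sides.
normalize_subject() {
    s="${1#subject=}"
    s="${s# }"
    s="/${s#/}"
    case "$s" in
        */) : ;;
        *)  s="$s/" ;;
    esac
    printf '%s' "$s"
}

# subject_has_ou SUBJECT VALUE
# Returns 0 only when some RDN is exactly "OU=VALUE". A plain substring test
# (grep OU=Evil) would also match OU=Evildoers, or a CN containing "OU=Evil";
# requiring "/" on both sides of the RDN avoids that.
subject_has_ou() {
    subj="$(normalize_subject "$1")"
    case "$subj" in
        */OU="$2"/*) return 0 ;;
    esac
    return 1
}

# subject_blocked SUBJECT: 0 if any blocked OU is present, 1 otherwise.
subject_blocked() {
    for ou in $BLOCKED_OUS; do
        if subject_has_ou "$1" "$ou"; then
            return 0
        fi
    done
    return 1
}

# checkcert CERTFILE: exit 0 to accept, non-zero to reject, as a verify{}
# "client = ..." hook expects. "-nameopt compat" asks modern OpenSSL for the
# old slash-separated form that the functions above parse.
checkcert() {
    subj="$(openssl x509 -in "$1" -noout -subject -nameopt compat)" || return 2
    if subject_blocked "$subj"; then
        echo "rejecting client certificate: $subj" >&2
        return 1
    fi
    return 0
}

# When invoked directly with a PEM path, behave as the verify hook.
if [ -n "$1" ]; then
    checkcert "$1"
fi
```

Because the one-line form separates RDNs with "/" but does not escape a "/" inside an attribute value, matching on the delimited "/OU=value/" is a narrower and therefore safer test than a free regex, but a CA that allows arbitrary characters in Subject values still needs to be treated as the real trust boundary.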
Re: Rejecting EAP-TLS based on cert Subject field
On 1/27/2011 3:41 PM, Matt Garretson wrote:
> The XP client still tries three times (duh), but at least radius.log reflects a failure:
>
> Error: TLS_accept: error in SSLv3 read client certificate B
> Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
> Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]

*sigh* I left out the first (and most useful) logging line in the above:

Auth: rlm_eap_tls: Certificate CN (eviluser) fails external verification!

So, again, it's better than what I'd had before, but not as elegant as I was hoping.
Re: Rejecting EAP-TLS based on cert Subject field
On 1/27/2011 3:03 PM, Phil Mayers wrote:
>> I've met this need (using 2.1.11 from git) with a simple bit of unlang in post-auth{}:
>>
>> if ( %{TLS-Client-Cert-Subject} =~ /OU=Evil/ ) { reject }
>
> Just put this in the authorize section? If it's early in the EAP conversation, TLS-Client-* won't be set so won't match, meaning this will succeed as soon as you get that far.

I'm not sure I follow you here. Are you saying that there is a place in the authorize section where TLS-Client-* _would_ be accessible to unlang? I've tried it in a few places (before eap, after eap, at the top of the section, at the bottom of the section) and it seemed to have no effect. But it's entirely possible that I missed something during these tests.

> Correct. Unlang is only processed in authorize-like steps, not arbitrary bits of the config.

I can understand that. But given that the eap module has access to some client cert fields during authentication (e.g. check_cert_issuer and check_cert_cn), it would be nice to be able to access these and other client cert fields with unlang (or something similar) at that stage. But, admittedly, I'm way over my head here :-) so I'll make do with one of the methods described earlier in this thread.

Thanks,
-Matt
[no subject]
Does anyone have a script to verify users' session status with the NAS? Actually we are facing some missing accounting information, and we can use the radutmp module because we have multiple radius servers and the data is centralized in the DB.

Thanks;
[no subject]
How do I manage customers on a Freeradiusd 2.10.1 server through MAC filtering, on an Ubuntu 10 operating system?
[no subject]
What is the syntax to register a MAC address in the freeradius users file on the Ubuntu operating system? The error I get is:

parse errror (reply) for entry 00-1E-65-9C-2C-BC
Errors reading /usr/local/etc/raddb/users
/usr/local/ect/raddb/modules/files[7]: Instantiation failed for module "files".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[124]: Failed to load module "files".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[47]: Errors parsing authorize section.
[no subject]
Hello, could you tell me the syntax to add a client in freeradius, and could you tell me the syntax to add a user in freeradius?
[no subject]
Hello, I have already installed and configured freeradius on the Ubuntu operating system. How do I add users through their MAC address?
[no subject]
Could someone help me to know which files I should change to validate a user through the MAC address? I have already installed FreeRADIUS 2.1.10 and am running the server on an Ubuntu operating system. How do you add a user to the server and validate the MAC address?
[no subject]
How do I register a user in freeradius?
[no subject]
I am new to this. I really need help with how to configure freeradius on Ubuntu.
[no subject]
Hello everyone,

Please help me. I am trying to set up FreeRadius as a proxy. I want to extract the MSCHAPv2 auth from EAP-PEAP/MSCHAPv2 and proxy only the MSCHAPv2 request to another radius server that does not work with EAP-PEAP. I changed only the following items:
[no subject]
Hi all,

We upgraded freeradius from 1.1.6 to 2.1.18 recently. It looks like 2.1.8 will reply with an Access-Reject when [ldap] returns fail, but 1.1.6 just kept silent. Is there a way to let 2.1.8 reply nothing in that case?

Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.155.20.85 port 32770, id=182, length=130
	Service-Type = Authorize-Only
	NAS-Port-Type = Wireless-802.11
	User-Name = test2008
	MS-CHAP-Challenge = 0x766bb4f5ae93e28b4630b8fbc674e137
	MS-CHAP2-Response = 0x3700e851effcf3aa3f7731204ca90dcbd9836c9248ca4d87e72d0b4a91dbd2672bb1f8f5b725187953ff
	NAS-IP-Address = 10.155.20.85
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for test2008
[ldap] expand: (sAMAccountName=%{mschap:User-Name}) - (sAMAccountName=test2008)
[ldap] expand: OU=Domain Controllers,dc=aero-hz,dc=cn - OU=Domain Controllers,dc=aerohive-hz,dc=cn
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.155.3.2:389, authentication 0
[ldap] bind as h...@aero-hz.cn/w200h to 10.155.3.2:389
[ldap] h...@aero-hz.cn bind to 10.155.3.2:389 failed: Can't contact LDAP server
[ldap] (re)connection attempt failed
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Sending Access-Reject of id 182 to 10.155.20.85 port 32770
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 182 with timestamp +10
Ready to process requests.
[no subject]
Hi guys. Does anybody know how to compile freeradius 2.19 under cygwin? I feel that FreeRADIUS.net is out of date, but lots of compile errors are making me mad. Any proposal will be appreciated.
[no subject]
After adding the customers to the SQL database, I tried to test a client on another computer using radtest, but I got these lines:

# radtest
Le programme 'radtest' peut être trouvé dans les paquets suivants :
 * radiusd-livingston
 * yardradius
 * xtradius
 * freeradius

(That means: The program 'radtest' can be found in the following packages.)

All I want is for the client to try to access the server, and all the documents say that I may use radtest, but it only works on the server.

Thank you
[no subject]
Hi. After installing Radius, I tried to do some examples. I don't know if it is correct because I'm new to it.

I added to users:

sonia	Auth-Type := Local, User-Password == salut
	Reply-Message = Hello, %u,
	Reply-Message = are you fine, %u

And I added to clients.conf:

client 127.0.0.1 {
	secret = testing123   # our shared key
	shortname = class
	nastype = other
}

When I run this command, I get:

p...@pfe-laptop:~$ sudo radtest sonia salut 127.0.0.1:1812 1812 testing123
Sending Access-Request of id 11 to 127.0.0.1 port 1812
	User-Name = sonia
	User-Password = salut
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11, length=20

What is the problem, please? Is there something missing in my test?

Thank you
[no subject]
Hi, I am having a problem that I couldn't resolve alone. If anyone on the list could help me, it would be appreciated.

I have an EnGenius 2610 access point and I run freeradius under RHEL5. RHEL5 has two ethernet cards: eth0 (192.168.1.4) to the Internet, eth1 to the Wifi client with IP 192.168.0.1 (the client is Windows XP). The client authenticates with MS-Chapv2. I had installed ca_cert.der in XP. When I run radiusd -X everything seems fine:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.3 port 1024, id=4, length=194
	User-Name = GRACELIA-4E4DD9\\gracelia
	NAS-IP-Address = 192.168.0.3
	NAS-Port = 0
	Called-Station-Id = 00-02-6C-5B-0A-A3:mars_net
	Calling-Station-Id = 00-80-A8-C1-C0-A3
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 11Mbps 802.11b
	EAP-Message = 0x020d001d0147524143454c49412d344534395c67726163656c6961
	Message-Authenticator = 0x5ad14aa7bbf1f169e0d16b594a0888ea
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = GRACELIA-4E4DD9\gracelia, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 13 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry GRACELIA-4E4DD9\gracelia at line 94
[files] expand: Hello, %{User-Name} - Hello, GRACELIA-4E4DD9\gracelia
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.0.3 port 1024
	Reply-Message = Hello, GRACELIA-4E4DD9\\gracelia
	EAP-Message = 0x010e00061920
	Message-Authenticator = 0x
	State = 0x1b2c209a1b2239d39cc5bd6f4ac49d46
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 18 ID 4 with timestamp +307
Ready to process requests.

But it keeps looping Access-Challenge and Access-Request without an Access-Reject or an authentication. I believe the certificate already has the OID. When I check the Access Point log, here is the output:

Jan 1 00:17:35 (none) daemon.debug setup.cgi[465]: main: process ./html/CM_SystemStatus.htm takes 2300 ms
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: aborting authentication
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: unauthorizing port
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: received EAP packet (code=2 id=54 len=29) from STA: EAP Response-Identity (1)
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:x3 IEEE 802.1X: STA identity 'GRACELIA-4E4DD9\gracelia'
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Sending RADIUS message to authentication server
Jan 1 00:17:42 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 3 seconds
Jan 1 00:17:45 (none) daemon.debug hostapd: ath1: STA 00:80:x8:x1:x0:c3 RADIUS: Resending RADIUS message (id=28)
Jan 1 00:17:45 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 1 00:17:45 (none) daemon.debug setup.cgi[491]: cgi_setup::main()--HTTP_REFERER=http://192.168.0.3/setup.cgi?reqfile=./html/left.htm

If I try to bind to eth1 or its IP address, the server does not receive any request. Here is the clients.conf setting:

# -*- text -*-
#
#	clients.conf -- client configuration directives
#
#	$Id$

#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).

#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#

#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
client localhost {
	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#       hostname    (radius.example.com)
	ipaddr = 192.168.1.4

	#  OR, you can use an IPv6 address, but not both
	#  at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost

	#
	#  A note on DNS:  We STRONGLY recommend using IP addresses
	#  rather than host names.  Using host names
[no subject]
Hi,

I want to have one computer just do MAC authentication, instead of matching username and password. Can I just add this MAC address to the mysql database? I am running chillispot also; I believe all I have to do is uncomment a line in the chilli.conf file to have it do MAC authentication. Would this be the right way to do this?

thanks
[no subject]
I'm trying to configure freeRADIUS on my wireless network but I'm having problems.

My scenario: Debian Lenny + MySQL 5.0 + freeRADIUS 2.1.7

clients - ((( AP ))) [freeRADIUS server]

When I execute radtest I get:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=168, length=20

and when I execute radclient I get:

Received response ID 146, code 2, length = 32

But when I try to authenticate on my notebook I get:

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=168

My debug output is at: http://pastebin.com/f7e47862f
My clients.conf is at: http://pastebin.com/f30e4955d
And my users file is at: http://pastebin.com/f5d958f63

This is my initial configuration. I want to migrate to MySQL or PostgreSQL when the server is ready, I don't need proxy, and I need to provide/revoke digital certificates for my clients.

Inácio Alves
http://www.polluxweb.com/inacioalves/site
[no subject]
Hello, from a first-time poster.

Is there anyone on the list who has an actual working example of two-factor authentication coded in perl using rlm_perl that they would be willing to share? There are a number of incomplete examples, and some hints as to errors in them, and I've taken all this on board and as a result can pass the challenge response back to the NAS. What I'm having difficulty with is keeping state, so I can determine if an Authorize request is the first hit (real password) or the second (the second factor).

Thanks.
Davey Jones.
[no subject]
Hi,

I was wondering where to look in free radius for something that is kicking the wireless clients off at a certain time. I have a backend mysql database that allows the clients certain times to login from. Where would the file be located that is telling the free radius server that their time is up and to boot them off?

thanks
[no subject]
hello,

I am running slackware 12.1 as my OS. I am running freeradius version 2.1.4. I am also running Mysql as a backend server to freeradius. I made changes to the Mysql database on what times the wireless internet will be available to clients. I wanted to test to see if the times that I set are working correctly; how would I do this? I thought about going to different sites and seeing if I could log in at the times I have set to not allow wireless clients to use it. Is there something I am missing here? How could I test this from one location?

Thanks,
jon
[no subject]
Hello All,

I am using Freeradius 2.1.6 with LDAP for authentication and mysql for accounting on FreeBSD 7.2. The radcheck table for the user is like below. However, when the user tries to connect, the radius log shows: "Maximum never usage time has reached for this user."

+------+-----------+-----------------+----+-------+
| id   | username  | attribute       | op | value |
+------+-----------+-----------------+----+-------+
| 2002 | shrinagar | Max-All-Session | := | 18    |
+------+-----------+-----------------+----+-------+

While calculating the total accounting time in the radacct table, it still shows 9 seconds left for user shrinagar, but the user still can't connect. What's wrong with freeradius? Can anybody tell me what I have done wrong? If I delete all the accounting sessions from the radacct table for that user, then he can connect.

mysql> select 18 - sum(acctsessiontime) from radacct where username='shrinagar';
+---------------------------+
| 18 - sum(acctsessiontime) |
+---------------------------+
|                         9 |
+---------------------------+
[no subject]
Hello,

Could someone let me know if I can insert a new NAS in the following format

insert into nas values('','xx.xx.xx.112/29','shortname',)

Or do I have to insert each IP individually

insert into nas values('','xx.xx.xx.112','shortname',)
insert into nas values('','xx.xx.xx.113','shortname',)
etc...

Thank you for your help in advance.

Kindest Regards,
Irina
NetAccess Systems Inc.
ir...@nas.net

===

Hello,

Sorry the same message (I posted yesterday) was posted today again. My email program acted up. I will try to re-phrase what I need.

I was given a set of new NASes (that I need to allow as 'NASNAME' in the 'nas' table in MySQL) in the following format

xx.xx.xx.112/29
xx.xx.xx.232/29

I am not sure if I can use it as it is in the 'nas' table as 'nasname'. Or, do I have to enter each NAS IP individually?

Kindest Regards,
Irina
NetAccess Systems Inc.
ir...@nas.net

===

----- Original Message -----
From: Irina
To: freeradius-users@lists.freeradius.org
Sent: Monday, August 17, 2009 10:54 AM
Subject: NAS IPs

Hello,

I need to allow a block of 8 IP addresses in the nasname column in the NAS table. Can I use xx.xx.xx.112/29

Thank you for your help in advance

Kindest Regards,
Irina

===
[no subject]
Hello Gary,

thank you very much for your reply. No, not the wildcards. A few IPs within the same class. I was not sure if I could use /29.

Thanks again.
Irina

===

> If you're asking if you can use classless masks to represent a block of IP's, yes you can. If you're asking if you can use wildcards in the IP addresses - I don't know... I doubt it.
>
> -----Original Message-----
> From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Irina
> Sent: Thursday, August 20, 2009 9:52 AM
> To: freeradius-users@lists.freeradius.org
> Subject:
>
>> Hello,
>>
>> Could someone let me know if I can insert a new NAS in the following format
>>
>> insert into nas values('','xx.xx.xx.112/29','shortname',)
>>
>> Or do I have to insert each IP individually
>>
>> insert into nas values('','xx.xx.xx.112','shortname',)
>> insert into nas values('','xx.xx.xx.113','shortname',)
>> etc...
>>
>> Thank you for your help in advance.
>>
>> Kindest Regards,
>> Irina
>> NetAccess Systems Inc.
>> ir...@nas.net
>>
>> ===
>>
>> Hello,
>>
>> Sorry the same message (I posted yesterday) was posted today again. My email program acted up. I will try to re-phrase what I need.
>>
>> I was given a set of new NASes (that I need to allow as 'NASNAME' in the 'nas' table in MySQL) in the following format
>>
>> xx.xx.xx.112/29
>> xx.xx.xx.232/29
>>
>> I am not sure if I can use it as it is in the 'nas' table as 'nasname'. Or, do I have to enter each NAS IP individually?
>>
>> Kindest Regards,
>> Irina
>> NetAccess Systems Inc.
>> ir...@nas.net
>>
>> ===
>>
>> ----- Original Message -----
>> From: Irina
>> To: freeradius-users@lists.freeradius.org
>> Sent: Monday, August 17, 2009 10:54 AM
>> Subject: NAS IPs
>>
>> Hello,
>>
>> I need to allow a block of 8 IP addresses in the 'nasname' column in the NAS table. Can I use xx.xx.xx.112/29
>>
>> Thank you for your help in advance
>>
>> Kindest Regards,
>> Irina
>>
>> ===
[no subject]
Hi All,

I have suffered enough; now I'd like to expose my nightmare.

Freeradius-server-2.1.6 + OpenLdap. Both of the servers work perfectly; there is no firewall between them or anything that can block the traffic. All correct! But the server still has no response, with the weird radclient message! In the radius debug, authentication is reported as successful (the bind was successful).

What's going on?

Best!
--
JJohnny R.
vasian...@gmail.com
[no subject]
Dear All!

I have a small problem with radclient. I use radclient to disconnect users:

Acct-Session-Id={ACTSESSION}\nUser-Name={MYUSERNAME}\nX-Ascend-Session-Svr-Key={SESSIONKEY}\nNAS-IP-Address=10.0.5.1 | radclient -x 10.0.5.1:3799 disconnect 123;

Users disconnect fine. But instead of success I receive this message:

rad_recv: Disconnect-NAK packet from host 10.0.5.1:3799, id=236, length=47
Reply-Message = No Matching Session
Error-Cause = Session-Context-Not-Found

Logs from cisco:

Aug 10 14:29:34 10.0.5.1 360982: 421932: Aug 10 14:26:00.414 AZST: POD: Received Acct-Session-Id of 0002A89C
Aug 10 14:29:34 10.0.5.1 360983: 421933: Aug 10 14:26:00.414 AZST: POD: Converted to internal Session-Id of 0002A89C
Aug 10 14:29:34 10.0.5.1 360984: 421934: Aug 10 14:26:00.414 AZST: POD: 10.0.5.2 user nadiritus 0.0.0.0 sessid 0x2A89C key 0x9F282A8D
Aug 10 14:29:34 10.0.5.1 360985: 421935: Aug 10 14:26:00.414 AZST: POD: Line User IDB Session Id Key
Aug 10 14:29:34 10.0.5.1 360986: 421936: Aug 10 14:26:00.414 AZST: POD: KILL Virtual- nadiritus 10.0.5.25 0x2A89C0x9F282A8D
Aug 10 14:29:34 10.0.5.1 360987: 421937: Aug 10 14:26:00.418 AZST: POD: Added Reply Message: Session Not Removed
Aug 10 14:29:34 10.0.5.1 360988: 421938: Aug 10 14:26:00.418 AZST: POD: Added NACK Error Cause: Session Context Not Removable
Aug 10 14:29:34 10.0.5.1 360989: 421939: Aug 10 14:26:00.418 AZST: POD: Sending NAK from port 3799 to 10.0.5.2/54033

Can anybody help me? Why do I receive that the session was not removed? (But the session is removed.)
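The exchange in the post, a Disconnect-Request answered by a Disconnect-NAK carrying Reply-Message and Error-Cause, encoded and decoded by hand per RFC 5176, as an added example that is not part of the post and not radclient's or the NAS's code. It shows what radclient checks before it prints the reply: the NAK's Response Authenticator is an MD5 over the reply plus the Request Authenticator plus the shared secret, so a reply that does not validate against the secret is not trusted. The shared secret, session id and addresses in the demo are constructed placeholders; the Error-Cause names are the RFC 5176 section 3.5 values (503 Session-Context-Not-Found, 504 Session-Context-Not-Removable, which is the cause the Cisco log names). With the same Reply-Message text as the post, the constructed NAK comes out at 47 octets, the length radclient reported.

```python
"""Encode a RADIUS Disconnect-Request and verify/decode the Disconnect-ACK/NAK
(RFC 5176). Added example, not from the post; sample values are constructed."""
import hashlib
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CODE_NAMES = {41: "Disconnect-ACK", 42: "Disconnect-NAK"}

# Standard RADIUS attribute type numbers used below
USER_NAME, NAS_IP_ADDRESS, REPLY_MESSAGE, ACCT_SESSION_ID, ERROR_CAUSE = 1, 4, 18, 44, 101

# RFC 5176 section 3.5 Error-Cause values relevant to disconnect handling
ERROR_CAUSES = {
    201: "Residual-Session-Context-Removed",
    404: "Invalid-Request",
    503: "Session-Context-Not-Found",
    504: "Session-Context-Not-Removable",
}


def encode_avps(attrs):
    """attrs: list of (type, value bytes) -> RADIUS TLV attribute stream."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_avps(data):
    """Parse the TLV stream, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_disconnect_request(ident, secret, attrs):
    """Client side. RFC 5176 2.3: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_avps(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code, request, secret, attrs):
    """NAS side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_avps(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def parse_response(data, request, secret):
    """Client side: validate the reply against the request it answers and the
    shared secret, then pull out Error-Cause and Reply-Message."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or ident != request[1]:
        raise ValueError("length/id mismatch")
    body = data[20:]
    expected = hashlib.md5(data[:4] + request[4:20] + body + secret).digest()
    result = {"code": CODE_NAMES.get(code, str(code)), "length": length,
              "authentic": expected == data[4:20],
              "error_cause": None, "reply_message": None}
    for t, v in decode_avps(body):
        if t == ERROR_CAUSE and len(v) == 4:
            n = struct.unpack("!I", v)[0]
            result["error_cause"] = ERROR_CAUSES.get(n, str(n))
        elif t == REPLY_MESSAGE:
            result["reply_message"] = v.decode("ascii", "replace")
    return result


def demo(cause=503, check_secret=None):
    """Replay the post's exchange with constructed values; check_secret lets
    the caller see what happens when the verifying secret is wrong."""
    secret = b"constructed-secret"
    req = build_disconnect_request(236, secret, [
        (ACCT_SESSION_ID, b"0002A89C"),
        (USER_NAME, b"nadiritus"),
        (NAS_IP_ADDRESS, bytes([10, 0, 5, 1])),
    ])
    nak = build_response(DISCONNECT_NAK, req, secret, [
        (REPLY_MESSAGE, b"No Matching Session"),
        (ERROR_CAUSE, struct.pack("!I", cause)),
    ])
    return parse_response(nak, req, check_secret or secret)


if __name__ == "__main__":
    print(demo())
```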
subject of emails....
07/22/2009 02:03 PM, Hanno Schupp:
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."

--
IT Architect: System Administration, Research and Development
+ 261 32 11 401 65
Think of the environment before printing this message
[no subject]
Hi all,

I've a strange problem with sql counter on freeradius, both 1.1.7 and 2.1.5 versions.

Actually, executing SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mauro' from SQL Server Management Studio gives me 294841 (Yes, that's a lot of seconds, it's a test user) while the output of radiusd -X (ver 2.1.5) is:

rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}''
[sessioncounter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mauro'
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mauro'}'
[sessioncounter] sql_xlat
[sessioncounter] expand: %{User-Name} -> mauro
[sessioncounter] sql_set_user escaped user --> 'mauro'
[sessioncounter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mauro' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mauro'
[sessioncounter] expand: /usr/var/log/radius/sqltrace.sql -> /usr/var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
query: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mauro'
[sessioncounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
[sessioncounter] expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='mauro'} -> 2948
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user mauro, check_item=3600, counter=2948
rlm_sqlcounter: Sent Reply-Item for user mauro, Type=Session-Timeout, value=652
++[sessioncounter] returns ok

That's totally wrong, since 294841 is much bigger than 3600 and not smaller... And this happens with users from different groups and with different SUM(AcctSessionTime). *Every* time SUM(AcctSessionTime) is bigger than it loses the fifth digit of the response; rather, it loses every digit after the fourth!!!

What's wrong??? I'd appreciate any help or ideas.

This happens on two different Slackware 12.1 and 12.2 machines, both with freeradius 1.1.7, and a Slackware 12.2 with freeradius 2.1.5.

Mauro Iorio.
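The counter decision from the debug output above, replayed against an in-memory radacct table, as an added example (not FreeRADIUS code and not from the post). It runs the post's SUM query over constructed accounting rows that total the 294841 seconds the author saw, then applies the rlm_sqlcounter rule visible in the log: a counter below the check item is authorized and gets Session-Timeout = check - counter, a counter at or above it is rejected. Feeding it the true total rejects the user; feeding it the four-digit string the xlat produced reproduces "Authorized ... Session-Timeout value=652". The example does not say where the digits are lost (the post does not establish that); it only shows why a truncated counter silently turns a quota rejection into an accept, which is what to check for when the sqlcounter and the database disagree.

```python
"""Replay the rlm_sqlcounter decision with an in-memory radacct table.
Added example, not FreeRADIUS code; the accounting rows are constructed."""
import sqlite3

# Constructed radacct rows for user 'mauro' that sum to 294841 seconds,
# plus one row for another user to show the WHERE clause matters.
SESSIONS = [("mauro", 100000), ("mauro", 100000), ("mauro", 94841), ("other", 500)]


def open_radacct():
    """In-memory stand-in for the radacct table with only the two columns used."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctSessionTime INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?)", SESSIONS)
    return conn


def session_counter(conn, username):
    """The counter query from the post, with a bound parameter instead of
    interpolating the user name; 0 when the user has no sessions."""
    row = conn.execute(
        "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName=?", (username,)
    ).fetchone()
    return int(row[0] or 0)


def sqlcounter_authorize(counter_text, check_item):
    """The decision rlm_sqlcounter makes on the *expanded string* of the xlat
    (it never sees the database integer): ('ok', remaining_seconds) when the
    counter is below the check item, ('reject', None) otherwise."""
    counter = int(counter_text.strip() or "0")
    if counter < check_item:
        return ("ok", check_item - counter)
    return ("reject", None)


def demo(check_item=3600):
    """Compare the outcome with the real SUM and with its first four digits,
    the value the post's debug log shows the xlat returning."""
    conn = open_radacct()
    true_total = session_counter(conn, "mauro")
    truncated = str(true_total)[:4]
    return {
        "db_sum": true_total,
        "with_true_value": sqlcounter_authorize(str(true_total), check_item),
        "with_truncated_value": sqlcounter_authorize(truncated, check_item),
    }


if __name__ == "__main__":
    print(demo())
```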