Re: PAM error on reboot of the RADIUS client

2013-02-05 Thread Alan DeKok
Deepti kulkarni wrote:
> Authentication and accounting works fine after I configure the above on
> the client. As soon as I reboot client, login fails with error - cannot
> make/remove an entry for the specified session. Cannot login into the
> client.

  Unfortunately, this is a PAM problem.  I have no idea how to fix this.
 I suggest asking the PAM people.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAM error on reboot of the RADIUS client

2013-02-05 Thread Deepti kulkarni
Thanks. PAM doesn't support authorization either, right?
What RADIUS client do you prefer that can support authentication,
authorization and accounting for Linux machines?

Thanks


Re: PAM error on reboot of the RADIUS client

2013-02-05 Thread Alan DeKok
Deepti kulkarni wrote:
> Thanks. PAM doesn't support authorization either, right?
> What RADIUS client do you prefer that can support authentication,
> authorization and accounting for Linux machines?

  There is nothing else.

  Alan DeKok


PAM error on reboot of the RADIUS client

2013-02-04 Thread Deepti kulkarni
Hello,

I have a Debian machine that acts as a RADIUS client talking with the
FreeRADIUS server. I have configured PAM on the client, so made the following
changes.

1 - Added radiusd to /etc/pam.d which contains -
@include common-auth
@include common-account
@include common-password
@include common-session


2 - Added following line to /etc/pam.d/common_auth
auth sufficient pam_radius_auth.so

3 - Added following line to /etc/pam.d/common_account
account required pam_radius_auth.so

4- Added following line to /etc/pam.d/common_session
session required pam_radius_auth.so

5 - Added server-ip and secret key to /etc/pam_radius_auth.conf

Authentication and accounting works fine after I configure the above on the
client. As soon as I reboot client, login fails with error - cannot
make/remove an entry for the specified session. Cannot login into the
client.

Thanks

Re: PAM error on reboot of the RADIUS client

2013-02-04 Thread Deepti kulkarni
If I don't configure step 4, I am not locked out on the client.

4- Added following line to /etc/pam.d/common_session
session required pam_radius_auth.so

Thanks


Compliance testing of Free Radius Client

2012-10-17 Thread Arpit Jain
Hi All,


Please help!!!


Query #1:

*I want to perform RFC compliance testing of FreeRadius client (not server)
available with freeradius package.*

In other words, I want to perform compliance testing on radclient and
radeapclient binaries available with freeradius package.


On investigation, I found that the manpage of radclient states:

radclient is a radius client program. It can send arbitrary radius packets
to a radius server, then shows the reply.

It can be used to test changes you made in the configuration of the radius
server, or it can be used to monitor if a radius server is up.



Does it mean that freeradius client is just a dummy client and there is no
point in performing compliance testing on it?



I tried to run the “radclient” binary. I executed the following command for
this:

    ./radclient server-ip auth secret-key

Once the above command is executed, the control waits for the attributes
entry.

After the attributes are written, radclient sends radius request packet and
receives response from the server and then it exits.



To again send any authentication or authorization request, radclient binary
needs to be executed again.

As per my understanding, the binary should not have exited.

As radius client sends the Access-request itself once it receives a request
for any service from the user.

Also, if the server does not respond, radius client shall send the request
to an alternate server.

This means that the radius client can handle the user requests at runtime
also. So it should not exit.



*Please let me know if I need some extra configuration to achieve the above
functionality.*


Query #2:

In RFC 2131, it is mentioned that there are three entities in any
freeradius setup: USER, RADIUS CLIENT, RADIUS SERVER.



Does freeradius package provide a separate binary/module for USER
application?

If not, can we consider RADIUS CLIENT as our USER as well?



Thanks,

Arpit

Re: Compliance testing of Free Radius Client

2012-10-17 Thread Phil Mayers

On 10/17/2012 08:26 AM, Arpit Jain wrote:

> Does it mean that freeradius client is just a dummy client and there is
> no point in performing compliance testing on it?

radclient and radeapclient are not NASes. They don't provide service to
users, and they don't run as daemons. They're for server administrators
to test FreeRADIUS.

You could in theory build a NAS on top of radclient, using it to send
the packets, but that's not the usual approach.

> To again send any authentication or authorization request, radclient
> binary needs to be executed again.
>
> As per my understanding, the binary should not have exited.

As above your understanding is wrong, it's a program for testing the
RADIUS server. Once you've sent the test packet(s), it exits.

> *Please let me know if I need some extra configuration to achieve the
> above functionality.*

You need to go away and do some basic reading around the subject. Try
the current version of the RADIUS RFCs for starters, instead of
obsoleted ones.

It sounds like you want a NAS, which is the component that provides
network service to the user, and authenticates it using an embedded
radius client.

NASes are specific to the network layer - modem, ADSL, ethernet/802.1x,
wifi/802.11, webauth, VPN, etc.

See: pppd, chillispot, hostapd, and so on.

> Does freeradius package provide a separate binary/module for USER
> application?
>
> If not, can we consider RADIUS CLIENT as our USER as well?

No. A user is a user. As in, a human being. As in, the person doing the
using?

This isn't really the place to be asking RADIUS 101 questions. There
are books on the topic, though I don't have any specific recommendations.



Re: Compliance testing of Free Radius Client

2012-10-17 Thread Tarun Dixit
Hey Arpit,

You won't be able to interact with the user using radclient.

Please have a proper understanding first.

Freeradius clearly mentions that radclient and radeapclient are just for
testing the freeradius server.

Re: Compliance testing of Free Radius Client

2012-10-17 Thread Arran Cudbard-Bell
Arpit,

As mentioned by other users radclient is not designed to be used in embedded 
applications. If you require an RFC compliant RADIUS client library, one is 
available from NetworkRADIUS (http://networkradius.com/clientapi.html).

-Arran


non-blocking radius client

2012-08-24 Thread al so

 I am trying to write my own Radius client using Java + Netty in a
 non-blocking IO fashion.

 Is there a sample code I can look at or reuse? Obviously, trying not to
 reinvent the wheel here.

 Also, any suggestion on RADIUS servers that I can install and test my
 RADIUS client against?


   Not much info out there to compare various implementations.

Re: non-blocking radius client

2012-08-24 Thread alan buxey
Hi,

> Also, any suggestion on RADIUS servers that I can install and test my
> RADIUS client against?

well, since this is the freeradius mailing list I think the
suggestion for server would be FreeRADIUS  :-|

alan


Re: non-blocking radius client

2012-08-24 Thread al so
Is there an advantage of using non-blocking IO in the RADIUS client
implementation?

Re: non-blocking radius client

2012-08-24 Thread Alan DeKok
al so wrote:
> Is there an advantage of using non-blocking IO in the RADIUS client
> implementation?

  This list is about FreeRADIUS.  It is not a support group for writing
your own RADIUS implementation.

  Alan DeKok.


Re: non-blocking radius client

2012-08-24 Thread Alan DeKok
al so wrote:
> you will pay the price for sure..

  Threats are rude.

  You've not only been banned from the list, but your threats are now on
permanent record in the list archives.  Anyone wanting to know who you
really are just has to search for your email address.

> On Fri, Aug 24, 2012 at 12:50 PM, al so volks...@gmail.com wrote:
>
>> just go eat some shit
>>
>> On Fri, Aug 24, 2012 at 12:49 PM, Alan DeKok al...@deployingradius.com wrote:
>>
>>> al so wrote:
>>>> looks like you need to find some decent job..
>>>
>>> Congratulations.  You've been unsubscribed from the freeradius-users
>>> list.  You've also been banned from ever subscribing again.
>>>
>>> Alan DeKok.



Re: RADIUS Client/ supplicant or captive portal / mschapv2 pw change support

2012-08-01 Thread Tobias Hachmer

Hello list,
are there any here who have suggestions for me?

Kind regards,

Tobias Hachmer



Re: RADIUS Client/ supplicant or captive portal / mschapv2 pw change support

2012-08-01 Thread Alan DeKok
Tobias Hachmer wrote:
> Is there a RADIUS Client or a captive portal/ hotspot software which
> supports changing password via mschapv2?

  Likely not.  This requires someone to implement it.  Only commercial
providers have done this to my knowledge.

> I know FRv3 will support this, but that's only the server side. Is
> there any software which supports password changes via mschapv2 like a
> Windows OS does with PEAP/MSCHAPv2?
> For example a captive portal which tells the user via web frontend if
> his password is expired and allows him to change it also via web
> frontend?
> google doesn't have any good answers for me. Maybe on this list is
> anyone who has done this before or have experience with this.

  Write the code.

  Alan DeKok.


Re: RADIUS Client/ supplicant or captive portal / mschapv2 pw change support

2012-08-01 Thread Tobias Hachmer

Thanks Alan for your response!

On 01.08.2012 18:04, Alan DeKok wrote:
> Tobias Hachmer wrote:
>> Is there a RADIUS Client or a captive portal/ hotspot software which
>> supports changing password via mschapv2?
>
> Likely not.  This requires someone to implement it.  Only commercial
> providers have done this to my knowledge.

Can you tell me which commercial providers do you mean, please?

Regards,
Tobias Hachmer


Re: RADIUS Client/ supplicant or captive portal / mschapv2 pw change support

2012-08-01 Thread Alan DeKok
Tobias Hachmer wrote:
> Can you tell me which commercial providers do you mean, please?

  People selling products?  Microsoft, Cisco, ...

  Alan DeKok.


RADIUS Client/ supplicant or captive portal / mschapv2 pw change support

2012-07-20 Thread Tobias Hachmer

Hello list,

I know it isn't an directly FR issue but I hope that anybody on this 
list have had the questions I have now.


Is there a RADIUS Client or a captive portal/ hotspot software which 
supports changing password via mschapv2?
I know FRv3 will support this, but that's only the server side. Is 
there any software which supports password changes via mschapv2 like a 
Windows OS does with PEAP/MSCHAPv2?
For example a captive portal which tells the user via web frontend if 
his password is expired and allows him to change it also via web 
frontend?
google doesn't have any good answers for me. Maybe on this list is 
anyone who has done this before or have experience with this.


Thanks in advance,
Tobias Hachmer


Radius Client vs. Radius Client-NG

2011-12-08 Thread Nick Khamis
Hello Everyone,

When installing the client, some documentation point to:

radiusclient-ng 0.5.6:
http://developer.berlios.de/projects/radiusclient-ng/, and
freeradius-client-1.1.6.tar: ftp://ftp.freeradius.org/pub/freeradius/

Is there a difference between the two? Is one recommended or have benefits over
the other?

Thanks in Advance,

Nicholas.


Re: Radius Client vs. Radius Client-NG

2011-12-08 Thread Alexandre Chapellon

read this: http://freeradius.org/freeradius-client/

from the link below:
In late 2006 it was decided that the FreeRADIUS Project should adopt the 
latest code from radiusclient-ng cvs as the basis of a new FreeRADIUS 
client package.


I personally use radiusclient-ng



--
http://www.horoa.net

Alexandre Chapellon

Open source systems and network engineering.
Follow me on twitter: @alxgomz http://www.twitter.com/alxgomz



Re: Radius Client vs. Radius Client-NG

2011-12-08 Thread Johan Meiring

On 2011/12/08 09:05 PM, Alexandre Chapellon wrote:
> read this: http://freeradius.org/freeradius-client/
>
> from the link below:
> In late 2006 it was decided that the FreeRADIUS Project should adopt the
> latest code from radiusclient-ng cvs as the basis of a new FreeRADIUS client
> package.
>
> I personally use radiusclient-ng

I also use radiusclient-ng.
Comes as a standard debian package.

Never had an issue.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782




Re: Radius client redundance

2011-10-03 Thread oleaweel
Hi,

I did add the 

home_server nps01 {
    type = auth+acct
    ipaddr = XXX.XXX.XXX.1
    port = 1812,1813
    secret = secretkey

    # rest is default?
}

home_server nps02 {
    type = auth+acct
    ipaddr = XXX.XXX.XXX.2
    port = 1812,1813
    secret = secretkey

    # rest is default?
}

home_server_pool my_auth_failover {
    type = fail-over
    home_server = nps01
    home_server = nps02
}

But it does not seem to work, is there some attributes that i need to add,
remove or change ?

Regards
Ole



Re: Radius client redundance

2011-10-03 Thread Alan DeKok
oleaweel wrote:
> I did add the
...
> But it does not seem to work, is there some attributes that i need to add,
> remove or change ?

  See the FAQ for "it doesn't work"

  Alan DeKok.


Re: Radius client redundance

2011-09-21 Thread Alan DeKok
oleaweel wrote:
> Just for information, I have not been working to much with FreeRadius:). I
> have read the proxy.conf file but im having problems understanding the
> configuration. When it say home_server is this a general name ?

  I don't know what you mean by that.

> If I understand correct i need to configure a home_server_pool, and remove
> the realm DEFAULT that I have today ?

  Yes.

> Or is it possible to do something like
> the following (to configure to MS NPS)

  No.

> If the above is not possibe, is this the right way... :

  Pretty much, yes.

  Alan DeKok.


Radius client redundance

2011-09-20 Thread oleaweel
Hi,

We have configured EAP-PEAP with freeradius, and forward MS-CHAP-V2 request
to a Microsoft NPS server. This works fine, but we now want to implement one
more Microsoft NPS server, so how do we define a second radius client. So
that if the first one fails, it will automatically try the next ?

We have configured the following:

clients.conf

client merucontroller01 {
ipaddr = xxx.xxx.xxx.1
secret = secretkey
nastype = other
require_message_authenticator = no
}

proxy.conf

realm DEFAULT {
authhost= xxx.xxx.xxx.1:1812 
accthost= xxx.xxx.xxx.1:1813
secret  = secretkey
}

So could i just add another ip here xxx.xxx.xxx.2 in both ?

Thanks for reply.

Regards
Ole



Re: Radius client redundance

2011-09-20 Thread Alan DeKok
oleaweel wrote:
> Hi,
>
> We have configured EAP-PEAP with freeradius, and forward MS-CHAP-V2 request
> to a Microsoft NPS server. This works fine, but we now want to implement one
> more Microsoft NPS server, so how do we define a second radius client. So
> that if the first one fails, it will automatically try the next ?

  Packets are sent to home servers, not to RADIUS clients.

  To configure fail-over, see raddb/proxy.conf.  This is documented.

  Alan DeKok.


Re: Radius client redundance

2011-09-20 Thread oleaweel
Hi,

Thanks for fast reply.

Just for information, I have not been working to much with FreeRadius:). I
have read the proxy.conf file but im having problems understanding the
configuration. When it say home_server is this a general name ?
If I understand correct i need to configure a home_server_pool, and remove
the realm DEFAULT that I have today ? Or is it possible to do something like
the following (to configure to MS NPS)

realm DEFAULT { 
authhost = xxx.xxx.xxx.1:1812 
accthost = xxx.xxx.xxx.1:1813
authhost = xxx.xxx.xxx.2:1812  
accthost = xxx.xxx.xxx.2:1813
secret = secretkey 
} 


If the above is not possibe, is this the right way... :

home_server nps01 {
    type = auth+acct
    ipaddr = XXX.XXX.XXX.1
    port = 1812,1813
    secret = secretkey

    # rest is default?
}

home_server nps02 {
    type = auth+acct
    ipaddr = XXX.XXX.XXX.2
    port = 1812,1813
    secret = secretkey

    # rest is default?
}

home_server_pool my_auth_failover {
    type = fail-over
    home_server = nps01
    home_server = nps02
}

Regards
Ole
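
An added example, not part of the original posts and not FreeRADIUS code: a small Python check over a proxy.conf fragment modelled on the one posted in this thread. It assumes that a `home_server` takes a single `port` value and that a `home_server_pool` only takes effect once a realm names it through `pool`, `auth_pool` or `acct_pool` (here a realm entry that replaces the old authhost/accthost one); `parse_blocks`, `check_failover` and the sample addresses are constructed for illustration.

```python
import re

# Constructed sample modelled on the configuration posted in this thread.
# 192.0.2.x are documentation addresses and the secret is a dummy value.
POSTED = """\
home_server nps01 {
    type = auth+acct
    ipaddr = 192.0.2.1
    port = 1812,1813
    secret = secretkey
}
home_server nps02 {
    type = auth+acct
    ipaddr = 192.0.2.2
    port = 1812,1813
    secret = secretkey
}
home_server_pool my_auth_failover {
    type = fail-over
    home_server = nps01
    home_server = nps02
}
"""

# Same servers with one base port each, plus a realm that names the pool.
REVISED = POSTED.replace("port = 1812,1813", "port = 1812") + """\
realm DEFAULT {
    pool = my_auth_failover
}
"""

BLOCK_START = re.compile(r"^(\w+)\s+([\w.-]+)\s*\{$")
PAIR = re.compile(r"^([\w-]+)\s*=\s*(.+)$")
POOL_KEYS = {"pool", "auth_pool", "acct_pool"}   # realm items that select a pool


def parse_blocks(text):
    """Parse top-level 'kind name { key = value ... }' blocks (no nesting)."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if current is None:
            start = BLOCK_START.match(line)
            if start:
                current = (start.group(1), start.group(2), [])
        elif line == "}":
            blocks.append(current)
            current = None
        else:
            pair = PAIR.match(line)
            if pair:
                current[2].append((pair.group(1), pair.group(2).strip()))
    return blocks


def check_failover(text):
    """Return a list of findings for the fail-over parts of a proxy.conf."""
    blocks = parse_blocks(text)
    servers = {name for kind, name, _ in blocks if kind == "home_server"}
    used_pools = {value for kind, _, pairs in blocks if kind == "realm"
                  for key, value in pairs if key in POOL_KEYS}
    findings = []
    for kind, name, pairs in blocks:
        for key, value in pairs:
            if kind == "home_server" and key == "port" and not value.isdigit():
                findings.append(
                    f"home_server {name}: port '{value}' is not a single number")
            if kind == "home_server_pool" and key == "home_server" \
                    and value not in servers:
                findings.append(
                    f"home_server_pool {name}: unknown home_server '{value}'")
    for kind, name, _ in blocks:
        if kind == "home_server_pool" and name not in used_pools:
            findings.append(f"home_server_pool {name}: no realm refers to it")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("revised", REVISED)):
        print(label, check_failover(conf) or "no findings")
```

Running `radiusd -X`, as used elsewhere on this page, remains the authoritative check of how the server itself reads the file.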



RADIUS client configuratio-1.1.6n steps

2011-09-08 Thread vikraman.p36
Hi ,

I have downloaded and installed RADIUS server -2.1.11 and RADIUS client-1.1.6. 
To run the server I used the command radiusd -X.
Please let me know the configuration part for RADIUS client , run RADIUS 
client, in which file I need to specify the username ,password and secret 
password.




Re: RADIUS client configuratio-1.1.6n steps

2011-09-08 Thread Fajar A. Nugraha
On Thu, Sep 8, 2011 at 3:23 PM,  vikraman@wipro.com wrote:
> Hi ,
>
> I have downloaded and installed RADIUS server -2.1.11 and RADIUS
> client-1.1.6. To run the server I used the command radiusd -X.
>
> Please let me know the configuration part for RADIUS client , run RADIUS
> client, in which file I need to specify the username ,password and secret
> password.

What are you trying to do? Are you writing your own radius program?

If you simply want to do authentication test to a radius server,
radtest bundled in freeradius-server should be easier to use and
self-explanatory (try radtest -h)

If you use radlogin, the servers and secret should be in
/etc/radiusclient/servers (or wherever it's installed during make
install), while user and password is prompted on STDIN.

-- 
Fajar



Re: RADIUS client configuratio-1.1.6n steps

2011-09-08 Thread Fajar A. Nugraha
On Thu, Sep 8, 2011 at 3:53 PM,  vikraman@wipro.com wrote:
> Fajar,
>
> Thanks for your response.
>
> I am trying to run a sample RADIUS client and server program.

In that case, it's MUCH easier NOT to use radiusclient, but rather
just use radtest (and possibly also radclient) included in
freeradius-server.

On another note, I previously tried Ubuntu natty's radiusclient1
(which still uses ancient 0.3.x) that works fine, but when compiling
freeradius-client-1.1.6 it always seem to use incorrect shared secret.
Can't figure out why.

> Please answer for the following questions
>
> 1) In RADIUS client 1.1.6 is there any file to specify username(test) and
> password(test) details other than STDIN .
>
> Eg:
> test    Cleartext-Password := test

Just use radtest from freeradius-server. e.g.

    radtest testuser testpass localhost 0 testing123

run radtest -h or man radtest for more info.

> 2) usage: radiusclient [-f config_file] [-p nas_port] [-s | [-a] a1=v1
> [a2=v2[...[aN=vN]...]]]
>
> What for this [-f config_file] option mean ? what information this file
> contains ? do I need to specify /etc/radiusclient/servers file here ?

It's easier to use radclient from freeradius-server, see man
radclient for more info. For your purposes though radtest should be
enough.

-- 
Fajar



RADIUS Disconnect request support in free radius client -1.1.6

2011-09-07 Thread vikraman.p36
Hi ,


I am looking into Free radius client (freeradius-client-1.1.6) library code for 
using in our project. Please let me know if the Free radius client supports 
processing of the disconnect request message from RADIUS server which is 
defined in the RFC 5176.



Thanks,

Vikraman



Specifying Any Port for RADIUS Client

2011-09-07 Thread Det Det
Hi,

I want to connect to RADIUS server using RADIUS client software, not through 
NAS. Using RADIUS client software such as radperf will generate different port 
numbers when connecting to the RADIUS server. How do I place client information 
in NAS table such that I am able to specify IP and any ports. When client 
connects to RADIUS server, server will just respond with,

Ignoring request to authentication address * port 1812 from unknown client 
192.168.0.10 port 52268


thanks!
det

Re: Specifying Any Port for RADIUS Client

2011-09-07 Thread Det Det
please disregard this email. I thought that the 'ports' field in 'nas' table 
means the 'source' port the client will use to connect to the RADIUS server 
when it actually means the port on the RADIUS server that the client will 
connect to.





Re: Specifying Any Port for RADIUS Client

2011-09-07 Thread Fajar A. Nugraha
On Thu, Sep 8, 2011 at 10:15 AM, Det Det det.explo...@yahoo.com wrote:
> please disregard this email. I thought that the 'ports' field in 'nas' table
> means the 'source' port the client will use to connect to the RADIUS server
> when it actually means the port on the RADIUS server that the client will
> connect to.

I don't think that's the case.

While the default nas table has many columns (including ports), the
default query on dialup.conf is

    nas_query = SELECT id, nasname, shortname, type, secret, server FROM ${nas_table}

... which should mean only those columns are used.

-- 
Fajar


Re: Specifying Any Port for RADIUS Client

2011-09-07 Thread Det Det
yeah you are right. realized that the ports value is actually not in use. it 
actually get the shortname not the nasname which is why i get an 'unknown 
client' error. i left the shortname empty.





FREE RADIUS client

2011-02-07 Thread karnik jain
Hi,

Can any one tell me that
FREE RADIUS client is internally doing UTF-8 conversion
for the multilingual characters or It is relying on some other underlying
module
who is supplying credentials like username and password?

Regards,
Karnik Jain

Re: FREE RADIUS client

2011-02-07 Thread Brian Candler
On Mon, Feb 07, 2011 at 04:05:41PM +0530, karnik jain wrote:
> Can any one tell me that
> FREE RADIUS client is internally doing UTF-8 conversion
> for the multilingual characters or It is relying on some other
> underlying module

I think that's a meaningless question.

RADIUS deals with bytes. It will send as User-Name whatever chunk of bytes
you give it. It doesn't mangle values.

> who is supplying credentials like username and password?

What exactly are you asking about - the program called radclient? In that
case it is you, the person who invokes radclient, who supplies the username
and password on stdin.

If you're asking about something else, please be more specific.
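
An added example, not part of the original post and not radclient's source: a minimal Access-Request encoder and parser following the RFC 2865 packet layout, showing that the User-Name value reaches the wire as exactly the bytes the caller supplied, and how a receiver can tell whether those bytes are valid UTF-8. The function names, the fixed authenticator and the sample user name are constructed for illustration.

```python
import hashlib
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD = 1, 2          # attribute types from RFC 2865


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; the value is copied as-is."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream, XOR)."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    size = max(16, -(-len(password) // 16) * 16)     # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    hidden, previous = b"", authenticator
    for i in range(0, size, 16):
        keystream = hashlib.md5(secret + previous).digest()
        previous = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += previous
    return hidden


def build_access_request(identifier, authenticator, secret, user_name, password):
    """Build an Access-Request; user_name and password are bytes, not str."""
    attrs = attribute(USER_NAME, user_name) + attribute(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes):
    """Return [(type, value)], rejecting packets whose lengths do not add up."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def user_name_report(packet: bytes):
    """Receiver-side check: (raw bytes, decoded text or None if not UTF-8)."""
    raw = dict(parse_attributes(packet))[USER_NAME]
    try:
        return raw, raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw, None


# Constructed inputs. The authenticator is fixed so the example is
# reproducible; a real client uses 16 unpredictable random bytes.
AUTHENTICATOR = bytes(range(16))
SECRET = b"testing123"
NAME = "Jos\u00e9"                        # same visible name, two encodings
UTF8_PACKET = build_access_request(
    1, AUTHENTICATOR, SECRET, NAME.encode("utf-8"), b"testpass")
LATIN1_PACKET = build_access_request(
    2, AUTHENTICATOR, SECRET, NAME.encode("latin-1"), b"testpass")

if __name__ == "__main__":
    for packet in (UTF8_PACKET, LATIN1_PACKET):
        raw, text = user_name_report(packet)
        print(raw.hex(), "valid UTF-8" if text is not None else "not UTF-8")
```

The two packets carry different User-Name bytes for the same visible name, so a server that matches names byte for byte treats them as different identities.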


Re: FREE RADIUS client

2011-02-07 Thread karnik jain
Hello,

> I think that's a meaningless question.
>
> RADIUS deals with bytes. It will send as User-Name whatever chunk of bytes
> you give it. It doesn't mangle values.

I am under the impression that the RADIUS client (radclient) itself
is doing the UTF-8 conversion as per RFC 2865 while sending a multilingual
username attribute
if it is not in UTF-8 form.

So I think this is not at all meaningless.
Correct me if I am wrong.

> What exactly are you asking about - the program called radclient? In that
> case it is you, the person who invokes radclient, who supplies the username
> and password on stdin.
>
> If you're asking about something else, please be more specific.

Yes, you have hit the correct nail.
I am talking about radclient only.
If supplied User-Name is not UTF-8 encoded by some means
suppose the scenario where UTF-8 support is not there then
at that time what radclient does.

Does it send the same multilingual characters to the RADIUS server or
first of all convert that into UTF-8 as per RFC 2865 and send it to
RADIUS server in ACCESS REQUEST packet as attribute or
just send as it is to RADIUS server?


Regards,
Karnik jain

Re: FREE RADIUS client

2011-02-07 Thread Alan DeKok
karnik jain wrote:
> I am under the impression that the RADIUS client (radclient) itself
> is doing the UTF-8 conversion as per RFC 2865 while sending a multilingual
> username attribute
> if it is not in UTF-8 form.
>
> So I think this is not at all meaningless.
> Correct me if I am wrong.

  Your question is meaningless and inappropriate for this forum.

  If you're writing your own RADIUS client, then pretending to ask
questions about radclient is not nice.

  If you want to know how radclient handles UTF-8, go read the source
code.  It's publicly available.

> Does it send the same multilingual characters to the RADIUS server or
> first of all convert that into UTF-8 as per RFC 2865 and send it to
> RADIUS server in ACCESS REQUEST packet as attribute or
> just send as it is to RADIUS server?

  This question was already answered on the list, in a message
describing how a RADIUS client works.

  If you're not going to read the messages on this list, there's no
point in asking questions here.

  Alan DeKok.


Re: FREE RADIUS client

2011-02-07 Thread Brian Candler
On Mon, Feb 07, 2011 at 05:07:03PM +0530, karnik jain wrote:
> I am talking about radclient only.
> If supplied User-Name is not UTF-8 encoded by some means
> suppose the scenario where UTF-8 support is not there then
> at that time what radclient does.
>
> Does it send the same multilingual characters to the RADIUS server or
> first of all convert that into UTF-8 as per RFC 2865 and send it to
> RADIUS server in ACCESS REQUEST packet as attribute or
> just send as it is to RADIUS server?

It just sends the bytes as-is.

If you have data in another encoding, which you want to convert to UTF-8 for
sending, then you need to transcode it yourself first using something like
'iconv'.

In any case, the data which you provide to radclient needs to use the
standard ASCII characters for equals, double-quotes and so on, so that it
can parse the lines. UTF-8 fulfils that requirement.

HTH,

Brian.
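
What Brian describes, shown as an added example that is not part of the thread and not radclient's code: the caller transcodes a legacy-encoded name to UTF-8 and checks it before packing it into a User-Name attribute (RFC 2865 type 1), because the client sends whatever bytes it is handed. The function names and the sample name are made up for this sketch, ISO-8859-1 is assumed as the legacy encoding and is converted by hand where iconv would normally be used, and refusing non-UTF-8 input is this sketch's policy, not something radclient does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_USER_NAME   1    /* RFC 2865 attribute type for User-Name */
#define MAX_ATTR_VALUE 253  /* one-octet length field: 255 minus type and length */

/* Constructed sample: "Jörg" as ISO-8859-1 bytes (o-umlaut is the single byte 0xf6). */
static const uint8_t SAMPLE_LATIN1[] = { 0x4a, 0xf6, 0x72, 0x67 };

/* Returns 1 if buf[0..len) is well-formed UTF-8, 0 otherwise. */
int is_valid_utf8(const uint8_t *buf, size_t len)
{
    size_t i = 0;

    while (i < len) {
        uint8_t c = buf[i];
        uint32_t cp, min;
        size_t need, k;

        if (c < 0x80) { i++; continue; }          /* plain ASCII */
        if ((c & 0xe0) == 0xc0)      { need = 1; cp = c & 0x1f; min = 0x80; }
        else if ((c & 0xf0) == 0xe0) { need = 2; cp = c & 0x0f; min = 0x800; }
        else if ((c & 0xf8) == 0xf0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;                            /* stray continuation or bad lead byte */

        if (len - i - 1 < need) return 0;         /* sequence cut short */
        for (k = 1; k <= need; k++) {
            if ((buf[i + k] & 0xc0) != 0x80) return 0;
            cp = (cp << 6) | (buf[i + k] & 0x3f);
        }
        /* reject overlong forms, surrogates and values past U+10FFFF */
        if (cp < min || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return 0;
        i += need + 1;
    }
    return 1;
}

/* Transcode ISO-8859-1 to UTF-8. Returns bytes written, or -1 if out is too small. */
long latin1_to_utf8(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t i, o = 0;

    for (i = 0; i < in_len; i++) {
        if (in[i] < 0x80) {
            if (o + 1 > out_cap) return -1;
            out[o++] = in[i];                     /* ASCII, including = and ", is unchanged */
        } else {
            if (o + 2 > out_cap) return -1;
            out[o++] = (uint8_t)(0xc0 | (in[i] >> 6));
            out[o++] = (uint8_t)(0x80 | (in[i] & 0x3f));
        }
    }
    return (long)o;
}

/*
 * Pack a User-Name attribute as type, length, value. The value bytes are
 * copied untouched. Returns the attribute length, or -1 if the value is
 * empty, longer than 253 bytes, not valid UTF-8, or attr is too small.
 */
int build_user_name_attr(const uint8_t *val, size_t val_len, uint8_t *attr, size_t attr_cap)
{
    if (val_len == 0 || val_len > MAX_ATTR_VALUE) return -1;
    if (!is_valid_utf8(val, val_len)) return -1;
    if (attr_cap < val_len + 2) return -1;
    attr[0] = PW_USER_NAME;
    attr[1] = (uint8_t)(val_len + 2);
    memcpy(attr + 2, val, val_len);
    return (int)(val_len + 2);
}

int main(void)
{
    uint8_t utf8[2 * sizeof SAMPLE_LATIN1], attr[2 + MAX_ATTR_VALUE];
    long n;
    int alen, i;

    if (build_user_name_attr(SAMPLE_LATIN1, sizeof SAMPLE_LATIN1, attr, sizeof attr) < 0)
        puts("raw ISO-8859-1 bytes rejected: not valid UTF-8");

    n = latin1_to_utf8(SAMPLE_LATIN1, sizeof SAMPLE_LATIN1, utf8, sizeof utf8);
    if (n < 0) return 1;
    alen = build_user_name_attr(utf8, (size_t)n, attr, sizeof attr);
    for (i = 0; i < alen; i++) printf("%02x ", attr[i]);
    putchar('\n');
    return alen < 0;
}
```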


Re: FREE RADIUS client

2011-02-07 Thread karnik jain
Hello B.Candler,

Thank you so much sir for replying back.
It is really helpful to my research on RADIUS client.

Thanks,
Karnik

Re: Radius Client UDP port selection

2011-02-06 Thread Brian Candler
On Sun, Feb 06, 2011 at 10:06:01AM -, vijay s sheelavantar wrote:
> I am talking about pam_radius_client. I want this pam_radius_auth.so
> client to select a particular UDP port to communicate with external
> radius server, so that server can send authentication response on the
> same port back to client.

Of course, the server will always send the authentication response back to
whatever port the client selected.

Your options are:

1. If pam_radius_client doesn't have the ability to bind to a particular
port, then you can modify the source code to do so. The call you need is
bind() after the socket has been created.

Warning: hacking C code in security-sensitive modules (especially those
running as root) is a risky business.  Get an expert to make this change for
you, or become an expert first.  (Recommended reading: Unix Network
Programming vol 1, and Advanced Programming in the Unix Environment, both by
Richard Stevens)

2. I think you said before you only wanted to make sure that the port
was >32768. So you can configure your OS so that *all* outbound connections
bind to ports >32768.

Google "linux ephemeral port range" for details.

On my system:

$ cat /proc/sys/net/ipv4/ip_local_port_range
32768   61000

So in fact, all connections from my machine would be >=32768 anyway.

Regards,

Brian.


Re: Radius Client UDP port selection

2011-02-06 Thread Brian Candler
On Sun, Feb 06, 2011 at 11:11:58AM +, Brian Candler wrote:
> 1. If pam_radius_client doesn't have the ability to bind to a particular
> port, then you can modify the source code to do so. The call you need is
> bind() after the socket has been created.

Ah, it turns out the code to do this is already there: (pam_radius_auth.c)

  /*
   *  Use our process ID as a local port for RADIUS.
   */
  local_port = (getpid() & 0x7fff) + 1024;
  do {
    local_port++;
    s_in->sin_port = htons(local_port);
  } while ((bind(conf->sockfd, &salocal, sizeof (struct sockaddr_in)) < 0) &&
           (local_port < 64000));

  if (local_port >= 64000) {
    close(conf->sockfd);
    _pam_log(LOG_ERR, "No open port we could bind to.");
    return PAM_AUTHINFO_UNAVAIL;
  }

As you can see, the initial local_port is currently chosen in the range 1024
to 33791 (1024+32767), essentially at random, and if that one is in use then
it keeps incrementing until it finds a free one under 64000.

Adjust to use whatever range you like.

> 2. I think you said before you only wanted to make sure that the port
> was >32768. So you can configure your OS so that *all* outbound connections
> bind to ports >32768.

Sorry, that won't work here, because the code is choosing its local port
explicitly.

Regards,

Brian.
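
The same bind-and-retry idea as a self-contained function, added here as an example (it is not the pam_radius_auth code): the port range is a parameter, the search starts at a pid-derived offset and wraps so every port in the range is tried once, and it stops on any error other than EADDRINUSE. The names candidate_port and bind_in_range, the 1024 lower limit and the 32768-64000 range used in main are assumptions of this sketch.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * i-th candidate port in [lo, hi]: start at an offset taken from seed, then
 * walk the range once, wrapping from hi back to lo.
 * Requires lo <= hi and i < (hi - lo + 1).
 */
uint16_t candidate_port(uint32_t seed, uint32_t i, uint16_t lo, uint16_t hi)
{
    uint32_t span = (uint32_t)hi - lo + 1;

    return (uint16_t)(lo + (seed % span + i) % span);
}

/*
 * Hypothetical helper: bind sockfd to the first free UDP port in [lo, hi]
 * on INADDR_ANY. Returns the bound port in host byte order, or -1 with errno
 * set if the range is unusable or no port in it could be bound.
 */
int bind_in_range(int sockfd, uint32_t seed, uint16_t lo, uint16_t hi)
{
    struct sockaddr_in sa;
    uint32_t span, i;

    if (lo < 1024 || hi < lo) {        /* stay out of the privileged range */
        errno = EINVAL;
        return -1;
    }
    span = (uint32_t)hi - lo + 1;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);

    for (i = 0; i < span; i++) {
        uint16_t port = candidate_port(seed, i, lo, hi);

        sa.sin_port = htons(port);
        if (bind(sockfd, (struct sockaddr *)&sa, sizeof sa) == 0)
            return port;
        if (errno != EADDRINUSE)       /* EBADF, EACCES, ...: retrying cannot help */
            return -1;
    }
    errno = EADDRINUSE;                /* every port in the range is taken */
    return -1;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int port;

    if (fd < 0) { perror("socket"); return 1; }
    port = bind_in_range(fd, (uint32_t)getpid(), 32768, 64000);
    if (port < 0) perror("bind_in_range");
    else printf("bound local UDP port %d\n", port);
    close(fd);
    return port < 0;
}
```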


Re: Radius Client UDP port selection

2011-02-04 Thread Brian Candler
On Fri, Feb 04, 2011 at 04:17:11AM -, vijay s sheelavantar wrote:
> Now the radius client UDP port is selected randomly, Is there a way by
> which I can mention the server to use particular UDP port as client
> port.

Are you talking about when freeradius is used as a proxy (and thus sending
outbound RADIUS packets?)

Or are you talking about radclient? Or something else?


Radius Client UDP port selection

2011-02-03 Thread vijay s sheelavantar
Hello Friends,
Now the radius client UDP port is selected randomly, Is there a way by which I
can mention the server to use particular UDP port as client port.
1. Is there a way where I can configure port numbers for client and server?
2. Or if I need to change the code then in which function I have to change?
I want client udp port number should be greater than 32767.
Kindly help me.
Thanks and Regards,
VIJAY S.

Re: Radius Client UDP port selection

2011-02-03 Thread Alexander Clouter
vijay s sheelavantar s_vija...@rediffmail.com wrote:

> Now the radius client UDP port is selected randomly, Is there a way by
> which I can mention the server to use particular UDP port as
> client port.
>
> 1. Is there a way where I can configure port numbers for client and
>    server?
> 2. Or if I need to change the code then in which function I have to
>    change? I want client udp port number should be greater than
>    32767.

...the 1990's called...they want their firewall security policy back.

Whatever it is you are hoping to achieve[1], this is not going to help 
you.

Cheers

[1] what does pinning the client source address give you?

-- 
Alexander Clouter
.sigmonster says: No line available at 300 baud.



Re: Radius Client UDP port selection

2011-02-03 Thread Tobias Koopmann
vijay s sheelavantar s_vija...@rediffmail.com wrote:

> Now the radius client UDP port is selected randomly, Is there a way by
> which I can mention the server to use particular UDP port as
> client port.

Well, this would imply that your radius client would be able to authenticate
exactly one supplicant simultaneously (one UDP socket). And that's probably
not what you want.

> 2. Or if I need to change the code then in which function I have to
> change? I want client udp port number should be greater than
> 32767.

The UDP header format offers 16 bits for source and destination port.
So, this will be possible. But you have to tell your software to use
ports above 32767.

--
Kind regards,

Tobias Koopmann

Re: Setting up postauth to record radius-client name and other information

2010-11-17 Thread Alan DeKok
William wrote:
> What I want to store in the radpostauth table is:
...
> (I want to add these)
>  Calling_Station,
>  Called_Station,

  See the debug mode for these attribute names.  They're in the packet.
Calling-Station-Id and Called-Station-Id.

>  NAS_Short_name from clients.conf

  That's a little more magical: %{client:shortname}

  Alan DeKok.


Radius Client password not accepted

2010-11-12 Thread Azam Zia

Hi,

I am using free radius for communication between asterisk voip server and
database. I have everything set up on the same machine, which has Centos 5.4. My
problem is that when I send a request from client to server the radius password
is not accepted; also, when I see radius packets in wireshark I see that
accountstatus type value is not correct. I have checked the password at client
and server are same. Please help, I have been trying to solve this issue for the
past 15 days.

Regards
Azam

Re: Radius Client password not accepted

2010-11-12 Thread Alan DeKok
Azam Zia wrote:
> I am using free radius for communication between asterisk voip server
> and database. I have everything setup on same machine which has Centos
> 5.4. My problem is that when I send request from client to server the
> radius password is not accepted,

  What does that mean?

> also when I see radius packets in
> wireshark I see that accountstatus type value is not correct.

  What does that mean?

> I have checked the password at client and server are same.

  Have you tried running the server in debugging mode, as suggested in
the FAQ, README, INSTALL, web page, man pages, and daily on this list?

> Please help I have
> been trying to solve this issue for the past 15 days.

  Ask questions earlier.

  Alan DeKok.


Re: Re: radius client / send NAS IP ?

2010-09-27 Thread Michael Arndt
Hello Alan,

sorry, my fault :-)
radclient saves my day, indeed I can send any attribute / value pair I like

thanks for your help
Micha


radius client / send NAS IP ?

2010-09-25 Thread Michael Arndt
Hello *,

at the time being I have to use an old radius version for different reasons.

freeradius-client-1.1.5-36
freeradius-devel-1.1.6-47
freeradius-1.1.6-47
freeradius-client-devel-1.1.5-36
freeradius-client-libs-1.1.5-36

for real logins at WLAN Hot Spot the 

DEFAULT NAS-IP-Address == 192.168.123.45
or
DEFAULT Called-Station-Id =~ .*:MYSSID

are part of the check ( via criteria in users )

is there a radtest client where I can send those attribute / value pairs
intentionally?

else in my traces I will always see a refused as test result, since from
localhost those parameters will not match

Prio low, would just be nice for testing

TIA
Micha

Re: radius client / send NAS IP ?

2010-09-25 Thread Alan DeKok
Michael Arndt wrote:
> is there a radtest client where I can send those attribute / value pairs
> intentionally ?

$ man radclient

  Alan DeKok.


Re: Re: radius client / send NAS IP ?

2010-09-25 Thread Michael Arndt
Alan,

thx for answering

at least the radclient of the installed version does not allow adding those
attributes according to the manpage.
If I read your hint right I should download an actual version and compile to
get a radclient with enhanced abilities :-)

TIA
Micha



Regarding radius client

2010-08-18 Thread Suresh kumar

Hi, All

I have to develop a radius client to fulfil the following requirement.

Please, which radius client lib/stack should I use for Windows?

simulate Radius and dot1x type of client flows

The radius tool should allow us to specify authentication type and it should
support all EAP methods such as MSCHAP/V2 etc. Tool should allow us to add
custom attributes to authentication request and accounting request. Tool should
allow end users to specify port information. It should be able to specify
retries and time out. It should be able to simulate concurrent radius clients.

2. How to test or send dummy EAP packet to radius client.

Re: Using Radiusclient to implement a radius client on Windows platform?

2010-04-26 Thread Alan DeKok
Joshua Lim wrote:
> Hi Alan,
>
> Thanks, how about using the pgina radius plugin?
> http://userpage.fu-berlin.de/~holger/radiusplugin/RADIUSplugin-0.3src.zip
>
> It has code taken from pam_radius_auth
>
> Is pam_radius_auth using radiusclient?

  No. They are different code bases.

  They should really be unified at some point.

  Alan DeKok.


Using Radiusclient to implement a radius client on Windows platform?

2010-04-23 Thread Joshua Lim
Hi I'm a newbie, hope someone can help me.  I'm trying to implement a
radius client on Windows platform to work with freeradius.  I intend to
use VC++ or Delphi.  radiusclient is for linux platform, can I adapt it
for Windows?

Grateful for any pointers.  :)

Rgds,
Joshua


Re: Using Radiusclient to implement a radius client on Windows platform?

2010-04-23 Thread Alan DeKok
Joshua Lim wrote:
> Hi I'm a newbie, hope someone can help me.  I'm trying to implement a
> radius client on Windows platform to work with freeradius.  I intend to
> use VC++ or Delphi.  radiusclient is for linux platform, can I adapt it
> for Windows?

  You'll have to hack the source code.  It's not really portable right now.

  Alan DeKok.


Re: Using Radiusclient to implement a radius client on Windows platform?

2010-04-23 Thread Joshua Lim

Hi Alan,

Thanks, how about using the pgina radius plugin?
http://userpage.fu-berlin.de/~holger/radiusplugin/RADIUSplugin-0.3src.zip

It has code taken from pam_radius_auth

Is pam_radius_auth using radiusclient?

Rgds,
Joshua




Re: Pam radius client and binding to mulitple IPs

2010-01-26 Thread Alan DeKok
Chris Tong wrote:
> The problem I am having is that I have an OpenVPN proxy hub that has
> 3 external IP addresses.
> ... However if the user connects to INT2 the NAS request still
> has the source IP address of INT1 and therefore the user is rejected
> because he is not a member of the INT1 grouping.

  The PAM module doesn't have a configuration option for "use this local
IP address".

> Is it possible to have multiple instances of the radius plugin each
> binding to a different interface so that the request seen by the Radius
> server via the PAM plugin has the correct source address?

  The module will have to be updated to add that capability.

  Alan DeKok.


Pam radius client and binding to mulitple IPs

2010-01-25 Thread Chris Tong

Hi everyone,

I realise that this may be somewhat a limitation of the PAM Radius Plugin for
OpenVPN but have searched around for a week now to find a solution.

The problem I am having is that I have an OpenVPN proxy hub that has 3
external IP addresses. I am using huntgroups to distinguish if a user can
authenticate against an IP address and if so they receive an IP default Gw to
a front end proxy (each front end proxy is located in a separate country). The
idea is that a user of a specific group can only connect to an interface that
he is a group member of. The authentication uses the pam radius plugin against
a backend SQL / radius server. If I connect to int1 then the requests sent by
the Radius plugin to the backend radius server has a source IP of int1. This
works well and the user is authenticated and is provided a default GW to the
front end proxy. However if the user connects to INT2 the NAS request still has
the source IP address of INT1 and therefore the user is rejected because he is
not a member of the INT1 grouping.

Is it possible to have multiple instances of the radius plugin each binding to
a different interface so that the request seen by the Radius server via the PAM
plugin has the correct source address? Is it possible to get the NAS to
distinguish between the interfaces?

Cheers to all in advance (,)

Cj

Re: Radius client configuration issue

2009-07-28 Thread mer...@gmail.com

thanks for the link.

I want to know if we can give radius server ip address and secret in
pam.conf file.
I tried to configure radius server with CLI, but it doesn't seem to work.
Can you please tell me how to configure radius server in radius client to
work.





Re: Radius client configuration issue

2009-07-28 Thread Ivan Kalik
> thanks for the link.
>
> I want to know if we can give radius server ip address and secret in
> pam.conf file.

No.

> I tried to configure radius server with CLI, but it doesn't seem to work.
> Can you please tell me how to configure radius server in radius client to
> work.

Did you actually read that linked page? It *does* say how and where to do
that.

Ivan Kalik
Kalik Informatika ISP



Re: Radius client configuration issue

2009-07-28 Thread mer...@gmail.com

Hi Ivan,
I have gone through the link and checked all the files. I also tried to
compare with my existing installation:

1) As per the given link, it seems that pam.conf is configured as:

login   auth  sufficient  /usr/lib/security/pam_radius_auth.so.1
login   auth  required    /usr/lib/security/pam_unix_auth.so.1
telnet  auth  sufficient  /usr/lib/security/pam_radius_auth.so.1
telnet  auth  required    /usr/lib/security/pam_unix.so.1

which is on Solaris 2.6.

In our configuration on Solaris 5.10, pam.conf contains:

login   auth  requisite   pam_authtok_get.so.1
login   auth  required    pam_dhkeys.so.1
login   auth  required    pam_unix_cred.so.1
login   auth  required    pam_unix_auth.so.1
login   auth  required    pam_dial_auth.so.1

where libraries are in folder /usr/lib/security


2) pam_radius_auth.conf is set at radius server (/etc/raddb/server), which
contains server ip address and secret.
3) Also, client info is set in /etc/raddb/clients.conf on radius server

But I could not find where radius server ip is configured in radius client.
I am not able to find how radius client knows about radius server. Please
let me know if I am missing anything.

Regards,
Meraj




Re: Radius client configuration issue

2009-07-28 Thread Ivan Kalik
> 2) pam_radius_auth.conf is set at radius server (/etc/raddb/server), which
> contains server ip address and secret.
...
> But I could not find where radius server ip is configured in radius
> client.
> I am not able to find how radius client knows about radius server. Please
> let me know if I am missing anything.

Yes you have. Just read what you have written.

Ivan Kalik
Kalik Informatika ISP



Re: Radius client configuration issue

2009-07-28 Thread Meraj Siddiqui
Yes that I understand.

I think there is some confusion. Let me explain, we have 2 separate machines.
On one machine (Linux), radius server is set up and running independently. On
this machine, we have made the
changes (/etc/raddb/server/pam_radius_auth.conf).

On another machine, which is client machine (on Solaris), PAM is configured
in SSH. Also, on this machine, we have pam.conf (/etc/pam.conf) and
sshd_config files where authentication libraries and other properties are
set.

Now, I have to login through my client machine (radius client), and it has
to send information to linux machine (where radius server's setup is done).
*Per the understanding, Radius server will authenticate user when PAM is
enabled.*

But it is not clear, how Radius client (on Solaris machine) knows to
communicate with Radius Server (on Linux machine).

1. Do we configure ip address of Radius server (on linux) at Radius client
(on Solaris machine) ?
2. Do we give username details on Radius server (on linux) machine?

I hope it might help to understand the scenario.

Regards,
Meraj






-- 
Regards
Meraj Siddiqui
Tel: +919958992646
Linkedin Profile : http://www.linkedin.com/pub/meraj-siddiqui/6/8a5/66b

Re: Radius client configuration issue

2009-07-28 Thread mer...@gmail.com

Hi  Ivan,

I think there is some confusion. Let me explain, we have 2 separate machines.
On one machine (Linux), radius server is set up and running independently. On
this machine, we have made the
changes (/etc/raddb/server/pam_radius_auth.conf).

On another machine, which is client machine (on Solaris), PAM is configured
in SSH. Also, on this machine, we have pam.conf (/etc/pam.conf) and
sshd_config files where authentication libraries and other properties are
set.

Now, I have to login through my client machine (radius client), and it has
to send information to linux machine (where radius server's setup is done).
Per the understanding, Radius server will authenticate user when PAM is
enabled.
 
But it is not clear, how Radius client (on Solaris machine) knows to
communicate with Radius Server (on Linux machine).
 
1. Do we configure ip address of Radius server (on linux) at Radius client
(on Solaris machine) ?
2. Do we give username details on Radius server (on linux) machine?
 
I hope it might help to understand the scenario.
 
Regards,
Meraj




Re: Radius client configuration issue

2009-07-28 Thread Ivan Kalik
> 1. Do we configure ip address of Radius server (on linux) at Radius client
> (on Solaris machine) ?

Yes, on client machine in pam_radius_auth.conf.

> 2. Do we give username details on Radius server (on linux) machine?

Yes, you enter usernames/passwords in users file (sql, ldap, whatever).
IMPORTANT: those users have to exist on your Solaris machine for PAM to
work.

Ivan Kalik
Kalik Informatika ISP



Radius client configuration issue

2009-07-27 Thread mer...@gmail.com

I want to use PAM for user authentication. 

I am trying to setup radius client but unable to configure it. Radius
client's setup is at Solaris and Radius Server (RKS emulator) is at Linux
machine. 

Can any one tell the procedure to configure radius client so that it can
communicate with Radius server? Is there any script required for that or all
the commands needed to configure are in some config file? 

Also, how to login with radius client to check the authentication. 

Thanks in Advance. 


Re: Radius client configuration issue

2009-07-27 Thread Ivan Kalik
> I want to use PAM for user authentication.
>
> I am trying to setup radius client but unable to configure it. Radius
> client's setup is at Solaris and Radius Server (RKS emulator) is at Linux
> machine.
>
> Can any one tell the procedure to configure radius client so that it can
> communicate with Radius server? Is there any script required for that or
> all the commands needed to configure are in some config file?
>
> Also, how to login with radius client to check the authentication.

http://freeradius.org/pam_radius_auth/

Ivan Kalik
Kalik Informatika ISP



SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread kpani

Hi,
I am trying to authenticate ssh login using radius server running in another
linux machine.

I added a new user in /usr/local/etc/raddb/users of radius server.

Now when I do ssh to the radius client, the radius server denies request and
says 'Password doesn't match. But I gave right password. If I add the new
user in radius client machine, then if I do ssh, the server accepts and
authenticates the request.

So it looks like the radius client is not sending the password to radius
server if the user does not exist in local machine.

Do I need to configure anywhere in client or server to skip the local
machine user check. Please help me to solve this issue.

Thanks in advance.

Regards,
Dhandapani


Re: SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread Ivan Kalik
 So it looks like the radius client is not sending the password to radius
 server if the user does not exist in local machine.

Yes, that's how PAM works. It can't authenticate users that don't exist
locally (think about it - if user/group is not defined locally what will
user be able to access on the machine). Nothing to do with radius.

Ivan Kalik
Kalik Informatika ISP



Re: SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread kpani

Thanks a lot Ivan for the clarification. I am feeling like working with you.

Do you mean the radius server can be only used for password authentication
in case of ssh/telnet? Can't we login using the centralized
username/password?

Regards,
Dhandapani


Ivan Kalik wrote:
 
 So it looks like the radius client is not sending the password to radius
 server if the user does not exist in local machine.
 
 Yes, that's how PAM works. It can't authenticate users that don't exist
 locally (think about it - if user/group is not defined locally what will
 user be able to access on the machine). Nothing to do with radius.
 
 Ivan Kalik
 Kalik Informatika ISP
 


Re: SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread Ivan Kalik
 Do you mean the radius server can be only used for password authentication
 in case of ssh/telnet?

Yes.

 Can't we login using the centralized
 username/password?

No, that can't work. Let's say that you were authenticated and reached the
shell as a nonexistent local user. How is he supposed to access anything or
execute any commands? No permissions would apply to him.

Ivan Kalik
Kalik Informatika ISP
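
The constraint described in this reply can be checked before a login fails. An added example (not from the thread) that lists names defined in a FreeRADIUS `users` file which have no account on the client; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list RADIUS users that have no local account on the client.
# Function names and sample data are constructed for illustration.

# radius_users FILE: print user names defined in a FreeRADIUS "users" file.
# An entry starts in column 0; indented lines are reply items of that entry.
radius_users() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        /^[ \t]/       { next }                 # reply-item continuation
        /^"/           { s = substr($0, 2)      # quoted name: "some name"
                         print substr(s, 1, index(s, "\"") - 1); next }
        $1 == "DEFAULT" || $1 == "$INCLUDE" { next }
        { print $1 }
    ' "$1" | sort -u
}

# missing_local USERS_FILE [PASSWD_FILE]: print names without a local account.
# With no PASSWD_FILE the lookup goes through NSS via getent, so accounts
# from any configured name service are taken into account.
missing_local() {
    radius_users "$1" | while IFS= read -r user; do
        if [ -n "${2:-}" ]; then
            awk -F: -v u="$user" '$1 == u { f = 1 } END { exit !f }' "$2" ||
                echo "$user"
        else
            getent passwd "$user" >/dev/null || echo "$user"
        fi
    done
}

# demo_missing: run the check on constructed sample files.
demo_missing() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/users" <<'EOF'
# constructed sample in "users" file syntax
alice   Cleartext-Password := "constructed-pw-1"
        Reply-Message = "Hello, %{User-Name}"

bob     Cleartext-Password := "constructed-pw-2"

DEFAULT Auth-Type := Reject
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
EOF
    missing_local "$dir/users" "$dir/passwd"
    rm -rf "$dir"
}

demo_missing
```

On a real client, call `missing_local` with only the users file so the lookup uses `getent` instead of a passwd copy.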



Re: SSH authentication with radius server fails if the user does not exist in radius client

2009-06-17 Thread kpani

Yes. Got it. Thanks Ivan.

Regards,
Dhandapani


Ivan Kalik wrote:
 
 Do you mean the radius server can be only used for password
 authentication
 in case of ssh/telnet?
 
 Yes.
 
 Can't we login using the centralized
 username/password?
 
 No, that can't work. Let's say that you were authenticated and reached the
 shell as a nonexistent local user. How is he supposed to access anything or
 execute any commands? No permissions would apply to him.
 
 Ivan Kalik
 Kalik Informatika ISP
 


radius client on fedora 10 ?

2009-05-13 Thread François Mehault
Hi,

I would like to know is there any radius client on fedora 10 ? pam_radius ? 
other ?

Regards,

François

Re: radius client on fedora 10 ?

2009-05-13 Thread John Dennis
François Mehault wrote:

 I would like to know is there any radius client on fedora 10 ?
 pam_radius ? other ?

pam radius is not currently packaged for Fedora, although there has been
a request previously. It's on my to-do list, but the reality is I've got
a lot of other work ahead of it. If you would like to package it then by
all means please do, it will probably be faster if you do. I'll act as
the package reviewer for you if you do.

-- 
John Dennis jden...@redhat.com



Read radius client from database

2008-11-26 Thread Saeed Akhtar
Hi all,

   I am having a problem configuring Radius to read client information from
the mysql database table nas. I found an option at the last line of sql.conf

readclients = yes

I uncommented it, then added a record in the nas table, then tried to send a
request from the newly added client, but it says unknown client. Can anyone
help me in this regard? Thank you
Regards,

Saeed Akhtar

re:Re: Read radius client from database

2008-11-26 Thread mj mailing lists user
Hi seems to me you are missing rlm_sql, when I start radiusd -X I get the 
following lines:

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
..
rlm_sql_mysql: query:  SELECT id, nasname, shortname, type, secret FROM nas

this last line is then followed by 
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=secretpw
..

Maybe you didn't configure sql right. 
In freeradius2
Uncomment sql in raddb/sites-enabled/default
Check your raddb/sql.conf file 

in freeradius1 uncomment sql (authorize section) in radiusd.conf and adapt 
sql.conf


Michel



Re: Read radius client from database

2008-11-26 Thread Alan DeKok
Saeed Akhtar wrote:
 Debug Trace:

  You're not running 2.x.  You should upgrade.

  You haven't configured the SQL module.  You need to do this for it to
work.

  Alan DeKok.


Re: Read radius client from database

2008-11-26 Thread Saeed Akhtar
Debug Trace:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/jradius.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded jradius
 jradius: name = example
 jradius: primary = 127.0.0.1
 jradius: secondary = 192.168.1.2:1815
 jradius: tertiary = 192.168.1.2:1816
 jradius: timeout = 1
 jradius: onfail = NOOP
 jradius: keepalive = yes
 jradius: connections = 8
rlm_jradius: configuring jradius server 127.0.0.1:1814
rlm_jradius: configuring jradius server 192.168.1.2:1815
rlm_jradius: configuring jradius server 192.168.1.2:1816
rlm_jradius: starting JRadius connection 0
rlm_jradius: starting JRadius connection 1
rlm_jradius: starting JRadius connection 2
rlm_jradius: starting JRadius connection 3
rlm_jradius: starting JRadius connection 4
rlm_jradius: starting JRadius connection 5
rlm_jradius: starting JRadius connection 6
rlm_jradius: starting JRadius connection 7
Module: Instantiated jradius (jradius)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = 

Re: Read radius client from database

2008-11-26 Thread Saeed Akhtar
Thanks for your help. Setting sql in the authorize section of radiusd.conf
solved the problem. But now when sql checks for the username and password it
gives the error Unknow Attribute Cleartext-Password. I am not
upgrading to 2.x because I tried to configure jradius with 2.1.1 and it gave
errors, so the best choice left for me was to downgrade to 1.1.3, as a patch
was available for this version. But now I'm facing problems regarding
mysql. Can you people suggest anything? Thanks for the help
Regards,

Saeed Akhtar



On Wed, Nov 26, 2008 at 6:17 PM, Alan DeKok [EMAIL PROTECTED]wrote:

 Saeed Akhtar wrote:
  Debug Trace:

  You're not running 2.x.  You should upgrade.

  You haven't configured the SQL module.  You need to do this for it to
 work.

  Alan DeKok.

Re: Read radius client from database

2008-11-26 Thread tnt
sql is commented out in radiusd.conf by default. Enable it somewhere.

This is the old server version. Use the latest one. Even for testing.
It's so much better.

Ivan Kalik
Kalik Informatika ISP



Re: Read radius client from database

2008-11-26 Thread tnt
1.1.3 doesn't use Cleartext-Password. That came in 1.1.4. Read the users
file. It should be User-Password.

Ivan Kalik
Kalik Informatika ISP


On 26/11/2008, Saeed Akhtar [EMAIL PROTECTED] wrote:

Thanks for ur help setting sql in authorize section of radiusd.conf
solved the problem But now when sql checks for username and password it
gives error Unknow Attribute Cleartext-Password.. I am not
upgrading to 2.x because i  tried to configure jradius with 2.1.1 it gave
errors... so best choice left for me was to degrade to 1.1.3 ... as a patch
was available for this version but now im facing problems regarding
mysql Can you people suggest me anything.. Thanks for the help
Regards,

Saeed Akhtar



On Wed, Nov 26, 2008 at 6:17 PM, Alan DeKok [EMAIL PROTECTED]wrote:

 Saeed Akhtar wrote:
  Debug Trace:

  You're not running 2.x.  You should upgrade.

  You haven't configured the SQL module.  You need to do this for it to
 work.

  Alan DeKok.


Re: Read radius client from database

2008-11-26 Thread tnt
Post the debug of the server startup.

Ivan Kalik
Kalik Informatika ISP


On 26/11/2008, Saeed Akhtar [EMAIL PROTECTED] wrote:

Hi all,

   I am having problem to configure Radius to read client information from
mysql database table nas. I found an option at last line of sql.conf

readclients = yes

i uncommented it ... then added record in nas table... then tried to send
request from newly added client but it says unknown client Can anyone
help me in this regard??? Thank you
Regards,

Saeed Akhtar





Re: Read radius client from database

2008-11-26 Thread Saeed Akhtar
Thanks. It worked, but here comes another issue where I'm
stuck: using both sql and jradius for authorization creates a problem.
First freeradius goes to sql and checks for the user record. Regardless of
the result of sql, the request is also forwarded to jradius, and jradius also
checks for the same username in another database on another server (as I'm
using jradius for connectivity to another server). I want freeradius to
not go to jradius if the sql result is access-accept. I don't know whether
there are any conditional statements in the configuration file which will
help me. Hopeful for some help :)  Thanks
Regards,

Saeed Akhtar



2008/11/26 [EMAIL PROTECTED]

 1.1.3 doesn't use Cleartext-Password. That came in 1.1.4. Read the users
 file. It should be User-Password.

 Ivan Kalik
 Kalik Informatika ISP


 On 26/11/2008, Saeed Akhtar [EMAIL PROTECTED] wrote:

 Thanks for ur help setting sql in authorize section of
 radiusd.conf
 solved the problem But now when sql checks for username and password
 it
 gives error Unknow Attribute Cleartext-Password.. I am not
 upgrading to 2.x because i  tried to configure jradius with 2.1.1 it gave
 errors... so best choice left for me was to degrade to 1.1.3 ... as a
 patch
 was available for this version but now im facing problems regarding
 mysql Can you people suggest me anything.. Thanks for the help
 Regards,
 
 Saeed Akhtar
 
 
 
 On Wed, Nov 26, 2008 at 6:17 PM, Alan DeKok [EMAIL PROTECTED]
 wrote:
 
  Saeed Akhtar wrote:
   Debug Trace:
 
   You're not running 2.x.  You should upgrade.
 
   You haven't configured the SQL module.  You need to do this for it to
  work.
 
   Alan DeKok.

Re: Read radius client from database

2008-11-26 Thread Alan DeKok
Saeed Akhtar wrote:

  please...formatyourmessages in a normal way.

  Formatting them badly makes them harder to understand.

 i dont now that is there any conditional statements in
 configuration file which will help me   hopeful for some help :)

  FreeRADIUS 2.x comes with a complete policy language.

$ man unlang

  Alan DeKok.


Re: Read radius client from database

2008-11-26 Thread tnt
First freeradius goes to sql and check for the user record... regardless of
result of sql , request is also fwd to jradius. and jradius also checks for
the same username in another database over another server (as im using
jradius for having connectivity to another server)... i want freeradius to
not go to jradius if sql result is access-accept i dont now that is
there any conditional statements in configuration file which will help me

Not in 1.1.3. It can be done with unlang in new version. You should
really try to get jradius working on 2.1.1.

Ivan Kalik
Kalik Informatika ISP



free RADIUS client + CHAP + PAM

2008-11-20 Thread Vinay
Hi there

There are a lot of places on the net which talk about how PAM cannot
 work with CHAP on the RADIUS server.

Will an implementation of freeRADIUS client with CHAP and
PAM(pam_radius_auth) module work?
Please point me to the appropriate link.

Thanks
-Vinay


free RADIUS client + CHAP + PAM

2008-11-19 Thread Vinay
Hi there

There are a lot of places on the net which talk about how PAM cannot
work with CHAP on the RADIUS server.
Will an implementation of freeRADIUS client with CHAP and
PAM(pam_radius_auth) module work?
Please point me to the appropriate link.

Thanks
-Vinay


Test Radius Client supporting PEAP-EAP MD5

2008-11-18 Thread Queenie de Melo
Hi,

Can anyone suggest a test radius client supporting PEAP with EAP MD5 ?

I have tried JRadius Simulator, RadiusTest and others but could not get the
option of PEAP with EAP MD5.

In case anyone has come across one, please let me know.

Warm regards
Queenie

Re: Test Radius Client supporting PEAP-EAP MD5

2008-11-18 Thread tnt
wpa_supplicant eapol_test.

Ivan Kalik
Kalik Informatika ISP

On 18/11/2008, Queenie de Melo [EMAIL PROTECTED] wrote:

Hi,

Can anyone suggest a test radius client supporting PEAP with EAP MD5 ?

I have tried JRadius Simuator , RadiusTest n others but could not get the
option of PEAP with EAP MD5.

Incase anyone has come across, please let me know.

Warm regards
Queenie





Radius client can not connected!

2008-08-10 Thread Kwok Sianbin
Hi all,

Need help.

I'd been doing this for sometimes and can't get it solved.

Client try to communicate with server but just can't get it connected.

here are the message:



Waking up in 4.7 seconds.

    User-Name = testing

    NAS-IP-Address = 0.0.0.0

    Framed-MTU = 1488

    Called-Station-Id = 00:30:1a:29:03:66

    Calling-Station-Id = 00:1c:f0:10:56:b8

    NAS-Port-Type = Wireless-802.11

    NAS-Identifier = 127.0.0.1

    Connect-Info = CONNECT 11Mbps 802.11b

    State = 0x50713d8653743023ce88a0c1a1b930fe

    EAP-Message =
0x9dc92e8f839a0e40cc7a7563476be125135d91d45ed4b5c978273b5e1d0e30cb655d8d1a011fe0d7c93e21603ee63e618566dbf126d95e68f8bf1e2bfbf8145a3894ddeb74923d45fbac9fdbde4cd7bf070931c74a4a7d3153a4e5de2d74c4f6f6191e639f57d2d18a256f240726a7b3100fec13048cddc9a99f594c82742aeb918959fe193bd1cb691a81fbf413aaba7e57cca12151350d96dc18a4b0af99d63cb68c1a5214a087a21403010001011603010020251f2329bd8931db05f4268228c4258ec07f3d2bb9281b1b83b584b08b75214d

    Message-Authenticator = 0xd97d042e7cb701a8720f28f6c5f1292b

+- entering group authorize

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

    rlm_realm: No '@' in User-Name = testing, looking up realm NULL

    rlm_realm: No such realm NULL

++[suffix] returns noop

  rlm_eap: EAP packet type response id 5 length 253

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns notfound

    users: Matched entry testing at line 91

    expand: Hello, %{User-Name} - Hello, testing

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

rlm_pap: Found existing Auth-Type, not changing it.

++[pap] returns noop

  rad_check_password:  Found Auth-Type EAP

auth: type EAP

+- entering group authenticate

  rlm_eap: Request found, released from the list

  rlm_eap: EAP/tls

  rlm_eap: processing type tls

  rlm_eap_tls: Authenticate

  rlm_eap_tls: processing TLS

  TLS Length 1467

rlm_eap_tls:  Length Included

  eaptls_verify returned 11

  rlm_eap_tls:  TLS 1.0 Handshake [length 037f], Certificate

-- verify error:num=20:unable to get local issuer certificate

  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca

TLS Alert write:fatal:unknown CA

    TLS_accept:error in SSLv3 read 

Re: Radius client can not connected!

2008-08-10 Thread Alan DeKok
Kwok Sianbin wrote:
 I'd been doing this for some time and can't get it solved.
 Client tries to communicate with server but just can't get connected.

  Please READ the debug output.  It is telling you what's going wrong.


   rlm_eap_tls:  TLS 1.0 Handshake [length 037f], Certificate
 -- verify error:num=20:unable to get local issuer certificate
   rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
 TLS Alert write:fatal:unknown CA
 TLS_accept:error in SSLv3 read client certificate B
 rlm_eap: SSL error error:140890B2:SSL
 routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

  You are doing EAP-TLS.  The certificate presented is from a CA that is
unknown.

  Alan DeKok.


php radius client (mount packet data)

2008-08-08 Thread Alexandre J. Correa - Onda Internet

Hello !!

Based on 'Pure PHP radius class' (http://developer.sysco.ch/php/) I'm
trying to implement disconnect-packet like this command:


echo User-Name := xx | radclient -x 111.222.333.444 disconnect secret


freeradius recognizes that the packet is a disconnect-request but I think
the checksum of the packet is incorrect, can someone look and try to discover
the error ?!


attached class, my changes are commented with //AlexandrE

thanks !!!

--
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br

/*
 *
 *
 * @author: SysCo/al
 * @since CreationDate: 2008-01-04
 * @copyright (c) 2008 by SysCo systemes de communication sa
 * @version $LastChangedRevision: 1.1 $
 * @version $LastChangedDate: 2008-02-04 $
 * @version $LastChangedBy: SysCo/al $
 * @link $HeadURL: radius.class.php $
 * @link http://developer.sysco.ch/php/
 * @link [EMAIL PROTECTED]
 * Language: PHP 4.0.7 or higher
 *
 *
 * Usage
 *
 *   require_once('radius.class.php');
 *   $radius = new Radius($ip_radius_server = 'radius_server_ip_address', $shared_secret = 'radius_shared_secret'[, $radius_suffix = 'optional_radius_suffix'[, $udp_timeout = udp_timeout_in_seconds[, $authentication_port = 1812]]]);
 *   $result = $radius->Access_Request($username = 'username', $password = 'password'[, $udp_timeout = udp_timeout_in_seconds]);
 *
 *
 * Examples
 *
 *   Example 1
 * AccessRequest('user', 'pass'))
 * {
 * echo "Authentication accepted.";
 * }
 * else
 * {
 * echo "Authentication rejected.";
 * }
 * ?>
 *
 *   Example 2
 * SetNasPort(0);
 * if ($radius->AccessRequest('user', 'pass'))
 * {
 * echo "Authentication accepted.";
 * echo "";
 * }
 * else
 * {
 * echo "Authentication rejected.";
 * echo "";
 * }
 * echo $radius->GetReadableReceivedAttributes();
 * ?>
 *
 *
 * External file needed
 *
 *   none.
 *
 *
 * External file created
 *
 *   none.
 *
 *
 * Special issues
 *
 *   - Sockets support must be enabled.
 * * In Linux and *nix environments, the extension is enabled at
 *   compile time using the --enable-sockets configure option
 * * In Windows, PHP Sockets can be activated by un-commenting
 *   extension=php_sockets.dll in php.ini
 *
 *
 * Other related resources
 *
 *   FreeRADIUS, a free Radius server implementation for Linux and *nix environments: http://www.freeradius.org/
 *   WinRadius, Windows Radius server (free for 5 users): http://www.itconsult2000.com/en/product/WinRadius.zip
 *   Radl, a free Radius server for Windows: http://www.loriotpro.com/Products/RadiusServer/FreeRadiusServer_EN.php
 *   DOS command line Radius client: http://www.itconsult2000.com/en/product/WinRadiusClient.zip
 *
 *
 * Change Log
 *
 *   2008-02-04 1.1   SysCo/al Typo error for the udp_timeout parameter (line 256 in the version 1.0)
 *   2008-01-07 1.0   SysCo/al Initial release
 *
 */


/*
 *
 * Radius
 * Pure PHP radius class
 *
 * Creation 2008-01-04
 * @package radius
 * @version v.1.0
 * @author SysCo/al
 *
 */
class Radius
{
    var $_ip_radius_server;       // Radius server IP address
    var $_shared_secret;          // Shared secret with the radius server
    var $_radius_suffix;          // Radius suffix (default is '')
    var $_udp_timeout;            // Timeout of the UDP connection in seconds (default value is 5)
    var $_authentication_port;    // Authentication port (default value is 1812)
    var $_accounting_port;        // Accounting port (default value is 1813)
    var $_nas_ip_address;         // NAS IP address
    var $_nas_port;               // NAS port
    var $_encrypted_password;     // Encrypted password, as described in the RFC 2865
    var $_user_ip_address;        // Remote IP address of the user
    var $_request_authenticator;  // Request-Authenticator, 16 octets random number
    var $_response_authenticator; // Response-Authenticator, 16 octets
    var $_username;               // Username to send to the Radius server
    var $_password;               // Password to send to the Radius server (clear password, must be encrypted)
    var $_identifier_to_send;     // Identifier field for the packet to be sent
    var $_identifier_received;    // Identifier field for the received packet
var $_radius_packet_to_send;  // Radius packet code (1=Access-Request, 2=Access-Accept, 3=Access-Reject, 4=Accounting-Request, 5=Accounting-Response, 11=Access-Challenge, 12=Status-Server (experimental), 13=Status-Clie

Re: php radius client (mount packet data)

2008-08-08 Thread Marinko Tarlac
Pasting class source won't help. You need to ask a specific question. I
believe that nobody here has enough time to read 1000 lines just to
answer you.

You can find all about POD in the FreeRadius FAQ section. Create a shell script
and call it when you need to disconnect someone.

On Fri, Aug 8, 2008 at 8:29 AM, Alexandre J. Correa - Onda Internet 
[EMAIL PROTECTED] wrote:

 Hello !!

 Based on 'Pure PHP radius class' (http://developer.sysco.ch/php/) I'm
 trying to implement disconnect-packet like this command:

 echo User-Name := xx | radclient -x 111.222.333.444 disconnect secret

 freeradius recognizes that the packet is a disconnect-request but I think
 the checksum of the packet is incorrect, can someone look and try to discover the
 error ?!

 attached class, my changes are commented with //AlexandrE

 thanks !!!

 --
 Sds.

 Alexandre Jeronimo Correa

 Onda Internet - http://www.ondainternet.com.br
 OPinguim Hosting - http://www.opinguim.net

 Linux User ID #142329

 UNOTEL S/A - http://www.unotel.com.br


 .


Re: php radius client (mount packet data)

2008-08-08 Thread Phil Mayers

On Fri, Aug 08, 2008 at 03:29:15AM -0300, Alexandre J. Correa - Onda Internet 
wrote:

> Hello !!
>
> Based on 'Pure PHP radius class' (http://developer.sysco.ch/php/) I'm
> trying to implement disconnect-packet like this command:
>
> echo User-Name := xx | radclient -x 111.222.333.444 disconnect secret
>
> freeradius recognizes that the packet is a disconnect-request but I think
> the checksum of the packet is incorrect, can someone look and try to discover
> the error ?!


PoDs need to be signed, like an Accounting-Request. You can't just send 
them, like an Access-Request. For more details, see the RADIUS RFCs. I 
don't see any sign of that code in the PHP class.




> attached class, my changes are commented with //AlexandrE
>
> thanks !!!
>
> --
> Sds.
>
> Alexandre Jeronimo Correa
>
> Onda Internet - http://www.ondainternet.com.br
> OPinguim Hosting - http://www.opinguim.net
>
> Linux User ID #142329
>
> UNOTEL S/A - http://www.unotel.com.br






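
What "signed" means for a Disconnect-Request, as an added example that is not part of the thread or of the SysCo class: the Request Authenticator is computed as for an Accounting-Request (RFC 2866, reused by RFC 5176) instead of being chosen at random as in an Access-Request. The function names, shared secret, identifier and user name are constructed for illustration.

```php
<?php
// Added example, not from the SysCo class; names and sample values are constructed.
const DISCONNECT_REQUEST = 40;  // RFC 5176 packet code
const ATTR_USER_NAME     = 1;   // RFC 2865 attribute type

// One attribute: Type (1 octet), Length (1 octet, counts the 2-octet header), Value.
function radius_attr(int $type, string $value): string
{
    if (strlen($value) > 253) {
        throw new InvalidArgumentException('attribute value exceeds 253 octets');
    }
    return chr($type) . chr(strlen($value) + 2) . $value;
}

// Request Authenticator for Accounting-, Disconnect- and CoA-Request:
// MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
function radius_signed_request(int $code, int $id, string $attrs, string $secret): string
{
    $header = pack('CCn', $code, $id, 20 + strlen($attrs)); // Length is big-endian
    $auth   = md5($header . str_repeat("\0", 16) . $attrs . $secret, true);
    return $header . $auth . $attrs;
}

// Receiver side: recompute the hash with the authenticator field zeroed.
function radius_request_is_signed(string $packet, string $secret): bool
{
    if (strlen($packet) < 20) {
        return false;
    }
    $length = unpack('n', substr($packet, 2, 2))[1];
    if ($length < 20 || $length > strlen($packet)) {
        return false;
    }
    $packet   = substr($packet, 0, $length);  // drop any padding past Length
    $expected = md5(substr($packet, 0, 4) . str_repeat("\0", 16)
                    . substr($packet, 20) . $secret, true);
    return hash_equals($expected, substr($packet, 4, 16));
}

$secret = 'testing123';  // constructed shared secret
$attrs  = radius_attr(ATTR_USER_NAME, 'xx');
$signed = radius_signed_request(DISCONNECT_REQUEST, 7, $attrs, $secret);
// Access-Request style packet: same header, but a random authenticator.
$random = substr($signed, 0, 4) . random_bytes(16) . $attrs;

printf("signed authenticator: %s\n", bin2hex(substr($signed, 4, 16)));
printf("signed packet verifies: %s\n", var_export(radius_request_is_signed($signed, $secret), true));
printf("random authenticator verifies: %s\n", var_export(radius_request_is_signed($random, $secret), true));
```

A receiver that performs the check in `radius_request_is_signed` drops the second packet, which matches the symptom in the original question: the packet code is recognised but the authenticator does not validate.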


Re: OT: java radius client libraries?

2008-05-13 Thread George Beitis

Hi Alex,
I used JRadius around a year ago, and it is the way to go. JRadius only 
builds a layer on top of FreeRadius though, it is not a standalone 
RADIUS server, as is FreeRadius for example.  It will allow you to 
create handlers written in Java using the existing JRadius packages to 
deal with RADIUS events.  If you need more specific details please let 
me know.


regards
George

Alex French wrote:

2008/5/12 Alan DeKok [EMAIL PROTECTED]:

  

  http://coova.org/wiki/index.php/JRadius/ClientAPI ?

  It's actively supported.  Unless there's another jradius out there...



Aha, I was looking at http://jradius-client.sourceforge.net/ which is different.

Thanks for the pointers.

Alex

  




OT: java radius client libraries?

2008-05-12 Thread Alex French
Hi guys,

Sorry if this is slightly OT but I'm hoping someone can advise on an
open-source radius client library in Java for integration with another
project that will be talking to a freeradius server. I have found two,
jradius and tinyradius, but jradius does not seem to be in active
development.

Has anyone used either of these or something else, preferably with a
freeradius server?


Thanks,

Alex

