two different enable passwords.
ashish verma
ashish.scit at gmail.com
Mon Sep 10 13:51:34 CEST 2007
Hi all,
I have radius-ldap setup for authenticating network devices.
I have small doubt here.
Is it possible to have different enable passwords for different huntgroups?
For e.g. i have 2 huntgroups. one for cisco switches and one for cisco
routers and I want to have different enable passwords for both.
Currently i have only one entry for enable password and that is commom for
all the cisco devices.
On 9/10/07, freeradius-users-request at lists.freeradius.org <
freeradius-users-request at lists.freeradius.org> wrote:
>
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. RE: Freeradius+Active directory - router login authentciation
> (Rakesh Jha)
> 2. Re: Freeradius doesn't detect EAP when authenticating against
> MySQL (Andrew Rowson)
> 3. RE : LOGs of eap-tls authentication (inelec communication)
> 4. Re: Freeradius doesn't detect EAP when authenticating against
> MySQL (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 10 Sep 2007 09:21:42 +0300
> From: "Rakesh Jha" <rakesh at burgan.com>
> Subject: RE: Freeradius+Active directory - router login authentciation
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID:
> <A928C53C7FC96746A7C07338F009DCA00C4D37 at BB-MAIL.main.burgan.bnk>
> Content-Type: text/plain; charset="us-ascii"
>
> Alan,
>
> Please see the complete output of radiusd -X as following -
>
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/proxy.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/eap.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/usr/local/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> pap: auto_header = yes
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = yes
> mschap: passwd = "(null)"
> mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-D
> omain:-burgan_dom} --username=%{mschap:User-Name:-None}
> --challenge=%{mschap:Cha
> llenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "tls"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "(null)"
> tls: random_file = "/dev/urandom"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> tls: cipher_list = "(null)"
> tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap_tls: Unable to open DH file - (null)
> rlm_eap: Failed to initialize type tls
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1962] Unknown module "eap".
> radiusd.conf[1909] Failed to parse authenticate section.
>
> As you have written 'as are most "helpful" pages not on freeradius.org',
> can you please suggest some links which guide correctly to configure
> radius, openssl and active directory.
>
> Thanks a lot,
> Rakesh Jha
>
> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Alan
> DeKok
> Sent: Monday, September 10, 2007 8:35 AM
> To: FreeRadius users mailing list
> Subject: Re: Freeradius+Active directory - router login authentciation
>
> Rakesh Jha wrote:
> ...
> > After following FreeRADIUS Tutorial for AD integration I am not able
> to
> > start radius daemon as it complains -
> >
> > radiusd.conf[10]: eap: Module instantiation failed.
> > radiusd.conf[1962] Unknown module "eap".
> > radiusd.conf[1909] Failed to parse authenticate section.
>
> I'm at a bit of a loss for why so many people are so insistent on
> removing all useful messages.
>
> Attention:
> Any non-official business related views, opinions and other information
> presented in this electronic mail
> are solely those of the sender/author.
> Burgan Bank does not endorse or accept responsibility for their opinions.
> If you are not the addressed
> indicated in this mail or responsible for delivering this message to the
> intended,
> you should delete this message and notify the sender immediately.
> -------------------------------------------------------
> Burgan Bank S.A.K
> www.burgan.com
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Sep 2007 08:47:09 +0100
> From: Andrew Rowson <freeradius at growse.com>
> Subject: Re: Freeradius doesn't detect EAP when authenticating against
> MySQL
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <b03eaa106466517b3d809c38044273f9 at ticklemail.mrmen.home>
> Content-Type: text/plain; charset="UTF-8"
>
>
>
> On Mon, 10 Sep 2007 07:31:04 +0200, Alan DeKok <aland at deployingradius.com>
> wrote:
> > Andrew Rowson wrote:
> >> Looking over it, it seems that a problem comes up with the MSCHAP bit:
> >>
> >> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> >> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> >> rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password
> >> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform
> authentication.
> >> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> >> modcall[authenticate]: module "mschap" returns reject for request 14
> >>
> >> This appears to imply that there's no User-Password entry found
> anywhere
> >> for the user in the database. This would be correct, as the attribute
> in
> >> the radcheck table is set to Cleartext-Password. Anything other than
> >> Cleartext-Password and freeradius doesn't attempt an auth-type of EAP,
> >> but Local instead, going back to my original problem.
> >
> > What does the database contain? Cleartext-Password == password,
> > or Cleartext-Password := password ?
> >
>
> The database contains Cleartext-Password == password. I've tried it with
> :=, but if I remember correctly that fails as well, with the Auth-type
> being set to local again. I'll see if I can get a log of that failure as
> well, if it'd be helpful?
>
> Andrew
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Sep 2007 10:23:19 +0200 (CEST)
> From: inelec communication <inelec_communication at yahoo.fr>
> Subject: RE : LOGs of eap-tls authentication
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <60722.76768.qm at web26011.mail.ukl.yahoo.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> hello,
> running radius in debug mode doesn't give any log file ,i meen it
> doesn't give logs in radiusd.log ; if you give me your result when you
> have rubn radiusd -X -A perhaps i can help
>
> regards
>
>
> anoop_c at sifycorp.com a ?crit :
>
> Hi 1 I am using eap-tls authentication.My setup is working well with
> certificates. I am unable to get logs of user login ok or denied in
> the radius.log file [root at anoop sbin]# radiusd -X -A Starting -
> reading configuration files ... reread_config: reading radiusd.conf Config:
> including file: /etc/raddb/proxy.conf Config: including file:
> /etc/raddb/clients.conf Config: including file:
> /etc/raddb/snmp.conf Config: including file:
> /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main:
> prefix = \"/usr/local\" main: localstatedir = \"/usr/local/var\" main:
> logdir = \"/usr/local/var/log/radius\" main: libdir = \"/usr/local/lib\"
> main: radacctdir = \"/usr/local/var/log/radius/radacct\" main:
> hostname_lookups = no main: snmp = no main: max_request_time = 30
> main: cleanup_delay = 5 main: max_requests = 1024 main:
> delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no
> main: log_stripped_names
> = yes main: log_file = \"/usr/local/var/log/radius/radius.log\" main:
> log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass =
> yes main: pidfile = \"/usr/local/var/run/radiusd/radiusd.pid\" main:
> user = \"(null)\" main: group = \"(null)\" main: usercollide = no
> main: lower_user = \"no\" main: lower_pass = \"no\" main: nospace_user =
> \"no\" main: nospace_pass = \"no\" main: checkrad =
> \"/usr/local/sbin/checkrad\" main: proxy_requests = yes proxy:
> retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy:
> default_fallback = yes proxy: dead_time = 120 proxy:
> post_proxy_authorize = no proxy: wake_all_if_all_dead = no security:
> max_attributes = 200 security: reject_delay = 1 security: status_server
> = no main: debug_level = 0 read_config_files: reading
> dictionary read_config_files: reading naslist Using deprecated naslist
> file. Support for this will go away soon. read_config_files: reading
> clients
> read_config_files: reading realms radiusd: entering modules
> setup Module: Library search path is /usr/local/lib Module: Loaded exec
> exec: wait = yes exec: program = \"(null)\" exec: input_pairs =
> \"request\" exec: output_pairs = \"(null)\" exec: packet_type =
> \"(null)\" rlm_exec: Wait=yes but no output defined. Did you mean
> output=none? Module: Instantiated exec (exec) Module: Loaded expr Module:
> Instantiated expr (expr) Module: Loaded System unix: cache = no unix:
> passwd = \"(null)\" unix: shadow = \"(null)\" unix: group = \"(null)\"
> unix: radwtmp = \"/usr/local/var/log/radius/radwtmp\" unix: usegroup =
> no unix: cache_reload = 600 Module: Instantiated unix (unix) Module:
> Loaded eap eap: default_eap_type = \"tls\" eap: timer_expire = 60 eap:
> ignore_unknown_eap_types = no eap: cisco_accounting_username_bug =
> no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and
> initialized type leap gtc: challenge = \"Password: \"
> gtc: auth_type = \"PAP\" rlm_eap: Loaded and initialized type gtc tls:
> rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length =
> 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path =
> \"(null)\" tls: pem_file_type = yes tls: private_key_file =
> \"/etc/1x/07xwifi.pem\" tls: certificate_file = \"/etc/1x/07xwifi.pem\"
> tls: CA_file = \"/etc/1x/root.pem\" tls: private_key_password =
> \"password\" tls: dh_file = \"/etc/1x/DH\" tls: random_file =
> \"/etc/1x/random\" tls: fragment_size = 1024 tls: include_length = yes
> tls: check_crl = no tls: check_cert_cn = \"(null)\" tls: cipher_list =
> \"(null)\" tls: check_cert_issuer = \"(null)\" rlm_eap_tls: Loading the
> certificate file as a chain WARNING: rlm_eap_tls: Unable to set DH
> parameters. DH cipher suites may not work! WARNING: Fix this by running
> the OpenSSL command listed in eap.conf rlm_eap: Loaded and initialized
> type tls mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap
> (eap) Module: Loaded preprocess preprocess: huntgroups =
> \"/etc/raddb/huntgroups\" preprocess: hints = \"/etc/raddb/hints\"
> preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line =
> 23 preprocess: with_ntdomain_hack = no preprocess:
> with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no
> preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess
> (preprocess) Module: Loaded realm realm: format = \"suffix\" realm:
> delimiter = \"@\" realm: ignore_default = no realm: ignore_null =
> no Module: Instantiated realm (suffix) Module: Loaded files files:
> usersfile = \"/etc/raddb/users\" files: acctusersfile =
> \"/etc/raddb/acct_users\" files: preproxy_usersfile =
> \"/etc/raddb/preproxy_users\" files: compat = \"no\" Module: Instantiated
> files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key =
> \"User-Name,
> Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port\" Module:
> Instantiated acct_unique (acct_unique) Module: Loaded detail detail:
> detailfile =
> \"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d\"
> detail: detailperm = 384 detail: dirperm = 493 detail: locking =
> no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp:
> filename = \"/usr/local/var/log/radius/radutmp\" radutmp: username =
> \"%{User-Name}\" radutmp: case_sensitive = yes radutmp: check_with_nas =
> yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated
> radutmp (radutmp) Listening on authentication *:1812 Listening on
> accounting *:1813 Ready to process requests. 2 I am using certificate
> based authentication so do i need to edit anything in the users
> file/ Thanks and regards Anoop
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> ---------------------------------
> Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo!
> Mail
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070910/5b02759b/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Sep 2007 11:15:58 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Freeradius doesn't detect EAP when authenticating against
> MySQL
> To: freeradius at growse.com, FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <46E50B4E.9050407 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Andrew Rowson wrote:
> > The database contains Cleartext-Password == password. I've tried it with
> > :=, but if I remember correctly that fails as well,
>
> Use := for Cleartext-Password.
>
> > with the Auth-type
> > being set to local again. I'll see if I can get a log of that failure as
> > well, if it'd be helpful?
>
> No.
>
> Upgrade to 1.1.7, I think it solves this problem.
>
> Alan DeKok.
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 29, Issue 25
> ************************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070910/a2ffc990/attachment.html>
More information about the Freeradius-Users
mailing list