two different enable passwords.
Hi all,
I have radius-ldap setup for authenticating network devices.
I have a small doubt here.
Is it possible to have different enable passwords for different huntgroups?
For e.g., I have 2 huntgroups: one for Cisco switches and one for Cisco routers, and I want to have different enable passwords for both.
Currently I have only one entry for the enable password and that is common for all the Cisco devices.
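One way to get a separate enable password per device group, added here as an example that is not from this thread: Cisco IOS sends an enable request to RADIUS with the User-Name "$enab15$" (privilege level 15), so the files module can match that name on Huntgroup-Name and hand back a different Cleartext-Password per huntgroup. The huntgroup names, NAS addresses and the two placeholder passwords below are constructed and not from the original post.

```text
# /etc/raddb/huntgroups  (example; addresses are constructed placeholders)
# Map each NAS to a huntgroup. The preprocess module sets Huntgroup-Name
# from this file, so "preprocess" must be listed before "files" in the
# authorize section of radiusd.conf.
cisco-switches	NAS-IP-Address == 192.0.2.10
cisco-switches	NAS-IP-Address == 192.0.2.11
cisco-routers	NAS-IP-Address == 192.0.2.20

# /etc/raddb/users  (example)
# The files module tries entries for the same name top-down; the first
# entry whose check items all match wins. Huntgroup-Name is a check item,
# so one "$enab15$" entry per huntgroup gives one enable password per group.
# Devices that are in neither huntgroup match no entry and are rejected;
# add a final "$enab15$" entry without Huntgroup-Name only if you really
# want a shared fallback enable password.
$enab15$	Huntgroup-Name == "cisco-switches", Cleartext-Password := "SWITCH-ENABLE-PLACEHOLDER"

$enab15$	Huntgroup-Name == "cisco-routers", Cleartext-Password := "ROUTER-ENABLE-PLACEHOLDER"
```

To check it, run radiusd -X and do an enable on one switch and one router: the debug output should show preprocess setting Huntgroup-Name before the files module reports which "$enab15$" entry matched. Keeping the enable secrets in the users file, separate from the LDAP user accounts, also means an enable password learned from one device class does not open the other.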
On 9/10/07, freeradius-users-request@lists.freeradius.org <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. RE: Freeradius+Active directory - router login authentication
(Rakesh Jha)
2. Re: Freeradius doesn't detect EAP when authenticating against
MySQL (Andrew Rowson)
3. RE : LOGs of eap-tls authentication (inelec communication)
4. Re: Freeradius doesn't detect EAP when authenticating against
MySQL (Alan DeKok)
----------------------------------------------------------------------
Message: 1
Date: Mon, 10 Sep 2007 09:21:42 +0300
From: "Rakesh Jha" <rakesh@burgan.com>
Subject: RE: Freeradius+Active directory - router login authentication
To: "FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
Message-ID:
<A928C53C7FC96746A7C07338F009DCA00C4D37@BB-MAIL.main.burgan.bnk>
Content-Type: text/plain; charset="us-ascii"
Alan,
Please see the complete output of radiusd -X as following -
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-burgan_dom} --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "(null)"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap_tls: Unable to open DH file - (null)
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1962] Unknown module "eap".
radiusd.conf[1909] Failed to parse authenticate section.
As you have written 'as are most "helpful" pages not on freeradius.org', can you please suggest some links which guide correctly to configure radius, openssl and active directory.
Thanks a lot,
Rakesh Jha
-----Original Message-----
From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, September 10, 2007 8:35 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius+Active directory - router login authentication
Rakesh Jha wrote:
...
> After following FreeRADIUS Tutorial for AD integration I am not able to
> start radius daemon as it complains -
>
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1962] Unknown module "eap".
> radiusd.conf[1909] Failed to parse authenticate section.
I'm at a bit of a loss for why so many people are so insistent on
removing all useful messages.
Attention:
Any non-official business related views, opinions and other information presented in this electronic mail
are solely those of the sender/author.
Burgan Bank does not endorse or accept responsibility for their opinions. If you are not the addressed
indicated in this mail or responsible for delivering this message to the intended,
you should delete this message and notify the sender immediately.
-------------------------------------------------------
Burgan Bank S.A.K
www.burgan.com
------------------------------
Message: 2
Date: Mon, 10 Sep 2007 08:47:09 +0100
From: Andrew Rowson <freeradius@growse.com>
Subject: Re: Freeradius doesn't detect EAP when authenticating against
MySQL
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <b03eaa106466517b3d809c38044273f9@ticklemail.mrmen.home>
Content-Type: text/plain; charset="UTF-8"
On Mon, 10 Sep 2007 07:31:04 +0200, Alan DeKok <
aland@deployingradius.com>
wrote:
> Andrew Rowson wrote:
>> Looking over it, it seems that a problem comes up with the MSCHAP bit:
>>
>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>> rlm_mschap: No User-Password configured. Cannot create NT-Password.
>> rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password
>> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>> modcall[authenticate]: module "mschap" returns reject for request 14
>>
>> This appears to imply that there's no User-Password entry found anywhere
>> for the user in the database. This would be correct, as the attribute in
>> the radcheck table is set to Cleartext-Password. Anything other than
>> Cleartext-Password and freeradius doesn't attempt an auth-type of EAP,
>> but Local instead, going back to my original problem.
>
> What does the database contain? Cleartext-Password == password,
> or Cleartext-Password := password ?
>
The database contains Cleartext-Password == password. I've tried it with
:=, but if I remember correctly that fails as well, with the Auth-type
being set to local again. I'll see if I can get a log of that failure as
well, if it'd be helpful?
Andrew
------------------------------
Message: 3
Date: Mon, 10 Sep 2007 10:23:19 +0200 (CEST)
From: inelec communication <inelec_communication@yahoo.fr>
Subject: RE : LOGs of eap-tls authentication
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <60722.76768.qm@web26011.mail.ukl.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"
hello,
running radius in debug mode doesn't give any log file, I mean it doesn't give logs in
radiusd.log; if you give me your result when you have run radiusd -X -A perhaps I can help
regards
anoop_c@sifycorp.com wrote:
Hi
1 I am using eap-tls authentication. My setup is working well with certificates. I am unable to get logs of user login ok or denied in the radius.log file
[root@anoop sbin]# radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/07xwifi.pem"
tls: certificate_file = "/etc/1x/07xwifi.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "password"
tls: dh_file = "/etc/1x/DH"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
2 I am using certificate based authentication so do I need to edit anything in the users file?
Thanks and regards
Anoop
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 4
Date: Mon, 10 Sep 2007 11:15:58 +0200
From: Alan DeKok <aland@deployingradius.com>
Subject: Re: Freeradius doesn't detect EAP when authenticating against
MySQL
To: freeradius@growse.com, FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <46E50B4E.9050407@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Andrew Rowson wrote:
> The database contains Cleartext-Password == password. I've tried it with
> :=, but if I remember correctly that fails as well,
Use := for Cleartext-Password.
> with the Auth-type
> being set to local again. I'll see if I can get a log of that failure as
> well, if it'd be helpful?
No.
Upgrade to 1.1.7, I think it solves this problem.
Alan DeKok.
------------------------------
End of Freeradius-Users Digest, Vol 29, Issue 25
************************************************