Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
May 2008
- 159 participants
- 252 discussions
It´s possible close the session (make logout) when user close the web browser?
by Jose Maira Iranzo Marin 06 May '08
by Jose Maira Iranzo Marin 06 May '08
06 May '08
It´s possible close the session (make logout) when user close the web
browser?
And, it´s possible that when user make login in other host, the first
session in the other host close.
No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.7/1408 - Release Date: 30/04/2008
18:10
2
3
Re:Re Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
by johnson elangbam 06 May '08
by johnson elangbam 06 May '08
06 May '08
>Good. Now you are getting Digest-Attributes. Now uncomment digest entry
>in authorize section of default or whatever virtual server is processing
>this.
Hi Kalik,
As per your instruction I've uncommented all the digest entry
in authorize and authenticate section in the sites-enabled/default file,
unfortunately I still didn't get the values of these attributes in my perl
code to authenticate. I am confusing what should I emphasized, please help.
*I am submitting the complete radius log when it run in debug mode before
authenticate a user here*
FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 9 2008
at 21:42:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
client 192.168.1.227 {
require_message_authenticator = no
secret = "johnson"
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_perl
Module: Instantiating perl
perl {
module = "/usr/local/etc/raddb/myperltemp.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
}
perl {
max_clones = 32
start_clones = 32
min_spare_clones = 0
max_spare_clones = 32
cleanup_delay = 5
max_request_per_clone = 0
}
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_digest
Module: Instantiating digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
*Here is the log output after rejecting a user*
rad_recv: Access-Request packet from host 192.168.1.227 port 33192, id=169,
length=271
User-Name = "johnson(a)192.168.1.227"
Digest-Attributes = 0x0a096a6f686e736f6e
Digest-Attributes = 0x010f3139322e3136382e312e323237
Digest-Attributes =
0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "bb91be247c053ec09ab0da78d666c469"
Service-Type = Sip-Session
Sip-Uri-User = "johnson"
Cisco-AVPair = "call-id=
2ce841ba64a44ec9ad8a53c0e20fb453(a)192.168.1.193"
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x9cb1b90 asigned new request. Handled so far: 1
found interpetator at address 0x9cb1b90
rlm_perl: ###############################################################
rlm_perl: RAD_REQUEST: Digest-Response = bb91be247c053ec09ab0da78d666c469
rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
2ce841ba64a44ec9ad8a53c0e20fb453(a)192.168.1.193
rlm_perl: RAD_REQUEST: User-Name = johnson(a)192.168.1.227
rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x9e79f88)
rlm_perl: ###############################################################
rlm_perl: Added pair Digest-Response = bb91be247c053ec09ab0da78d666c469
rlm_perl: Added pair Service-Type = Sip-Session
rlm_perl: Added pair Cisco-AVPair = call-id=
2ce841ba64a44ec9ad8a53c0e20fb453(a)192.168.1.193
rlm_perl: Added pair User-Name = johnson(a)192.168.1.227
rlm_perl: Added pair Sip-Uri-User = johnson
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = 0x0a096a6f686e736f6e
rlm_perl: Added pair Digest-Attributes = 0x010f3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes =
0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
rlm_perl: Added pair Digest-Attributes =
0x04137369703a3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes = 0x030a5245474953544552
rlm_perl: Added pair Reply-Message = Incorrect Password
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9cb1b90
++[perl] returns reject
Invalid user: [johnson(a)192.168.1.227/<no User-Password attribute>] (from
client 192.168.1.227 port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> johnson(a)192.168.1.227
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.227 port 33193, id=170,
length=271
User-Name = "johnson(a)192.168.1.227"
Digest-Attributes = 0x0a096a6f686e736f6e
Digest-Attributes = 0x010f3139322e3136382e312e323237
Digest-Attributes =
0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "bb91be247c053ec09ab0da78d666c469"
Service-Type = Sip-Session
Sip-Uri-User = "johnson"
Cisco-AVPair = "call-id=
2ce841ba64a44ec9ad8a53c0e20fb453(a)192.168.1.193"
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x9eeddc8 asigned new request. Handled so far: 1
found interpetator at address 0x9eeddc8
rlm_perl: ###############################################################
rlm_perl: RAD_REQUEST: Digest-Response = bb91be247c053ec09ab0da78d666c469
rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
2ce841ba64a44ec9ad8a53c0e20fb453(a)192.168.1.193
rlm_perl: RAD_REQUEST: User-Name = johnson(a)192.168.1.227
rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x9f83c98)
rlm_perl: ###############################################################
rlm_perl: Added pair Digest-Response = bb91be247c053ec09ab0da78d666c469
rlm_perl: Added pair Service-Type = Sip-Session
rlm_perl: Added pair Cisco-AVPair = call-id=
2ce841ba64a44ec9ad8a53c0e20fb453(a)192.168.1.193
rlm_perl: Added pair User-Name = johnson(a)192.168.1.227
rlm_perl: Added pair Sip-Uri-User = johnson
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = 0x0a096a6f686e736f6e
rlm_perl: Added pair Digest-Attributes = 0x010f3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes =
0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
rlm_perl: Added pair Digest-Attributes =
0x04137369703a3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes = 0x030a5245474953544552
rlm_perl: Added pair Reply-Message = Incorrect Password
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9eeddc8
++[perl] returns reject
Invalid user: [johnson(a)192.168.1.227/<no User-Password attribute>] (from
client 192.168.1.227 port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> johnson(a)192.168.1.227
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 169 to 192.168.1.227 port 33192
Reply-Message = "Incorrect Password"
Waking up in 0.4 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 170 to 192.168.1.227 port 33193
Reply-Message = "Incorrect Password"
Waking up in 4.5 seconds.
Cleaning up request 0 ID 169 with timestamp +8
Waking up in 0.4 seconds.
Cleaning up request 1 ID 170 with timestamp +8
Ready to process requests.
Thanks for your valuable time.
With regards,
Elangbam Johnson
2
1
Lemaster, Rob wrote:
> I recently upgraded to 2.0.4, and now I'm seeing the following error
when I start FreeRADIUS:
...
> Sat May 3 20:21:39 2008 : Error: ERROR: Failed to open socket:
> Sat May 3 20:21:39 2008 : Error:
/opt/freeradius-2.0.4/etc/raddb/radiusd.conf[210]: Error binding to port
for 0.0.0.0 port 1812
> Sun May 4 01:37:24 2008 : Info: Ready to process requests.
---
DeKok:
So it *does* eventually start. Do you change the configuration
between the start attempts? If not, then it's difficult to say why it
starts one time, and then not another.
Maybe it's port re-use timers? Or something like the FreeBSD Jail
issue?
Is there a ktrace functionality on your system to see which system
calls it's doing, and what the results are?
--
Lemaster:
Yes, it does appear to be starting. Radius.log is no longer reporting the error, but radiusd -X still is.
I did not change the configuration. The only change I made was to upgrade to 2.0.4 and add the "Bob" account from the setup instructions. The rest of the configuration is 100% virgin.
>From the recommendation from Joel MBA OYONE, I made sure all other terminals were closed and there were no other radius processes running.
Radtest:
[root@localhost bin]# ./radtest bob hello localhost 0 testing123
User-Name = "bob"
User-Password = "hello"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Radius.log:
Mon May 5 20:04:55 2008 : Info: Ready to process requests.
Radiusd -X:
ERROR: Failed to open socket:
/opt/freeradius-2.0.4/etc/raddb/radiusd.conf[210]: Error binding to port for 0.0.0.0 port 1812
I couldn't find a ktrace in Fedora. Any other suggestions?
Thanks!
2
1
Hi
I have configured Free Radius 1.1.7 to connect to MSSQL. However when i run
radiusd -x i get the error
rlm_sql_unixodbc: Connection failed
Shoud i use versiion 2 instead.
I need help on this.
Thank you
--
Devinder
2
2
Hi All,
We need to extent the authentication feature of freeRadius server in
windows platform. Hence I need the source code of freeradius server
which I can build and compile in windows platform.
I tried to search in freeradius.net site where I suppose to get the
source code of freeradius server but it is still down for maintenance.
Can anyone help me out.
Thanks in advance.
-Sonali.
Please do not print this email unless it is absolutely necessary.
The information contained in this electronic message and any attachments
to this message are intended for the exclusive use of the addressee(s)
and may contain proprietary, confidential or privileged information. If
you are not the intended recipient, you should not disseminate,
distribute or copy this e-mail. Please notify the sender immediately and
destroy all copies of this message and any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient
should check this email and any attachments for the presence of viruses.
The company accepts no liability for any damage caused by any virus
transmitted by this email.
www.wipro.com
Please do not print this email unless it is absolutely necessary.
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
www.wipro.com
3
2
Hello
My Linux BOX
Fedora Core 5
freeradius-server-2.0.3.tar.gz
freeradius-client-1.1.5.tar.bz2
pptpd-1.3.3-1.fc5.i386.rpm
-------------------------------------------------------
1.MYSQL check_error: 1064 received
2.IP Allocation FAILED from dialup_pool1
3.sqlippool_log_nopool = "No Pool-Name defined
My radippool
-------------------------------------------------------
#
# Table structure for table 'radippool'
#
CREATE TABLE radippool (
id int(11) unsigned NOT NULL auto_increment,
pool_name varchar(30) NOT NULL,
framedipaddress varchar(15) NOT NULL default '',
nasipaddress varchar(15) NOT NULL default '',
calledstationid VARCHAR(30) NOT NULL,
callingstationid VARCHAR(30) NOT NULL,
expiry_time DATETIME NULL default NULL,
username varchar(64) NOT NULL default '',
pool_key varchar(30) NOT NULL,
PRIMARY KEY (id)
);
MY radiusd -X
-------------------------------------------------------
FreeRADIUS Version 2.0.3, for host i686-redhat-linux-gnu, built on Apr 15 2008 at 18:25:23
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/sqlippool.conf
including configuration file /etc/raddb/sql/mysql/ippool.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
user = "radiusd"
group = "radiusd"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "test1234"
nastype = "other"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
Module: Linked to module rlm_sqlcounter
Module: Instantiating noresetcounter
sqlcounter noresetcounter {
counter-name = "Max-All-Session-Time"
check-name = "Max-All-Session"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
reset = "never"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Reply attribute set to Session-Timeout.
rlm_sqlcounter: Counter attribute Max-All-Session-Time is number 11273
rlm_sqlcounter: Check attribute Max-All-Session is number 3000
rlm_sqlcounter: Current Time: 1208605561 [2008-04-19 20:46:01], Next reset 0 [2008-04-19 20:00:00]
rlm_sqlcounter: Current Time: 1208605561 [2008-04-19 20:46:01], Prev reset 0 [2008-04-19 20:00:00]
}
radiusd: #### Loading Virtual Servers ####
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = no
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_sql
Module: Instantiating sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "radiusid"
password = "test1234"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/radius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 5
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctsessiontime = 0 AND acctstoptime = NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND
nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime = NULL"
postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radiusid@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_sqlippool
Module: Instantiating sqlippool
sqlippool {
sql-instance-name = "sql"
lease-duration = 3600
pool-name = ""
allocate-begin = "START TRANSACTION"
allocate-clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time IS NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND"
allocate-find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND expiry_time IS NULL ORDER BY RAND() LIMIT 1 FOR UPDATE"
allocate-update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I'"
allocate-commit = "COMMIT"
allocate-rollback = "ROLLBACK"
pool-check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start-begin = "START TRANSACTION"
start-update = "UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}'"
start-commit = "COMMIT"
start-rollback = "ROLLBACK"
alive-begin = "START TRANSACTION"
alive-update = "UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
alive-commit = "COMMIT"
alive-rollback = "ROLLBACK"
stop-begin = "START TRANSACTION"
stop-clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time IS NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
stop-commit = "COMMIT"
stop-rollback = "ROLLBACK"
on-begin = "START TRANSACTION"
on-clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time IS NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on-commit = "COMMIT"
on-rollback = "ROLLBACK"
off-begin = "START TRANSACTION"
off-clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time IS NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off-commit = "COMMIT"
off-rollback = "ROLLBACK"
sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
defaultpool = "main_pool"
}
rlm_sql (sql): Reserving sql socket id: 4
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32771, id=124, length=150
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "test"
MS-CHAP-Challenge = 0xc5ac1174350544cd13a3a19a5b8fe003
MS-CHAP2-Response = 0x0500caf32d299dbd505edfb10d4ea4d87ee30000000000000000503a118fd04e0a3c56a71ee4de8f3f17005fbb831d142dc4
Calling-Station-Id = "121.176.82.138"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry DEFAULT at line 172
++[files] returns ok
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup_pool1' ORDER BY id
rlm_sql (sql): User found in group dialup_pool1
expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup_pool1' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
rlm_expiration: Checking Expiration time: '19 May 2008'
++[expiration] returns ok
++[logintime] returns noop
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}''
expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test'
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test'}'
rlm_sql (sql): - sql_xlat
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test'} -> 3751
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user test, check_item=360000, counter=3751
rlm_sqlcounter: Sent Reply-Item for user test, Type=Session-Timeout, value=356249
++[noresetcounter] returns ok
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type mschap
auth: type "MSCHAP"
+- entering group MS-CHAP
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
++[mschap] returns ok
+- entering group session
expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
expand: %{User-Name} -> test
++[radutmp] returns ok
Login OK: [test/<via Auth-Type = mschap>] (from client localhost port 0 cli 121.176.82.138)
+- entering group post-auth
rlm_sql (sql): Reserving sql socket id: 1
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: START TRANSACTION -> START TRANSACTION
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time IS NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND -> UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time IS NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND
rlm_sql_mysql: MYSQL check_error: 1064 received
sqlippool_command: database query error in: 'UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time IS NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND'
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND expiry_time IS NULL ORDER BY RAND() LIMIT 1 FOR UPDATE -> SELECT framedipaddress FROM radippool WHERE pool_name = 'dialup_pool1' AND expiry_time IS NULL ORDER BY RAND() LIMIT 1 FOR UPDATE
sqlippool_query1: SQL query did not return any results
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: COMMIT -> COMMIT
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1 -> SELECT id FROM radippool WHERE pool_name='dialup_pool1' LIMIT 1
rlm_sql (sql): Released sql socket id: 1
rlm_sqlippool: IP address could not be allocated.
expand: IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) -> IP Allocation FAILED from dialup_pool1 (did cli 121.176.82.138 port 0 user test)
IP Allocation FAILED from dialup_pool1 (did cli 121.176.82.138 port 0 user test)
++[sqlippool] returns notfound
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: %{User-Password} ->
expand: %{Chap-Password} ->
expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '', 'Access-Accept', '2008-04-19 20:46:08')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '', 'Access-Accept', '2008-04-19 20:46:08')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
Sending Access-Accept of id 124 to 127.0.0.1 port 32771
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Session-Timeout = 356249
MS-CHAP2-Success = 0x05533d34363644443445384430314142383438313442463536393542334338314542463146394244353536
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 32771, id=125, length=114
Acct-Session-Id = "4809DB830D9500"
User-Name = "test"
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "121.176.82.138"
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 111.111.111.173
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Delay-Time = 0
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "4809DB830D9500",User-Name = "test"'
rlm_acct_unique: Acct-Unique-Session-ID = "9d5d17a8d0b2e79c".
++[acct_unique] returns ok
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting
expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/detail-20080419
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20080419
expand: %t -> Sat Apr 19 20:46:11 2008
++[detail] returns ok
++[unix] returns ok
expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
expand: %{User-Name} -> test
++[radutmp] returns ok
rlm_sql (sql): Reserving sql socket id: 3
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: START TRANSACTION -> START TRANSACTION
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' -> UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = '127.0.0.1' AND pool_key = '0'
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: COMMIT -> COMMIT
rlm_sql (sql): Released sql socket id: 3
++[sqlippool] returns ok
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: %{Acct-Delay-Time} -> 0
expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}') -> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('4809DB830D9500', '9d5d17a8d0b2e79c', 'test', '', '127.0.0.1', '0', 'Async', '2008-04-19 20:46:11', NULL, '0', 'RADIUS', '', '', '0', '0', '', '121.176.82.138', '', 'Framed-User', 'PPP', '111.111.111.173', '0', '0', '')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 125 to 127.0.0.1 port 32771
Finished request 1.
Cleaning up request 1 ID 125 with timestamp +10
Going to the next request
Waking up in 1.9 seconds.
Cleaning up request 0 ID 124 with timestamp +7
Ready to process requests.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 32771, id=126, length=150
Acct-Session-Id = "4809DB830D9500"
User-Name = "test"
Acct-Status-Type = Stop
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
Acct-Session-Time = 4
Acct-Output-Octets = 12
Acct-Input-Octets = 1671
Acct-Output-Packets = 1
Acct-Input-Packets = 19
Calling-Station-Id = "121.176.82.138"
NAS-Port-Type = Async
Acct-Terminate-Cause = User-Request
Framed-IP-Address = 111.111.111.173
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Delay-Time = 0
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "4809DB830D9500",User-Name = "test"'
rlm_acct_unique: Acct-Unique-Session-ID = "9d5d17a8d0b2e79c".
++[acct_unique] returns ok
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting
expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/detail-20080419
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20080419
expand: %t -> Sat Apr 19 20:46:15 2008
++[detail] returns ok
++[unix] returns ok
expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
expand: %{User-Name} -> test
++[radutmp] returns ok
rlm_sql (sql): Reserving sql socket id: 1
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: START TRANSACTION -> START TRANSACTION
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time IS NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}' -> UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time IS NULL WHERE nasipaddress = '127.0.0.1' AND pool_key = '0' AND username = 'test' AND callingstationid = '121.176.82.138' AND framedipaddress = '111.111.111.173'
rlm_sql_mysql: MYSQL check_error: 1064 received
sqlippool_command: database query error in: 'UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time IS NULL WHERE nasipaddress = '127.0.0.1' AND pool_key = '0' AND username = 'test' AND callingstationid = '121.176.82.138' AND framedipaddress = '111.111.111.173''
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: COMMIT -> COMMIT
rlm_sql (sql): Released sql socket id: 1
expand: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name}) -> Released IP 111.111.111.173 (did cli 121.176.82.138 user test)
Released IP 111.111.111.173 (did cli 121.176.82.138 user test)
++[sqlippool] returns ok
expand: %{User-Name} -> test
rlm_sql (sql): sql_set_user escaped user --> 'test'
expand: %{Acct-Input-Gigawords} ->
expand: %{Acct-Input-Octets} -> 1671
expand: %{Acct-Output-Gigawords} ->
expand: %{Acct-Output-Octets} -> 12
expand: %{Acct-Delay-Time} -> 0
expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress
= '%{NAS-IP-Address}' -> UPDATE radacct SET acctstoptime = '2008-04-19 20:46:15', acctsessiontime = '4', acctinputoctets = '0' << 32 | '1671', acctoutputoctets = '0' << 32 | '12', acctterminatecause = 'User-Request', acctstopdelay = '0', connectinfo_stop = '' WHERE acctsessionid = '4809DB830D9500' AND username = 'test' AND nasipaddress = '127.0.0.1'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 126 to 127.0.0.1 port 32771
Finished request 2.
Cleaning up request 2 ID 126 with timestamp +14
Going to the next request
Ready to process requests.
________________________________________________________
180도 달라진 야후! 메일 - 여러 개의 메시지를 동시에 확인? 새로운 야후! 메일의 탭으로 가능해집니다.
http://kr.content.mail.yahoo.com/cgland
1
0
Re:Re Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
by johnson elangbam 05 May '08
by johnson elangbam 05 May '08
05 May '08
>You are asking your questions on a wrong list. There is nothing you can
>do on a radius server in order to get those attributes if radius client
>is not sending Digest-Attributes. Direct your question to SER server
>support.
hi Kalik,
After I've done some changes in dictionary of radius server I
can see the output sending digest attributes from the client, but still i
didn't get the values at the radius server. Is it the problem of my
configuration of radius server or it may be some other client configuration.
Please advice, sorry for posting the same question again.
Please tell me the possible problems of not getting these values:
'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri',
'Digest-Nonce', 'Digest-Response'
here is the full output when I run in debug mode
rad_recv: Access-Request packet from host 192.168.1.227 port 33093, id=86,
length=271
User-Name = "johnson(a)192.168.1.227"
Digest-Attributes = 0x0a096a6f686e736f6e
Digest-Attributes = 0x010f3139322e3136382e312e323237
Digest-Attributes =
0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439
Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "b8f4759b0c4462aaa56edd1794da872a"
Service-Type = Sip-Session
Sip-Uri-User = "johnson"
Cisco-AVPair = "call-id=
bf4f8d7607dc4f4aa0e7aacff499141c(a)192.168.1.193"
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x89260f0 asigned new request. Handled so far: 1
found interpetator at address 0x89260f0
rlm_perl: ###############################################################
rlm_perl: RAD_REQUEST: Digest-Response = b8f4759b0c4462aaa56edd1794da872a
rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
bf4f8d7607dc4f4aa0e7aacff499141c(a)192.168.1.193
rlm_perl: RAD_REQUEST: User-Name = johnson(a)192.168.1.227
rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x89dd638)
rlm_perl: ###############################################################
rlm_perl: Added pair Digest-Response = b8f4759b0c4462aaa56edd1794da872a
rlm_perl: Added pair Service-Type = Sip-Session
rlm_perl: Added pair Cisco-AVPair = call-id=
bf4f8d7607dc4f4aa0e7aacff499141c(a)192.168.1.193
rlm_perl: Added pair User-Name = johnson(a)192.168.1.227
rlm_perl: Added pair Sip-Uri-User = johnson
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = 0x0a096a6f686e736f6e
rlm_perl: Added pair Digest-Attributes = 0x010f3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes =
0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439
rlm_perl: Added pair Digest-Attributes =
0x04137369703a3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes = 0x030a5245474953544552
rlm_perl: Added pair Reply-Message = Incorrect Password
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x89260f0
++[perl] returns reject
Invalid user: [johnson(a)192.168.1.227/<no User-Password attribute>] (from
client 192.168.1.227 port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> johnson(a)192.168.1.227
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.227 port 33094, id=87,
length=271
User-Name = "johnson(a)192.168.1.227"
Digest-Attributes = 0x0a096a6f686e736f6e
Digest-Attributes = 0x010f3139322e3136382e312e323237
Digest-Attributes =
0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439
Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "b8f4759b0c4462aaa56edd1794da872a"
Service-Type = Sip-Session
Sip-Uri-User = "johnson"
Cisco-AVPair = "call-id=
bf4f8d7607dc4f4aa0e7aacff499141c(a)192.168.1.193"
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x8a20548 asigned new request. Handled so far: 1
found interpetator at address 0x8a20548
rlm_perl: ###############################################################
rlm_perl: RAD_REQUEST: Digest-Response = b8f4759b0c4462aaa56edd1794da872a
rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
bf4f8d7607dc4f4aa0e7aacff499141c(a)192.168.1.193
rlm_perl: RAD_REQUEST: User-Name = johnson(a)192.168.1.227
rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x8ab7bd0)
rlm_perl: ###############################################################
rlm_perl: Added pair Digest-Response = b8f4759b0c4462aaa56edd1794da872a
rlm_perl: Added pair Service-Type = Sip-Session
rlm_perl: Added pair Cisco-AVPair = call-id=
bf4f8d7607dc4f4aa0e7aacff499141c(a)192.168.1.193
rlm_perl: Added pair User-Name = johnson(a)192.168.1.227
rlm_perl: Added pair Sip-Uri-User = johnson
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = 0x0a096a6f686e736f6e
rlm_perl: Added pair Digest-Attributes = 0x010f3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes =
0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439
rlm_perl: Added pair Digest-Attributes =
0x04137369703a3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes = 0x030a5245474953544552
rlm_perl: Added pair Reply-Message = Incorrect Password
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x8a20548
++[perl] returns reject
Invalid user: [johnson(a)192.168.1.227/<no User-Password attribute>] (from
client 192.168.1.227 port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> johnson(a)192.168.1.227
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 86 to 192.168.1.227 port 33093
Reply-Message = "Incorrect Password"
Waking up in 0.4 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 87 to 192.168.1.227 port 33094
Reply-Message = "Incorrect Password"
Waking up in 4.5 seconds.
Cleaning up request 2 ID 86 with timestamp +9
Waking up in 0.4 seconds.
Cleaning up request 3 ID 87 with timestamp +10
Ready to process requests.
Thanks and Regards
Elangbam Johnson
2
1
freeradius-2.0.4 under rhel el 5.
If no module sets Auth-Type I want it to set to: pam.
Config:
authorize {
...
eap {
ok = return
}
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module in radiusd.conf.
#
# unix
#
# Read the 'users' file
files
pap
if (Control:Auth-type == "") {
update control {
Auth-Type := pam
}
}
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
...
Auth-Type pam {
pam
}
radiusd -X show that even if no authetication method is found the
condition is not empty.
++? if ('%{Control:Auth-type}' == "")
? Evaluating ('%{Control:Auth-type}' == "") -> FALSE
++? if ('%{Control:Auth-type}' == "") -> FALSE
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Do you have a suggestion?
Thank You for Your time.
--
Grüße
Hans-Peter Fuchs
Hans-Peter Fuchs - RRZK Zimmer 20
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
Universität zu Köln - Tel: 0221-470-6972
3
2
Ok, before radiusd -X lets see the scenario and config files:
step 1:
- the network use wireless grid technologie, all the AP are managed by one switch controler (dws-3024 - d-link)
- the AP should be authenticated by the RADIUS Server before they could be authorised to be managed by the switch controler. so this step, the dws-3024 is the Authenticator and the AP (dwl-8500AP+) is the supplicant.
at this stage, you adviced me to fix "Auth-Type := Accept" to the AP attribute in the user file, so everything is OK.
step 2:
the AP become the Authenticator cause it transmit the Authentication requests to the Radius Server (so it possesses an entry in client.conf) and the supplicant here is rhe wireless client.
dws-3024 documentation give a sample for wireless client as follow:
=======================================================
If you use an external RADIUS server to manage VLANs, you configure the server to use
Tunnel attributes in Access-Accept messages in order to inform the access point about the
selected VLAN. These attributes are defined in RFC 2868 and their use for dynamic VLAN is
specified in RFC 3580.
The VLAN attributes defined in RFC3580 are as follows:
• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, which
is why client entries use 6 for the Tunnel-Medium-Type value.
To create a user and assign the user to a particular VLAN by using FreeRADIUS, open the
etc/raddb/users file, which contains the user account information, and add for the new user.
The following example shows the entry for a user in the users file. The username is
“johndoe,” the password is “test1234.” The user is assigned to VLAN 77.
johndoe Auth-Type: = EAP, User-Password == “test1234"
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = 77
Tunnel-Type and Tunnel-Medium-Type use the same values for all stations. Tunnel-Private-
Group-ID is the selected VLAN ID and can be different for each user.
NOTE: Do not use the management VLAN ID of the AP for the value of the Tunnel-
Private-Group-ID.
======================================================
so i create my certificates according to certs/README and the commonname for client is "mojo".
here is the log of Radiusd - X in an attemting connexion by the wireless clienst:
(Wireless security is WEP 802.1x and VLANID = 2)
============================================================
============================================================
============================================================
radius:~ # radiusd -X
FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Mar 18 2008 at 19:47:59
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
user = "radiusd"
group = "radiusd"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client dws3024 {
ipaddr = 192.168.0.254
require_message_authenticator = yes
secret = "wireless"
nastype = "D-Link"
}
client Access_Point_DWL-8500AP+ {
ipaddr = 192.168.2.0
netmask = 24
require_message_authenticator = yes
secret = "wireless"
nastype = "D-Link"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.key"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "wireless"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
rad_recv: Access-Request packet from host 192.168.0.254 port 49153, id=1, length=79
User-Name = "00-1c-f0-07-d6-90\000"
NAS-Identifier = "00-17-9A-95-0C-18"
Message-Authenticator = 0x65f1cca415ab9d0413903188af185f25
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "00-1c-f0-07-d6-90", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry 00-1c-f0-07-d6-90 at line 52
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [00-1c-f0-07-d6-90\000/<via Auth-Type = Accept>] (from client dws3024 port 0)
Sending Access-Accept of id 1 to 192.168.0.254 port 49153
D-Link-Wireless-AP-Mode = WS-Managed
D-Link-Wireless-AP-Location = "Bureau de Joel"
D-Link-Wireless-AP-Profile-ID = 1
D-Link-Wireless-AP-Switch-IP = 192.168.10.254
D-Link-Wireless-AP-Radio-1-Chan = Auto
D-Link-Wireless-AP-Radio-2-Chan = Auto
D-Link-Wireless-AP-Radio-1-Power = Auto
D-Link-Wireless-AP-Radio-2-Power = Auto
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Cleaning up request 0 ID 1 with timestamp +81
Ready to process requests.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
USING "Auth-Type := Accept
mojo Auth-Type := Accept, User-Password == "wireless"
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = 2,
Reply-Message = "client account stuffs."
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
############## AUTHENTIFICATION REQUEST FROM THE SUPPLICANT (Wireless client) ########
rad_recv: Access-Request packet from host 192.168.2.4 port 1026, id=0, length=162
User-Name = "mojo"
NAS-IP-Address = 192.168.2.4
NAS-Port = 1
Called-Station-Id = "00-1C-F0-07-D6-99:pedagogie_wpa2_entr."
Calling-Station-Id = "00-12-F0-0C-97-61"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02000009016d6f6a6f
Message-Authenticator = 0xa57b6ebbe376d1eaed8cecc7e397aefa
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "mojo", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
users: Matched entry mojo at line 85
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [mojo/<via Auth-Type = Accept>] (from client Access_Point_DWL-8500AP+ port 1 cli 00-12-F0-0C-97-61)
Sending Access-Accept of id 0 to 192.168.2.4 port 1026
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "2"
Reply-Message = "client account stuffs."
Finished request 1.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
rad_recv: Access-Request packet from host 192.168.2.4 port 1026, id=0, length=162
Sending duplicate reply to client Access_Point_DWL-8500AP+ port 1026 - ID: 0
Sending Access-Accept of id 0 to 192.168.2.4 port 1026
Waking up in 1.9 seconds.
Cleaning up request 1 ID 0 with timestamp +98
Ready to process requests.
#######CONNECTED, NO @IP AND IT RESTART FOR ANOTHER TURN, NEVER STOPPING #######
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
WITHOUT USING "Auth-Type := Accept (
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
USING "Auth-Type := Accept
mojo Auth-Type := Accept, User-Password == "wireless"
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = 2,
Reply-Message = "client account stuffs."
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
rad_recv: Access-Request packet from host 192.168.2.4 port 1024, id=8, length=155
User-Name = "mojo"
NAS-IP-Address = 192.168.2.4
NAS-Port = 2
Called-Station-Id = "00-1C-F0-07-D6-98:Guest Network"
Calling-Station-Id = "00-12-F0-0C-97-61"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02000009016d6f6a6f
Message-Authenticator = 0x349aea9694c93a503c14b5c10c73d45b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "mojo", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
users: Matched entry mojo at line 85
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.2.4 port 1024
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "2"
Reply-Message = "client account stuffs."
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x83d6e38e83d7ee899c87131befee6bdc
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.4 port 1024, id=1, length=155
User-Name = "mojo"
NAS-IP-Address = 192.168.2.4
NAS-Port = 2
Called-Station-Id = "00-1C-F0-07-D6-98:Guest Network"
Calling-Station-Id = "00-12-F0-0C-97-61"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02000009016d6f6a6f
Message-Authenticator = 0x2b53afbbb4b2229f0d5bfa9fa7a53167
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "mojo", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
users: Matched entry mojo at line 85
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.2.4 port 1024
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "2"
Reply-Message = "client account stuffs."
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e10926a5e119fe515a2972f16e32f58
Finished request 1.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Cleaning up request 0 ID 8 with timestamp +6
Cleaning up request 1 ID 1 with timestamp +6
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.4 port 1024, id=8, length=155
User-Name = "mojo"
NAS-IP-Address = 192.168.2.4
NAS-Port = 2
Called-Station-Id = "00-1C-F0-07-D6-98:Guest Network"
Calling-Station-Id = "00-12-F0-0C-97-61"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02000009016d6f6a6f
Message-Authenticator = 0x349aea9694c93a503c14b5c10c73d45b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "mojo", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
users: Matched entry mojo at line 85
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.2.4 port 1024
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "2"
Reply-Message = "client account stuffs."
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcff784ddcff689f72fa303f8f4fab41c
Finished request 2.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.4 port 1024, id=3, length=155
User-Name = "mojo"
============================================================
============================================================
in both cases, it stays on "IDENTITY VALIDATION" in xp wireless management and sometime i receive the right ip adresss in the right IP Pool. ut lost it immediately, maybe cause of the repeating cycle of athentication sequence.
AND, the client certificate, signed by the Server (not the CA root) is still with the same message.
hope it would be helpfull !!
thank you for your time
MBA OYONE Joël
Lot. El Firdaous
Bât GH20, Porte A 204, Appt 8
20000 Oulfa
Casablanca - Maroc
Tél. : +212 69 25 85 70
----- Message d'origine ----
De : Ivan Kalik <tnt(a)kalik.net>
À : FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org>
Envoyé le : Lundi, 5 Mai 2008, 10h42mn 29s
Objet : Re: howto EAP-TLS on freeradius 2.0.2-3 ??
> - ca.der ---- no prob, known as an CA in windows
> - server.p12 ---no prob, certicate is valid
> - client.p12 --- !!! windows said something like that
>(excuse my english translation, but i think you'll get
>the message):
>
>--CA
> ---Server
> -------clients:
>
> ---Information about the certificate: ---
> ****this certificate is not valide cause one of the
>certificate authority in the certificate path seems
>not to be allow to deliver certificate, or this
>certificate can not be use as end-user certificate
>*****
>(see attached file)
>
http://technet.microsoft.com/en-us/library/bb331963(EXCHG.80).aspx
It looks like the certificate doesn't have the OIDs needed. They should
be present in certificate details (Details tab). Post radiusd -X to see
what happens.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________
Do You Yahoo!?
En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités
http://mail.yahoo.fr Yahoo! Mail
2
1
Hello!
I need some configuration help, I'm stuck! I have configured Freeradius to work great with PPP access with user/pass, etc using rlm_sql module with MySQL.
Now I have a problem. I have different requests coming in from OpenSER. One is authentication it self (the registration) which includes the user/pass combination - the packet looks like this:
User-Name = "10000@voip"
Digest-Attributes = 0x0a073130303030
Digest-Attributes = 0x0110766f69702e6962757273742e7369
Digest-Attributes = 0x022a34383165633632613431333361613638303939666434316333306136396363643665363765353239
Digest-Attributes = 0x04147369703a766f69702e6962757273742e7369
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "0d741120406c55bb2631bc16ba79eedc"
Service-Type = Sip-Session
Sip-Uri-User = "10000"
NAS-Port = 5060
NAS-IP-Address = 172.16.3.10
This works OK, and user get's authenticated. But how could I match also this query received:
User-Name = "10000@voip"
Service-Type = Call-Check
NAS-Port = 0
NAS-IP-Address = 172.16.3.10
Now, there's no Password or anything, I would just like to check if this user is in the database.
I have put the user into two groups, one checking for Service-Type Sip-Session and the other to Service-Type Call-Check. I can see in the debug, that the user was found in Call-Check group, but then radius sends REJECT as there was no password provided. Can I somehow send Accept, without user/pass checking, if the user was found in this group?!
Thank you for any inputs regarding this issue.
Kind regards,
Dejan Markic
2
3