Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2010
- 121 participants
- 174 discussions
Is the integer type in the dictionaries signed or unsigned? It appears from
the release notes for 2.1.8 that it is, but this is not noted in the
dictionary file that I have seen so would like to confirm.
Ben
2
1
Dear all,
I would like to know if there is a way to get the content of the debug mode through another tool.
In fact, that could be interesting for me since I am doing a migration process and I do not know all passwords of my customer.
In other work, I would like to see, when my Radius send an access-reject packet what was the attribute sent by my customer equipment. This is written on the debug mode however, I hqve around 300 customers so I will not stop the Radius just to check this.
Is there also maybe a way of running debug mode over the daemon, meaning you do not have to stop it?
I was thinking about Ethereal or this kind of sofware to sniff the incoming packet.
Thanks in advance for your reply.
My configuration: Radius v.2
OS : Debian
NAS : Alvarion
Users equipment : Alvarion CPE
Regards
Sylvain
2
1
Hello, due to a typing error i realized that there is a mistake at my
configuration, the eap-tls is working fine but it doesn't matter what name
is written in the certificate, ldap is returning not found but the user is
always accepted. I looked at the ldap module for an identity check but i
can't find it and setting access_attr = "uid" makes no difference.
Please give me a hint where i have to look.
--
View this message in context: http://old.nabble.com/EAP-TLS---OpenLDAP---UID-Check-tp27326455p27326455.ht…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
2
2
Hi,
I've just installed a freeradius with mysql and it is working OK with
text passwords on the radcheck table.
When I try using MD5 password it doesn't work. Does anyone have a
"radius.conf" template file that I can use as a reference and also how
the tables on mysql should be populated.
I already went through hundreds of messages on this mailing list,
searched on wiki, google, etc.. but couldn't get it working so I thought
that would be easier if I started it fresh with a simple working
configuration.
The versions that I am running are:
-freeradius-mysql-1.1.3-1.2.el5
-freeradius-1.1.3-1.2.el5
-mysql-server-5.0.77-4.el5_4.1
Thanks for any help.
Cheers,
Juliano
3
2
27 Jan '10
Hi everybody.
As the title says, I'm trying to set up FreeRadius to authenticate wireless
clients (employees). I just finished deploying a Samba/Ldap domain, and I'd
like to take advantage of this user db.
I already followed several howtos, more or less outdated.
For now, I can authenticate a user against my directory only with radtest.
When I try from a Win XP laptop doing PEAP (in the wireless assistant), i cant
get it to work.
I'm not familiar with the bunch of protocols coming with radius and 802.1x
(PEAP, CHAP, etc.), and I can't find the issue.
Here is the trace of the server, with a connection attempt of the laptop.
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep 7 2008 at
23:35:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
user = "freerad"
group = "freerad"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
client 192.168.2.254/24 {
require_message_authenticator = no
secret = "testing123"
shortname = "ap1"
nastype = "other"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server = "ldap-samba.edatis.net"
port = 389
password = "*samba$edatis!"
identity = "cn=samba,ou=DSA,o=siege,dc=edatis,dc=net"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "o=siege,dc=edatis,dc=net"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "userPassword"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-
UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 2
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-
Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-
Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-
Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-
Group-Id
conns: 0x94af250
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
}
}
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-
Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.254 port 2029, id=34,
length=171
Message-Authenticator = 0xd656642af1dbbf33c13b354ef78a401d
Service-Type = Framed-User
User-Name = "ja"
Framed-MTU = 1488
Called-Station-Id = "0A1B2F3F4B09:TEST-RADIUS"
Calling-Station-Id = "00215DE37F06"
NAS-Identifier = "EdatisAP01"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02000007016a61
NAS-IP-Address = 192.168.2.254
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "ja", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 7
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ja
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> ja
expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ja)
expand: o=siege,dc=edatis,dc=net -> o=siege,dc=edatis,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap-samba.edatis.net:389, authentication 0
rlm_ldap: bind as cn=samba,ou=DSA,o=siege,dc=edatis,dc=net/XXXXXXXXXXXXXX to
ldap-samba.edatis.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=siege,dc=edatis,dc=net, with filter (uid=ja)
rlm_ldap: Added User-Password = {SSHA}M+2zAL4OL40EyemvS5a7Ugr15dZzSGU3 in
check items
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password ==
"{SSHA}M+2zAL4OL40EyemvS5a7Ugr15dZzSGU3"
rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password ==
0x3735323435463143333236443138413433393031383942453643463332313044
rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password ==
0x3843443438453034363436383542424131343836323335413233333345344432
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ja authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Normalizing SSHA1-Password from base64 encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 34 to 192.168.2.254 port 2029
EAP-Message = 0x010100160410fa30bf980ba96ef49bb5c937347c1e3b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7056fb277057ffca98e813bcb8a5e12b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.254 port 2029, id=35,
length=188
Message-Authenticator = 0x0cef594ab56e2919eabcef184089b5d8
Service-Type = Framed-User
User-Name = "ja"
Framed-MTU = 1488
State = 0x7056fb277057ffca98e813bcb8a5e12b
Called-Station-Id = "0A1B2F3F4B09:TEST-RADIUS"
Calling-Station-Id = "00215DE37F06"
NAS-Identifier = "EdatisAP01"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020100060319
NAS-IP-Address = 192.168.2.254
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "ja", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ja
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> ja
expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ja)
expand: o=siege,dc=edatis,dc=net -> o=siege,dc=edatis,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=siege,dc=edatis,dc=net, with filter (uid=ja)
rlm_ldap: Added User-Password = {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX in
check items
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password ==
"{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password ==
0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password ==
0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ja authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Normalizing SSHA1-Password from base64 encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: NAK asked for unsupported type 25
rlm_eap: No common EAP types found.
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [ja/<via Auth-Type = EAP>] (from client ap1 port 1 cli
00215DE37F06)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> ja
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.254 port 2029, id=35,
length=188
Waiting to send Access-Reject to client ap1 port 2029 - ID: 35
Sending delayed reject for request 1
Sending Access-Reject of id 35 to 192.168.2.254 port 2029
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 34 with timestamp +1
Waking up in 1.0 seconds.
Cleaning up request 1 ID 35 with timestamp +1
Ready to process requests.
I hope you can help me.
Thanks by advance,
Jonathan
--
***************************
Jonathan Amiez
Administrateur système
ja(a)edatis.com
***************************
2
1
In the release notes for 2.1.8 it says:
Document "chase_referrals" and "rebind" in raddb/modules/ldap
Well 2.1.7 says:
# The following two configuration items are for Active Directory
# compatibility. If you see the helpful "operations error"
# being returned to the LDAP module, uncomment the next
# two lines.
#
# chase_referrals = yes
# rebind = yes
which is no different than 2.1.8. What's different? Is this
documentation somewhere? I'm especially interested in rebind. Wat's it do?
Rick
Rick Steeves
http://www.sinister.net
In reality nothing is more damaging to the adventurous spirit within
a man than a secure future - Alexander Supertramp
2
3
Hi everyone,
I realise that this maybe somewhat a limitation of the PAM Radius Plugin for OpenVPN but have searched around for a week now to find a solution.
The problem I am having is that I have an OpenVPN "proxy hub" that has 3 external IP addresses. I am using huntgroups to distinguish if a user can authenticate against an IP address and if so they receive an IP & default Gw to a front end proxy (each front end proxy is located in a separate country). The idea is that a user of a specific group can only connect to an interface that he is a group memeber of. The authentication uses the pam radius plugin against a backend SQL / radius server. If I connect to int1 then the requests sent by the Radius plugin to the backend radius server has a source IP of int1. This works well and the user is authenticated and is provided a default GW to the front end proxy. However if the user connects to INT2 the NAS requset still has the source IP address of INT1 and therefore the user is rejected because he is not a member of the INT1 grouping.
Is it possible to have multiple instances of the radius plugin each binding to a different interface so that the request seen by the Radius server via the PAM plugin has the correct source address? Is it possible to get the NAS to Distinguish between the interfaces?
Cheers to all in advance (",)
Cj
_________________________________________________________________
New Windows 7: Find the right PC for you. Learn more.
http://windows.microsoft.com/shop
2
1
>
> Date: Tue, 26 Jan 2010 08:33:41 +0100
> From: Alan DeKok <aland(a)deployingradius.com>
> Subject: Re: dropped request after ldap "constraint violating"
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Message-ID: <4B5E9AD5.90907(a)deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> chui wrote:
> >>From radius.log, the symptom of the failure goes as follow
> >
> > 1. rlm_ldap receives "constraint violation" reply from ldap.
>
> Well... that's an issue with LDAP.
>
> > 2. other authentication requests immediately followed the constraint
> > violation reply failed with "incorrect login"
>
> Likely because the LDAP server treats the connection as "bad", and
> starts rejecting all searches done via that connection.
>
> > Can anybody shed some light on this failure scenario?
>
> See https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=18
>
> Maybe that change will help.
>
> Alan DeKok.
>
I believed I have the same issue as described in ID 18 "rlm_ldap
MAX_FAILED_CONNS logic and ldap response 19 constraint violation". I
would also like to see that "constraint violation" being handled as
RLM_MODULE_REJECT instead of RLM_MODULE_FAIL. Is it likely that
Adam's request be included in the next update?
Thanks
Cedric
2
1
26 Jan '10
Hi All;
I have been running a FreeRADIUS Server Version 2.1.6 setup to work with MySQL 5 to authenticate VPN Dial-up users with no problems at all.
My next step is to try to log the users realms, which is their MAC addresses, the authentication today is CHAP with a combination of username + password check on the mysql db.
I would like to continue with the same authentication method by when the user is authenticating they will include their MAC address as such:
username @ MAC_ADDRESS
Freeradius is to strip the MAC_ADDRESS, then insert onto the field "Realm" on the table "radacct" and then authenticate the user normally via the username+password combination.
I have researched and have not found a way to implement this.
Have any of you got any ideas how to implement this pls?
Any help appreciated.
Many thanks
Lucio
PS: Have not included any conf files as my FR is pretty much out of the box setup, but will happily do so.
_________________________________________________________________
Got a cool Hotmail story? Tell us now
http://clk.atdmt.com/UKM/go/195013117/direct/01/
4
11
Hi,
I fresh install freeradius ( Yes. I am newbie). I try to give IP address
for my authenticated user who use token as password. But still I don't
understand why altough users can give access if IP is in a ip pool,
other users can't give IP address as static. What affects while user
take IP address as static and from pool? What are the changes?
#users file:
tevfikceydeliler Proxy-To-Realm := 10.1.1.51
Framed-IP-Address := 172.30.64.20,
Framed-IP-Netmask := 255.255.255.255
In my case user can get Access-Accept but there is no IP address
#Here is the log:
root@radiussql:/etc/freeradius# freeradius -X
FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Sep 17
2009 at 17:22:02
...
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/echo
...
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/ippool
...
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.65.8.100 {
require_message_authenticator = no
secret = "testing123"
shortname = "tceydelilerNB"
}
client 172.30.80.1 {
require_message_authenticator = no
secret = "1q2w3e4r"
shortname = "TurkcellGGSN"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm 10.1.1.51 {
authhost = 10.1.1.51:1812
secret = geheim
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan
"
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_ippool
Module: Instantiating TESTPOOL
ippool TESTPOOL {
session-db = "/etc/freeradius/db.ippool"
ip-index = "/etc/freeradius/db.ipindex"
key = "%{NAS-IP-Address} %{NAS-Port}"
range-start = 172.30.64.10
range-stop = 172.30.64.15
netmask = 255.255.240.0
cache-size = 6
override = yes
maximum-timeout = 0
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.65.8.100 port 59112, id=15,
length=108
User-Name = "tevfikceydeliler"
User-Password = "172987330606"
NAS-Identifier = "GGFILE02"
Called-Station-Id = "yasarapn"
Framed-Protocol = 0
Service-Type = 0
NAS-Port-Type = Virtual
Calling-Station-Id = "905308507313"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tevfikceydeliler", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry tevfikceydeliler at line 224
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 116 to 10.1.1.51 port 1812
User-Name = "tevfikceydeliler"
User-Password = "172987330606"
NAS-Identifier = "GGFILE02"
Called-Station-Id = "yasarapn"
Framed-Protocol = 0
Service-Type = 0
NAS-Port-Type = Virtual
Calling-Station-Id = "905308507313"
NAS-IP-Address = 10.65.8.100
Proxy-State = 0x3135
Proxying request 0 to home server 10.1.1.51 port 1812
Sending Access-Request of id 116 to 10.1.1.51 port 1812
User-Name = "tevfikceydeliler"
User-Password = "172987330606"
NAS-Identifier = "GGFILE02"
Called-Station-Id = "yasarapn"
Framed-Protocol = 0
Service-Type = 0
NAS-Port-Type = Virtual
Calling-Station-Id = "905308507313"
NAS-IP-Address = 10.65.8.100
Proxy-State = 0x3135
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.1.1.51 port 1812, id=116,
length=24
Proxy-State = 0x3135
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
[TESTPOOL] Could not find Pool-Name attribute.
++[TESTPOOL] returns noop
++[exec] returns noop
Sending Access-Accept of id 15 to 10.65.8.100 port 59112
Finished request 0.
Going to the next request
Waking up in 4.9 seconds
And Here is the packet analyzer output of radius part (I think number 8
and 9 are missing):
#Request:
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0xf (15)
Length: 108
Authenticator: 20202020202031323634353135343333
[The response to this request is in frame 4]
Attribute Value Pairs
AVP: l=18 t=User-Name(1): tevfikceydeliler
Length: 16
User-Name: tevfikceydeliler
AVP: l=18 t=User-Password(2): Encrypted
Length: 16
User-Password: \033b\273\326\245
AVP: l=10 t=NAS-Identifier(32): GGFILE02
Length: 8
NAS-Identifier: GGFILE02
AVP: l=10 t=Called-Station-Id(30): yasarapn
Length: 8
Called-Station-Id: yasarapn
AVP: l=6 t=Framed-Protocol(7): Unknown(0)
Length: 4
Framed-Protocol: Unknown (0)
AVP: l=6 t=Service-Type(6): Unknown(0)
Length: 4
Service-Type: Unknown (0)
AVP: l=6 t=NAS-Port-Type(61): Virtual(5)
Length: 4
NAS-Port-Type: Virtual (5)
AVP: l=14 t=Calling-Station-Id(31): 905308507313
Length: 12
Calling-Station-Id: 905308507313
#Answer:
Radius Protocol
Code: Access-Accept (2)
Packet identifier: 0xf (15)
Length: 20
Authenticator: 120DE5C52368150FB88F9EB91D31D80
[This is a response to a request in frame 1]
[time from request: 0.005307000 seconds]
Bu elektronik postada bulunan tum fikir ve gorusler ve ekindeki dosyalar sadece adres sahip/sahiplerine ait olup, Yasar Toplulugu Sirketleri bu mesajin icerigi ile ilgili olarak hic bir hukuksal sorumlulugu kabul etmez. Eger gonderilmesi dusunulen kisi veya kurulus degilseniz, lutfen gonderen kisiyi derhal haberdar ediniz ve mesaji sisteminizden siliniz.The information contained in this e-mail and any files transmitted with it are intended solely for the use of the individual or entity to whom they are addressed and Yasar Group Companies do not accept legal responsibility for the contents. If you are not the intended recipient, please immediately notify the sender and delete it from your system.
1
0