Himanshu Pandey wrote:
I modified users configuration file and radiusd.conf.
If you don't know what you're doing, DO NOT EDIT THE FILES. This isn't difficult.
I have attached radiusd.conf file.
I'm not going to read it. The default radiusd.conf file works. Use it.
Please tell me what shall I not modify in radiusd.conf file. Actually I did some modifications in radiusd.conf file since I was getting some error in starting the radius server.
Nonsense. The default configuration works. Alan DeKok.
Hi, I'm confused about the definition of "NAS-IP-Address" in RFC 2865: ///////////////////////////////////////////////////////////////////////// This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IPAddress is only used in Access-Request packets. Either NAS-IPAddress or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret. ///////////////////////////////////////////////////////////////////////// The description first said NAS-IP-Address is the IP Address of the NAS which is requesting authentication of the user. Then description said the source IP address (not the NAS-IP-Address) of the Access-Request packet MUST be used to select the shared secret. My understanding is that source IP address of the Access-Request packets must be the NAS IP address which is "NAS-IP-Address". Apparently this is different to the Attribute description. Could anybody explain? Best Regards, -----Original Message----- From: freeradius-users-bounces+frank.wei=4rf.com@lists.freeradius.org [mailto:freeradius-users-bounces+frank.wei=4rf.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, 23 September 2014 12:45 a.m. To: FreeRadius users mailing list Subject: Re: Beginner need help Himanshu Pandey wrote:
I modified users configuration file and radiusd.conf.
If you don't know what you're doing, DO NOT EDIT THE FILES. This isn't difficult.
I have attached radiusd.conf file.
I'm not going to read it. The default radiusd.conf file works. Use it.
Please tell me what shall I not modify in radiusd.conf file. Actually I did some modifications in radiusd.conf file since I was getting some error in starting the radius server.
Nonsense. The default configuration works. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html The information in this email communication (inclusive of attachments) is confidential to 4RF Limited and the intended recipient(s). If you are not the intended recipient(s), please note that any use, disclosure, distribution or copying of this information or any part thereof is strictly prohibited and that the author accepts no liability for the consequences of any action taken on the basis of the information provided. If you have received this email in error, please notify the sender immediately by return email and then delete all instances of this email from your system. 4RF Limited will not accept responsibility for any consequences associated with the use of this email (including, but not limited to, damages sustained as a result of any viruses and/or any action or lack of action taken in reliance on it).
Hi,
My understanding is that source IP address of the Access-Request packets must be the NAS IP address which is "NAS-IP-Address". Apparently this is different to the Attribute description.
Could anybody explain?
sure. the NAS-IP-Address is set by the NAS - so it SHOULD be its IP address in a nice world. okay thats clear....however, the packet might be reaching your RADIUS server via some other route - lets say, eg a NAT gateway, a RADIUS server (it has been proxied) or from some central controller (thinking of some of the WiFi solutions out there) - in which case the NAS-IP-Address is NOT the source IP address of the packet. the NAS-IP-Address is also part of the RADIUS datagram - so you've already started to analyse the packet contents really before you can - eg how did you ensure the packet contents were correct, verify the message authenticator or ensured the content values by using the shared secret? you didnt. the RADIUS datagram comes in. you see the source address of the packet. look up the client, get its shared secret, work on the packet. alan
Dear friends, I have added clients client private-network-1 { ipaddr = 192.168.0.244 netmask = 24 secret = testing123-1 shortname = private-network-1 } To the clients.conf. And run command "radius -X". From the debug message I can see the added client loaded. Then from my NAS (with IP 192.168.0.244) I sent a "authentication only" request to the server. The server showed me a message: Ignored,.....Unrecognized client "192.168.0.244" port "1222". What is wrong with my config? Regards, Frank -----Original Message----- From: freeradius-users-bounces+frank.wei=4rf.com@lists.freeradius.org [mailto:freeradius-users-bounces+frank.wei=4rf.com@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, 25 September 2014 6:49 p.m. To: FreeRadius users mailing list Subject: Re: Beginner need help Hi,
My understanding is that source IP address of the Access-Request packets must be the NAS IP address which is "NAS-IP-Address". Apparently this is different to the Attribute description.
Could anybody explain?
sure. the NAS-IP-Address is set by the NAS - so it SHOULD be its IP address in a nice world. okay thats clear....however, the packet might be reaching your RADIUS server via some other route - lets say, eg a NAT gateway, a RADIUS server (it has been proxied) or from some central controller (thinking of some of the WiFi solutions out there) - in which case the NAS-IP-Address is NOT the source IP address of the packet. the NAS-IP-Address is also part of the RADIUS datagram - so you've already started to analyse the packet contents really before you can - eg how did you ensure the packet contents were correct, verify the message authenticator or ensured the content values by using the shared secret? you didnt. the RADIUS datagram comes in. you see the source address of the packet. look up the client, get its shared secret, work on the packet. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html The information in this email communication (inclusive of attachments) is confidential to 4RF Limited and the intended recipient(s). If you are not the intended recipient(s), please note that any use, disclosure, distribution or copying of this information or any part thereof is strictly prohibited and that the author accepts no liability for the consequences of any action taken on the basis of the information provided. If you have received this email in error, please notify the sender immediately by return email and then delete all instances of this email from your system. 4RF Limited will not accept responsibility for any consequences associated with the use of this email (including, but not limited to, damages sustained as a result of any viruses and/or any action or lack of action taken in reliance on it).
Hi, I believe it is the same clients.conf the server reads in. When I use command "radius-X" the output shows the new client is configured. Cheers, -----Original Message----- From: freeradius-users-bounces+frank.wei=4rf.com@lists.freeradius.org [mailto:freeradius-users-bounces+frank.wei=4rf.com@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Monday, 29 September 2014 10:02 p.m. To: FreeRadius users mailing list Subject: Re: Beginner need help (unrecognized clients) Hi,
To the clients.conf.
which file did you edit? the same clients.conf that the server reads in (check its path in radiusd -X output_ alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html The information in this email communication (inclusive of attachments) is confidential to 4RF Limited and the intended recipient(s). If you are not the intended recipient(s), please note that any use, disclosure, distribution or copying of this information or any part thereof is strictly prohibited and that the author accepts no liability for the consequences of any action taken on the basis of the information provided. If you have received this email in error, please notify the sender immediately by return email and then delete all instances of this email from your system. 4RF Limited will not accept responsibility for any consequences associated with the use of this email (including, but not limited to, damages sustained as a result of any viruses and/or any action or lack of action taken in reliance on it).
Hi,
I believe it is the same clients.conf the server reads in. When I use command "radius-X" the output shows the new client is configured. ^^^^^^^^^^^
thats not really good enough. you need to ensure/guarantee that its the same file. alan
Hi, I've just installed "freeradius" in another linux PC running UBUNTU as my old linux PC has some issues. In this version of "freeraius" I have to run command "freeradius -X" (rather than "radius -X"). The output shows an error message of Failed binding to authentication address * port 1812: Address already in use /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812 What is the reason it is not working? Cheers, ############################################################################# Below is the full output main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 Failed binding to authentication address * port 1812: Address already in use /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html The information in this email communication (inclusive of attachments) is confidential to 4RF Limited and the intended recipient(s). If you are not the intended recipient(s), please note that any use, disclosure, distribution or copying of this information or any part thereof is strictly prohibited and that the author accepts no liability for the consequences of any action taken on the basis of the information provided. If you have received this email in error, please notify the sender immediately by return email and then delete all instances of this email from your system. 4RF Limited will not accept responsibility for any consequences associated with the use of this email (including, but not limited to, damages sustained as a result of any viruses and/or any action or lack of action taken in reliance on it).
Hi,
Failed binding to authentication address * port 1812: Address already in use /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
What is the reason it is not working?
wondering what bit of the output was not clear? "Address already in use" if you do ps aux | grep radius you'll see its running already. killall freeradiusd or use the system scripts to stop/start the service (stop, debug, kill debug, start) alan
Hi,
client private-network-1 { ipaddr = 192.168.0.244 netmask = 24 secret = testing123-1 shortname = private-network-1 }
how about just client private-network-1 { ipaddr = 192.168.0.244 secret = testing123-1 shortname = private-network-1 } ? alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Frank Wei