how to change the radius default "testing123" password
I changed all instances of the password "testing123", to a random password on both the StrongSwan server and the Radius server, and restarted the strongswan and radiusd services. However, this broke the connection to authenticate to the LDAP server, so I had to put it back to "testing123" to get it to work again. How can I change the radius default "testing123" password? Is there a command I need to run to do this? Thanks for any help with this.
Hi Alan, Thanks for your reply. However, I have already changed the instances of the password "testing123" in the following files: StrongSwan:/etc/strongswan/strongswan.conf Radius:/etc/raddb/proxy.conf Radius:/etc/raddb/sites-available/dynamic-clients Radius:/etc/raddb/sites-available/originate-coa Radius:/etc/raddb/sites-available/robust-proxy-accounting Radius:/etc/raddb/clients.conf After restarting the strongswan and radiusd service, I was not able to authenticate to my LDAP server, and had to change the entries back to "testing123"? What am I missing here? -----Original Message----- From: freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org [mailto:freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, October 02, 2013 12:50 PM To: FreeRadius users mailing list Subject: Re: how to change the radius default "testing123" password cpetty wrote:
How can I change the radius default "testing123" password? Is there a command I need to run to do this?
Edit raddb/clients.conf. Look for "testing123". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Clint Petty wrote:
Hi Alan,
Thanks for your reply. However, I have already changed the instances of the password "testing123" in the following files:
StrongSwan:/etc/strongswan/strongswan.conf
That's good.
Radius:/etc/raddb/proxy.conf
That's not good. The secret there is for home servers, not clients. I suggest changing it back.
Radius:/etc/raddb/sites-available/dynamic-clients Radius:/etc/raddb/sites-available/originate-coa Radius:/etc/raddb/sites-available/robust-proxy-accounting
That's not good. Those files are NOT used by the running server. I suggest changing it back.
Radius:/etc/raddb/clients.conf
That's good.
After restarting the strongswan and radiusd service, I was not able to authenticate to my LDAP server, and had to change the entries back to "testing123"? What am I missing here?
Well, it should work. What does the debug output say? That should tell you *exactly* what's going on. Alan DeKok.
Hi Alan, Ok, I just changed the StrongSwan:/etc/strongswan/strongswan.conf & the Radius:/etc/raddb/clients.conf files, and left the other files with reference to "testing123" alone. Restarted the strongswan & radiusd services, and get the same error from my iphone, "VPN Connection - User authentication failed". I started radiusd -X (debug mode), and get the following: rad_recv: Access-Request packet from host xx.xx.xx.79 port 49922, id=198, length=137 Received packet from xx.xx.xx.79 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response. Going to the next request Waking up in 0.9 seconds. Cleaning up request 7 ID 198 with timestamp +296 Ready to process requests. Repeats four times. -----Original Message----- From: freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org [mailto:freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, October 02, 2013 2:02 PM To: FreeRadius users mailing list Subject: Re: how to change the radius default "testing123" password Clint Petty wrote:
Hi Alan,
Thanks for your reply. However, I have already changed the instances of the password "testing123" in the following files:
StrongSwan:/etc/strongswan/strongswan.conf
That's good.
Radius:/etc/raddb/proxy.conf
That's not good. The secret there is for home servers, not clients. I suggest changing it back.
Radius:/etc/raddb/sites-available/dynamic-clients Radius:/etc/raddb/sites-available/originate-coa Radius:/etc/raddb/sites-available/robust-proxy-accounting
That's not good. Those files are NOT used by the running server. I suggest changing it back.
Radius:/etc/raddb/clients.conf
That's good.
After restarting the strongswan and radiusd service, I was not able to authenticate to my LDAP server, and had to change the entries back to "testing123"? What am I missing here?
Well, it should work. What does the debug output say? That should tell you *exactly* what's going on. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, pretty definitive. incorrect shared secret - are you SURE that you havent got any white spaces etc lurking around? keep the shared secret in quotes if in doubt alan
Alan, That was actually the problem. I surrounded the new password in quotes, and didn't like that. Once I removed the quotes, it worked! Clint -----Original Message----- From: freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org [mailto:freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Wednesday, October 02, 2013 3:31 PM To: FreeRadius users mailing list Subject: RE: how to change the radius default "testing123" password hi, pretty definitive. incorrect shared secret - are you SURE that you havent got any white spaces etc lurking around? keep the shared secret in quotes if in doubt alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, Ok, I figured out why I wasn't able to change the "testing123" password. I was surrounding the new random password in quotes. Once I removed the quotes, it worked. Clint -----Original Message----- From: freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org [mailto:freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, October 02, 2013 2:02 PM To: FreeRadius users mailing list Subject: Re: how to change the radius default "testing123" password Clint Petty wrote:
Hi Alan,
Thanks for your reply. However, I have already changed the instances of the password "testing123" in the following files:
StrongSwan:/etc/strongswan/strongswan.conf
That's good.
Radius:/etc/raddb/proxy.conf
That's not good. The secret there is for home servers, not clients. I suggest changing it back.
Radius:/etc/raddb/sites-available/dynamic-clients Radius:/etc/raddb/sites-available/originate-coa Radius:/etc/raddb/sites-available/robust-proxy-accounting
That's not good. Those files are NOT used by the running server. I suggest changing it back.
Radius:/etc/raddb/clients.conf
That's good.
After restarting the strongswan and radiusd service, I was not able to authenticate to my LDAP server, and had to change the entries back to "testing123"? What am I missing here?
Well, it should work. What does the debug output say? That should tell you *exactly* what's going on. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I would like to display the active Radius connections. When I run radwho I get the following results (showing nothing but the titles) even though I know I have an active connection: # radwho Login Name What TTY When From Location #
Hi,
I would like to display the active Radius connections. When I run radwho I get the following results (showing nothing but the titles) even though I know I have an active connection:
using the utmp/wtmp modules? what does your FreeRADIUS debug show when someone logging in? alan
Hello, We have been having "strange" experiences with our RADIUS service lately and we thought it would be a good idea to run RADIUS in debug mode "permanently" to enable us effectively troubleshoot user complaints. How can we run radiusd -x > "logname" such that we have different logname for each day? Clement
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I really wouldn't recommend running in full debug mode on a production server full time... its only single threaded so if you have to service lots of requests you have an immediate bottleneck. What sort of weird problems are you facing? You know you can run on debug mode for single users or clients via radmin/raddebug ?? If you really want to proceed then you can use eg crontab to run a script which kills all radiusd processes and then starts new debug session with the date in the logfile eg radiusd -X > /var/log/debug-'date +args xxxxxxx' Where + args xxxxxx is the date string format you require alan Clement Ogedengbe <c.ogedengbe@worc.ac.uk> wrote:
Hello,
We have been having "strange" experiences with our RADIUS service lately and we thought it would be a good idea to run RADIUS in debug mode "permanently" to enable us effectively troubleshoot user complaints.
How can we run radiusd -x > "logname" such that we have different logname for each day?
Clement - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -----BEGIN PGP SIGNATURE----- Version: APG v1.0.8 iHkEAREIADkFAlJNM9EyHEFsYW4gQnV4ZXkgKEFsYW4gQnV4ZXkpIDxhLmwubS5i dXhleUBsYm9yby5hYy51az4ACgkQobRdvRSkLC7CfwCgir2zDhH8h4HExwUJ1vB9 820ZXBAAnjvmK6fXtpUpJbEGJDCa8gvkkjMz =KXvy -----END PGP SIGNATURE-----
How can we run radiusd -x > "logname" such that we have different logname for each day?
Clement, may I suggest a cron job? At midnight, move the log, kill and restart the radius server with a new log in the name? Of course you run the risk of possibly killing any authentication attempts that happen at that point in time, but... that's something you need to take into account? Stefan -- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
On 3 Oct 2013, at 10:14, <stefan.paetow@diamond.ac.uk> wrote:
How can we run radiusd -x > "logname" such that we have different logname for each day?
Clement, may I suggest a cron job?
At midnight, move the log, kill and restart the radius server with a new log in the name? Of course you run the risk of possibly killing any authentication attempts that happen at that point in time, but... that's something you need to take into account?
Please don't. Use a crontab by all means but just use the main log file and enable additional debugging (-xx). As of 2.2.1 you can use the radmin control socket to reopen the log file handle without restarting the server, or sending a -HUP. It's not just the fact you'll kill any EAP auth sessions in progress, but you'll will clear out any cached entries (rlm_cache), and where proxying is being performed upstream server state will be lost. It's also dangerous in that if someone has messed with the configurations, or overwritten the radiusd/freeradius(debian) binary you'll experience an unexpected migration to the new binary/config on next restart. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Hi, this is FreeRADIUS list, not general Linux lsit - I'd suggest looking at some guides for the EXACT thing you need eg http://www.cyberciti.biz/faq/linux-unix-formatting-dates-for-display/ (and ensure your escape quotes are the right way around) alan
Hi Alan, Below is the results from radiusd -X (debug mode), while logging in: rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=79, length=138 User-Name = "test" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 53 NAS-Port-Id = "ios" NAS-IP-Address = xx.xx.xx.79 Called-Station-Id = "xx.xx.xx.79[4500]" Calling-Station-Id = "xx.xx.xx.150[32055]" EAP-Message = 0x02000009016a646f65 NAS-Identifier = "strongSwan" Message-Authenticator = 0x13a0846c40f521e3c009161546f6f3fb # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for test [ldap] expand: (&(uid=%u)) -> (&(uid=test)) [ldap] expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to xx.xx.xx.126:389, authentication 0 [ldap] bind as cn=Admin,dc=company,dc=com/xxxx to xx.xx.xx.126:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test)) [ldap] looking for check items in directory... [ldap] userPassword -> User-Password == "password" [ldap] userPassword -> Password-With-Header == "password" [ldap] sambaNtPassword -> NT-Password == 0x38424235443 [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Config already contains "known good" password. Ignoring Password-With-Header [pap] Normalizing NT-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 79 to xx.xx.xx.79 port 40379 EAP-Message = 0x010100160410c73f50e02103b6473c8f5ed51995e29f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2310bb7d2311bf963fc3fbc63c331669 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=80, length=169 User-Name = "test" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 53 NAS-Port-Id = "ios" NAS-IP-Address = xx.xx.xx.79 Called-Station-Id = "xx.xx.xx.79[4500]" Calling-Station-Id = "xx.xx.xx.150[32055]" EAP-Message = 0x020100160410958ab4a6a9b38188febc74cc0c573b96 NAS-Identifier = "strongSwan" State = 0x2310bb7d2311bf963fc3fbc63c331669 Message-Authenticator = 0xdb77c116ca06726a60a2d3a224bc2e22 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for test [ldap] expand: (&(uid=%u)) -> (&(uid=test)) [ldap] expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test)) [ldap] looking for check items in directory... [ldap] userPassword -> User-Password == "password" [ldap] userPassword -> Password-With-Header == "password" [ldap] sambaNtPassword -> NT-Password == 0x38424235443 [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Config already contains "known good" password. Ignoring Password-With-Header [pap] Normalizing NT-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 [eap] Freeing handler ++[eap] returns ok Login OK: [test] (from client localhost port 53 cli xx.xx.xx.150[32055]) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 80 to xx.xx.xx.79 port 40379 EAP-Message = 0x03010004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 79 with timestamp +20 Cleaning up request 1 ID 80 with timestamp +20 Ready to process requests. -----Original Message----- From: freeradius-users-bounces+me=company.com@lists.freeradius.org [mailto:freeradius-users-bounces+me=company.com@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, October 03, 2013 1:32 AM To: FreeRadius users mailing list Subject: Re: radwho not working Hi,
I would like to display the active Radius connections. When I run radwho I get the following results (showing nothing but the titles) even though I know I have an active connection:
using the utmp/wtmp modules? what does your FreeRADIUS debug show when someone logging in? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Clint Petty wrote:
Below is the results from radiusd -X (debug mode), while logging in:
rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=79, length=138
The radwho file logs *accounting* packets. That is an *authentication* packet. You're blaming FreeRADIUS because the NAS never sends an Accounting-Request. Go fix the NAS. Alan DeKok.
Hi Alan, I am not blaming, I am just wanting to get the radwho command to work. I have now turned on accounting info to be sent from the StrongSwan server to the FreeRadius server. For I can see the accounting info in /var/log/radius/radacct/<IP_Address>/detail-20131003 file. However I am still getting the same results with the radwho command, showing just the titles, with no connections? -----Original Message----- From: freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org [mailto:freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, October 03, 2013 10:53 AM To: FreeRadius users mailing list Subject: Re: radwho not working cpetty wrote:
Below is the results from radiusd -X (debug mode), while logging in:
rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=79, length=138
The radwho file logs *accounting* packets. That is an *authentication* packet. You're blaming FreeRADIUS because the NAS never sends an Accounting-Request. Go fix the NAS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I am not blaming, I am just wanting to get the radwho command to work. I have now turned on accounting info to be sent from the StrongSwan server to the FreeRadius server. For I can see the accounting info in /var/log/radius/radacct/<IP_Address>/detail-20131003 file. However I am still getting the same results with the radwho command, showing just the titles, with no connections?
same reponse - output of "radiusd -X" please alan
My "radiusd -X" output while connecting: rad_recv: Access-Request packet from host xx.xx.xx.79 port 50925, id=93, length=138 User-Name = "test" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 61 NAS-Port-Id = "ios" NAS-IP-Address = xx.xx.xx.79 Called-Station-Id = "xx.xx.xx.79[4500]" Calling-Station-Id = "xx.xx.xx.150[29608]" EAP-Message = 0x02000009016a646f65 NAS-Identifier = "strongSwan" Message-Authenticator = 0x2e5a4bc6ce78809a66e6cfb5172715f7 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for test [ldap] expand: (&(uid=%u)) -> (&(uid=test)) [ldap] expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to xx.xx.xx.126:389, authentication 0 [ldap] bind as cn=Manager,dc=company,dc=com/secret to xx.xx.xx.126:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test)) [ldap] looking for check items in directory... [ldap] userPassword -> User-Password == "password" [ldap] userPassword -> Password-With-Header == "password" [ldap] sambaNtPassword -> NT-Password == 0x3842423544393331433146303430343833393537393933353042383233443243 [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Config already contains "known good" password. Ignoring Password-With-Header [pap] Normalizing NT-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 93 to xx.xx.xx.79 port 50925 EAP-Message = 0x010100160410520b942adc4ff97397fce57a6fcc6a52 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8886590d88961e0e9b66439bb75efe5 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xx.xx.xx.79 port 50925, id=94, length=169 User-Name = "test" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 61 NAS-Port-Id = "ios" NAS-IP-Address = xx.xx.xx.79 Called-Station-Id = "xx.xx.xx.79[4500]" Calling-Station-Id = "xx.xx.xx.150[29608]" EAP-Message = 0x02010016041078bdd69581375d6fba33bd1624ef7b1c NAS-Identifier = "strongSwan" State = 0xd8886590d88961e0e9b66439bb75efe5 Message-Authenticator = 0x4fb645215cd481fd17a5ff8af9c0ac8c # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for test [ldap] expand: (&(uid=%u)) -> (&(uid=test)) [ldap] expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test)) [ldap] looking for check items in directory... [ldap] userPassword -> User-Password == "password" [ldap] userPassword -> Password-With-Header == "password" [ldap] sambaNtPassword -> NT-Password == 0x3842423544393331433146303430343833393537393933353042383233443243 [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Config already contains "known good" password. Ignoring Password-With-Header [pap] Normalizing NT-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 [eap] Freeing handler ++[eap] returns ok Login OK: [test] (from client localhost port 61 cli xx.xx.xx.150[29608]) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 94 to xx.xx.xx.79 port 50925 EAP-Message = 0x03010004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host xx.xx.xx.79 port 48595, id=95, length=136 Acct-Status-Type = Start Acct-Session-Id = "1380824273-61" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 61 NAS-Port-Id = "ios" NAS-IP-Address = xx.xx.xx.79 Called-Station-Id = "xx.xx.xx.79[4500]" Calling-Station-Id = "xx.xx.xx.150[29608]" User-Name = "test" Framed-IP-Address = xx.xx.xx.1 NAS-Identifier = "strongSwan" # Executing section preacct from file /etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 61,Client-IP-Address = xx.xx.xx.79,NAS-IP-Address = xx.xx.xx.79,Acct-Session-Id = "1380824273-61",User-Name = "test"' [acct_unique] Acct-Unique-Session-ID = "145df3492fbbdbec". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: %{Packet-Src-IP-Address} -> xx.xx.xx.79 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/xx.xx.xx.79/detail-20131003 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/xx.xx.xx.79/detail-20131003 [detail] expand: %t -> Thu Oct 3 21:45:27 2013 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> test ++[radutmp] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 95 to xx.xx.xx.79 port 48595 Finished request 2. Cleaning up request 2 ID 95 with timestamp +9 Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 93 with timestamp +9 Cleaning up request 1 ID 94 with timestamp +9 Ready to process requests. -----Original Message----- From: freeradius-users-bounces+cpetty=company.com@lists.freeradius.org [mailto:freeradius-users-bounces+cpetty=company.com@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, October 03, 2013 2:17 PM To: FreeRadius users mailing list Subject: Re: radwho not working Hi,
I am not blaming, I am just wanting to get the radwho command to work. I have now turned on accounting info to be sent from the StrongSwan server to the FreeRadius server. For I can see the accounting info in /var/log/radius/radacct/<IP_Address>/detail-20131003 file. However I am still getting the same results with the radwho command, showing just the titles, with no connections?
same reponse - output of "radiusd -X" please alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Clint, On Thu, Oct 03, 2013 at 09:53:57PM +0000, Clint Petty wrote: ...
[detail] expand: %t -> Thu Oct 3 21:45:27 2013 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> test ++[radutmp] returns ok ++[exec] returns noop
From that, have you tried the following?
radwho -F /var/log/radius/radutmp See also radwho(1). Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Clint Petty wrote:
I am not blaming, I am just wanting to get the radwho command to work.
That is *entirely* the wrong attitude. There is no "just get it to work". There *are* multiple pieces involved, each of which has to be verified. I'm trying to convince you to use a methodical approach. If you read "man radwho", you'll see it uses accounting packets. That should indicate that you'll need to enable accounting. But you didn't do that. You were told to run the server in debugging mode, and you did once... but not the next time. The less you do yourself, and the more difficult you make it to help you, the less we're inclined to help. *THAT* is the goal of many of my responses.
I have now turned on accounting info to be sent from the StrongSwan server to the FreeRadius server. For I can see the accounting info in /var/log/radius/radacct/<IP_Address>/detail-20131003 file.
Which isn't the radutmp file, is it? Again, "man radwho" says it reads the radutmp file. Again, your process should be something like this: - "man radwho" says it needs the radutmp file. - is the radutmp module enabled? - if enabled, is it doing anything? - where is the file? - is it being modified?
However I am still getting the same results with the radwho command, showing just the titles, with no connections?
You other message indicates that the module is being used, and is returning "ok". Does the "radwho" command print anything after the "radutmp" module returns "ok" ? It should. Alan DeKok.
Hi Alan, Well I discovered a way to display a list of all active users without having to implement FreeRadius accounting, which BTW is not as straight forward as it should be. I was able to display all active users through my StrongSwan server, with the simple following command: # strongswan leases FreeRadius should be so easy! Thanks, Clint -----Original Message----- From: freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org [mailto:freeradius-users-bounces+cpetty=luthresearch.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, October 03, 2013 3:10 PM To: FreeRadius users mailing list Subject: Re: radwho not working Clint Petty wrote:
I am not blaming, I am just wanting to get the radwho command to work.
That is *entirely* the wrong attitude. There is no "just get it to work". There *are* multiple pieces involved, each of which has to be verified. I'm trying to convince you to use a methodical approach. If you read "man radwho", you'll see it uses accounting packets. That should indicate that you'll need to enable accounting. But you didn't do that. You were told to run the server in debugging mode, and you did once... but not the next time. The less you do yourself, and the more difficult you make it to help you, the less we're inclined to help. *THAT* is the goal of many of my responses.
I have now turned on accounting info to be sent from the StrongSwan server to the FreeRadius server. For I can see the accounting info in /var/log/radius/radacct/<IP_Address>/detail-20131003 file.
Which isn't the radutmp file, is it? Again, "man radwho" says it reads the radutmp file. Again, your process should be something like this: - "man radwho" says it needs the radutmp file. - is the radutmp module enabled? - if enabled, is it doing anything? - where is the file? - is it being modified?
However I am still getting the same results with the radwho command, showing just the titles, with no connections?
You other message indicates that the module is being used, and is returning "ok". Does the "radwho" command print anything after the "radutmp" module returns "ok" ? It should. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 7 Oct 2013, at 22:39, Clint Petty <cpetty@luthresearch.com> wrote:
Hi Alan,
Well I discovered a way to display a list of all active users without having to implement FreeRadius accounting, which BTW is not as straight forward as it should be.
I was able to display all active users through my StrongSwan server, with the simple following command:
# strongswan leases
FreeRadius should be so easy!
It is if you understand SQL, and don't insist on using arcane decade old modules and utilities. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Clint Petty wrote:
Hi Alan,
Well I discovered a way to display a list of all active users without having to implement FreeRadius accounting, which BTW is not as straight forward as it should be.
I was able to display all active users through my StrongSwan server, with the simple following command:
# strongswan leases
FreeRadius should be so easy!
<sigh> RADIUS does a LOT more than strongswan. And yes, basic RADIUS really is easy. A large part of the difficulties are due to bad client implementations. No one wants to blame the client, so everyone blames FreeRADIUS. I've learned to deal with it, but that doesn't mean I have to like it. Alan DeKok.
One of our radius servers started acting strange and there has been no config change except that we updated the DELL hardware storage firmware of the server. MSCHAP authentication request returns Access-Accept, but the client does not get authenticated. We have two servers with similar config. Authentication request sent to the other server is OK. I ant figure out what the issue is. Extract of log below: Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 10.255.253.2 port 35521, id=81, length=189 Cleaning up request 73 ID 81 with timestamp +270 Proxy-State = 0x00000002 User-Name = "ogec1" Framed-MTU = 1300 Calling-Station-Id = "90-a4-de-49-e0-60" Called-Station-Id = "a4-18-75-79-b0-50:eduroam" NAS-IP-Address = 10.255.252.248 NAS-Identifier = "XXX_WLC5" Service-Type = Framed-User MS-CHAP-Challenge = 0x2d710de1e7c6f6dfebb86195af7b5842 MS-CHAP2-Response = 0x0000f8bd757bd0a4523c2f2e52575cb5d549000000000000000031c8fc0bb6f978154d90d4e54bd3093e3a8f96d367dd7dde # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok Sending Access-Request of id 35 to 193.62.48.61 port 1812 Proxy-State = 0x00000002 User-Name = "ogec1" Framed-MTU = 1300 Calling-Station-Id = "90-a4-de-49-e0-60" Called-Station-Id = "a4-18-75-79-b0-50:eduroam" NAS-IP-Address = 10.255.252.248 NAS-Identifier = "XXX_WLC5" Service-Type = Framed-User MS-CHAP-Challenge = 0x2d710de1e7c6f6dfebb86195af7b5842 MS-CHAP2-Response = 0x0000f8bd757bd0a4523c2f2e52575cb5d549000000000000000031c8fc0bb6f978154d90d4e54bd3093e3a8f96d367dd7dde Domain-Name = "XXXX.AC.UK" Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3831 rad_recv: Access-Accept packet from host 193.62.48.61 port 1812, id=35, length=189 MS-CHAP2-Success = 0x00533d34383638323832443935343639393934463836374330323636383934463332463336374339354239 MS-MPPE-Recv-Key = 0x283d0adb1d7c75073e65a97484b6254b MS-MPPE-Send-Key = 0x3896bcce7a7467cf3bfe790c5ccc4111 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 Proxy-State = 0x00000002 Proxy-State = 0x3831 # Executing section post-proxy from file /etc/freeradius/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Found Auth-Type = MSCHAP Found Auth-Type = Accept Warning: Found 2 auth-types on request for user 'ogec1' Auth-Type = Accept, accepting the user Login OK: [ogec1] (from client bsc1 port 0 cli 90-a4-de-49-e0-60) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [reply_log] expand: /usr/local/var/log/radius/radacct/%Y%m%d/reply-detail -> /usr/local/var/log/radius/radacct/20131205/reply-detail [reply_log] /usr/local/var/log/radius/radacct/%Y%m%d/reply-detail expands to /usr/local/var/log/radius/radacct/20131205/reply-detail [reply_log] expand: %{Packet-Src-IP-Address} Returned from %{home_server:ipaddr} for User %{User-Name} - %t -> 10.255.253.2 Returned from 193.62.48.61 for User ogec1 - Thu Dec$ ++[reply_log] returns ok [f_ticks] expand: %{reply:Packet-Type} -> Access-Accept [f_ticks] expand: f_ticks.%{%{reply:Packet-Type}:-format} -> f_ticks.Access-Accept [f_ticks] expand: /usr/local/var/log/radius/radacct/%Y%m%d/linelog -> /usr/local/var/log/radius/radacct/20131205/linelog [f_ticks] expand: Access accepted for %{User-Name} at %{NAS-IP-Address} received from %{Packet-Src-IP-Address} proxied to %{home_server:ipaddr} # CSI=%{Calling-Station-Id} $ ++[f_ticks] returns ok ++[exec] returns noop Sending Access-Accept of id 81 to 10.255.253.2 port 35521 MS-CHAP2-Success = 0x00533d34383638323832443935343639393934463836374330323636383934463332463336374339354239 MS-MPPE-Recv-Key = 0x283d0adb1d7c75073e65a97484b6254b MS-MPPE-Send-Key = 0x3896bcce7a7467cf3bfe790c5ccc4111 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 Proxy-State = 0x00000002 Finished request 75. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.255.253.2 port 35521, id=81, length=192
Many Thanks Clement Ogedengbe Network Support Officer Information & Learning Services University of Worcester 01905 54 2258 -----Original Message----- From: Clement Ogedengbe Sent: 05 December 2013 10:34 To: 'FreeRadius users mailing list' Subject: RE: Running RADIUS in permanent debug mode with rotating log One of our radius servers started acting strange and there has been no config change except that we updated the DELL hardware storage firmware of the server. MSCHAP authentication request returns Access-Accept, but the client does not get authenticated. We have two servers with similar config. Authentication request sent to the other server is OK. I ant figure out what the issue is. Extract of log below: Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 10.255.253.2 port 35521, id=81, length=189 Cleaning up request 73 ID 81 with timestamp +270 Proxy-State = 0x00000002 User-Name = "ogec1" Framed-MTU = 1300 Calling-Station-Id = "90-a4-de-49-e0-60" Called-Station-Id = "a4-18-75-79-b0-50:eduroam" NAS-IP-Address = 10.255.252.248 NAS-Identifier = "XXX_WLC5" Service-Type = Framed-User MS-CHAP-Challenge = 0x2d710de1e7c6f6dfebb86195af7b5842 MS-CHAP2-Response = 0x0000f8bd757bd0a4523c2f2e52575cb5d549000000000000000031c8fc0bb6f978154d90d4e54bd3093e3a8f96d367dd7dde # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok Sending Access-Request of id 35 to 193.62.48.61 port 1812 Proxy-State = 0x00000002 User-Name = "ogec1" Framed-MTU = 1300 Calling-Station-Id = "90-a4-de-49-e0-60" Called-Station-Id = "a4-18-75-79-b0-50:eduroam" NAS-IP-Address = 10.255.252.248 NAS-Identifier = "XXX_WLC5" Service-Type = Framed-User MS-CHAP-Challenge = 0x2d710de1e7c6f6dfebb86195af7b5842 MS-CHAP2-Response = 0x0000f8bd757bd0a4523c2f2e52575cb5d549000000000000000031c8fc0bb6f978154d90d4e54bd3093e3a8f96d367dd7dde Domain-Name = "XXXX.AC.UK" Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3831 rad_recv: Access-Accept packet from host 193.62.48.61 port 1812, id=35, length=189 MS-CHAP2-Success = 0x00533d34383638323832443935343639393934463836374330323636383934463332463336374339354239 MS-MPPE-Recv-Key = 0x283d0adb1d7c75073e65a97484b6254b MS-MPPE-Send-Key = 0x3896bcce7a7467cf3bfe790c5ccc4111 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 Proxy-State = 0x00000002 Proxy-State = 0x3831 # Executing section post-proxy from file /etc/freeradius/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Found Auth-Type = MSCHAP Found Auth-Type = Accept Warning: Found 2 auth-types on request for user 'ogec1' Auth-Type = Accept, accepting the user Login OK: [ogec1] (from client bsc1 port 0 cli 90-a4-de-49-e0-60) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [reply_log] expand: /usr/local/var/log/radius/radacct/%Y%m%d/reply-detail -> /usr/local/var/log/radius/radacct/20131205/reply-detail [reply_log] /usr/local/var/log/radius/radacct/%Y%m%d/reply-detail expands to /usr/local/var/log/radius/radacct/20131205/reply-detail [reply_log] expand: %{Packet-Src-IP-Address} Returned from %{home_server:ipaddr} for User %{User-Name} - %t -> 10.255.253.2 Returned from 193.62.48.61 for User ogec1 - Thu Dec$ ++[reply_log] returns ok [f_ticks] expand: %{reply:Packet-Type} -> Access-Accept [f_ticks] expand: f_ticks.%{%{reply:Packet-Type}:-format} -> f_ticks.Access-Accept [f_ticks] expand: /usr/local/var/log/radius/radacct/%Y%m%d/linelog -> /usr/local/var/log/radius/radacct/20131205/linelog [f_ticks] expand: Access accepted for %{User-Name} at %{NAS-IP-Address} received from %{Packet-Src-IP-Address} proxied to %{home_server:ipaddr} # CSI=%{Calling-Station-Id} $ ++[f_ticks] returns ok ++[exec] returns noop Sending Access-Accept of id 81 to 10.255.253.2 port 35521 MS-CHAP2-Success = 0x00533d34383638323832443935343639393934463836374330323636383934463332463336374339354239 MS-MPPE-Recv-Key = 0x283d0adb1d7c75073e65a97484b6254b MS-MPPE-Send-Key = 0x3896bcce7a7467cf3bfe790c5ccc4111 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 Proxy-State = 0x00000002 Finished request 75. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.255.253.2 port 35521, id=81, length=192
Hi,
MSCHAP authentication request returns Access-Accept, but the client does not get authenticated. We have two servers with similar config. Authentication request sent to the other server is OK. I ant figure out what the issue is.
RADIUS server is sending Access-Accept - crucially thats the key thing here - its doing its job. something else isnt. is the VLAN/WLAN up /active - is the response getting back to the NAS slower than the NAS expects? alan
The authentication is proxied from the front end server to the back end server. The front end server assigns appropriate VLAN and authenticates user based on response from the back end server. The logs on the front end and back end servers showed MSCHAP authentication request returns Access-Accept but user doesn't get authenticated. This problem doesn't occur when I directed the same front end server to an alternate back end server with similar configuration as the other one. I am really confused as this has worked all along until recently, a few days after updating the server's hardware firmware. Nothing else has changed. Many Thanks Clement -----Original Message----- From: freeradius-users-bounces+c.ogedengbe=worc.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac.uk@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: 05 December 2013 11:05 To: FreeRadius users mailing list Subject: Re: Server returns Access-Accept but client is not authenticated Hi,
MSCHAP authentication request returns Access-Accept, but the client does not get authenticated. We have two servers with similar config. Authentication request sent to the other server is OK. I ant figure out what the issue is.
RADIUS server is sending Access-Accept - crucially thats the key thing here - its doing its job. something else isnt. is the VLAN/WLAN up /active - is the response getting back to the NAS slower than the NAS expects? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Thanks for your reply. However, I have already changed the instances of the password "testing123" in the following files:
if you are dealing with a shared secret between a NAS and the FreeRADIUS server, there are only 2 thigns to configure 1) the shared secret on the NAS - I would guess this is storngswan.conf for you 2) the shared secret in the clients.conf file - this is whats used to reference the incoming request from the NAS all other parts are system components eg proxy.conf has a default internal one - and if you were proxying to OTHER RADIUS servers, then you would change their entries IF you has set them to testing123 - most people wouldnt - they would use their own choices. of course, when thigns go wrong, run in full debug mode and see whats printed out when you connect via the NAS alan
participants (8)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Clement Ogedengbe -
Clint Petty -
Matthew Newton -
stefan.paetow@diamond.ac.uk