Hello, Please I 'd to know how to use an ldap as a database of freeradius. I use freeradius-server-2.1.3. Is it possible to use more than one nas in clients.conf ? If yes how to do it? How to configure EAP-TLS ? Thank you for your help. Rato
David N'DAKPAZE wrote:
Hello, Please I 'd to know how to use an ldap as a database of freeradius. I use freeradius-server-2.1.3. Is it possible to use more than one nas in clients.conf ? If yes how to do it?
Read the examples in clients.conf? There is lots of documentation.
How to configure EAP-TLS ?
1) Install the server. 2) cd raddb/certs 3) make client.crt ca.der Put the client.crt && ca.der into the client. EAP-TLS will work. Alan DeKok.
Please it seems that ldap works only with pap.Is it true? tell me how to configure many clients (nas) in clients.conf 2009/3/23, Alan DeKok <aland@deployingradius.com>:
David N'DAKPAZE wrote:
Hello, Please I 'd to know how to use an ldap as a database of freeradius. I use freeradius-server-2.1.3. Is it possible to use more than one nas in clients.conf ? If yes how to do it?
Read the examples in clients.conf? There is lots of documentation.
How to configure EAP-TLS ?
1) Install the server.
2) cd raddb/certs
3) make client.crt ca.der
Put the client.crt && ca.der into the client.
EAP-TLS will work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am Dienstag, 24. März 2009 09:33:51 schrieb David N'DAKPAZE:
Please it seems that ldap works only with pap.Is it true? tell me how to configure many clients (nas) in clients.conf
Gamarjoobat, See the protocol and authentication server compatibility charts for more info. http://deployingradius.com/documents/protocols/compatibility.html http://deployingradius.com/documents/protocols/oracles.html clients: 1) Read the sample clients.conf file 2) Did you really read it? What is unclear? You can define MULTIPLE client {...} sections in the file. 3) If your clients are in one subnet the example says: client 192.168.0.0/24 { secret = testing123-1 shortname = private-network-1 } 4) If you have disjunct IP address ranges for your clients: client 10.10.10.10 { secret = testing1 shortname = nas1 } client 10.20.30.40 { secret = testing2 shortname = nas2 } (...) -- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75 mail: misch@multinet.de web: www.multinet.de Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens --- PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
My problem is that i have define 2 clients but radius works with only the first nas. please see the output of the radtest: Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 2009/3/24 Michael Schwartzkopff <misch@multinet.de>
Am Dienstag, 24. März 2009 09:33:51 schrieb David N'DAKPAZE:
Please it seems that ldap works only with pap.Is it true? tell me how to configure many clients (nas) in clients.conf
Gamarjoobat,
See the protocol and authentication server compatibility charts for more info. http://deployingradius.com/documents/protocols/compatibility.html http://deployingradius.com/documents/protocols/oracles.html
clients:
1) Read the sample clients.conf file 2) Did you really read it? What is unclear? You can define MULTIPLE client {...} sections in the file.
3) If your clients are in one subnet the example says: client 192.168.0.0/24 { secret = testing123-1 shortname = private-network-1 }
4) If you have disjunct IP address ranges for your clients: client 10.10.10.10 { secret = testing1 shortname = nas1 }
client 10.20.30.40 { secret = testing2 shortname = nas2 }
(...)
-- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75
mail: misch@multinet.de web: www.multinet.de
Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am Dienstag, 24. März 2009 10:50:58 schrieb David N'DAKPAZE:
My problem is that i have define 2 clients but radius works with only the first nas. please see the output of the radtest: Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests.
Hi, well, FR ist quit clear where the problem is. It does not know you client 172.30.10.71. Did you enter it in the clients.conf? Did you restart FR? What about the debug output of raduisd -X? -- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75 mail: misch@multinet.de web: www.multinet.de Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens --- PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
I've put it in; the output of radiusd -X is: FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 12 2009 at 17:24:19 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client GW-RADIUS { ipaddr = 172.30.3.121 require_message_authenticator = no secret = "moov123" shortname = "GW-RADIUS" nastype = "cisco" } client 172.30.2.14 { ipaddr = 172.30.2.14 require_message_authenticator = no secret = "moov123" shortname = "VPN-test" nastype = "cisco" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### modules { } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. This client is not in the output of radiusd -X, i don't know why. 2009/3/24 Michael Schwartzkopff <misch@multinet.de>
Am Dienstag, 24. März 2009 10:50:58 schrieb David N'DAKPAZE:
My problem is that i have define 2 clients but radius works with only the first nas. please see the output of the radtest: Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests.
Hi,
well, FR ist quit clear where the problem is. It does not know you client 172.30.10.71. Did you enter it in the clients.conf? Did you restart FR?
What about the debug output of raduisd -X?
-- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75
mail: misch@multinet.de web: www.multinet.de
Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've put it in; the output of radiusd -X is:
..
client GW-RADIUS { ipaddr = 172.30.3.121 require_message_authenticator = no secret = "moov123" shortname = "GW-RADIUS" nastype = "cisco" } client 172.30.2.14 { ipaddr = 172.30.2.14 require_message_authenticator = no secret = "moov123" shortname = "VPN-test" nastype = "cisco" } radiusd: #### Loading Realms and Home Servers ####
Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests.
So, client 172.30.10.71 *is* unknown. It is *not* in your clients conf. Ivan Kalik Kalik Informatika ISP
The server doesn't see it but i've put it; i don't it ignores it 2009/3/24 <tnt@kalik.net>
I've put it in; the output of radiusd -X is:
..
client GW-RADIUS { ipaddr = 172.30.3.121 require_message_authenticator = no secret = "moov123" shortname = "GW-RADIUS" nastype = "cisco" } client 172.30.2.14 { ipaddr = 172.30.2.14 require_message_authenticator = no secret = "moov123" shortname = "VPN-test" nastype = "cisco" } radiusd: #### Loading Realms and Home Servers ####
Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests.
So, client 172.30.10.71 *is* unknown. It is *not* in your clients conf.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've add other clients in the client .conf but when i debug the server they don't appear in the output of radiusd -X. ii dont know why. 2009/3/24 <tnt@kalik.net>
The server doesn't see it but i've put it; i don't it ignores it
Put it where? In the clients.conf file listed in the debug? Or in some other clients.conf file server is not using!
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am Dienstag, 24. März 2009 12:21:06 schrieb David N'DAKPAZE:
I've add other clients in the client .conf but when i debug the server they don't appear in the output of radiusd -X. ii dont know why.
radiusd knows the clients it displays during the debug output. Please recheck your setup WHERE you inserted the new NAS and why radiusd doesn't use it. -- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75 mail: misch@multinet.de web: www.multinet.de Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens --- PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
I've add other clients in the client .conf but when i debug the server they don't appear in the output of radiusd -X. ii dont know why.
Because that is not the file server is using. Read the debug - it lists which clients.conf file server is reading. Edit that one. Ivan Kalik Kalik Informatika ISP
Excuse me, i know that it is that clients.conf the server is using because when i modify a client which appears in the debug output the server considers this changes and te debug output isn't the same 2009/3/24 <tnt@kalik.net>
I've add other clients in the client .conf but when i debug the server they don't appear in the output of radiusd -X. ii dont know why.
Because that is not the file server is using. Read the debug - it lists which clients.conf file server is reading. Edit that one.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Post the debug *and* clients.conf. Mask the passwords this time. Ivan Kalik Kalik Informatika ISP Dana 24/3/2009, "David N'DAKPAZE" <lndakpaze@gmail.com> piše:
Excuse me, i know that it is that clients.conf the server is using because when i modify a client which appears in the debug output the server considers this changes and te debug output isn't the same
2009/3/24 <tnt@kalik.net>
I've add other clients in the client .conf but when i debug the server they don't appear in the output of radiusd -X. ii dont know why.
Because that is not the file server is using. Read the debug - it lists which clients.conf file server is reading. Edit that one.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
clients.conf: # -*- text -*- ## ## clients.conf -- client configuration directives ## ## $Id$ ####################################################################### # # Define RADIUS clients (usually a NAS, Access Point, etc.). # # Defines a RADIUS client. # # '127.0.0.1' is another name for 'localhost'. It is enabled by default, # to allow testing of the server after an initial installation. If you # are not going to be permitting RADIUS queries from localhost, we suggest # that you delete, or comment out, this entry. # # # # Each client has a "short name" that is used to distinguish it from # other clients. # # In version 1.x, the string after the word "client" was the IP # address of the client. In 2.0, the IP address is configured via # the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x # format is still accepted. # client GW-RADIUS { # Allowed values are: # dotted quad (1.2.3.4) # hostname (radius.example.com) ipaddr = 172.30.3.121 # OR, you can use an IPv6 address, but not both # at the same time. # ipv6addr = :: # any. ::1 == localhost # # A note on DNS: We STRONGLY recommend using IP addresses # rather than host names. Using host names means that the # server will do DNS lookups when it starts, making it # dependent on DNS. i.e. If anything goes wrong with DNS, # the server won't start! # # The server also looks up the IP address from DNS once, and # only once, when it starts. If the DNS record is later # updated, the server WILL NOT see that update. # # One client definition can be applied to an entire network. # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and # "netmask = 8" # # If not specified, the default netmask is 32 (i.e. /32) # # We do NOT recommend using anything other than 32. There # are usually other, better ways to acheive the same goal. # Using netmasks of other than 32 can cause security issues. # # You can specify overlapping networks (127/8 and 127.0/16) # In that case, the smallest possible network will be used # as the "best match" for the client. # # Clients can also be defined dynamically at run time, based # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier, # etc. # See raddb/sites-available/dynamic-clients for details. # # netmask = 32 # # The shared secret use to "encrypt" and "sign" packets between # the NAS and FreeRADIUS. You MUST change this secret from the # The shared secret use to "encrypt" and "sign" packets between # the NAS and FreeRADIUS. You MUST change this secret from the # default, otherwise it's not a secret any more! # # The secret can be any string, up to 8k characters in length. # # Control codes can be entered vi octal encoding, # e.g. "\101\102" == "AB" # Quotation marks can be entered by escaping them, # e.g. "foo\"bar" # # A note on security: The security of the RADIUS protocol # depends COMPLETELY on this secret! We recommend using a # shared secret that is composed of: # # upper case letters # lower case letters # numbers # # And is at LEAST 8 characters long, preferably 16 characters in # length. The secret MUST be random, and should not be words, # phrase, or anything else that is recognizable. # # The default secret below is only for testing, and should # not be used in any real environment. # secret = xxxxx # # Old-style clients do not send a Message-Authenticator # in an Access-Request. RFC 5080 suggests that all clients # SHOULD include it in an Access-Request. The configuration # item below allows the server to require it. If a client # is required to include a Message-Authenticator and it does # not, then the packet will be silently discarded. # # allowed values: yes, no require_message_authenticator = no # # The short name is used as an alias for the fully qualified # domain name, or the IP address. # # It is accepted for compatibility with 1.x, but it is no # longer necessary in 2.0 # shortname = GW-RADIUS # # the following three fields are optional, but may be used by # checkrad.pl for simultaneous use checks # # # The nastype tells 'checkrad.pl' which NAS-specific method to # use to query the NAS for simultaneous use. # # Permitted NAS types are: # # cisco # computone # livingston # max40xx # multitech # netserver # pathras # patton # portslave # tc # usrhiper # other # for all other types # nastype = cisco # localhost isn't usually a NAS... } # IPv6 Client #client ::1 { # secret = testing123 # shortname = localhost #} # # All IPv/usr/local/var/log/radius/6 Site-local clients #client fe80::/16 { # secret = testing123 # shortname = localhost #} #client some.host.org { # secret = testing123 # shortname = localhost #} # # You can now specify one secret for a network of clients. # When a client request comes in, the BEST match is chosen. # When a client request comes in, the BEST match is chosen. # i.e. The entry from the smallest possible network. # #client 192.168.0.0/24 { # secret = testing123-1 # shortname = private-network-1 #} # #client 192.168.0.0/16 { # secret = testing123-2 # shortname = private-network-2 #} client 172.30.2.14 { ipaddr = 172.30.2.14 # # secret and password are mapped through the "secrets" file. secret = xxxxx shortname = VPN-test # # the following three fields are optional, but may be used by # # checkrad.pl for simultaneous usage checks nastype = cisco # login = !root # password = someadminpas } Client RADIUS { ipaddr = 172.30.1.10 # # secret and password are mapped through the "secrets" file. secret = xxxxxx shortname = RADIUS # # the following three fields are optional, but may be used by # # checkrad.pl for simultaneous usage checks nastype = cisco # login = !root # password = someadminpas } ####################################################################### # # Per-socket client lists. The configuration entries are exactly # the same as above, but they are nested inside of a section. # # You can have as many per-socket client lists as you have "listen" # sections, or you can re-use a list among multiple "listen" sections. # # Un-comment this section, and edit a "listen" section to add: # "clients = per_socket_clients". That IP address/port combination # will then accept ONLY the clients listed in this section. # #clients per_socket_clients { # client 192.168.3.4 { # secret = testing123 # } #} #client 172.30.153.20 { # ipaddr = 172.30.153.20 # secret = xxxx # nastype = cisco #} The output of the debug is the same i've sent.Thank you for your help 2009/3/24 <tnt@kalik.net>
Post the debug *and* clients.conf. Mask the passwords this time.
Ivan Kalik Kalik Informatika ISP
Dana 24/3/2009, "David N'DAKPAZE" <lndakpaze@gmail.com> piše:
Excuse me, i know that it is that clients.conf the server is using because when i modify a client which appears in the debug output the server considers this changes and te debug output isn't the same
2009/3/24 <tnt@kalik.net>
I've add other clients in the client .conf but when i debug the server they don't appear in the output of radiusd -X. ii dont know why.
Because that is not the file server is using. Read the debug - it lists which clients.conf file server is reading. Edit that one.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am Dienstag, 24. März 2009 12:51:31 schrieb David N'DAKPAZE:
clients.conf:
Client RADIUS { ipaddr = 172.30.1.10 # # secret and password are mapped through the "secrets" file. secret = xxxxxx shortname = RADIUS # # the following three fields are optional, but may be used by # # checkrad.pl for simultaneous usage checks nastype = cisco # login = !root # password = someadminpas }
keyword client with a small caps "c" in the beginning. -- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75 mail: misch@multinet.de web: www.multinet.de Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens --- PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
I want to use crypt -passwords (pap) but Idon't know where to define it. Only cleartext-passwords are accepted. Can somebody help me 2009/3/24 <tnt@kalik.net>
Client RADIUS { ..
That should be:
client RADIUS { ..
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am 24.03.2009 um 18:00 schrieb David N'DAKPAZE:
I want to use crypt -passwords (pap) but Idon't know where to define it. Only cleartext-passwords are accepted. Can somebody help me
PAP needs cleartext passwords (see http://en.wikipedia.org/wiki/ Password_authentication_protocol ) Have a nice day!
2009/3/24 <tnt@kalik.net>
Client RADIUS { ..
That should be:
client RADIUS { ..
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Please which protocol more secure can i use with ldap as database? 2009/3/24 Nicolas Goutte <nicolas.goutte@extragroup.de>
Am 24.03.2009 um 18:00 schrieb David N'DAKPAZE:
I want to use crypt -passwords (pap) but Idon't know where to define it. Only cleartext-passwords are accepted. Can somebody help me
PAP needs cleartext passwords (see http://en.wikipedia.org/wiki/Password_authentication_protocol )
Have a nice day!
2009/3/24 <tnt@kalik.net>
Client RADIUS { ..
That should be:
client RADIUS { ..
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nicolas Goutte
extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am 24.03.2009 um 18:15 schrieb David N'DAKPAZE:
Please which protocol more secure can i use with ldap as database?
As I wrote in the email as answer to my email (and an URL I missed to find the whole day as answer to your problems), see http:// deployingradius.com/documents/protocols/compatibility.html There you have a list of what protocols can be used when you have which type of passwords available for freeradius.
2009/3/24 Nicolas Goutte <nicolas.goutte@extragroup.de>
Am 24.03.2009 um 18:00 schrieb David N'DAKPAZE:
I want to use crypt -passwords (pap) but Idon't know where to define it. Only cleartext-passwords are accepted. Can somebody help me
PAP needs cleartext passwords (see http://en.wikipedia.org/wiki/ Password_authentication_protocol )
Have a nice day!
2009/3/24 <tnt@kalik.net>
Client RADIUS { ..
That should be:
client RADIUS { ..
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Nicolas Goutte
extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
I've seen it and there it is said that we can use crypt passwords but inmy case i have an access-reject: rad_recv: Access-Request packet from host 127.0.0.1 port 58647, id=108, length=5 7 User-Name = "steve" User-Password = "xxxxx" NAS-IP-Address = 172.30.10.71 NAS-Port = 1812 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "steve", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry steve at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testing" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> steve attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 108 to 127.0.0.1 port 58647 Waking up in 4.9 seconds. Cleaning up request 0 ID 108 with timestamp +20 2009/3/24 Nicolas Goutte <nicolas.goutte@extragroup.de>
Am 24.03.2009 um 18:15 schrieb David N'DAKPAZE:
Please which protocol more secure can i use with ldap as database?
As I wrote in the email as answer to my email (and an URL I missed to find the whole day as answer to your problems), see http://deployingradius.com/documents/protocols/compatibility.html
There you have a list of what protocols can be used when you have which type of passwords available for freeradius.
2009/3/24 Nicolas Goutte <nicolas.goutte@extragroup.de>
Am 24.03.2009 um 18:00 schrieb David N'DAKPAZE:
I want to use crypt -passwords (pap) but Idon't know where to define it. Only cleartext-passwords are accepted. Can somebody help me
PAP needs cleartext passwords (see http://en.wikipedia.org/wiki/Password_authentication_protocol )
Have a nice day!
2009/3/24 <tnt@kalik.net>
Client RADIUS { ..
That should be:
client RADIUS { ..
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nicolas Goutte
extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nicolas Goutte
extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Please why crypt-passwords don't work in ths case? 2009/3/24 Alan DeKok <aland@deployingradius.com>
David N'DAKPAZE wrote:
I've seen it and there it is said that we can use crypt passwords but inmy case i have an access-reject: ... [pap] login attempt with password "testing" [pap] Using CRYPT encryption. [pap] Passwords don't match
That should be clear.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
please how must Iconfigure ldap for authentication? 2009/3/24 <tnt@kalik.net>
Please why crypt-passwords don't work in ths case?
It has nothing to do with crypt. Password you have entered to log in and password that is stored in users file are not the same.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Read doc/rlm_ldap. Ivan Kalik Kalik Informatika ISP Dana 25/3/2009, "David N'DAKPAZE" <lndakpaze@gmail.com> piše:
please how must Iconfigure ldap for authentication?
2009/3/24 <tnt@kalik.net>
Please why crypt-passwords don't work in ths case?
It has nothing to do with crypt. Password you have entered to log in and password that is stored in users file are not the same.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've read it but it is not very clear for me. 2009/3/25 <tnt@kalik.net>
Read doc/rlm_ldap.
Ivan Kalik Kalik Informatika ISP
Dana 25/3/2009, "David N'DAKPAZE" <lndakpaze@gmail.com> piše:
please how must Iconfigure ldap for authentication?
2009/3/24 <tnt@kalik.net>
Please why crypt-passwords don't work in ths case?
It has nothing to do with crypt. Password you have entered to log in and password that is stored in users file are not the same.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Me I have a database already (ldap) and i want to synchronize it with freeradius. 2009/3/25 David N'DAKPAZE <lndakpaze@gmail.com>
I've read it but it is not very clear for me.
2009/3/25 <tnt@kalik.net>
Read doc/rlm_ldap.
Ivan Kalik Kalik Informatika ISP
Dana 25/3/2009, "David N'DAKPAZE" <lndakpaze@gmail.com> piše:
please how must Iconfigure ldap for authentication?
2009/3/24 <tnt@kalik.net>
Please why crypt-passwords don't work in ths case?
It has nothing to do with crypt. Password you have entered to log in and password that is stored in users file are not the same.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
So what is unclear in the configuration file? Ivan Kalik Kalik Informatika ISP Dana 25/3/2009, "David N'DAKPAZE" <lndakpaze@gmail.com> piše:
Me I have a database already (ldap) and i want to synchronize it with freeradius.
2009/3/25 David N'DAKPAZE <lndakpaze@gmail.com>
I've read it but it is not very clear for me.
2009/3/25 <tnt@kalik.net>
Read doc/rlm_ldap.
Ivan Kalik Kalik Informatika ISP
Dana 25/3/2009, "David N'DAKPAZE" <lndakpaze@gmail.com> piše:
please how must Iconfigure ldap for authentication?
2009/3/24 <tnt@kalik.net>
Please why crypt-passwords don't work in ths case?
It has nothing to do with crypt. Password you have entered to log in and password that is stored in users file are not the same.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
It is the file i must configure or the ldap file which is in /raddb/modules/ldap 2009/3/25 <tnt@kalik.net>
So what is unclear in the configuration file?
Ivan Kalik Kalik Informatika ISP
Dana 25/3/2009, "David N'DAKPAZE" <lndakpaze@gmail.com> piše:
Me I have a database already (ldap) and i want to synchronize it with freeradius.
2009/3/25 David N'DAKPAZE <lndakpaze@gmail.com>
I've read it but it is not very clear for me.
2009/3/25 <tnt@kalik.net>
Read doc/rlm_ldap.
Ivan Kalik Kalik Informatika ISP
Dana 25/3/2009, "David N'DAKPAZE" <lndakpaze@gmail.com> piše:
please how must Iconfigure ldap for authentication?
2009/3/24 <tnt@kalik.net>
>Please why crypt-passwords don't work in ths case? >
It has nothing to do with crypt. Password you have entered to log in and password that is stored in users file are not the same.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Please, I want to know which relation exist between /modules/ldap and rlm_ldap. What is the meaning of theses lines of the file /modules/ldap: #identity = "cn=admin,o=My Org,c=UA" #password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)" Thank you 2009/3/25 <tnt@kalik.net>
It is the file i must configure or the ldap file which is in /raddb/modules/ldap
raddb/modules/ldap is ldap module configuration file.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Please, I want to know which relation exist between /modules/ldap and rlm_ldap. What is the meaning of theses lines of the file /modules/ldap:
#identity = "cn=admin,o=My Org,c=UA" #password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)"
doc/rlm_ldap are instructions for using raddb/modules/ldap. Read it. It will tell you what these things are. Ivan Kalik Kalik Informatika ISP
I've configured Freeradius to use LDAP but when debug it I have This: Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_l ogin including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/virtual.example. com including configuration file /usr/local/etc/raddb/sites-enabled/SRV-RADIUS.moov. tg including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client GW-RADIUS { ipaddr = XXXXX require_message_authenticator = no secret = "xxxxxx" shortname = "GW-RADIUS" nastype = "cisco" } client XXXX { ipaddr = XXXX require_message_authenticator = no secret = "xxxxxx" shortname = "VPN-test" nastype = "cisco" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "xxxxx" shortname = "localhost" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = yes } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': rlm_ ldap.so: cannot open shared object file: No such file or directory /usr/local/etc/raddb/sites-enabled/inner-tunnel[218]: Failed to find module "lda p". /usr/local/etc/raddb/sites-enabled/inner-tunnel[218]: Failed to parse "ldap" ent ry. } } Errors initializing modules I need your help 2009/3/30, tnt@kalik.net <tnt@kalik.net>:
Please, I want to know which relation exist between /modules/ldap and rlm_ldap. What is the meaning of theses lines of the file /modules/ldap:
#identity = "cn=admin,o=My Org,c=UA" #password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)"
doc/rlm_ldap are instructions for using raddb/modules/ldap. Read it. It will tell you what these things are.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've configured Freeradius to use LDAP but when debug it I have This:
..
/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': rlm_ ldap.so: cannot open shared object file: No such file or directory
If you installed from the source - this error is in FAQ. If you installed from RPMs - you haven't installed the one for ldap support (something called like freeradius-ldap). Ivan Kalik Kalik Informatika ISP
please in the FAQ the error is about Mysql. I don't see what I must change in my configuration. 2009/3/30, tnt@kalik.net <tnt@kalik.net>:
I've configured Freeradius to use LDAP but when debug it I have This:
..
/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': rlm_ ldap.so: cannot open shared object file: No such file or directory
If you installed from the source - this error is in FAQ. If you installed from RPMs - you haven't installed the one for ldap support (something called like freeradius-ldap).
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've done whath is said in the FAQ and now I have this problem: radiusd: #### Instantiating modules #### instantiate { /usr/local/etc/raddb/modules/exec[24]: Failed to link to module 'rlm_exec': rlm_exec.a: cannot open shared object file: No such file or directory Errors initializing modules 2009/3/30, tnt@kalik.net <tnt@kalik.net>:
please in the FAQ the error is about Mysql.
Same applies to ldap.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've done whath is said in the FAQ and now I have this problem:
radiusd: #### Instantiating modules #### instantiate { /usr/local/etc/raddb/modules/exec[24]: Failed to link to module 'rlm_exec': rlm_exec.a: cannot open shared object file: No such file or directory Errors initializing modules
Same applies to *any* missing library.If your linker doesn't have the correct path it doesn't matter what's the library called. Do you use exec? If you don't you can comment those entries from the configuration. Ivan Kalik Kalik Informatika ISP
I am re-intalling freeradius and when I run make after ./configure --disable-shared I have this: ... /usr/bin/ld: attempted static link of dynamic object `/usr/lib/libltdl.so' collect2: ld returned 1 exit status rm -f .libs/radiusdS.o make[4]: *** [radiusd] Error 1 make[4]: Leaving directory `/tmp/freeradius-server-2.1.3/src/main' make[3]: *** [common] Error 2 make[3]: Leaving directory `/tmp/freeradius-server-2.1.3/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/tmp/freeradius-server-2.1.3/src' make[1]: *** [common] Error 2 make[1]: Leaving directory `/tmp/freeradius-server-2.1.3' make: *** [all] Error 2 Thank you for your help 2009/3/30 <tnt@kalik.net>
I've done whath is said in the FAQ and now I have this problem:
radiusd: #### Instantiating modules #### instantiate { /usr/local/etc/raddb/modules/exec[24]: Failed to link to module 'rlm_exec': rlm_exec.a: cannot open shared object file: No such file or directory Errors initializing modules
Same applies to *any* missing library.If your linker doesn't have the correct path it doesn't matter what's the library called.
Do you use exec? If you don't you can comment those entries from the configuration.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
David N'DAKPAZE wrote:
I am re-intalling freeradius and when I run make after ./configure --disable-shared I have this: Don't make matters worse by trying to defeat loadable modules. Go back and figure out why the loader can't find the modules. A good place to start is looking to see what libdir was defined as when you ran configure and/or look to see where the modules were installed when you ran "make install" (should be the same place and by default is /usr/lib/freeradius). Are the modules there? Was rpath set when the modules were linked? Was ldconfig run so the loader knows where to find them?
>radiusd: #### Instantiating modules #### > instantiate { >/usr/local/etc/raddb/modules/exec[24]: Failed to link to module >'rlm_exec': rlm_exec.a: cannot open shared object file: No such file >or directory >Errors initializing modules >
Same applies to *any* missing library.If your linker doesn't have the correct path it doesn't matter what's the library called.
-- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Please now i have a new problem; i use an Active Directory database and when i do a radtest, it is always access-reject like this: rad_recv: Access-Request packet from host 172.41.10.71 port 42678, id=153, length=61 User-Name = "azerty5" User-Password = "xxxxxxxxx" NAS-IP-Address = 172.30.10.71 NAS-Port = 1812 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "azerty5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [azerty5/xxxxxxxx] (from client SRV-RADIUS port 1812) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> lndakpaze attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 153 to 172.30.10.71 port 42678 Waking up in 4.9 seconds. Cleaning up request 0 ID 153 with timestamp +7 thank you for your help 2009/3/30 John Dennis <jdennis@redhat.com>
David N'DAKPAZE wrote:
I am re-intalling freeradius and when I run make after ./configure --disable-shared I have this:
Don't make matters worse by trying to defeat loadable modules. Go back and figure out why the loader can't find the modules. A good place to start is looking to see what libdir was defined as when you ran configure and/or look to see where the modules were installed when you ran "make install" (should be the same place and by default is /usr/lib/freeradius). Are the modules there? Was rpath set when the modules were linked? Was ldconfig run so the loader knows where to find them?
radiusd: #### Instantiating modules ####
instantiate { /usr/local/etc/raddb/modules/exec[24]: Failed to link to module 'rlm_exec': rlm_exec.a: cannot open shared object file: No such file or directory Errors initializing modules
Same applies to *any* missing library.If your linker doesn't have the correct path it doesn't matter what's the library called.
-- John Dennis <jdennis@redhat.com> <jdennis@redhat.com>
Looking to carve out IT costs?www.redhat.com/carveoutcosts/
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Please now i have a new problem; i use an Active Directory database and when i do a radtest, it is always access-reject like this:
http://deployingradius.com/documents/configuration/active_directory.html Ivan Kalik Kalik Informatika ISP
I searched throught the threads and found this thread exactly matching to my error I am getting. I am getting following error while debugging freeradius for using LDAP: /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': file not found /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module "ldap". /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to parse "ldap" entry. David, How did you solve this problem? I don't know what to do........... Your suggestions would be greately appreciated. Thanks, -- View this message in context: http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4978124.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
suggestme wrote:
I searched throught the threads and found this thread exactly matching to my error I am getting. I am getting following error while debugging freeradius for using LDAP:
/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': file not found
And the answer is the same as last time: read the FAQ. Look for "failed to load module" Alan DeKok.
Alan, I tried the 3 steps that is suggested in FAQ, that isn't working. Also, As suggested in 3rd (b) step; I found the 'radiusd.conf' file inside /usr/local/etc/raddb/radiusd.conf. Inside radiusd.conf file it is suggesting to do : To work around the problem, find out which library contains that symbol, # and add the directory containing that library to the end of 'libdir', # with a colon separating the directory names. NO spaces are allowed. # # e.g. libdir = /usr/local/lib:/opt/package/lib Does this mean I should add libdir for rlm_ldap just below the '/usr/local/share/doc/freeradius/rlm_ldap' line of radiusd.conf as follows: *libdir = /usr/local/share/doc/freeradius/rlm_ldap* When doing "locate rlm_ldap" command I just see rlm_ldap path as */usr/local/share/doc/freeradius/rlm_ldap* I am confused on this............. Thanks, -- View this message in context: http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4978260.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
suggestme wrote:
I tried the 3 steps that is suggested in FAQ, that isn't working.
The steps in the FAQ assume that you built the server yourself from source. Did you? They also assume (step 1), that you read the output. That will tell you whether or not the required LDAP libraries and header files are on your system. Saying "it didn't work" is the wrong response. Saying "there are no libraries" is a better response. Saying "there are libraries, but for some reason rlm_ldap isn't being built" is an even better response.
Does this mean I should add libdir for rlm_ldap just below the '/usr/local/share/doc/freeradius/rlm_ldap' line of radiusd.conf as follows:
That was a good search to do, but that file is documentation. It's not a library module. So editing "libdir" to point to documentation won't help.
When doing "locate rlm_ldap" command I just see rlm_ldap path as */usr/local/share/doc/freeradius/rlm_ldap*
Which then means you don't have the rlm_ldap.so module on your system. This means you failed to follow (or understand) step 1 as suggested in the FAQ. If you installed the server from source, ensure that you have the necessary LDAP libraries and headers installed. The list of what is needed is printed during the "configure" stage. If you installed the server from a package (rpm, apt-get, etc.), consult your local OS documentation for how to find the rlm_ldap package. Alan DeKok.
Alan, The LDAP server was already configred in other machine by System Administrator. I am trying to link FreeRadius to that existing and already running LDAP server and authenticate the users using already configured attribute. I didn't download LDAP on this machine where FreeRadius is running. I made the LDAP option "on" during the FreeRadius installation like: ==> The following configuration options are available for freeradius-2.1.10_2: USER=on "Run as user freeradius, group freeradius" KERBEROS=on "With Kerberos support" HEIMDAL=off "With Heimdal Kerberos support" LDAP=on "With LDAP database support" MYSQL=on "With MySQL database support" PGSQL=on "With PostgreSQL database support" UNIXODBC=on "With unixODBC database support" FIREBIRD=on "With Firebird database support (EXPERIMENTAL)" PERL=on "With Perl support" PYTHON=on "With Python support" OCI8=on "With Oracle support (currently experimental)" RUBY=on "With Ruby support (EXPERIMENTAL)" DHCP=on "With DHCP support (EXPERIMENTAL)" EXPERIMENTAL=on "Build experimental modules" UDPFROMTO=on "Compile in UDPFROMTO support" ===> Use 'make config' to modify these settings *The scenario is LDAP is already running in one server and Freeradius is running in another server. I just changed the configuration settings on freeBSD server where FreeRadius is running as:* */usr/local/etc/raddb/modules/ldap :* ldap { # Define the LDAP server and the base domain name server = "localhost" basedn = "dc=example,dc=com" # Define which attribute from an LDAP "ldapsearch" query # is the password. Create a filter to extract the password # from the "ldapsearch" output password_attribute = "userPassword" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # The following are RADIUS defaults start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } */usr/local/etc/raddb/sites-enabled/default :* authorize { ... ... # # The ldap module will set Auth-Type to LDAP if it has not # already been set Ldap ... ... } Auth-Type LDAP { ldap } Also, same type of modifications has been done on : */usr/local/etc/raddb/sites-enabled/inner-tunnel* Also, change has been made to users file adding LDAP user authentication. Thanks for the suggestions........... -- View this message in context: http://freeradius.1045715.n5.nabble.com/ldap-freeradius-tp2781398p4978695.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 11/09/2011 01:40 PM, suggestme wrote:
The LDAP server was already configred in other machine by System Administrator. I am trying to link FreeRadius to that existing and already running LDAP server and authenticate the users using already configured attribute. I didn't download LDAP on this machine where FreeRadius is running. I made the LDAP option "on" during the FreeRadius installation
Sigh. You're using the wrong terminology. Link has a very specific meaning in the context of shared objects (e.g. .so files). What the message was trying to tell you was the dynamic loader could not load the rlm_ldap module (a shared object). That might be because rlm_ldap.so isn't on your system or your loader has not be made aware of it's existence (e.g. ldconfig on Linux). You would be "connecting" to the ldap server on the other system, not "linking" it. Really, you need to read the FAQ and learn to use the correct vocabulary, anything less and you'll be flailing hopelessly and frustrating those who are trying to help you. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Am Dienstag, 24. März 2009 18:15:26 schrieb David N'DAKPAZE:
Please which protocol more secure can i use with ldap as database?
the answer to this question was in one of my first replies to your mail. AGAIN! See: http://deployingradius.com/documents/protocols/compatibility.html http://deployingradius.com/documents/protocols/oracles.html Please read what people write! You also can use google for searching. -- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75 mail: misch@multinet.de web: www.multinet.de Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens --- PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
Forget what I have written, see http://deployingradius.com/documents/ protocols/compatibility.html Am 24.03.2009 um 18:05 schrieb Nicolas Goutte:
Am 24.03.2009 um 18:00 schrieb David N'DAKPAZE:
I want to use crypt -passwords (pap) but Idon't know where to define it. Only cleartext-passwords are accepted. Can somebody help me
PAP needs cleartext passwords (see http://en.wikipedia.org/wiki/ Password_authentication_protocol )
Have a nice day!
2009/3/24 <tnt@kalik.net>
Client RADIUS { ..
That should be:
client RADIUS { ..
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Nicolas Goutte
extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
I've use it but the authentication have failed SRV-RADIUS:/var/log# radtest steve testing localhost 1812 xxxxx Sending Access-Request of id 151 to 127.0.0.1 port 1812 User-Name = "steve" User-Password = "xxxxx" NAS-IP-Address = 172.30.10.71 NAS-Port = 1812 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=151, length=20 2009/3/24 <tnt@kalik.net>
I want to use crypt -passwords (pap) but Idon't know where to define it. Only cleartext-passwords are accepted. Can somebody help me
For cypted passwords use attribute Crypt-Password:
Crypt-Password := "...
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Le Tuesday 24 March 2009 12:33:40 David N'DAKPAZE, vous avez écrit :
Excuse me, i know that it is that clients.conf the server is using because when i modify a client which appears in the debug output the server considers this changes and te debug output isn't the same
2009/3/24 <tnt@kalik.net>
I've add other clients in the client .conf but when i debug the server
they
don't appear in the output of radiusd -X. ii dont know why.
Because that is not the file server is using. Read the debug - it lists which clients.conf file server is reading. Edit that one.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You should have something like : client 172.30.10.71 { ipaddr = 172.30.10.71 require_message_authenticator = no secret = "XXXXXX" shortname = "VPN-test" nastype = "cisco" } Is this in your clients.conf ?
yes. 2009/3/24 Laurent Besson <lolo@system-linux.net>
Le Tuesday 24 March 2009 12:33:40 David N'DAKPAZE, vous avez écrit :
Excuse me, i know that it is that clients.conf the server is using because when i modify a client which appears in the debug output the server considers this changes and te debug output isn't the same
2009/3/24 <tnt@kalik.net>
I've add other clients in the client .conf but when i debug the server
they
don't appear in the output of radiusd -X. ii dont know why.
Because that is not the file server is using. Read the debug - it lists which clients.conf file server is reading. Edit that one.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You should have something like : client 172.30.10.71 { ipaddr = 172.30.10.71 require_message_authenticator = no secret = "XXXXXX" shortname = "VPN-test" nastype = "cisco" }
Is this in your clients.conf ?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
thank you, now it is ok 2009/3/24 David N'DAKPAZE <lndakpaze@gmail.com>
yes.
2009/3/24 Laurent Besson <lolo@system-linux.net>
Le Tuesday 24 March 2009 12:33:40 David N'DAKPAZE, vous avez écrit :
Excuse me, i know that it is that clients.conf the server is using because when i modify a client which appears in the debug output the server considers this changes and te debug output isn't the same
2009/3/24 <tnt@kalik.net>
I've add other clients in the client .conf but when i debug the server
they
don't appear in the output of radiusd -X. ii dont know why.
Because that is not the file server is using. Read the debug - it lists which clients.conf file server is reading. Edit that one.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You should have something like : client 172.30.10.71 { ipaddr = 172.30.10.71 require_message_authenticator = no secret = "XXXXXX" shortname = "VPN-test" nastype = "cisco" }
Is this in your clients.conf ?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am Dienstag, 24. März 2009 11:12:50 schrieb David N'DAKPAZE:
client GW-RADIUS { ipaddr = 172.30.3.121 require_message_authenticator = no secret = "moov123" shortname = "GW-RADIUS" nastype = "cisco" } client 172.30.2.14 { ipaddr = 172.30.2.14 require_message_authenticator = no secret = "moov123" shortname = "VPN-test" nastype = "cisco" }
Client config: client GW-RADIUS { ipaddr = 172.30.3.121 require_message_authenticator = no secret = "XXXXX" shortname = "GW-RADIUS" nastype = "cisco" } client 172.30.2.14 { ipaddr = 172.30.2.14 require_message_authenticator = no secret = "XXXXXX" shortname = "VPN-test" nastype = "cisco" } Error message: Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 You don't need to bee Shelok Holms to find out that your client is not defined. Please do not send passwords, when debugging with freeradius -X. Please also change your shared secrets NOW! Greetings, -- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75 mail: misch@multinet.de web: www.multinet.de Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens --- PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
Post your clients.conf and startup output of radiusd -X (before you send any requests). Ivan Kalik Kalik Informatika ISP Dana 24/3/2009, "David N'DAKPAZE" <lndakpaze@gmail.com> piše:
My problem is that i have define 2 clients but radius works with only the first nas. please see the output of the radtest: Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 172.30.10.71 port 38509
2009/3/24 Michael Schwartzkopff <misch@multinet.de>
Am Dienstag, 24. März 2009 09:33:51 schrieb David N'DAKPAZE:
Please it seems that ldap works only with pap.Is it true? tell me how to configure many clients (nas) in clients.conf
Gamarjoobat,
See the protocol and authentication server compatibility charts for more info. http://deployingradius.com/documents/protocols/compatibility.html http://deployingradius.com/documents/protocols/oracles.html
clients:
1) Read the sample clients.conf file 2) Did you really read it? What is unclear? You can define MULTIPLE client {...} sections in the file.
3) If your clients are in one subnet the example says: client 192.168.0.0/24 { secret = testing123-1 shortname = private-network-1 }
4) If you have disjunct IP address ranges for your clients: client 10.10.10.10 { secret = testing1 shortname = nas1 }
client 10.20.30.40 { secret = testing2 shortname = nas2 }
(...)
-- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75
mail: misch@multinet.de web: www.multinet.de
Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (9)
-
Alan DeKok -
David N'DAKPAZE -
John Dennis -
Laurent Besson -
Michael Schwartzkopff -
Nicolas Goutte -
phil lemelin -
suggestme -
tnt@kalik.net