Freeradius-Users Digest, Vol 84, Issue 63

全球无线联盟 2394263740 at qq.com
Fri Apr 20 09:42:09 CEST 2012


Alan,
  
 Thanks for your reply.
  
  Our FreeRadius server is serving the WLAN authentication.
  
 For some reason, we need to know the result for each authentication request, pass or fail.
  
 We know the post-authentication query can do something by which we know who passed.
  
 We don't have a method to log the rejected request.
  
 Thanks!
  
  ------------------ Original ------------------
  From:  "freeradius-users"<freeradius-users-request at lists.freeradius.org>;
 Date:  Fri, Apr 20, 2012 03:30 PM
 To:  "freeradius-users"<freeradius-users at lists.freeradius.org>; 
 
 Subject:  Freeradius-Users Digest, Vol 84, Issue 63

  

Today's Topics:

   1. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Alan Buxey)
   2. Re: Perl, MySQL & auth (Alan Buxey)
   3. Re: Freeradius Access Requet ID (Alan DeKok)
   4. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Wassim Zaarour)
   5. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Fajar A. Nugraha)
   6. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Wassim Zaarour)
   7. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Fajar A. Nugraha)


----------------------------------------------------------------------

Message: 1
Date: Fri, 20 Apr 2012 07:30:20 +0100
From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
To: "wassim.zaarour at navlink.com" <wassim.zaarour at navlink.com>,
"freeradius-users at lists.freeradius.org"
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID: <9339D497-E840-42EF-A2D5-779F77E0F5D9 at lboro.ac.uk>
Content-Type: text/plain; charset="utf-8"

Please read the mailing list archives, this very question and setup is often mentioned

alan


------------------------------

Message: 2
Date: Fri, 20 Apr 2012 07:35:24 +0100
From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
To: "fabrifloresg at gmail.com" <fabrifloresg at gmail.com>,
"freeradius-users at lists.freeradius.org"
<freeradius-users at lists.freeradius.org>
Subject: Re: Perl, MySQL & auth
Message-ID: <EEA07012-72B5-438B-B5CE-039B6D237BA0 at lboro.ac.uk>
Content-Type: text/plain; charset="utf-8"

Hi,

Some interesting system problems. Did you compile FR with PERL support....or if using distros version do they have additional packages you need to install eg freeradius-perl ?

We use PERL here...FR compiled with it supported and just 'use DBI;' at the top of the PERL script....no need to do ANYTHING with system libs or running parameters

alan

--
This smartphone has free WiFi worldwide with eduroam, now that IS smart


------------------------------

Message: 3
Date: Fri, 20 Apr 2012 08:50:56 +0200
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Freeradius Access Requet ID
Message-ID: <4F910750.7040104 at deployingradius.com>
Content-Type: text/plain; charset=UTF-8

?????? wrote:
> What is the parameter name for freeradius access request ID?
>  
> For example,        
> Called-Station-Id  = "46-E7-CF-62-78-11"
> Called-Station-Id is the parameter name for NAS MAC address.

  You can't look at the access request ID.  It doesn't mean anything,
and there's no reason to look at it.

  Alan DeKok.


------------------------------

Message: 4
Date: Fri, 20 Apr 2012 10:09:18 +0300
From: Wassim Zaarour <wassim.zaarour at navlink.com>
To: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>,
"freeradius-users at lists.freeradius.org"
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID: <CBB6E5E1.ECFF%wassim.zaarour at navlink.com>
Content-Type: text/plain; charset="us-ascii"

Hi Alan,

I went through the archives and did some changes but still getting the
error, appreciate if you can help me a bit here.

I think I read that the ldap request must be proxied to the inner tunnel for
it to work, is that true? How can we do that?

Thanks



Wassim.

From:  Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
Date:  Friday, April 20, 2012 9:30 AM
To:  Wassim Zaarour <wassim.zaarour at navlink.com>,
"freeradius-users at lists.freeradius.org"
<freeradius-users at lists.freeradius.org>
Subject:  Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.

Please read the mailing list archives, this very question and setup is often
mentioned

alan




------------------------------

Message: 5
Date: Fri, 20 Apr 2012 14:15:59 +0700
From: "Fajar A. Nugraha" <list at fajar.net>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID:
<CAG1y0scEv7ZrF9OkB5-FKEyJuKOiGW=mmAUQNjt=5AS6j4OnHw at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Fri, Apr 20, 2012 at 2:09 PM, Wassim Zaarour
<wassim.zaarour at navlink.com> wrote:
> Hi Alan,
>
> I went through the archives and did some changes but still getting the
> error, appreciate if you can help me a bit here.
>
> I think I read that the ldap request must be proxied to the inner tunnel for
> it to work, is that true? How can we do that?

Short version: you won't be able to get PEAP-MSCHAPv2 (i.e. what
windows use) to work with your LDAP. Period.

Long version:
MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either:
- Cleartext-Password or NT-Hash available (in LDAP, sql, users file
whatever), OR
- an active directory

If you don't have either, then it won't work.

-- 
Fajar


------------------------------

Message: 6
Date: Fri, 20 Apr 2012 10:22:30 +0300
From: Wassim Zaarour <wassim.zaarour at navlink.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID: <CBB6E904.ED05%wassim.zaarour at navlink.com>
Content-Type: text/plain; CHARSET=US-ASCII





On 4/20/12 10:15 AM, "Fajar A. Nugraha" <list at fajar.net> wrote:

>On Fri, Apr 20, 2012 at 2:09 PM, Wassim Zaarour
><wassim.zaarour at navlink.com> wrote:
>> Hi Alan,
>>
>> I went through the archives and did some changes but still getting the
>> error, appreciate if you can help me a bit here.
>>
>> I think I read that the ldap request must be proxied to the inner
>> tunnel for it to work, is that true? How can we do that?
>
>Short version: you won't be able to get PEAP-MSCHAPv2 (i.e. what
>windows use) to work with your LDAP. Period.
>
>Long version:
>MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either:
>- Cleartext-Password or NT-Hash available (in LDAP, sql, users file
>whatever), OR
>- an active directory
>
>If you don't have either, then it won't work.

Hi Fajar,

Passwords are stored as clear text in my LDAP, that should make MSCHAPv2
work right?

Wassim




------------------------------

Message: 7
Date: Fri, 20 Apr 2012 14:30:42 +0700
From: "Fajar A. Nugraha" <list at fajar.net>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID:
<CAG1y0sch+7s+r9+G5Gp5oxhca6wAjbek=j9L6_4gqDWU_sEztg at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Fri, Apr 20, 2012 at 2:22 PM, Wassim Zaarour
<wassim.zaarour at navlink.com> wrote:

> On 4/20/12 10:15 AM, "Fajar A. Nugraha" <list at fajar.net> wrote:

>>Long version:
>>MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either:
>>- Cleartext-Password or NT-Hash available (in LDAP, sql, users file
>>whatever), OR
>>- an active directory
>>
>>If you don't have either, then it won't work.
>
> Hi Fajar,
>
> Passwords are stored as clear text in my LDAP, that should make MSCHAPv2
> work right?

Yes, if FR can find them. This part of the log says it can't:

[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

You might need to play around with the user used to login to LDAP,  as
some systems only give out passwords to admin accounts. Testing manual
LDAP lookup using command line tool (e.g. ldapsearch) helps. If you
CAN get your ldap server to return cleartext password with ldapsearch,
then you should be able to configure FR to get that as well.

-- 
Fajar
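
Added example (not part of the original thread and not FreeRADIUS code): a Python check over ldapsearch output for the condition described in Messages 5 and 7, reporting whether the lookup made with the server's bind identity returned a cleartext password or an NT hash. The attribute names userPassword and sambaNTPassword, the {SCHEME} prefix convention and the sample entries are assumptions about the directory, constructed for illustration.

```python
import base64
import re

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed ldapsearch (LDIF) output; DN, uid and values are illustrative.
# Same entry fetched with a bind DN that cannot, then can, read userPassword.
LDIF_NO_ACCESS = "dn: uid=pk,dc=example,dc=com\nuid: pk\ncn: Example User\n"
LDIF_WITH_ACCESS = ("dn: uid=pk,dc=example,dc=com\nuid: pk\n"
                    "userPassword:: " + _b64("constructed-password") + "\n")
# Entry whose stored value is a salted hash rather than the password itself.
LDIF_HASHED = ("dn: uid=pk,dc=example,dc=com\n"
               "userPassword:: " + _b64("{SSHA}constructed-digest") + "\n")

def parse_entry(ldif):
    """Return {attr_lowercase: [bytes, ...]} for a single-entry LDIF text."""
    unfolded = re.sub(r"\n ", "", ldif)           # join LDIF continuation lines
    entry = {}
    for line in unfolded.splitlines():
        m = re.match(r"([A-Za-z][\w;-]*)(::?)\s*(.*)$", line)
        if not m:                                 # comments and blank lines
            continue
        name, sep, raw = m.groups()
        # "attr:: value" means the value is base64-encoded
        value = base64.b64decode(raw) if sep == "::" else raw.encode()
        entry.setdefault(name.lower(), []).append(value)
    return entry

def mschapv2_material(ldif):
    """Name the credential usable for MSCHAPv2, if any, that the lookup returned."""
    entry = parse_entry(ldif)
    for nt in entry.get("sambantpassword", []):
        if re.fullmatch(rb"[0-9A-Fa-f]{32}", nt):  # NT hash as 32 hex digits
            return "nt-hash"
    for pw in entry.get("userpassword", []):
        scheme = re.match(rb"\{([^}]+)\}", pw)
        if scheme is None or scheme.group(1).upper() in (b"CLEAR", b"CLEARTEXT"):
            return "cleartext"
        return "unusable:" + scheme.group(1).decode().upper()
    return "none-returned"                         # attribute withheld or absent

if __name__ == "__main__":
    for label, ldif in [("no access", LDIF_NO_ACCESS),
                        ("with access", LDIF_WITH_ACCESS),
                        ("hashed", LDIF_HASHED)]:
        print(label, "->", mschapv2_material(ldif))
```

A result of none-returned for the bind identity FreeRADIUS uses corresponds to the 'No "known good" password' warning quoted above.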


------------------------------


End of Freeradius-Users Digest, Vol 84, Issue 63
************************************************