Freeradius-Users Digest, Vol 128, Issue 64
dahili.network at gmail.com
Tue Dec 22 21:17:08 CET 2015
Dear friends,
I read the message at
http://lists.freeradius.org/pipermail/freeradius-users/2013-January/064662.html
so I know many people are experienced with FreeRADIUS.
Please let me know if you are available to write a custom config file for me.
I use FreeRadius + MySQL + Radius Manager (DMA-Soft).
A PPPoE user that was created in RM, for example test at test.com, successfully logged in
to the MikroTik NAS
with a RADIUS-offered IP pool or a RADIUS-offered static IP.
When a user's service has expired,
as a user there is no way to know whether it is a fault or the service has expired.
What I need:
regexp user *@test.com
regexp get ip from sql ip pool named "expired"
ip pool from mysql "expired"
gateway 1.1.1.1 (this will open status page from our server)
update reply {
    DHCP-Domain-Name-Server = 8.8.8.8
    DHCP-Domain-Name-Server += 8.8.4.4
    DHCP-Subnet-Mask = 255.255.255.255
    DHCP-Router-Address = 1.1.1.1
    DHCP-IP-Address-Lease-Time = 7200
    DHCP-DHCP-Server-Identifier = 1.1.1.1
}
my best regards
oguz
----- Original Message -----
From: <freeradius-users-request at lists.freeradius.org>
To: <freeradius-users at lists.freeradius.org>
Sent: Tuesday, December 22, 2015 6:13 PM
Subject: Freeradius-Users Digest, Vol 128, Issue 64
> Today's Topics:
>
> 1. Re: Freeradius + LDAP - WARNING: No "known good" password was
> found in LDAP (Anirudh Malhotra)
> 2. Re: Freeradius + LDAP - WARNING: No "known good" password was
> found in LDAP (Kermes - -)
> 3. Proxy server rejects/failed auth request (srithar jeevadurai)
> 4. Re: Problem with handshake (Mario Guerri Maglia)
> 5. Re: Compilation error (Alan DeKok)
> 6. Re: Problem with handshake (Alan DeKok)
> 7. Re: Proxy server rejects/failed auth request (srithar jeevadurai)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 22 Dec 2015 17:10:31 +0530
> From: Anirudh Malhotra <amalhotra.sp-dl at nkn.in>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius + LDAP - WARNING: No "known good" password was
> found in LDAP
> Message-ID: <567936AF.8040003 at nkn.in>
> Content-Type: text/plain; CHARSET=US-ASCII; format=flowed
>
> Hi,
>
> Your LDAP is returning ok
>
> So the only problem is
> unhash
> Auth-Type LDAP {
> ldap
> }
>
> from authenticate section and check.
>
> BR,
> Anirudh Malhotra
>
> On Monday 21 December 2015 07:30 PM, Alan DeKok wrote:
>> On Dec 21, 2015, at 3:38 AM, Kermes - - <kermes at gmx.es> wrote:
>>> I need some help with my freeradius + LDAP configuration, I'm stuck
>>> with a "WARNING: No "known good" password was found in LDAP" message,
>>> and I don't know how to continue with the debugging of this problem.
>> The user isn't found in LDAP. The debug output shows that, including
>> the LDAP query.
>>
>>> First, versions:
>>> freeradius-ldap-2.2.6-6.el6_7.x86_64
>>> freeradius-2.2.6-6.el6_7.x86_64
>>>
>>> This is the output from "radiusd -X":
>> The debug output is from "radiusd -Xx", which adds timestamps... and
>> makes the output more difficult to read. Please use just "radiusd -X".
>>> Mon Dec 21 08:14:30 2015 : Debug: [ldap] performing search in
>>> ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local with
>>> filter
>>> (uid=test)
>>> Mon Dec 21 08:14:30 2015 : Info: [ldap] looking for check items in
>>> directory...
>>> Mon Dec 21 08:14:30 2015 : Info: [ldap] looking for reply items in
>>> directory...
>> And nothing was found.
>>
>> What happens when you use that LDAP search string in an LDAP client
>> utility?
>>
>> Test it with an LDAP client. Once you get the search string correct,
>> fix the FreeRADIUS query to use the correct search string.
>>
>>> basedn =
>>> "ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local"
>>> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>> One or both of those is wrong for your LDAP system.
>>
>> I don't know what the *right* query is, because I don't know how your
>> LDAP system is set up.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 22 Dec 2015 15:03:52 +0100
> From: "Kermes - -" <kermes at gmx.es>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Freeradius + LDAP - WARNING: No "known good" password was
> found in LDAP
> Message-ID:
> <trinity-c224afb0-39a9-48d3-b0ac-f8cc5577644e-1450793032362 at 3capp-mailcom-bs05>
>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Anirudh,
>
> that was exactly my problem, the authenticate section!
>
> Thanks a lot!
> BR
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 22 Dec 2015 19:53:48 +0530
> From: srithar jeevadurai <srijeevadurai1 at gmail.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Proxy server rejects/failed auth request
> Message-ID:
> <CAC5rx4xtLWJcytnjhfxeVXzxm2DnvmVLEq6rYs==12nyFA4BAg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Friends,
>
> I have got the proxy setup ready and made configuration changes as per
> my knowledge.
>
> While trying to send a request from the NAS simulator, it gives the below
> error message in radius.log:
>
> Tue Dec 22 19:36:46 2015 : Auth: Login incorrect: [asdf at company.com] (from client 234.224.654.123 port 16679 cli 355545455)
>
>
> The config file users has the below difference compared to the installation
> file users. Can you please help me to fix the same?
>
>
>
> < DEFAULT Service-Type == Framed-User, Framed-Protocol == 7
> < Framed-IP-Netmask = 255.255.255.255,
> < MS-Primary-DNS-Server == 195.68.0.1,
> < MS-Secondary-DNS-Server == 195.68.0.2,
> < Service-Type == Framed-User,
> < Framed-Protocol == 7,
> < Fall-Through == no
>
> One more request: I could not find any connection between the proxy radius
> and the home server radius. Does the connection only happen when it is
> required, i.e. while sending a request from the proxy to the home server?
>
>
>
> --
> Regards,
> Srithar Durairaj
> Alternate Mail I.D: srijeevadurai1 at yahoo.co.in
> Mobile: +919886251852
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 22 Dec 2015 12:41:55 -0300
> From: Mario Guerri Maglia <mario.guerri at seciu.edu.uy>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Problem with handshake
> Message-ID: <56796F43.1000901 at seciu.edu.uy>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hi,
>
> sadly the hints you gave me didn't work.
> First of all I must say I'm a new user of FreeRadius, so I'll try to
> give a detailed explanation of my problem.
>
> In the beginning the radius was functioning ok, the authentication was
> ok, it consulted the LDAP and if the user was right, the user could
> connect to the Wi-Fi. We had few defined users and for many weeks nobody
> connected to it.
>
> After that we tried to connect again and this error message appeared:
>
> Tue Nov 17 11:26:04 2015 : Error: TLS Alert read:fatal:handshake failure
> Tue Nov 17 11:26:04 2015 : Error: TLS_accept: failed in SSLv3 read client certificate A
> Tue Nov 17 11:26:04 2015 : Error: rlm_eap: SSL error error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> Tue Nov 17 11:26:04 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> Tue Nov 17 11:26:04 2015 : Auth: Login incorrect (TLS Alert read:fatal:handshake failure): [mguerri] (from client AP_RAU_red_2 port 8 cli CC-AF-78-2B-9F-65) Usuario Rechazado
>
>
> So now the users can't connect; more precisely, some devices can't
> connect, for example some notebooks with Ubuntu 14.04 and newer mobile
> phones with Android. But on the other hand some older mobile phones with
> Android can connect to the Wi-Fi; the user is validated.
>
> Before writing to the list I found on the Internet that the problem was
> related to the size of the certification and the solution was to
> generate certification of 2048 size, because ours were of 1024. I changed
> the size to 2048 and after that I did these:
>
> openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem
>
> openssl req -new -keyout radius.key -out radius.seciu.edu.uy.csr -days 3650
>
> openssl ca -policy policy_anything -out radius.seciu.edu.uy.crt -extensions xpserver_ext -extfile xpextensions -infiles radius.seciu.edu.uy.csr
>
> openssl x509 -inform PEM -outform DER -in cacert.pem -out ca.der
>
> openssl dhparam -check -text -5 512 -out dh
>
> dd if=/dev/urandom of=random count=2
>
>
> But it didn't function, the message is the same.
>
> I did what you told me to do, I passed cacert.pem, radius.key and
> radius.seciu.edu.uy.crt to the client. But I got the same error message.
> I don't realize what I am doing wrong...
>
> Hope you can help me, thanks in advance
>
>
> Mario
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 22 Dec 2015 10:42:47 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Compilation error
> Message-ID: <FD5AC9BB-0D65-46DA-AD54-81EFFEFF918D at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Dec 22, 2015, at 4:27 AM, srithar jeevadurai <srijeevadurai1 at gmail.com>
> wrote:
>> I am getting below error message while compiling freeRadius.
>
> Use a recent version of OpenSSL.
>
> Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 22 Dec 2015 10:46:16 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Problem with handshake
> Message-ID: <B0DDD21F-20B2-4925-8363-D332753993C8 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Dec 22, 2015, at 10:41 AM, Mario Guerri Maglia
> <mario.guerri at seciu.edu.uy> wrote:
>> sadly the hints you gave me didn't work.
>
> Did you follow the instructions?
>
> If so, *which step* failed? Simply saying "it didn't work" is unhelpful.
>
>> First of all I must say I'm a new user of FreeRadius, so I'll try to give
>> a detailed explanation of my problem.
>
> That's good. But I pointed you to detailed documentation which says how
> to get this to work. Did you follow it?
>
>> In the beginning the radius was functioning ok, the authentication was ok,
>> it consulted the LDAP and if the user was right, the user could connect
>> to the Wi-Fi. We had few defined users and for many weeks nobody
>> connected to it.
>>
>> After that we tried to connect again and this error message appeared:
>
> Which you already said. There's no need to post it again.
>
>> Before writing to the list I found on the Internet that the problem was
>> related to the size of the certification and the solution was to generate
>> certification of 2048 size, because ours were of 1024. I changed the
>> size to 2048 and after that I did these:
>
> The directory raddb/certs contains configuration files and scripts which
> create new certificates. Did you use them?
>
> Apparently not.
>
>> But it didn't function, the message is the same.
>
> Running server-side OpenSSL scripts doesn't change the client
> configuration.
>
>> I did what you told me to do, I passed cacert.pem, radius.key and
>> radius.seciu.edu.uy.crt to the client. But I got the same error message.
>> I don't realize what I am doing wrong...
>
> You need to follow the instructions *exactly*. And if something goes
> wrong, say *which* step is going wrong.
>
> Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 22 Dec 2015 21:43:15 +0530
> From: srithar jeevadurai <srijeevadurai1 at gmail.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Proxy server rejects/failed auth request
> Message-ID:
> <CAC5rx4xDxQb7jGC0Gt1pWFtb0HQJZ21O_LmUygV5pcs_Nj8Q3w at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Team,
>
> Do we need to keep listen config as below for proxy server?
>
> File: radiusd.conf
>
> -- auth proxy
> listen {
>     ipaddr = 234.223.454.556
>     port = 1812
>     type = proxy
> }
>
> -- account proxy
> listen {
>     ipaddr = 234.223.454.556
>     port = 1813
>     type = proxy
> }
>
>
>
>
>
> --
> Regards,
> Srithar Durairaj
> Alternate Mail I.D: srijeevadurai1 at yahoo.co.in
> Mobile: +919886251852
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 128, Issue 64
> *************************************************
>
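Added example (not part of the original messages and not FreeRADIUS code): a Python sketch that expands the `filter` string quoted in Message 1, following its `%{%{Stripped-User-Name}:-%{User-Name}}` fallback, so the resulting search can be tried in an LDAP client as Alan DeKok suggests there. The request attributes are constructed, and the RFC 4515 escaping is this example's assumption rather than the server's own routine.

```python
import shlex

BASEDN = "ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local"  # from the thread
FILTER = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"                 # from the thread
# Constructed request attributes (assumption, not from the thread).
SAMPLE_REQUEST = {"User-Name": "test"}

def ldap_escape(value):
    """RFC 4515 escaping so a user name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def matching_brace(text, open_idx):
    """Index of the '}' that closes the '{' at open_idx."""
    depth = 0
    for j in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        if depth == 0:
            return j
    raise ValueError("unbalanced %{...} expansion")

def expand_one(body, attrs):
    """Expand the inside of one %{...}: an attribute name or <first>:-<fallback>."""
    depth = 0
    for k, ch in enumerate(body):
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth == 0 and body.startswith(":-", k):
            first, fallback = body[:k], body[k + 2:]
            value = expand(first, attrs) if first.startswith("%{") else expand_one(first, attrs)
            return value or expand(fallback, attrs)  # empty first -> use fallback
    return ldap_escape(attrs.get(body, ""))

def expand(template, attrs):
    """Expand every %{...} in template against the request attributes."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = matching_brace(template, i + 1)
            out.append(expand_one(template[i + 2:end], attrs))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def ldapsearch_command(attrs):
    """The client-side search that reproduces the filter the server would build."""
    return shlex.join(["ldapsearch", "-x", "-b", BASEDN, expand(FILTER, attrs)])

print(ldapsearch_command(SAMPLE_REQUEST))
```

If the printed command returns no entry when run against the directory, the base DN or filter is what needs changing, not the authenticate section.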