Hi all,<br><br>I have radius-ldap setup for authenticating network devices.<br><br>I have small doubt here.<br><br>Is it possible to have different enable passwords for different huntgroups?<br><br>For e.g. i have 2 huntgroups. one for cisco switches and one for cisco routers and I want to have different enable passwords for both.
<br><br>Currently i have only one entry for enable password and that is commom for all the cisco devices.<br><br><br><div><span class="gmail_quote">On 9/10/07, <b class="gmail_sendername"><a href="mailto:freeradius-users-request@lists.freeradius.org">
freeradius-users-request@lists.freeradius.org</a></b> <<a href="mailto:freeradius-users-request@lists.freeradius.org">freeradius-users-request@lists.freeradius.org</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Send Freeradius-Users mailing list submissions to<br> <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br><br>To subscribe or unsubscribe via the World Wide Web, visit
<br> <a href="http://lists.freeradius.org/mailman/listinfo/freeradius-users">http://lists.freeradius.org/mailman/listinfo/freeradius-users</a><br>or, via email, send a message with subject or body 'help' to
<br> <a href="mailto:freeradius-users-request@lists.freeradius.org">freeradius-users-request@lists.freeradius.org</a><br><br>You can reach the person managing the list at<br> <a href="mailto:freeradius-users-owner@lists.freeradius.org">
freeradius-users-owner@lists.freeradius.org</a><br><br>When replying, please edit your Subject line so it is more specific<br>than "Re: Contents of Freeradius-Users digest..."<br><br><br>Today's Topics:<br><br>
1. RE: Freeradius+Active directory - router login authentciation<br> (Rakesh Jha)<br> 2. Re: Freeradius doesn't detect EAP when authenticating against<br> MySQL (Andrew Rowson)<br> 3. RE : LOGs of eap-tls authentication (inelec communication)
<br> 4. Re: Freeradius doesn't detect EAP when authenticating against<br> MySQL (Alan DeKok)<br><br><br>----------------------------------------------------------------------<br><br>Message: 1<br>Date: Mon, 10 Sep 2007 09:21:42 +0300
<br>From: "Rakesh Jha" <<a href="mailto:rakesh@burgan.com">rakesh@burgan.com</a>><br>Subject: RE: Freeradius+Active directory - router login authentciation<br>To: "FreeRadius users mailing list"<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>Message-ID:<br> <<a href="mailto:A928C53C7FC96746A7C07338F009DCA00C4D37@BB-MAIL.main.burgan.bnk">
A928C53C7FC96746A7C07338F009DCA00C4D37@BB-MAIL.main.burgan.bnk</a>><br>Content-Type: text/plain; charset="us-ascii"<br><br>Alan,<br><br>Please see the complete output of radiusd -X as following -<br><br>
Starting - reading configuration files ...<br>reread_config: reading radiusd.conf<br>Config: including file: /usr/local/etc/raddb/proxy.conf<br>Config: including file: /usr/local/etc/raddb/clients.conf<br>Config: including file: /usr/local/etc/raddb/snmp.conf
<br>Config: including file: /usr/local/etc/raddb/eap.conf<br>Config: including file: /usr/local/etc/raddb/sql.conf<br> main: prefix = "/usr/local"<br> main: localstatedir = "/usr/local/var"<br> main: logdir = "/usr/local/var/log/radius"
<br> main: libdir = "/usr/local/lib"<br> main: radacctdir = "/usr/local/var/log/radius/radacct"<br> main: hostname_lookups = no<br> main: max_request_time = 30<br> main: cleanup_delay = 5<br> main: max_requests = 1024
<br> main: delete_blocked_requests = 0<br> main: port = 0<br> main: allow_core_dumps = no<br> main: log_stripped_names = no<br> main: log_file = "/usr/local/var/log/radius/radius.log"<br> main: log_auth = no<br>
main: log_auth_badpass = no<br> main: log_auth_goodpass = no<br> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"<br> main: user = "(null)"<br> main: group = "(null)"<br> main: usercollide = no
<br> main: lower_user = "no"<br> main: lower_pass = "no"<br> main: nospace_user = "no"<br> main: nospace_pass = "no"<br> main: checkrad = "/usr/local/sbin/checkrad"<br> main: proxy_requests = yes
<br> proxy: retry_delay = 5<br> proxy: retry_count = 3<br> proxy: synchronous = no<br> proxy: default_fallback = yes<br> proxy: dead_time = 120<br> proxy: post_proxy_authorize = no<br> proxy: wake_all_if_all_dead = no<br>
security: max_attributes = 200<br> security: reject_delay = 1<br> security: status_server = no<br> main: debug_level = 0<br>read_config_files: reading dictionary<br>read_config_files: reading naslist<br>Using deprecated naslist file. Support for this will go away soon.
<br>read_config_files: reading clients<br>read_config_files: reading realms<br>radiusd: entering modules setup<br>Module: Library search path is /usr/local/lib<br>Module: Loaded exec<br> exec: wait = yes<br> exec: program = "(null)"
<br> exec: input_pairs = "request"<br> exec: output_pairs = "(null)"<br> exec: packet_type = "(null)"<br>rlm_exec: Wait=yes but no output defined. Did you mean output=none?<br>Module: Instantiated exec (exec)
<br>Module: Loaded expr<br>Module: Instantiated expr (expr)<br>Module: Loaded PAP<br> pap: encryption_scheme = "crypt"<br> pap: auto_header = yes<br>Module: Instantiated pap (pap)<br>Module: Loaded CHAP<br>Module: Instantiated chap (chap)
<br>Module: Loaded MS-CHAP<br> mschap: use_mppe = yes<br> mschap: require_encryption = no<br> mschap: require_strong = no<br> mschap: with_ntdomain_hack = yes<br> mschap: passwd = "(null)"<br> mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
<br>--domain=%{mschap:NT-D<br>omain:-burgan_dom} --username=%{mschap:User-Name:-None}<br>--challenge=%{mschap:Cha<br>llenge:-00} --nt-response=%{mschap:NT-Response:-00}"<br>Module: Instantiated mschap (mschap)<br>Module: Loaded System
<br> unix: cache = no<br> unix: passwd = "(null)"<br> unix: shadow = "(null)"<br> unix: group = "(null)"<br> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"<br> unix: usegroup = no
<br> unix: cache_reload = 600<br>Module: Instantiated unix (unix)<br>Module: Loaded eap<br>eap: default_eap_type = "tls"<br> eap: timer_expire = 60<br> eap: ignore_unknown_eap_types = no<br> eap: cisco_accounting_username_bug = no
<br>rlm_eap: Loaded and initialized type md5<br>rlm_eap: Loaded and initialized type leap<br> gtc: challenge = "Password: "<br> gtc: auth_type = "PAP"<br>rlm_eap: Loaded and initialized type gtc<br> tls: rsa_key_exchange = no
<br> tls: dh_key_exchange = yes<br> tls: rsa_key_length = 512<br> tls: dh_key_length = 512<br> tls: verify_depth = 0<br> tls: CA_path = "(null)"<br> tls: pem_file_type = yes<br> tls: private_key_file = "/usr/local/etc/raddb/certs/cert-
srv.pem"<br> tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"<br> tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"<br> tls: private_key_password = "whatever"
<br> tls: dh_file = "(null)"<br> tls: random_file = "/dev/urandom"<br> tls: fragment_size = 1024<br> tls: include_length = yes<br> tls: check_crl = no<br> tls: check_cert_cn = "(null)"<br> tls: cipher_list = "(null)"
<br> tls: check_cert_issuer = "(null)"<br>rlm_eap_tls: Loading the certificate file as a chain<br>rlm_eap_tls: Unable to open DH file - (null)<br>rlm_eap: Failed to initialize type tls<br>radiusd.conf[10]: eap: Module instantiation failed.
<br>radiusd.conf[1962] Unknown module "eap".<br>radiusd.conf[1909] Failed to parse authenticate section.<br><br>As you have written 'as are most "helpful" pages not on <a href="http://freeradius.org">
freeradius.org</a>',<br>can you please suggest some links which guide correctly to configure<br>radius, openssl and active directory.<br><br>Thanks a lot,<br>Rakesh Jha<br><br>-----Original Message-----<br>From: <a href="mailto:freeradius-users-bounces@lists.freeradius.org">
freeradius-users-bounces@lists.freeradius.org</a><br>[mailto:<a href="mailto:freeradius-users-bounces@lists.freeradius.org">freeradius-users-bounces@lists.freeradius.org</a>] On Behalf Of Alan<br>DeKok<br>Sent: Monday, September 10, 2007 8:35 AM
<br>To: FreeRadius users mailing list<br>Subject: Re: Freeradius+Active directory - router login authentciation<br><br>Rakesh Jha wrote:<br>...<br>> After following FreeRADIUS Tutorial for AD integration I am not able<br>
to<br>> start radius daemon as it complains -<br>><br>> radiusd.conf[10]: eap: Module instantiation failed.<br>> radiusd.conf[1962] Unknown module "eap".<br>> radiusd.conf[1909] Failed to parse authenticate section.
<br><br> I'm at a bit of a loss for why so many people are so insistent on<br>removing all useful messages.<br><br>Attention:<br>Any non-official business related views, opinions and other information presented in this electronic mail
<br>are solely those of the sender/author.<br>Burgan Bank does not endorse or accept responsibility for their opinions. If you are not the addressed<br>indicated in this mail or responsible for delivering this message to the intended,
<br>you should delete this message and notify the sender immediately.<br>-------------------------------------------------------<br>Burgan Bank S.A.K<br><a href="http://www.burgan.com">www.burgan.com</a><br><br><br><br>------------------------------
<br><br>Message: 2<br>Date: Mon, 10 Sep 2007 08:47:09 +0100<br>From: Andrew Rowson <<a href="mailto:freeradius@growse.com">freeradius@growse.com</a>><br>Subject: Re: Freeradius doesn't detect EAP when authenticating against
<br> MySQL<br>To: FreeRadius users mailing list<br> <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>Message-ID: <<a href="mailto:b03eaa106466517b3d809c38044273f9@ticklemail.mrmen.home">
b03eaa106466517b3d809c38044273f9@ticklemail.mrmen.home</a>><br>Content-Type: text/plain; charset="UTF-8"<br><br><br><br>On Mon, 10 Sep 2007 07:31:04 +0200, Alan DeKok <<a href="mailto:aland@deployingradius.com">
aland@deployingradius.com</a>><br>wrote:<br>> Andrew Rowson wrote:<br>>> Looking over it, it seems that a problem comes up with the MSCHAP bit:<br>>><br>>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
<br>>> rlm_mschap: No User-Password configured. Cannot create NT-Password.<br>>> rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password<br>>> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
<br>>> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect<br>>> modcall[authenticate]: module "mschap" returns reject for request 14<br>>><br>>> This appears to imply that there's no User-Password entry found anywhere
<br>>> for the user in the database. This would be correct, as the attribute in<br>>> the radcheck table is set to Cleartext-Password. Anything other than<br>>> Cleartext-Password and freeradius doesn't attempt an auth-type of EAP,
<br>>> but Local instead, going back to my original problem.<br>><br>> What does the database contain? Cleartext-Password == password,<br>> or Cleartext-Password := password ?<br>><br><br>The database contains Cleartext-Password == password. I've tried it with
<br>:=, but if I remember correctly that fails as well, with the Auth-type<br>being set to local again. I'll see if I can get a log of that failure as<br>well, if it'd be helpful?<br><br>Andrew<br><br><br><br>------------------------------
<br><br>Message: 3<br>Date: Mon, 10 Sep 2007 10:23:19 +0200 (CEST)<br>From: inelec communication <<a href="mailto:inelec_communication@yahoo.fr">inelec_communication@yahoo.fr</a>><br>Subject: RE : LOGs of eap-tls authentication
<br>To: FreeRadius users mailing list<br> <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>Message-ID: <<a href="mailto:60722.76768.qm@web26011.mail.ukl.yahoo.com">
60722.76768.qm@web26011.mail.ukl.yahoo.com</a>><br>Content-Type: text/plain; charset="iso-8859-1"<br><br>hello,<br> running radius in debug mode doesn't give any log file ,i meen it doesn't give logs in
radiusd.log ; if you give me your result when you have rubn radiusd -X -A perhaps i can help<br><br> regards<br><br><br><a href="mailto:anoop_c@sifycorp.com">anoop_c@sifycorp.com</a> a ?crit :<br><br>Hi 1 I am using eap-tls
authentication.My setup is working well with certificates. I am unable to get logs of user login ok or denied in the radius.log file [root@anoop sbin]# radiusd -X -A Starting - reading configuration files ... reread_config: reading
radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = \"/usr/local\" main: localstatedir = \"/usr/local/var\" main: logdir = \"/usr/local/var/log/radius\" main: libdir = \"/usr/local/lib\" main: radacctdir = \"/usr/local/var/log/radius/radacct\" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names
<br> = yes main: log_file = \"/usr/local/var/log/radius/radius.log\" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = \"/usr/local/var/run/radiusd/radiusd.pid\" main: user = \"(null)\" main: group = \"(null)\" main: usercollide = no main: lower_user = \"no\" main: lower_pass = \"no\" main: nospace_user = \"no\" main: nospace_pass = \"no\" main: checkrad = \"/usr/local/sbin/checkrad\" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients
<br> read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = \"(null)\" exec: input_pairs = \"request\" exec: output_pairs = \"(null)\" exec: packet_type = \"(null)\" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded System unix: cache = no unix: passwd = \"(null)\" unix: shadow = \"(null)\" unix: group = \"(null)\" unix: radwtmp = \"/usr/local/var/log/radius/radwtmp\" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = \"tls\" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = \"Password: \"
<br> gtc: auth_type = \"PAP\" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = \"(null)\" tls: pem_file_type = yes tls: private_key_file = \"/etc/1x/07xwifi.pem\" tls: certificate_file = \"/etc/1x/07xwifi.pem\" tls: CA_file = \"/etc/1x/root.pem\" tls: private_key_password = \"password\" tls: dh_file = \"/etc/1x/DH\" tls: random_file = \"/etc/1x/random\" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = \"(null)\" tls: cipher_list = \"(null)\" tls: check_cert_issuer = \"(null)\" rlm_eap_tls: Loading the certificate file as a chain WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in
eap.conf rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no<br> rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = \"/etc/raddb/huntgroups\" preprocess: hints = \"/etc/raddb/hints\" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = \"suffix\" realm: delimiter = \"@\" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = \"/etc/raddb/users\" files: acctusersfile = \"/etc/raddb/acct_users\" files: preproxy_usersfile = \"/etc/raddb/preproxy_users\" files: compat = \"no\" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = \"User-Name,
<br> Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port\" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = \"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d\" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = \"/usr/local/var/log/radius/radutmp\" radutmp: username = \"%{User-Name}\" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. 2 I am using certificate based authentication so do i need to edit anything in the users file/ Thanks and regards Anoop
<br><br><br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br><br><br>---------------------------------<br> Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail
<br>-------------- next part --------------<br>An HTML attachment was scrubbed...<br>URL: <<a href="https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070910/5b02759b/attachment-0001.html">https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070910/5b02759b/attachment-0001.html
</a>><br><br>------------------------------<br><br>Message: 4<br>Date: Mon, 10 Sep 2007 11:15:58 +0200<br>From: Alan DeKok <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>><br>Subject: Re: Freeradius doesn't detect EAP when authenticating against
<br> MySQL<br>To: <a href="mailto:freeradius@growse.com">freeradius@growse.com</a>, FreeRadius users mailing list<br> <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org
</a>><br>Message-ID: <<a href="mailto:46E50B4E.9050407@deployingradius.com">46E50B4E.9050407@deployingradius.com</a>><br>Content-Type: text/plain; charset=ISO-8859-1<br><br>Andrew Rowson wrote:<br>> The database contains Cleartext-Password == password. I've tried it with
<br>> :=, but if I remember correctly that fails as well,<br><br> Use := for Cleartext-Password.<br><br>> with the Auth-type<br>> being set to local again. I'll see if I can get a log of that failure as<br>> well, if it'd be helpful?
<br><br> No.<br><br> Upgrade to 1.1.7, I think it solves this problem.<br><br> Alan DeKok.<br><br><br>------------------------------<br><br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">
http://www.freeradius.org/list/users.html</a><br><br><br>End of Freeradius-Users Digest, Vol 29, Issue 25<br>************************************************<br></blockquote></div><br>