Himanshu Pandey wrote:
> I modified users configuration file and radiusd.conf.

If you don't know what you're doing, DO NOT EDIT THE FILES. This isn't difficult.

> I have attached radiusd.conf file.

I'm not going to read it. The default radiusd.conf file works. Use it.

> Please tell me what shall I not modify in
> radiusd.conf file. Actually I did some modifications in radiusd.conf
> file since I was getting some error in starting the radius server.

Nonsense. The default configuration works.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
In reply to this post by Frank Wei
Hi,
> radiusd.conf file. Please tell me what shall I not modify in radiusd.conf

in the first instance, NONE of it.

your primary cause of failure is this:

#$INCLUDE sites-enabled/

WHY did you comment that out? without the virtual servers stuff the server will do nothing.

alan
In reply to this post by Frank Wei
Hi Alan,
Now I have taken default radiusd.conf. But I am getting the error:

/etc/raddb/sites-enabled/default[252]: No such attribute Auth-Type

The debug log is:

FreeRADIUS Version 2.2.0, for host x86_64-redhat-linux-gnu, built on Dec 15 2012 at 00:26:26
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
    allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
    name = "radiusd"
    prefix = "/opt/freeradius"
    localstatedir = "/opt/freeradius/var"
    sbindir = "/opt/freeradius/sbin"
    logdir = "/opt/freeradius/var/log/radius"
    run_dir = "/opt/freeradius/var/run/radiusd"
    libdir = "/opt/freeradius/lib"
    radacctdir = "/opt/freeradius/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid"
    checkrad = "/opt/freeradius/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
}
home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}
home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
}
realm example.com {
    auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 127.0.0.1 {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
/etc/raddb/sites-enabled/default[252]: No such attribute Auth-Type

Please help.

Regards,
Sonu

From: [hidden email]
Sent: Mon, 22 Sep 2014 18:27:47
To: FreeRadius users mailing list <[hidden email]>
Cc: "[hidden email]" <[hidden email]>
Subject: Re: Beginner need help

Hi,

> radiusd.conf file. Please tell me what shall I not modify in radiusd.conf

in the first instance, NONE of it.

your primary cause of failure is this:

#$INCLUDE sites-enabled/

WHY did you comment that out? without the virtual servers stuff the server will do nothing.

alan
In reply to this post by Frank Wei
Hi,
As suggested by you I have taken default radiusd.conf. But I am getting the error:

"/etc/raddb/sites-enabled/default[252]: No such attribute Auth-Type"

The debug log is:

FreeRADIUS Version 2.2.0, for host x86_64-redhat-linux-gnu, built on Dec 15 2012 at 00:26:26
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
    allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
    name = "radiusd"
    prefix = "/opt/freeradius"
    localstatedir = "/opt/freeradius/var"
    sbindir = "/opt/freeradius/sbin"
    logdir = "/opt/freeradius/var/log/radius"
    run_dir = "/opt/freeradius/var/run/radiusd"
    libdir = "/opt/freeradius/lib"
    radacctdir = "/opt/freeradius/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid"
    checkrad = "/opt/freeradius/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
}
home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}
home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
}
realm example.com {
    auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 127.0.0.1 {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
/etc/raddb/sites-enabled/default[252]: No such attribute Auth-Type

Please help.

Regards,
Sonu

From: Alan DeKok <[hidden email]>
Sent: Mon, 22 Sep 2014 18:22:39
To: FreeRadius users mailing list <[hidden email]>
Subject: Re: Beginner need help

Himanshu Pandey wrote:
> I modified users configuration file and radiusd.conf.

If you don't know what you're doing, DO NOT EDIT THE FILES. This isn't difficult.

> I have attached radiusd.conf file.

I'm not going to read it. The default radiusd.conf file works. Use it.

> Please tell me what shall I not modify in
> radiusd.conf file. Actually I did some modifications in radiusd.conf
> file since I was getting some error in starting the radius server.

Nonsense. The default configuration works.

Alan DeKok.
Hi,
> "/etc/raddb/sites-enabled/default[252]: No such attribute Auth-Type"

so the default server has been hacked around too

alan
On 22/09/14 14:52, [hidden email] wrote:
> Hi,
>
>> "/etc/raddb/sites-enabled/default[252]: No such attribute Auth-Type"
>
> so the default server has been hacked around too

Might be dictionaries, I see it's installed in /opt so maybe he messed up the build/install bit.
In reply to this post by Himanshu Pandey
Himanshu Pandey wrote:
> Hi Alan,
>
> Now I have taken default radiusd.conf. But I am getting the error:
>
> /etc/raddb/sites-enabled/default[252]: No such attribute Auth-Type

Because the dictionaries are broken, too.

I have NO IDEA what you did. All I know is you didn't install it from a package, and you didn't do the standard:

$ ./configure
$ make
$ make install

Since you're not installing it from a package, why are you using version 2.2.0? Why not use 2.2.5?

And if you are installing it from a package, how did you make it NOT install the dictionaries?

You worked VERY HARD to destroy the standard installation. Why?

Follow the standard way to build and install the server. It isn't hard. By doing your own thing, you've wasted your time, and ours.

Delete EVERYTHING you've done related to FreeRADIUS. It's all wrong. Then, follow the standard installation. It will work.

Alan DeKok.
In reply to this post by Alan DeKok-2
Hi,
I'm confused about the definition of "NAS-IP-Address" in RFC 2865:

/////////////////////////////////////////////////////////////////////////
This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.

Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.
/////////////////////////////////////////////////////////////////////////

The description first said NAS-IP-Address is the IP Address of the NAS which is requesting authentication of the user. Then description said the source IP address (not the NAS-IP-Address) of the Access-Request packet MUST be used to select the shared secret.

My understanding is that source IP address of the Access-Request packets must be the NAS IP address which is "NAS-IP-Address". Apparently this is different to the Attribute description.

Could anybody explain?

Best Regards,

-----Original Message-----
From: freeradius-users-bounces+frank.wei=[hidden email] [mailto:freeradius-users-bounces+frank.wei=[hidden email]] On Behalf Of Alan DeKok
Sent: Tuesday, 23 September 2014 12:45 a.m.
To: FreeRadius users mailing list
Subject: Re: Beginner need help

Himanshu Pandey wrote:
> I modified users configuration file and radiusd.conf.

If you don't know what you're doing, DO NOT EDIT THE FILES. This isn't difficult.

> I have attached radiusd.conf file.

I'm not going to read it. The default radiusd.conf file works. Use it.

> Please tell me what shall I not modify in
> radiusd.conf file. Actually I did some modifications in radiusd.conf
> file since I was getting some error in starting the radius server.

Nonsense. The default configuration works.

Alan DeKok.

The information in this email communication (inclusive of attachments) is confidential to 4RF Limited and the intended recipient(s). If you are not the intended recipient(s), please note that any use, disclosure, distribution or copying of this information or any part thereof is strictly prohibited and that the author accepts no liability for the consequences of any action taken on the basis of the information provided. If you have received this email in error, please notify the sender immediately by return email and then delete all instances of this email from your system. 4RF Limited will not accept responsibility for any consequences associated with the use of this email (including, but not limited to, damages sustained as a result of any viruses and/or any action or lack of action taken in reliance on it).
Hi,
> My understanding is that source IP address of the Access-Request packets must be the NAS IP address which is "NAS-IP-Address". Apparently this is different to the Attribute description.
>
> Could anybody explain?

sure. the NAS-IP-Address is set by the NAS - so it SHOULD be its IP address in a nice world. okay that's clear....however, the packet might be reaching your RADIUS server via some other route - let's say, eg a NAT gateway, a RADIUS server (it has been proxied) or from some central controller (thinking of some of the WiFi solutions out there) - in which case the NAS-IP-Address is NOT the source IP address of the packet.

the NAS-IP-Address is also part of the RADIUS datagram - so you've already started to analyse the packet contents really before you can - eg how did you ensure the packet contents were correct, verify the message authenticator or ensured the content values by using the shared secret? you didn't.

the RADIUS datagram comes in. you see the source address of the packet. look up the client, get its shared secret, work on the packet.

alan
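The lookup order described in the reply above (source address, then client entry, then shared secret, then packet contents), as an added Python example that is not part of the thread and is not FreeRADIUS code. The client table, function names and packets are constructed for illustration; the Message-Authenticator check is the HMAC-MD5 defined in RFC 2869, and requiring the attribute is an assumed policy.

```python
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80

# Constructed stand-in for clients.conf: source network -> shared secret.
CLIENTS = {
    ipaddress.ip_network("192.168.0.244/32"): b"testing123-1",
    ipaddress.ip_network("127.0.0.1/32"): b"testing123",
}


def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, user, nas_ip, ident=1):
    """NAS side: build an Access-Request signed with Message-Authenticator."""
    attrs = _attr(USER_NAME, user.encode())
    attrs += _attr(NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed)
    ma_value_at = 20 + len(attrs) + 2
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt = bytearray(header + os.urandom(16) + attrs)
    pkt[ma_value_at:ma_value_at + 16] = hmac.new(secret, bytes(pkt), "md5").digest()
    return bytes(pkt)


def parse_attributes(pkt):
    """Return (declared_length, [(type, value_offset, value), ...])."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pos + 2, pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return length, attrs


def find_secret(src_ip):
    """Select the secret from the datagram's source address only."""
    src = ipaddress.ip_address(src_ip)
    for network, secret in CLIENTS.items():
        if src in network:
            return secret
    return None


def handle_datagram(src_ip, pkt):
    """Server side: return ("process", nas_ip_attr) or ("ignore", reason)."""
    secret = find_secret(src_ip)  # nothing inside the packet is read yet
    if secret is None:
        return ("ignore", "unknown client")
    try:
        length, attrs = parse_attributes(pkt)
    except ValueError:
        return ("ignore", "malformed packet")
    ma = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0][1]) != 16:
        return ("ignore", "no Message-Authenticator")
    offset, received = ma[0]
    zeroed = bytearray(pkt[:length])
    zeroed[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), "md5").digest()
    if not hmac.compare_digest(expected, received):
        return ("ignore", "bad Message-Authenticator")
    # Only now are the attributes trustworthy; NAS-IP-Address is just data.
    nas_ip = next((str(ipaddress.ip_address(v)) for t, _, v in attrs
                   if t == NAS_IP_ADDRESS and len(v) == 4), None)
    return ("process", nas_ip)


if __name__ == "__main__":
    # NAS reports 10.0.0.5 in the attribute, but the server sees 192.168.0.244.
    request = build_access_request(b"testing123-1", "frank", "10.0.0.5")
    print(handle_datagram("192.168.0.244", request))
    print(handle_datagram("192.168.0.99", request))
```

The first call is accepted even though the NAS-IP-Address attribute differs from the source address; the second is dropped before any attribute is read, which is the same outcome as the "unknown client" messages later in the thread.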
In reply to this post by Frank Wei
Hi,

Thank you for yesterday's suggestion. I am able to run RADIUS server in debug mode. I have a few more queries.

Query1: When I send a request from IP:1645 port (gateway which acts as Radius client) to Radius server, I get an error as "request from unknown client IP.1645 ignored". I get reject message from server. Message authenticator is not present in request under AVP attributes.

Query2: When I send Radius request from one host to another, request reaches server and server will never respond to the same. Message authenticate value is present. I have set message_authenticator value to no in radiusd.conf.

Why is the behavior different in these 2 cases? In both the cases I sniffed it on ubuntu PC where server is running. I am sure request is reaching PC, but I am not sure if it's hitting application.

Should I have my Radius user details in my sql table? If yes, can you please tell me how do I do that. Can you please share the link. I am new to freeradius and ubuntu as well. Could you please help me in this regard.

Thanks,
Kavya
Hi,
> "request from unknown client IP.1645 ignored. I get reject message from
> server.
> Message authenticator is not present in request under AVP attributes.

IP details etc not in the clients.conf that the server is reading

message-authenticator is required but client not sending it?

alan
In reply to this post by A.L.M.Buxey
Dear friends,
I have added clients

client private-network-1 {
    ipaddr = 192.168.0.244
    netmask = 24
    secret = testing123-1
    shortname = private-network-1
}

To the clients.conf. And run command "radius -X". From the debug message I can see the added client loaded.

Then from my NAS (with IP 192.168.0.244) I sent an "authentication only" request to the server. The server showed me a message: Ignored,.....Unrecognized client "192.168.0.244" port "1222".

What is wrong with my config?

Regards,
Frank

-----Original Message-----
From: freeradius-users-bounces+frank.wei=[hidden email] [mailto:freeradius-users-bounces+frank.wei=[hidden email]] On Behalf Of [hidden email]
Sent: Thursday, 25 September 2014 6:49 p.m.
To: FreeRadius users mailing list
Subject: Re: Beginner need help

Hi,

> My understanding is that source IP address of the Access-Request packets must be the NAS IP address which is "NAS-IP-Address". Apparently this is different to the Attribute description.
>
> Could anybody explain?

sure. the NAS-IP-Address is set by the NAS - so it SHOULD be its IP address in a nice world. okay that's clear....however, the packet might be reaching your RADIUS server via some other route - let's say, eg a NAT gateway, a RADIUS server (it has been proxied) or from some central controller (thinking of some of the WiFi solutions out there) - in which case the NAS-IP-Address is NOT the source IP address of the packet.

the NAS-IP-Address is also part of the RADIUS datagram - so you've already started to analyse the packet contents really before you can - eg how did you ensure the packet contents were correct, verify the message authenticator or ensured the content values by using the shared secret? you didn't.

the RADIUS datagram comes in. you see the source address of the packet. look up the client, get its shared secret, work on the packet.

alan
Hi,
> To the clients.conf.

which file did you edit? the same clients.conf that the server reads in (check its path in radiusd -X output)

alan
Hi,
I believe it is the same clients.conf the server reads in. When I use command "radius-X" the output shows the new client is configured.

Cheers,

-----Original Message-----
From: freeradius-users-bounces+frank.wei=[hidden email] [mailto:freeradius-users-bounces+frank.wei=[hidden email]] On Behalf Of [hidden email]
Sent: Monday, 29 September 2014 10:02 p.m.
To: FreeRadius users mailing list
Subject: Re: Beginner need help (unrecognized clients)

Hi,

> To the clients.conf.

which file did you edit? the same clients.conf that the server reads in (check its path in radiusd -X output)

alan
In reply to this post by A.L.M.Buxey
Hi,
I've just installed "freeradius" in another linux PC running UBUNTU as my old linux PC has some issues. In this version of "freeradius" I have to run command "freeradius -X" (rather than "radius -X"). The output shows an error message of

Failed binding to authentication address * port 1812: Address already in use
/etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

What is the reason it is not working?

Cheers,

#############################################################################
Below is the full output

main {
    user = "freerad"
    group = "freerad"
    allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
    name = "freeradius"
    prefix = "/usr"
    localstatedir = "/var"
    sbindir = "/usr/sbin"
    logdir = "/var/log/freeradius"
    run_dir = "/var/run/freeradius"
    libdir = "/usr/lib/freeradius"
    radacctdir = "/var/log/freeradius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/var/run/freeradius/freeradius.pid"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
}
home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}
home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
}
realm example.com {
    auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
    exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
    }
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
    expiration {
        reply-message = "Password Has Expired "
    }
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
    logintime {
        reply-message = "You are calling outside your allowed timespan "
        minimum-timeout = 60
    }
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
    pap {
        encryption_scheme = "auto"
        auto_header = no
    }
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
    mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
        allow_retry = yes
    }
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
    unix {
        radwtmp = "/var/log/freeradius/radwtmp"
    }
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
    eap {
        default_eap_type = "md5"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
    }
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
    gtc {
        challenge = "Password: "
        auth_type = "PAP"
    }
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
    tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        CA_path = "/etc/freeradius/certs"
        pem_file_type = yes
        private_key_file = "/etc/freeradius/certs/server.key"
        certificate_file = "/etc/freeradius/certs/server.pem"
        CA_file = "/etc/freeradius/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/freeradius/certs/dh"
        random_file = "/dev/urandom"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/freeradius/certs/bootstrap"
        ecdh_curve = "prime256v1"
        cache {
            enable = no
            lifetime = 24
            max_entries = 255
        }
        verify {
        }
        ocsp {
            enable = no
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
        }
    }
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
    ttls {
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
    }
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
    peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
    }
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
    mschapv2 {
        with_ntdomain_hack = no
        send_error = no
    }
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
    preprocess {
        huntgroups = "/etc/freeradius/huntgroups"
        hints = "/etc/freeradius/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
    }
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
    realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
    files {
        usersfile = "/etc/freeradius/users"
        acctusersfile = "/etc/freeradius/acct_users"
        preproxy_usersfile = "/etc/freeradius/preproxy_users"
        compat = "no"
    }
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
    detail {
        detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
    }
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
    radutmp {
        filename = "/var/log/freeradius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
    }
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
    attr_filter attr_filter.accounting_response {
        attrsfile = "/etc/freeradius/attrs.accounting_response"
        key = "%{User-Name}"
        relaxed = no
    }
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
    attr_filter attr_filter.access_reject {
        attrsfile = "/etc/freeradius/attrs.access_reject"
        key = "%{User-Name}"
        relaxed = no
    }
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
Failed binding to authentication address * port 1812: Address already in use
/etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
Hi,
> Failed binding to authentication address * port 1812: Address already in use
> /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
>
> What is the reason it is not working?

wondering what bit of the output was not clear? "Address already in use"

if you do

ps aux | grep radius

you'll see it's running already.

killall freeradiusd

or use the system scripts to stop/start the service (stop, debug, kill debug, start)

alan
In reply to this post by Frank Wei
Hi,
> I believe it is the same clients.conf the server reads in. When I use command "radius-X" the output shows the new client is configured.
^^^^^^^^^^^

that's not really good enough. you need to ensure/guarantee that it's the same file.

alan
In reply to this post by Frank Wei
Hi,
> client private-network-1 {
>     ipaddr = 192.168.0.244
>     netmask = 24
>     secret = testing123-1
>     shortname = private-network-1
> }

how about just

client private-network-1 {
    ipaddr = 192.168.0.244
    secret = testing123-1
    shortname = private-network-1
}

?

alan