Koozali.org: home of the SME Server

Radius

Knuddi

Radius
« Reply #15 on: August 25, 2004, 10:33:06 PM »
cc_skavenger did you create the certificates that seem to be needed for Windows 802.1x Clients or did you live without them?

I compiled a new RPM with the final release 1.0.0 of FreeRadius and tried again but once again without luck. Once again the AP can connect to the server (via clients.conf configuration) but the WLAN laptop will not get authenticated even though I have created a user in "users". Notice that the user is recognized but that the password is not found in the request?!?!

rad_recv: Access-Request packet from host 192.168.212.50:1239, id=25, length=127
        User-Name = "jkn"
        NAS-IP-Address = 192.168.212.50
        NAS-Port = 0
        Called-Station-Id = "00-40-05-D0-7C-50"
        Calling-Station-Id = "00-05-5D-5A-A9-17"
        NAS-Identifier = "DWL-900AP+"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02010008016a6b6e
        Message-Authenticator = 0xb94c73581c0a0a342a5b57f5d2f5ca85
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "jkn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 1 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched jkn at 94
radius_xlat:  'Hello, jkn'
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.

cc_skavenger

Radius
« Reply #16 on: August 26, 2004, 01:34:46 AM »
I am only authenticating what devices can connect to the wireless network.  That is the only thing that my radius server seems to be able to do.  That is all I could get it to do.  I played with this for several months before finding an article on how to set it up using local authentication, not mysql or anything else. I have not been able to get it to assign IPs like I should be able to or anything else I should be able to do with radius.  

Here is a line from my users file:

00X0X3-1X2Xec    Auth-Type := Local, User-Password == "XXXXXXX"

When a wireless client connects to the AP, it sends its MAC address as the user and the AP supplies the password that you set up in the AP.  If both match a line in the users file, it gives it access; otherwise, it is denied.  The MAC address is sent in all lower case and in a 6 X 6 pattern, i.e. abcabc-abcabc.  

HTH

Knuddi

Radius
« Reply #17 on: August 26, 2004, 07:49:23 AM »
But the strange thing is that it matches the user from the users file "jkn" by doing the 'Hello, jkn' but then cannot see a password in the request from the client so it cannot match with the password I have written in the users file.

"jkn"   Auth-Type := Local, User-Password == "XXXXXXX"
        Reply-Message = "Hello, %u"

cc_skavenger

Radius
« Reply #18 on: August 26, 2004, 08:29:22 AM »
Can you post some of the radius log?

Marco

Knuddi

Radius
« Reply #19 on: August 26, 2004, 12:24:05 PM »
Which log would you want more than the snippet from my last post? I run RADIUS as radiusd -X while I try to figure out what is wrong.

jsturm

Radius
« Reply #20 on: September 04, 2004, 07:31:37 AM »
Is there a graphical user interface for freeRadius on SME 6.0?
I can't find it, please help me

THX
Achim

Medimo

Radius
« Reply #21 on: October 04, 2004, 08:19:34 PM »
No there isn't.
Log files can be viewed using the server-manager
Setup must be done in /etc/raddb/

clients.conf - who can do requests
users - which users can be authenticated and how
radiusd.conf - general setup

duncan

Radius
« Reply #22 on: December 19, 2004, 02:52:09 AM »
Out of curiosity - why use the script "radiusrestart" as opposed to "service radiusd restart"?

cc_skavenger

Radius
« Reply #23 on: December 21, 2004, 12:31:54 AM »
Easier for my non linux guys to remember.  ;-)

 
Just kidding, totally forgot about service whatever restart at that point in the night.  Got used to using it and never changed.  Seriously, my guys remember that better than service whatever restart.

duncan

Radius
« Reply #24 on: December 21, 2004, 01:06:59 AM »
:-)  And here was me expecting some little discussed - highly important - freeradius related reason.

cc_skavenger

Radius
« Reply #25 on: December 21, 2004, 01:22:27 AM »
sorry

buknoy

Freeradius Web Interface
« Reply #26 on: January 02, 2005, 09:09:51 AM »
I once had a RH 7.3 FreeRADIUS server installed for me. Although I have no idea of its technicalities, I tried to modify the FreeRADIUS by making a backup of the /dialupadmin directory. I protected the folder with .htaccess to make sure only allowed clients can access it.

Next, I modified the PHP scripts pertaining to queries and deleted all admin-related scripts. Whenever my dialup clients try to access this particular folder, Apache authenticates them. After authentication, the PHP scripts use the authenticated user's info to display only his usage plus an invoice. (This is my own idea of using it for client-side web interface)

The original /dialupadmin folder is also protected as I use it for administration.

All worked well until I crashed my server and the person I had it installed is out of reach. I cannot reconstruct it because of my limited knowledge.

Can somebody show me how to set up an SME 6 server with a CISCO 2511 router using the sme-radius-1.0-1? What configuration files should I modify?  :-?

idyll

radius
« Reply #27 on: January 06, 2005, 06:07:32 PM »
Hello cc_skavenger...

is your "how to" still available in any form? Your link at the top of the thread is broken.

thanks in advance.

regards,

patrick
...

Franco

Radius
« Reply #28 on: February 22, 2005, 08:29:16 PM »
cc_skavenger,
I'm trying to do the same for my wireless net, can you share how you implemented it?
I have it running and #radiusd -X returns ok, I have changed the settings on radiusd.conf and clients.conf, added a user and password on the users file, and need directions on where to go now!
Regards,

Medimo

Radius
« Reply #29 on: February 23, 2005, 09:15:29 AM »
Am no expert on this, but on http://www.freeradius.org/mod_auth_radius/ you can find an Apache module to use radius authentication. You can use any radius server, so for example your own freeradius one. This way you can also implement some radius token authentication.

Richard