/etc/samba/smbpasswd

2008-06-12 Thread vijayakumar

Hi all,

If I am using /etc/samba/smbpasswd, how can I specify the etc/smbpasswd
over the network?

Is it possible like this: filename = 192.168.XX.XX:/etc/samba/smbpasswd

Regards.

VIJAY
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Could not link driver rlm_sql_mysql: rlm_sql_mysql.so

2008-06-12 Thread Devinder Singh
Hi, why do I get this error message?

Could not link driver rlm_sql_mysql: rlm_sql_mysql.so

Regards
Devinder

Re: FreeRadius/eDirectory/802.1X authentication issue

2008-06-12 Thread Matt Causey
> See why I say I don't know a whole lot about how all this works?? :)  So
> it sounds like I don't even need LDAP, but it's helpful for at least

I know it is possible to use EAP-TLS, and then use some attribute from the
certificate and query LDAP about it.  If that's the case in your
configuration, you should be able to see that from the config files in your
$raddb directory.  You can post the config if you have questions.

Matt

On Wed, Jun 11, 2008 at 6:44 PM, Newall, Bryce [EMAIL PROTECTED] wrote:


  -Original Message-
  From:
 [EMAIL PROTECTED]
  [mailto:freeradius-users-
  [EMAIL PROTECTED] On Behalf Of Alan
 DeKok
  Sent: Wednesday, June 11, 2008 10:30 AM
  To: FreeRadius users mailing list
  Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
 
We need to have FreeRADIUS speak LDAP
   with Novell eDirectory, and be able to authenticate wireless clients
   using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).
 
Er... EAP-TLS means that it won't normally do user lookups in LDAP.

 See why I say I don't know a whole lot about how all this works?? :)  So
 it sounds like I don't even need LDAP, but it's helpful for at least
 testing the RADIUS configuration with a program like NTRadPing to make
 sure it's working correctly before jumping into the EAP-TLS setup.

And you should upgrade to 2.0.5.  It makes 1.1.0 look as bad as IAS.

 SLES 10 SP2 still ships with FreeRADIUS 1.1.0.  Go figure.  Any
 suggestions as to where to find some good HOWTO docs?  I went through
 the FreeRADIUS Wiki, but it wasn't very complete.

 Thanks!

 Bryce Newall
 Systems Administrator
 Poway Unified School District
 (858) 679-2576
 [EMAIL PROTECTED]



Re: /etc/samba/smbpasswd

2008-06-12 Thread Nicolas Goutte


On 12.06.2008 at 08:58, vijayakumar wrote:

> Hi all,
>
> If I am using /etc/samba/smbpasswd, how can I specify the etc/smbpasswd
> over the network?
>
> Is it possible like this: filename = 192.168.XX.XX:/etc/samba/smbpasswd

I suppose that you need something valid for the operating system.

So if you have something UNIX-like, try to mount the remote directory
(NFS or SMB/CIFS through Samba or something else, depending on what
you would consider secure enough for your installation).

> Regards.
>
> VIJAY



Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: /etc/samba/smbpasswd

2008-06-12 Thread Alan DeKok
vijayakumar wrote:
 If I am using /etc/samba/smbpasswd, how can I specify the etc/smbpasswd
 over the network?

 Is it possible like this: filename = 192.168.XX.XX:/etc/samba/smbpasswd

$ man unlang

  This will tell you how to construct policies.

  In 2.0.5, see raddb/modules/smbpasswd.

  I suggest also learning how to use grep.  The configuration files
are filled with references to all sorts of things.  It's faster to look
through the configuration for things like smbpasswd than to ask
questions on the list.

  Alan DeKok.


Re: Could not link driver rlm_sql_mysql: rlm_sql_mysql.so

2008-06-12 Thread Ivan Kalik
Have you tried reading the FAQ?

Ivan Kalik
Kalik Informatika ISP


On 12/6/2008, Devinder Singh [EMAIL PROTECTED] writes:

> Hi, why do I get this error message?
>
> Could not link driver rlm_sql_mysql: rlm_sql_mysql.so
>
> Regards
> Devinder





Need help on accounting - authentication

2008-06-12 Thread Do Nguyen Ha

Hi


Is there a way to configure FreeRADIUS to use the same port for Accounting
and Authentication?

If yes, please let me know how to edit it.


Thanks

Ha` 




Re: Need help on accounting - authentication

2008-06-12 Thread Alan DeKok
Do Nguyen Ha wrote:
 Is there a way to configure FreeRADIUS to use the same port for Accounting
 and Authentication?

  No.

  Alan DeKok.


help EAP-TNC

2008-06-12 Thread [EMAIL PROTECTED]

Hi all,

I'm working on setting up a basic scenario which involves 3 components:
a client using Xsupplicant, an AP making use of hostapd and a RADIUS
server using FreeRADIUS ;). I'm trying to probe the EAP-TNC method but
I have received this message from the FreeRADIUS server:

rlm_eap: ERROR: EAP-TNC must be run inside of a TLS method.

I've configured EAP-TLS and this method alone is working properly.
So when I put default_eap_method = tnc in the configuration file,
FreeRADIUS shows the message above. I think that in some way TLS must
be configured or something to transport EAP-TNC, ok? (Is it possible to
do this?)

Is it possible to test EAP-TNC with the current version of FreeRADIUS?


Regards,
Fernando.




Re: Could not link driver rlm_sql_mysql: rlm_sql_mysql.so

2008-06-12 Thread Anders Holm
You haven't installed the MySQL headers. If you're on Linux, you're likely
to need to install a package called something along the lines of
mysql-devel.

If this isn't an FAQ listed query, it should be .. :)

//anders

2008/6/12 Ivan Kalik [EMAIL PROTECTED]:

> Have you tried reading the FAQ?
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 12/6/2008, Devinder Singh [EMAIL PROTECTED] writes:
>
>> Hi, why do I get this error message?
>>
>> Could not link driver rlm_sql_mysql: rlm_sql_mysql.so
>>
>> Regards
>> Devinder


Re: help EAP-TNC

2008-06-12 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I'm working on setting up a basic scenario which involves 3 components:
> a client using Xsupplicant, an AP making use of hostapd and a RADIUS
> server using FreeRADIUS ;). I'm trying to probe the EAP-TNC method but I
> have received this message from the FreeRADIUS server:
>
> rlm_eap: ERROR: EAP-TNC must be run inside of a TLS method.

  The EAP-TNC code is experimental.

> Is it possible to test EAP-TNC with the current version of FreeRADIUS?

  You will need to edit the source code to make EAP-TNC work.  It is not
(yet) suited for production use.

  Alan DeKok.


Re: MySQL connection over SSL possible?

2008-06-12 Thread Anders Holm
> From: you
> Sender: freeradius-users-bounces...
> Reply-To: [EMAIL PROTECTED]
> To: freeradius-users@

Yes? That is still for one recipient. Reply-To is where replies to my mail
would go. That's set by the MLM (Mailing List Manager) not by my mail
client.

//anders

2008/6/11 Alan DeKok [EMAIL PROTECTED]:

> Anders Holm wrote:
>> Hitting Reply All in most MUAs would do this. The list should be smart
>> enough to only forward on one copy per recipient ...
>
>   It's not.  We get 2 copies of every mail you send to the list.
>
>> ALL mails I receive for this list has the list in *both* TO and CC
>> headers
>
>   Must be a local mailer thing.  I see:
>
> From: you
> Sender: freeradius-users-bounces...
> Reply-To: [EMAIL PROTECTED]
> To: freeradius-users@
>
>   Alan DeKok.


Re: MySQL connection over SSL possible?

2008-06-12 Thread Alan DeKok
  This is getting off-topic, but...

Anders Holm wrote:
>> From: you
>> Sender: freeradius-users-bounces...
>> Reply-To: [EMAIL PROTECTED]
>> To: freeradius-users@
>
> Yes? That is still for one recipient. Reply-To is where replies to my
> mail would go. That's set by the MLM (Mailing List Manager) not by my
> mail client.

 (1) You said you see the list address in to and cc.  There is no
 cc in the default headers.
 (2) If your mailer is replying to *both* to and reply-to, it's
 broken.

  Alan DeKok.


Re: MySQL connection over SSL possible?

2008-06-12 Thread Anders Holm
1/ Indeed I did. I did see that in the original mail I replied to. Where
that was added is a good question, but I saw it in the mail that was replied
to .. I'm saying that this is the way the mail was crafted, as I received
it, before replying to it.

2/ Indeed it would be, if it did. Has anyone seen this on any more mails
after I responded to the initial request to ask me to stop sending dupes?

Yes, this is getting quite off topic .. :)

//anders

2008/6/12 Alan DeKok [EMAIL PROTECTED]:

>   This is getting off-topic, but...
>
> Anders Holm wrote:
>>> From: you
>>> Sender: freeradius-users-bounces...
>>> Reply-To: [EMAIL PROTECTED]
>>> To: freeradius-users@
>>
>> Yes? That is still for one recipient. Reply-To is where replies to my
>> mail would go. That's set by the MLM (Mailing List Manager) not by my
>> mail client.
>
>  (1) You said you see the list address in to and cc.  There is no
> cc in the default headers.
>  (2) If your mailer is replying to *both* to and reply-to, it's
> broken.
>
>   Alan DeKok.


Re: MySQL connection over SSL possible?

2008-06-12 Thread Nicolas Goutte


On 12.06.2008 at 14:42, Anders Holm wrote:

> 1/ Indeed I did. I did see that in the original mail I replied to.
> Where that was added is a good question, but I saw it in the mail
> that was replied to .. I'm saying that this is the way the mail was
> crafted, as I received it, before replying to it.
>
> 2/ Indeed it would be, if it did. Has anyone seen this on any more
> mails after I responded to the initial request to ask me to stop
> sending dupes?

For me it has worked since then. I have seen only one of each of your
messages.

Have a nice day!

> Yes, this is getting quite off topic .. :)
>
> //anders
>
> 2008/6/12 Alan DeKok [EMAIL PROTECTED]:
>>  This is getting off-topic, but...
>>
>> Anders Holm wrote:
>>>> From: you
>>>> Sender: freeradius-users-bounces...
>>>> Reply-To: [EMAIL PROTECTED]
>>>> To: freeradius-users@
>>>
>>> Yes? That is still for one recipient. Reply-To is where replies to my
>>> mail would go. That's set by the MLM (Mailing List Manager) not by my
>>> mail client.
>>
>>  (1) You said you see the list address in to and cc.  There is no
>> cc in the default headers.
>>  (2) If your mailer is replying to *both* to and reply-to, it's
>> broken.
>>
>>  Alan DeKok.


Nicolas Goutte






Re: freeradius 2.05 peap and ldap bind?

2008-06-12 Thread Tim Tyler

Ivan, Alan,
  We now have peap and ttls-pap working.  It turns out you were both 
right.  What tricked us for a long period of time is that we had to 
comment out unix because our testing server had the ldap users on it 
for other testing purposes.  The unix module was thwarting the ldap 
module for ttls-pap.  If this had not been the case, we probably 
would have had ttls - pap working as fast as peap.  In our live 
environment, we don't have end users on the same server so this 
normally wouldn't have been an issue.  Commenting out unix allowed 
ttls-pap to work properly.

 Thanks!
Tim


At 12:56 PM 6/11/2008, Ivan Kalik wrote:

   We just installed freeradius 2.05 on a Centos 5 system.  We got
PEAP working rather quickly against our ldap server against LM/NT
passwords.  We would also like to allow clients using Securew2
supplicants configured for TTLS -PAP connections against (crypt and
SSHA) passwords stored in our ldap database.

You have done it. If PEAP works, so will EAP-TTLS/PAP.

Ivan Kalik
Kalik Informatika ISP



Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED] 




Re: MySQL connection over SSL possible?

2008-06-12 Thread Anders Holm
2008/6/12 Nicolas Goutte [EMAIL PROTECTED]:

[snip]

For me it has worked since then. I have seen only one of each of your
 messages.

 Have a nice day!


Excellent! One problem solved, and on to the next one.

To get back on topic a tad then so, and to describe my experience with the
SSL side of things ...

I've managed to get stunnel working happily. A few things of note there
though ..

A/ It wasn't possible to set port numbers for some reason for the SQL
connection. Default port was the only way to get it working.
B/ Due to A, what I then did was to create virtual interfaces on the
loopback interface, as many as there are backend SQL servers.
C/ Setup stunnel in client mode on the radius box. Forward each virtual
interface:3306 to db_host:pick a good port
D/ Setup stunnel on db_host in server mode. Forward all_interfaces:your
good port to localhost:3306
E/ Change sql.conf to point each sql server to the respective virtual
interface...

When I tried setting the port number to something different I used
port = <port number> .. That yielded a "cannot connect to server using socket"
error when running radiusd in debug mode.

So, there are two things to take away from that experience.

1/ SSL would be a great option to add to the MySQL shim.
2/ Ability to change port numbers of the MySQL server. Someone may need it,
for some interesting reason.

I hope this helps others with similar requirements! If I find the time I'll
see if I can brush up enough of my C knowledge to create a patch or two for
these things, but no promises. Incidentally, I'm also heading off on
vacation for a bit, so it won't be tomorrow.. :)

//anders
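Steps B to E above as a concrete client/server stunnel pair with the matching sql.conf entries, added here as an example rather than Anders's actual configuration; it adds certificate verification on both ends so the tunnel authenticates its peer instead of only encrypting, and the sql.conf comment records why the server must be given as an IP address. Host names sql1.example.net and sql2.example.net, TLS port 3307, loopback aliases 127.0.0.2 and 127.0.0.3, instance names sql1/sql2 and all certificate paths are placeholders.

```ini
; ---- RADIUS server: /etc/stunnel/mysql-client.conf (stunnel in client mode) ----
; One loopback alias per backend (step B).  On Linux every 127.0.0.0/8 address
; already answers on lo; on BSD-style systems add the aliases first, e.g.
;   ifconfig lo0 alias 127.0.0.2 netmask 255.255.255.255
client = yes
pid    = /var/run/stunnel-mysql-client.pid

; Certificate this box presents to the DB side (mutual TLS; placeholder paths).
cert = /etc/stunnel/radius.pem
key  = /etc/stunnel/radius.key

; Verify the DB side against our own CA.  verify = 2 rejects the connection
; unless the peer presents a certificate chaining to CAfile; with verify = 0
; (stunnel's default) the link is encrypted but any host answering on 3307
; is accepted, which is the weak setting to avoid.
CAfile = /etc/stunnel/ca.pem
verify = 2

; Step C: each alias:3306 is forwarded over TLS to one backend's stunnel port.
[mysql-sql1]
accept  = 127.0.0.2:3306
connect = sql1.example.net:3307

[mysql-sql2]
accept  = 127.0.0.3:3306
connect = sql2.example.net:3307


; ---- each DB host: /etc/stunnel/mysql-server.conf (stunnel in server mode) ----
pid  = /var/run/stunnel-mysql-server.pid
cert = /etc/stunnel/sql1.pem
key  = /etc/stunnel/sql1.key

; Require a client certificate from the RADIUS box, so opening 3307 does not
; expose mysqld to anything else that can reach the port.  Pair this with
; bind-address = 127.0.0.1 in my.cnf so the tunnel is the only network path.
CAfile = /etc/stunnel/ca.pem
verify = 2

; Step D: TLS on all interfaces, plaintext only across the local loopback.
[mysql]
accept  = 3307
connect = 127.0.0.1:3306


# ---- RADIUS server: raddb/sql.conf, one sql instance per backend (step E) ----
# The server MUST be the alias IP address.  The MySQL client library treats the
# host name "localhost" as "use the Unix socket" and ignores any port setting,
# which is why a port = line appears to do nothing and the failure is reported
# as a socket error.  All other sql settings stay as shipped.
sql sql1 {
        driver    = "rlm_sql_mysql"
        server    = "127.0.0.2"
        login     = "radius"
        password  = "<sql1 password placeholder>"
        radius_db = "radius"
}

sql sql2 {
        driver    = "rlm_sql_mysql"
        server    = "127.0.0.3"
        login     = "radius"
        password  = "<sql2 password placeholder>"
        radius_db = "radius"
}
```

Before pointing radiusd at an alias, check the tunnel the way Alan suggests below, with the plain mysql client on the RADIUS box: mysql -h 127.0.0.2 -u radius -p radius.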

Re: MySQL connection over SSL possible?

2008-06-12 Thread A . L . M . Buxey
Hi,

 When I tried setting the port number to something different I used port =
 port number .. That yielded cannot connect to server using socket error
 when running radiusd in debug mode.
 
 So, there's two things to take away from that experience.

Whoah, one missing step: did you test that this setup was actually operational
with a simple bit of mysql client action on the FreeRADIUS box...

alan


RE: FreeRadius/eDirectory/802.1X authentication issue

2008-06-12 Thread Newall, Bryce
 -Original Message-
 From:
[EMAIL PROTECTED]
 [mailto:freeradius-users-
 [EMAIL PROTECTED] On Behalf Of Alan
DeKok
 Sent: Wednesday, June 11, 2008 1:14 PM
 To: FreeRadius users mailing list
 Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
 
 Newall, Bryce wrote:
  See why I say I don't know a whole lot about how all this works?? :)
So
  it sounds like I don't even need LDAP, but it's helpful for at least
  testing the RADIUS configuration with a program like NTRadPing to
make
  sure it's working correctly before jumping into the EAP-TLS setup.
 
   Yes.

Dumb question perhaps, but without configuring LDAP, how does EAP-TLS
know where to send authentication requests?

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]




Can FreeRADIUS proxy accounting requests to multiple systems?

2008-06-12 Thread Sylvain Robitaille


Me again ...

I have two FreeRADIUS-2.0.3 systems providing AAA for our wireless
networks and a couple of other (less widely used) services.  The NAS
devices are configured with both, and which one is likely to receive
access-request or accounting-request packets at any given time from any
given NAS is essentially undefined (though they appear to be functioning
in a mostly failover fashion, rather than any sort of load-balancing,
given that there is a large majority of traffic going to one of the two
FreeRADIUS servers).

I'm looking to have both of these systems proxy incoming accounting
data to each other, so that they both have complete, up-to-date data
regarding which users are presently authenticated on which services, but
I'd also like to have them proxy the accounting data to a third system
(commercial appliance type of system, though I understand that it does
use FreeRADIUS as its RADIUS server) which might act as our wireless
network management system (we're presently evaluating it).

It would use this accounting data to correlate end-user systems (by MAC
addresses obtained from NAS devices) with user account names (from the
RADIUS accounting data).

I've been trying to understand the comments in
raddb/sites-available/copy-acct-to-home-server, raddb/proxy.conf, and
the relevant parts of raddb/radiusd.conf, but I'm not sure I have yet
understood whether what I want can be done: proxy accounting-request
packets from both production RADIUS servers to each other AND to the
wireless network management system (though I expect that the NMS would
get from each RADIUS server only accounting-request packets that weren't
already proxied from the partner RADIUS server, to avoid it receiving
duplicate data).

I've started setting up proxy.conf as indicated below my signature, and I
expect I'll need a sites-enabled/copy-acct-to-home-server, but I'm pretty
sure that the proxy.conf as I now have it would not proxy the requests
to both the partner RADIUS server and the wireless network management
system at the same time (not failover nor load-balance, but proxy
to both simultaneously).  I'm hoping that someone can offer guidance.


Desired flow of accounting-request packets:

                              +---------+
                        +---->| RADIUS2 |
   +-----+   +---------+|     +---------+
   | NAS |-->| RADIUS1 |+
   +-----+   +---------+|     +---------+
                        +---->| WIFINMS |
                              +---------+
OR
                              +---------+
                        +---->| RADIUS1 |
   +-----+   +---------+|     +---------+
   | NAS |-->| RADIUS2 |+
   +-----+   +---------+|     +---------+
                        +---->| WIFINMS |
                              +---------+

--
Sylvain Robitaille                               [EMAIL PROTECTED]

Systems and Network analyst                   Concordia University
Instructional & Information Technology    Montreal, Quebec, Canada
--

--- old/proxy.conf.20080612 2008-03-27 12:47:55.0 -0500
+++ proxy.conf  2008-06-12 13:16:39.0 -0400
@@ -57,7 +57,7 @@
#
#  allowed values: {yes, no}
#
-   default_fallback = no
+   default_fallback = yes

 }
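Review bot: the reason for flipping default_fallback to yes is not stated anywhere in the mail, and the context shown only lists the allowed values; say what behaviour you are relying on, because this setting lives in the top-level block that closes at the `}` below it, not inside one of the accounting pools you are adding, so it applies to every proxied request.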

@@ -114,7 +114,7 @@
#   acct  - Handles Accounting-Request packets
#   auth+acct - Handles Access-Request packets at port,
#   and Accounting-Request packets at port + 1
-   type = auth
+   type = acct

#
#  Configure ONE OF the following two entries:
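Review bot: retyping this existing entry from `type = auth` to `type = acct` turns an authentication home server into an accounting-only one, so any auth pool that still references it will carry the wrong type; the comment two lines up describes `auth+acct` for a server that should keep handling both (auth at port, acct at port + 1). If the existing entry is only meant to stay as an auth server, leave it alone and add a separate acct entry, the way the later hunk does for radius2 and wifinms.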
@@ -146,7 +146,7 @@
#  Usually 1812 for type auth, and  1813 for type acct.
#  Older servers may use 1645 and 1646.
#
-   port = 1812
+   port = 1813

#
#  The shared secret use to encrypt and sign packets between
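Review bot: `port = 1813` agrees with the comment above it (1813 for type acct) and with the `type = acct` change in the previous hunk; just confirm both edits are to the same home_server block, since the two hunks are some 30 lines apart and the block's name never appears in the context shown.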
@@ -306,6 +306,30 @@
#  Useful range of values: 3 to 10
num_answers_to_alive = 3
 }
+home_server radius2 {
+   type = acct
+   ipaddr = radius2
+   port = 1813
+   secret = testing123
+   response_window = 20
+   zombie_period = 40
+   revive_interval = 120
+   status_check = status-server
+   check_interval = 30
+   num_answers_to_alive = 3
+}
+home_server wifinms {
+   type = acct
+   ipaddr = wifinms
+   port = 1813
+   secret = testing123
+   response_window = 20
+   zombie_period = 40
+   revive_interval = 120
+   status_check = status-server
+   check_interval = 30
+   num_answers_to_alive = 3
+}


 ##
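Review bot: both new home servers use `secret = testing123`, the example secret the stock raddb files ship with; the shared secret is the only thing authenticating these Accounting-Request packets between the servers, so give radius2 and wifinms each a long random secret of their own and keep it in step with the matching client entry on the receiving side. Also, `status_check = status-server` with `num_answers_to_alive = 3` means a server is only considered alive again after it answers Status-Server probes, so verify that the wifinms appliance actually responds to them before depending on that.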
@@ -320,7 +344,7 @@
 #  10 'realm sections, and one home_server_pool section to tie the
 #  two together.
 #
-home_server_pool my_auth_failover {
+home_server_pool
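Review bot: this hunk is cut off right after `+home_server_pool`, so the pool name, its type and the home_server list that would actually tie radius2 and wifinms together cannot be reviewed; please re-send the complete hunk. Replacing the `my_auth_failover {` line in place also suggests the shipped auth pool is being repurposed for accounting rather than a second pool being added beside it, which is worth stating explicitly.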

Re: Forcing lowercase User-Name with rlm_perl

2008-06-12 Thread oz
Hi Chris,

Your perl module for lower_user works perfectly!
It was important to use it in the right order, which
in my case means before files ...

authorize {
        preprocess
        perl
        files
}
preacct {
        preprocess
        perl
        files
}

Doing this, User-Name is lower-cased in the auth AND acct packets.

A small problem I just had when I recompiled my freeradius-2.0.3 with
libperl-dev to make rlm_perl available. At the end of make install
I got:

[...]
if [ ! -f /usr/local/etc/raddb/sites-enabled/inner-tunnel ]; then \
        cd /usr/local/etc/raddb/sites-enabled/; \
        ln -s ../sites-available/inner-tunnel; \
fi
ln: creating symbolic link `./inner-tunnel' to `../sites-available/inner-tunnel': File exists
make[2]: *** [install] Error 1
make[2]: Leaving directory `/usr/local/src/freeradius-server-2.0.3/raddb'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/usr/local/src/freeradius-server-2.0.3'
make: *** [install] Error 2


I decided to ignore it, because the symbolic link inner-tunnel
already existed from my first compilation and that seems to cause the
error (is this fixed in 2.0.5 eventually?).

Thanks,
oz

 Wow Chris, looks great and is very helpful!
 
 I will test it tomorrow and give a short feedback whether it works.
 
 Thanks a lot,
 oz
 
 
 On Wed, 11 Jun 2008 14:28:13 -0700
 Chris [EMAIL PROTECTED] wrote:
 
  I'm doing this:
  
  perl_tolower.pm:
  use strict;
  use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
  #
  # This is the remapping of return values
  #
  use constant RLM_MODULE_REJECT   => 0; # /* immediately reject the request */
  use constant RLM_MODULE_FAIL     => 1; # /* module failed, don't reply */
  use constant RLM_MODULE_OK       => 2; # /* the module is OK, continue */
  use constant RLM_MODULE_HANDLED  => 3; # /* the module handled the request, so stop. */
  use constant RLM_MODULE_INVALID  => 4; # /* the module considers the request invalid. */
  use constant RLM_MODULE_USERLOCK => 5; # /* reject the request (user is locked out) */
  use constant RLM_MODULE_NOTFOUND => 6; # /* user not found */
  use constant RLM_MODULE_NOOP     => 7; # /* module succeeded without doing anything */
  use constant RLM_MODULE_UPDATED  => 8; # /* OK (pairs modified) */
  use constant RLM_MODULE_NUMCODES => 9; # /* How many return codes there are */

  # Called from authorize {}: lower-case User-Name in the Access-Request
  sub authorize {
      $RAD_REQUEST{'User-Name'} = lc($RAD_REQUEST{'User-Name'});
      return RLM_MODULE_OK;
  }

  # Called from preacct {}: same thing for Accounting-Request packets
  sub preacct {
      $RAD_REQUEST{'User-Name'} = lc($RAD_REQUEST{'User-Name'});
      return RLM_MODULE_OK;
  }
  
  radiusd.conf:
  modules {
  ...
   perl {
   module = /usr/local/etc/perl_tolower.pm
   }
  ...
  }
  
  In sites-enabled/default:
  
  authorize {
   preprocess
   perl
  ...
  }
  
  preacct {
   preprocess
   perl
  ...
  }
  
  Works great as long as you don't have occasion for upper-case in User-Name.
  
  I am pretty sure when you define the module, you can have multiple  
  instances.  It might be better to name this module perl-lc-username  
  and use perl-lc-username in the authorize{} and preacct{} sections of  
  sites-enabled/default.
  
  Like this:
  
  radiusd.conf:
  
  modules {
  ...
   perl-lc-username {
   module = /usr/local/etc/perl_tolower.pm
   }
  ...
  }
  
  In sites-enabled/default:
  
  authorize {
   preprocess
   perl-lc-username
  ...
  }
  
  preacct {
   preprocess
   perl-lc-username
  ...
  }
  
  That'd be a lot clearer when you're looking at it months or years  
  later.  I haven't tried this but it works with other modules.
  
  On Jun 11, 2008, at 1:04 PM, oz wrote:
  
   On Sat, 17 May 2008 18:09:09 -0700
   Chris [EMAIL PROTECTED] wrote:
  
   Thanks.  I'll look at lc.
   I was actually more concerned about the interfacing with  
   freeradius  than the perl itself.
  
   Hello, another user here, who needs lower_user = before to be able to
   switch to freeradius-2.0.x. Our database is an historically grown
   users-file.
  
   Were you or somebody else able to follow the advice of using
   rlm_perl and lc()?
  
   I must admit, I'm not able to program freeradius-perl-plugins :-/, but
   would test it if necessary. At the moment I don't even have the
   rlm_perl in /usr/local/lib/, but that I could solve by myself I guess
   (libperl-dev wasn't already installed during compile-time on my minimal
   Debian/lenny etc.).
  
   I know, there is nothing like a wishlist, but the lowercase-feature is
   essential if we want to use 2.x in the future.
  
   kind regards


RE: FreeRadius/eDirectory/802.1X authentication issue

2008-06-12 Thread Ivan Kalik
> Dumb question perhaps, but without configuring LDAP, how does EAP-TLS
> know where to send authentication requests?


EAP-TLS is certificate based authentication. All you need in order to get
authenticated is a valid certificate. Do you mean authorization?

Ivan Kalik
Kalik Informatika ISP



Re: Can FreeRADIUS proxy accounting requests to multiple systems?

2008-06-12 Thread Alan DeKok
Sylvain Robitaille wrote:
 I'm looking to have both of these systems proxy incoming accounting
 data to each other, so that they both have complete, up-to-date data
 regarding which users are presently authenticated on which services,

  That should be easy.  See the detail file readers in
raddb/sites-available/copy-acct-to-home-server.

 but
 I'd also like to have them proxy the accounting data to a third system
 (commercial appliance type of system, though I understand that it does
 use FreeRADIUS as its RADIUS server) which might act as our wireless
 network management system (we're presently evaluating it).

  It's one of 3 products, all of which are (so far as I know) years out
of date in their version of FreeRADIUS.

 I've been trying to understand the comments in
 raddb/sites-available/copy-acct-to-home-server, raddb/proxy.conf, and
 the relevant parts of raddb/radiusd.conf, but I'm not sure I have yet
 understood whether what I want can be done: proxy accounting-request
 packets from both production RADIUS servers to each other AND to the
 wireless network management system (though I expect that the NMS would
 get from each RADIUS server only accounting-request packets that weren't
 already proxied from the partner RADIUS server, to avoid it receiving
 duplicate data).

  That can be done.  You just have to set it up carefully.  If all else
fails, add attributes to the accounting packet saying where it was
proxied to, and then don't re-proxy it there...

 I've started setting up proxy.conf as indicated below my signature, and I
 expect I'll need a sites-enabled/copy-acct-to-home-server, but I'm pretty
 sure that the proxy.conf as I now have it would not proxy the requests
 to both the partner RADIUS server and the wireless network management
 system at the same time (not failover nor load-balance, but proxy
 to both simultaneously).  I'm hoping that someone can offer guidance.

  You will need two versions of copy-acct-to-home-server, one for each
destination.  Set up one first and get it working.  Then set up another
one and get it working.  Then, ensure that requests sent to one server
don't end up getting proxied through 2 other servers back to itself.

  Alan DeKok.


PEAP authenication issues - sort of

2008-06-12 Thread Capelle, Mark (PCMC-GB)
I have FreeRADIUS set up to do LDAP authentication against AD and also PEAP,
which ultimately uses ntlm_auth against AD.  Both work fine for the most
part except some users that I have started to add to the PEAP enabled
wireless network.  If I connect to this network, I authenticate fine.
If one of these other accounts connects, the authentication fails for
some reason.  Here are the entries from the radius.log file:

 

Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 1 cli 00-0E-35-6F-A3-7D)
Thu Jun 12 13:21:54 2008 : Auth: Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/via Auth-Type = EAP] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:21:54 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/via Auth-Type = EAP] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD)
Thu Jun 12 13:22:12 2008 : Auth: Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/via Auth-Type = EAP] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:22:12 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/via Auth-Type = EAP] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD)
Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 2 cli 00-0E-35-6F-A3-7D)

If I try the samba authentication from a command line on the FreeRADIUS
server, it completes successfully:

 

[EMAIL PROTECTED] raddb]# /usr/local/samba/bin/wbinfo -a nonworkinguser%testpassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

If I test authentication of the user using radtest, it works fine and is
able to find the user:

 

[EMAIL PROTECTED] ~]# radtest nonworkinguser testpassword 10.1.1.1 1 testing123
Sending Access-Request of id 221 to 10.1.1.1 port 1812
        User-Name = nonworkinguser
        User-Password = testpassword
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
rad_recv: Access-Accept packet from host 10.1.1.1 port 1812, id=221, length=20

What I believe to be the relevant part of the radiusd -X output is:

 

auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for nonworkinguser with NT-Password
        expand: --username=%{mschap:User-Name} -> --username=nonworkinguser
 mschap2: 85
        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3c2921ed60ab0f28
        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=9b2c345dd9585a0b79b19cd2fe360474a737271903b6989c
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/via Auth-Type = EAP] (from client WLANCTRLR1 port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled

Anyone have any ideas as to what the problem might be?


Re: Forcing lowercase User-Name with rlm_perl

2008-06-12 Thread Alan DeKok
oz wrote:
> A small problem I just had when I recompiled my freeradius-2.0.3 with

  Answer: 2.0.5.

> I decided to ignore it, because the symbolic link inner-tunnel
> already existed from my first compilation and that seems to cause the
> error (is this fixed in 2.0.5 eventually?).

  Yes.

  Alan DeKok.


RE: FreeRadius/eDirectory/802.1X authentication issue

2008-06-12 Thread Newall, Bryce
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of Ivan
> Kalik
> Sent: Thursday, June 12, 2008 12:20 PM
> To: FreeRadius users mailing list
> Subject: RE: FreeRadius/eDirectory/802.1X authentication issue
>
> Dumb question perhaps, but without configuring LDAP, how does EAP-TLS
> know where to send authentication requests?
>
>
> EAP-TLS is certificate based authentication. All you need in order to
> get authenticated is a valid certificate. Do you mean authorization?

Ahh, your answer just made our current RADIUS configuration more
understandable to me!  As I may have mentioned, I inherited this setup
from someone else who left the district.  The way it is currently
working, we do not have to install certificates on a laptop.  The
"Validate server certificate" option on our laptops' wireless
configuration is turned off.  The idea was to keep it as simple as
possible for users, yet maintain some semblance of security.

Apparently, the way we're doing it right now is using EAP-TLS with PEAP
authentication, which is passing the user's credentials through an
encrypted tunnel to the RADIUS server, which is in turn passing the
credentials through to eDirectory via LDAP.  At least, I *think* I'm
explaining that correctly. :)  I'd like to maintain that setup with
FreeRADIUS 2.0.5, but I'm still having a hard time following the
configuration and authentication path with the current 1.1.0 setup.

Thanks!

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]




Re: Can FreeRADIUS proxy accounting requests to multiple systems?

2008-06-12 Thread Ivan Kalik
> I'm looking to have both of these systems proxy incoming accounting
> data to each other, so that they both have complete, up-to-date data
> regarding which users are presently authenticated on which services, but
> I'd also like to have them proxy the accounting data to a third system
> (commercial appliance type of system, though I understand that it does
> use FreeRADIUS as its RADIUS server) which might act as our wireless
> network management system (we're presently evaluating it).

I hope you are using the same database to store authentication data for
your users. And that both are writing accounting data into the same
radacct table. If that is so, you don't need to proxy accounting from
one radius server to the other - they already have a complete picture.
Just configure them both to proxy accounting to the NMS.

Ivan Kalik
Kalik Informatika ISP



Re: FR2.0.3 - UCD-SNMP 4.2.7 communication does not work on 64 bits Freebsd (but does on 32 bit Freebsd)

2008-06-12 Thread Thomas Fagart

Alan DeKok wrote:
> Thomas Fagart wrote:
>> Do you think I can report a bug about that issue?
>
>   Please don't.  The SMUX code is old, and is deprecated by the
> net-snmp people.  It will NOT be fixed.
>
>   It's much better to write new code against the AgentX API, which is
> supported.
>
>   Alan DeKok.

Hello,

Ok, I'll try to write code. Just before doing that I've tried to find out
how I can query radius with radclient to get the statistics?

Is there anything special in the configuration that I should enable, to
collect statistics?

How could I simply query my test radius to get statistics?

Thanks




Re: FR2.0.3 - UCD-SNMP 4.2.7 communication does not work on 64 bits Freebsd (but does on 32 bit Freebsd)

2008-06-12 Thread Alan DeKok
Thomas Fagart wrote:
> Ok, I'll try to write code. Just before doing that I've tried to find out
> how I can query radius with radclient to get the statistics?

  You can't.

> Is there anything special in the configuration that I should enable, to
> collect statistics?

  No.  You have to write new code to get the statistics.

  Alan DeKok.


Re: Simultaneous-Use and radwho

2008-06-12 Thread Tuc at T-B-O-H.NET
>   Copy the configs to a test machine.  Run radsniff on the production
> machine to grab packets.  Play them back on the test machine.  Run
> radiusd -X on the test machine.

Ok, wasn't aware of the functionality. I don't see a radsneeze,
so I'm guessing you pipe them back in via echoing it to radclient?

>> But it seems somehow they are able to race it:
>>
>> Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from
>> client SBC-2393 port 4 cli 00-13-02-20-F9-DC)
>> Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from
>> client SBC-2393 port 2 cli 00-1B-9E-C4-9E-CD
>
>   The NAS is delaying the accounting packets.

DD-WRT running O-L-D Chillispot.

>> Would switching to SQL be better? (Or is this something that MUST
>> have a radiusd -X to resolve?)
>
>   No.  The way to fix it is to fix the code so that the user is marked
> conditionally logged in for 10-20 seconds after the Access-Accept.  If
> there's no Accounting start, that record is erased.  Otherwise, the
> accounting start marks the user as really logged in.
>
>   That way, when the second login request comes, the server discovers
> that the first user is likely to be logged in, and rejects the second
> request.

I'd love to help, but I'm a C compiler (I can find includes/functions
and missing libraries) and not a C programmer.  Is this something I should
put a bug report in about "a race condition" or "Dealing with slow NAS
accounting" or some other title? Is there someone on the list that maybe
would be interested in working on a patch (I'm a great tester. :) )

Thanks, Tuc
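
The provisional-session fix Alan describes above, as an added Python model that is not FreeRADIUS code: after an Access-Accept the user counts as logged in for a grace window (15 s is an assumed value; the thread says 10-20 s) until an Accounting Start confirms the record or the window lapses. The replay of the two same-second regtum14 logins is constructed from the log lines quoted above; against the racy behaviour both are accepted, with provisional sessions the second is rejected.

```python
from dataclasses import dataclass, field

GRACE_SECONDS = 15  # assumed; the thread suggests 10-20 seconds

@dataclass
class SessionTracker:
    simultaneous_use: int = 1
    provisional: bool = True  # False reproduces the racy behaviour
    # (user, nas, port) -> [start time, confirmed-by-Accounting-Start]
    sessions: dict = field(default_factory=dict)

    def _active(self, user, now):
        # Provisional records that never got an Accounting Start expire.
        self.sessions = {k: v for k, v in self.sessions.items()
                         if v[1] or now - v[0] < GRACE_SECONDS}
        return [k for k, v in self.sessions.items()
                if k[0] == user and (v[1] or self.provisional)]

    def access_request(self, user, nas, port, now):
        # Simultaneous-Use check; on accept, mark the user conditionally
        # logged in until the NAS sends Accounting Start.
        if len(self._active(user, now)) >= self.simultaneous_use:
            return "reject"
        self.sessions[(user, nas, port)] = [now, False]
        return "accept"

    def accounting_start(self, user, nas, port):
        # Accounting Start turns the provisional record into a real login.
        if (user, nas, port) not in self.sessions:
            return False
        self.sessions[(user, nas, port)][1] = True
        return True

# Constructed replay of the thread's two same-second logins for regtum14;
# the NAS's Accounting Start arrives only after both Access-Accepts.
EVENTS = [("auth", "regtum14", "SBC-2393", "4", 0.0),
          ("auth", "regtum14", "SBC-2393", "2", 0.3),
          ("acct", "regtum14", "SBC-2393", "4", 6.0)]

def replay(provisional):
    # Returns the outcome of each Access-Request in EVENTS, in order.
    tracker = SessionTracker(provisional=provisional)
    outcomes = []
    for kind, user, nas, port, t in EVENTS:
        if kind == "auth":
            outcomes.append(tracker.access_request(user, nas, port, t))
        else:
            tracker.accounting_start(user, nas, port)
    return outcomes
```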


Bug 517 - Can it make the next release?

2008-06-12 Thread Tuc at T-B-O-H.NET
Hi,

Can Bug 517 (Patch for radwho to correct time output and IP address output)
be included in the next release? I've used the supplied patch and find it
works quite well.

Thanks, Tuc


Multiple radius servers on one machine

2008-06-12 Thread [EMAIL PROTECTED]
I have two applications that authenticate via radius. These
applications require separate radius conf files, log files, users
files, etc. How can I run two distinct radius servers on one server to
serve these applications? Also, these applications run on one server,
so how can I have their server connect each application to the
appropriate radius server?

Thanks!


Re: Multiple radius servers on one machine

2008-06-12 Thread Paul Bartell
Might I suggest using virtual machines, instead of messing around with
multiple instances? (radius is rather non resource intensive)

On Thu, Jun 12, 2008 at 8:11 PM, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
> I have two applications that authenticate via radius. These
> applications require separate radius conf files, log files, users
> files, etc. How can I run two distinct radius servers on one server to
> serve these applications? Also, these applications run on one server,
> so how can I have their server connect each application to the
> appropriate radius server?
>
> Thanks!




-- 
Random quote of the week/month/whenever i get to updating it: Like an
unchecked cancer, hate corrodes the personality and eats away its
vital unity. Hate destroys a man's sense of values and his
objectivity. It causes him to describe the beautiful as ugly and the
ugly as beautiful, and to confuse the true with the false and the
false with the true. - Martin Luther King Jr.


Re: Multiple radius servers on one machine

2008-06-12 Thread [EMAIL PROTECTED]
> might i suggest using virtual machines, instead of messing around with
> multiple instances. (radius is rather non resource intensive)

If I can avoid it, I would not like to mess around with virtual machines.

On Thu, Jun 12, 2008 at 8:11 PM, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
> I have two applications that authenticate via radius. These
> applications require separate radius conf files, log files, users
> files, etc. How can I run two distinct radius servers on one server to
> serve these applications? Also, these applications run on one server,
> so how can I have their server connect each application to the
> appropriate radius server?
>
> Thanks!



Re: Multiple radius servers on one machine

2008-06-12 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I have two applications that authenticate via radius. These
> applications require separate radius conf files, log files, users
> files, etc. How can I run two distinct radius servers on one server to
> serve these applications?

$ man radiusd

  Use the '-d' parameter to have completely separate configuration
directories.

> Also, these applications run on one server,
> so how can I have their server connect each application to the
> appropriate radius server?

  The RADIUS servers will have to listen on different ports.

  Alan DeKok.