Re: compiling freeradius with oracle support

2008-08-19 Thread Alan DeKok
Alexandre Chapellon wrote:
 It says headers (oci.h) are not found, but this file really is in the
 specified include path.

  The configure logs should say why it wasn't built, but even that isn't
really worth looking at.

 Does anyone have a clue what i could do?

$ vi src/modules/rlm_sql/drivers/rlm_sql_oracle/Makefile

  Set TARGET = rlm_sql_oracle, and edit the CFLAGS & LDFLAGS lines to
have the appropriate values:
-I/opt/oracle/instantclient_11_1/sdk/include, and -L
/opt/oracle/instantclient_11_1/ -loracle (?)

  After that, cd to the directory, and type make.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Crash on x64?

2008-08-19 Thread Alan DeKok
John Dennis wrote:
 Actually, on Fedora & RHEL you don't need to rebuild with debugging
 symbols on. All packages built for Fedora & RHEL always have matching
 debuginfo packages which can optionally be installed, which once
 installed will give you line number information in the debugger.

  Nice.  That should help.

  Alan DeKok.


Re: Locking accounts after failed attempts. pam_tally ?

2008-08-19 Thread Alan DeKok
Mark Tunnell wrote:
 Is there a way to disable radius access for a user after a specified
 number of incorrect passwords using the standard Unix passwd system? 

  I don't know of any way.

 I
 have pam_tally running and it correctly increments on failed SSH login
 attempts.  However, failed Radius attempts do not increment the counter.
  Is there a way to make pam_tally work with Radius or do I need to find
 another way to do this?

  It's PAM magic.  I'd suggest asking on a PAM list.

  Alan DeKok.


Re: Crash on x64?

2008-08-19 Thread Alex Balashov

Alan DeKok wrote:

John Dennis wrote:

Actually, on Fedora & RHEL you don't need to rebuild with debugging
symbols on. All packages built for Fedora & RHEL always have matching
debuginfo packages which can optionally be installed, which once
installed will give you line number information in the debugger.


  Nice.  That should help.

  Alan DeKok.


Whatever the problem was, it definitely went away on 32-bit Debian. 
Same version of Postgres, libpq, FreeRADIUS, etc.  About the only thing 
that could possibly be different is the precise glibc2 revision.


--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599


I've started to put the book online

2008-08-19 Thread Alan DeKok
http://deployingradius.com/book/

  Only parts of the first chapter are online.  It covers the basic
concepts behind RADIUS, and should hopefully address a number of common
misunderstandings about how it all works.

  Keep checking the site.  More will be coming later.

  Alan DeKok.


Re: I've started to put the book online

2008-08-19 Thread Jelle Langbroek
Just great! Thanks, I'll be sure to read it.


2008/8/19 Alan DeKok [EMAIL PROTECTED]

 http://deployingradius.com/book/

  Only parts of the first chapter are online.  It covers the basic
 concepts behind RADIUS, and should hopefully address a number of common
 misunderstandings about how it all works.

  Keep checking the site.  More will be coming later.

  Alan DeKok.


Question regarding rlm_perl and Access-Challenge

2008-08-19 Thread Harry J Walsh
Hi,

I want to develop some test cases for a radius client I am developing
and I would like to be able to use rlm_perl to simulate various
scenarios.  The one I am having major problems with is
Access-Challenge.  I really like rlm_perl and the flexibility it
provides and I would like to be able to specify the reply type.  I've
looked through documentation and the rlm_perl code for any hints on
how to do this and at this stage I'm thinking I'll have to create a
new interface to allow my perl script to specify the correct reply
type to rlm_perl.

Do any of you know of an existing way to do this?

-- 
Harry J Walsh


Re: Question regarding rlm_perl and Access-Challenge

2008-08-19 Thread Alan DeKok
Harry J Walsh wrote:
 I want to develop some test cases for a radius client I am developing
 and I would like to be able to use rlm_perl to simulate various
 scenarios.  The one I am having major problems with is
 Access-Challenge.  I really like rlm_perl and the flexibility it
 provides and I would like to be able to specify the reply type.  I've
 looked through documentation and the rlm_perl code for any hints on
 how to do this and at this stage I'm thinking I'll have to create a
 new interface to allow my perl script to specify the correct reply
 type to rlm_perl.

  Configure the reply with Response-Packet-Type = Access-Challenge,
and make sure that the authenticate section returns handled.  That
should do it.

  And yes, this isn't documented.

  Alan DeKok.


Re: Question regarding rlm_perl and Access-Challenge

2008-08-19 Thread Harry J Walsh
Thanks for the swift reply DeKok.  I tried what you suggested and it
doesn't work.  Looking at dictionary.freeradius.internal and double
checking the values in the pair, everything looks okay. I'm going to
play about with this a bit, but in the meantime here's some more
details and I would greatly appreciate it if you would scan over them
to see if there is anything obvious I am missing.


Here's my authenticate sub.

# Function to handle authenticate
sub authenticate {
    # For debugging purposes only
    log_request_attributes;

    # Any user starting with "test" and password starting with "pass"
    # gets a challenge instead of an accept/reject
    if (($RAD_REQUEST{'User-Name'} =~ /^test/) &&
        ($RAD_REQUEST{'User-Password'} =~ /^pass/)) {
        $RAD_REPLY{'State'} = "challenge";
        $RAD_REPLY{'Reply-Message'} = "Challenge: ";
        $RAD_REPLY{'Response-Packet-Type'} = "Access-Challenge";
        log_request_attributes;
        return RLM_MODULE_HANDLED;
    }
    else {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    }
}


And here's the debug output:

perl_pool: item 0x827b1a0 asigned new request. Handled so far: 1
found interpetator at address 0x827b1a0
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = pass
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.250.0.170
rlm_perl: RAD_REQUEST: NAS-Port = 6
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = pass
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.250.0.170
rlm_perl: RAD_REQUEST: NAS-Port = 6
rlm_perl: RAD_REPLY: Reply-Message = Challenge:
rlm_perl: RAD_REPLY: Response-Packet-Type = Access-Challenge
rlm_perl: RAD_REPLY: State = challenge
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair NAS-IP-Address = 10.250.0.170
rlm_perl: Added pair NAS-Port = 6
rlm_perl: Added pair Reply-Message = Challenge:
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x827b1a0
++[perl] returns handled
There was no response configured: rejecting request 0
==

The last line here is confusing me.  Looking at the code that spits
out this error, it seems to only happen when there is no
Response-Packet-Type in a request_post_handler.

switch (request->packet->code) {
case PW_AUTHENTICATION_REQUEST:
        gettimeofday(&request->next_when, NULL);

        if (request->reply->code == 0) {
                /*
                 *  Check if the lack of response is intentional.
                 */
                vp = pairfind(request->config_items,
                              PW_RESPONSE_PACKET_TYPE);
                if (!vp) {
                        DEBUG2("There was no response configured: rejecting request %d",
                               request->number);
                        request->reply->code = PW_AUTHENTICATION_REJECT;
                } else if (vp->vp_integer == 256) {
                        DEBUG2("Not responding to request %d",
                               request->number);

                } else {
                        request->reply->code = vp->vp_integer;

                }
        }









On Tue, Aug 19, 2008 at 1:09 PM, Alan DeKok [EMAIL PROTECTED] wrote:
 Harry J Walsh wrote:
 I want to develop some test cases for a radius client I am developing
 and I would like to be able to use rlm_perl to simulate various
 scenarios.  The one I am having major problems with is
 Access-Challenge.  I really like rlm_perl and the flexibility it
 provides and I would like to be able to specify the reply type.  I've
 looked through documentation and the rlm_perl code for any hints on
 how to do this and at this stage I'm thinking I'll have to create a
 new interface to allow my perl script to specify the correct reply
 type to rlm_perl.

  Configure the reply with Response-Packet-Type = Access-Challenge,
 and make sure that the authenticate section returns handled.  That
 should do it.

  And yes, this isn't documented.

  Alan DeKok.




-- 
Harry J Walsh


Realms and proxying

2008-08-19 Thread Dean, Barry
I currently have a realm defined:

realm liv.ac.uk {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

I now have one of my departments which, for various complex reasons, has been
allowed to have its own user accounts.
They have the subdomain name csc.liv.ac.uk. I want to proxy RADIUS to their
server.

If I add:

realm csc.liv.ac.uk {
    type     = radius
    authhost = server.csc.liv.ac.uk:1812
    accthost = server.csc.liv.ac.uk:1813
}

Is this position dependent? Does it have to appear before the liv.ac.uk realm
to prevent [EMAIL PROTECTED] being caught by the first realm?

I have:

realm suffix {
    format    = suffix
    delimiter = "@"
}

in radius.conf.

---
Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)





Re: Realms and proxying

2008-08-19 Thread Stefan Winter

Hi,


Is this position dependent? Does it have to appear before the liv.ac.uk realm to prevent
[EMAIL PROTECTED] being caught by the first realm?
  


No, unless you use a regex in the realm stanza, the matches are 
*literal* realms. i.e. realm liv.ac.uk does not match foo.bar.liv.ac.uk.


Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

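To make the literal-versus-regex distinction concrete, here is an added example (not part of the thread and not FreeRADIUS code) that models the `realm suffix` split and then looks the realm up both ways. The two literal stanzas mirror the ones quoted above; the regex stanzas, the `home` field, the case-insensitive compare and the "realm is everything after the last delimiter" rule are my assumptions for the model.

```python
"""Added example (not from the thread or FreeRADIUS itself): how a suffix
realm is split off User-Name and matched against realm stanzas, literally
versus by regex, to show when stanza order matters."""
import re

# Constructed realm table mirroring the two stanzas quoted in the thread.
# "home" stands in for authhost/accthost: LOCAL or the proxy target.
REALMS = [
    {"name": "liv.ac.uk", "home": "LOCAL"},
    {"name": "csc.liv.ac.uk", "home": "server.csc.liv.ac.uk:1812"},
]

# Constructed regex realms (the `realm ~pattern { ... }` form), deliberately
# ordered so the broad pattern shadows the specific one.
REGEX_REALMS = [
    {"pattern": r"\.liv\.ac\.uk$", "home": "LOCAL"},
    {"pattern": r"^csc\.liv\.ac\.uk$", "home": "server.csc.liv.ac.uk:1812"},
]


def split_suffix(user_name, delimiter="@"):
    """Model `realm suffix { format = suffix  delimiter = "@" }`.
    Assumption: the realm is everything after the LAST delimiter."""
    if delimiter not in user_name:
        return user_name, None
    stripped, realm = user_name.rsplit(delimiter, 1)
    return stripped, realm


def find_literal_realm(realm, realms=REALMS):
    """Literal stanzas compare the whole realm string (assumed
    case-insensitive), so `liv.ac.uk` never matches `csc.liv.ac.uk`
    and the order of the stanzas is irrelevant."""
    if realm is None:
        return None
    for r in realms:
        if r["name"].lower() == realm.lower():
            return r["home"]
    return None


def find_regex_realm(realm, realms=REGEX_REALMS):
    """Regex stanzas are tried in configuration order; first match wins,
    so a broad pattern placed first captures the subdomain."""
    if realm is None:
        return None
    for r in realms:
        if re.search(r["pattern"], realm, re.IGNORECASE):
            return r["home"]
    return None


def route(user_name, literal=True):
    """Return (stripped User-Name, chosen home server or None)."""
    user, realm = split_suffix(user_name)
    finder = find_literal_realm if literal else find_regex_realm
    return user, finder(realm)


if __name__ == "__main__":
    for name in ("alice@liv.ac.uk", "bob@csc.liv.ac.uk",
                 "eve@foo.bar.liv.ac.uk", "local"):
        print(name, "literal:", route(name), "regex:", route(name, literal=False))
```

With literal stanzas `bob@csc.liv.ac.uk` goes to the department server and `eve@foo.bar.liv.ac.uk` matches nothing (in the real server rlm_realm then returns noop, as the "No such realm" lines elsewhere in this digest show, and the request is handled locally). With the regex table the broad `\.liv\.ac\.uk$` pattern placed first captures the `csc.` users as well, which is exactly the ordering problem the question was worried about.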


Re: Crash on x64?

2008-08-19 Thread John Dennis

Alex Balashov wrote:

Alan DeKok wrote:

John Dennis wrote:

Actually, on Fedora & RHEL you don't need to rebuild with debugging
symbols on. All packages built for Fedora & RHEL always have matching
debuginfo packages which can optionally be installed, which once
installed will give you line number information in the debugger.


Nice. That should help.

Alan DeKok.


Whatever the problem was, it definitely went away on 32-bit Debian. 
Same version of Postgres, libpq, FreeRADIUS, etc. About the only thing 
that could possibly be different is the precise glibc2 revision.


FWIW, I recently investigated a similar memory corruption problem with
freeradius reported by glibc on RHEL 5. I was not able to reproduce it
on a current RHEL 5.2 system. The fact I couldn't reproduce it does not
in and of itself mean anything; the memory corruption could require a
specific series of events to trigger it, but I do believe glibc had been
updated between the original report and my efforts at reproducing it.
This might corroborate your observation (or might not :-)


--
John Dennis [EMAIL PROTECTED]



convert steel-belt radius .dct to freeradius dictionary

2008-08-19 Thread S Adrian
Hi everybody,

I got a file that looks like this (utstarcom.dct) which would need to be
translated to freeradius .. anyone can help?


start of file
# utstarcom.dct - Radius dictionary for UTStarcom BBS1000
@radius.dct

#
# UTStarcom specific parameters
#
MACRO UTStarcom-VSA(t,s) 26 [vid=7064 type1=%t% len1=+2 data=%s%]

ATTRIBUTE   Utstarcom-VLAN-ID Utstarcom-VSA(140, integer)  r
ATTRIBUTE   Utstarcom-CommittedBandwidth  Utstarcom-VSA(142, integer)  r
ATTRIBUTE   Utstarcom-MaxBandwidthUtstarcom-VSA(143, integer)  r
ATTRIBUTE   Utstarcom-PriorityUtstarcom-VSA(145, integer)  r
ATTRIBUTE   Utstarcom-Error-ReasonUtstarcom-VSA(147, integer)  r
ATTRIBUTE   Utstarcom-PrimaryDNS  Utstarcom-VSA(152, integer)  r
ATTRIBUTE   Utstarcom-SecondaryDNSUtstarcom-VSA(153, integer)  r
ATTRIBUTE   Utstarcom-MaxBurstSizeUtstarcom-VSA(161, integer)  r
ATTRIBUTE   Utstarcom-MaxDelayUtstarcom-VSA(162, integer)  r
ATTRIBUTE   Utstarcom-MaxJitter   Utstarcom-VSA(163, integer)  r
ATTRIBUTE   Utstarcom-DeviceIdUtstarcom-VSA(165, string)  cr
ATTRIBUTE   Utstarcom-Module-Id   Utstarcom-VSA(166, integer)  cr
ATTRIBUTE   Utstarcom-Port-No Utstarcom-VSA(167, integer)  cr
ATTRIBUTE   Utstarcom-Logical-Port-No Utstarcom-VSA(168, integer)  r
ATTRIBUTE   Utstarcom-UNI-MAX-MAC Utstarcom-VSA(169, integer)  r
ATTRIBUTE   Utstarcom-Default-Gateway Utstarcom-VSA(170, integer)  r

ATTRIBUTE   Utstarcom-CLI-Access-LevelUtstarcom-VSA(171, integer)  r
ATTRIBUTE   Utstarcom-Act-Input-OctetsUtstarcom-VSA(180, string)   r
ATTRIBUTE   Utstarcom-Act-Output-Octets   Utstarcom-VSA(181, string)   r
ATTRIBUTE   Utstarcom-Act-Input-FramesUtstarcom-VSA(182, string)   r
ATTRIBUTE   Utstarcom-Act-Output-Frames   Utstarcom-VSA(183, string)   r

ATTRIBUTE   Utstarcom-Onu-MC-Filter-Enable   Utstarcom-VSA(184, integer)   r
ATTRIBUTE   Utstarcom-UNI-Auto-Negotiation   Utstarcom-VSA(185, integer)   r
ATTRIBUTE   Utstarcom-UNI-Speed              Utstarcom-VSA(186, integer)   r
ATTRIBUTE   Utstarcom-UNI-Duplex             Utstarcom-VSA(187, integer)   r
ATTRIBUTE   Utstarcom-ONU-Admin_status       Utstarcom-VSA(188, integer)   r
ATTRIBUTE   Utstarcom-ONU-FW-SC-Upgrade      Utstarcom-VSA(189, integer)   r
EOF



Re: convert steel-belt radius .dct to freeradius dictionary

2008-08-19 Thread Alex Balashov

That one's pretty easy;  have a peek at the other FreeRADIUS-formatted
vendor dictionaries that come with the package and spy the nuances in
the differences.

On Tue, August 19, 2008 10:33 am, S Adrian wrote:
 Hi everybody,

 I got a file that looks like this (utstarcom.dct) which would need to be
 translated to freeradius .. anyone can help?


start of file
 # utstarcom.dct - Radius dictionary for UTStarcom BBS1000
 @radius.dct

 #
 # UTStarcom specific parameters
 #
 MACRO UTStarcom-VSA(t,s) 26 [vid=7064 type1=%t% len1=+2 data=%s%]

 ATTRIBUTE   Utstarcom-VLAN-ID                Utstarcom-VSA(140, integer)   r
 ATTRIBUTE   Utstarcom-CommittedBandwidth     Utstarcom-VSA(142, integer)   r
 ATTRIBUTE   Utstarcom-MaxBandwidth           Utstarcom-VSA(143, integer)   r
 ATTRIBUTE   Utstarcom-Priority               Utstarcom-VSA(145, integer)   r
 ATTRIBUTE   Utstarcom-Error-Reason           Utstarcom-VSA(147, integer)   r
 ATTRIBUTE   Utstarcom-PrimaryDNS             Utstarcom-VSA(152, integer)   r
 ATTRIBUTE   Utstarcom-SecondaryDNS           Utstarcom-VSA(153, integer)   r
 ATTRIBUTE   Utstarcom-MaxBurstSize           Utstarcom-VSA(161, integer)   r
 ATTRIBUTE   Utstarcom-MaxDelay               Utstarcom-VSA(162, integer)   r
 ATTRIBUTE   Utstarcom-MaxJitter              Utstarcom-VSA(163, integer)   r
 ATTRIBUTE   Utstarcom-DeviceId               Utstarcom-VSA(165, string)    cr
 ATTRIBUTE   Utstarcom-Module-Id              Utstarcom-VSA(166, integer)   cr
 ATTRIBUTE   Utstarcom-Port-No                Utstarcom-VSA(167, integer)   cr
 ATTRIBUTE   Utstarcom-Logical-Port-No        Utstarcom-VSA(168, integer)   r
 ATTRIBUTE   Utstarcom-UNI-MAX-MAC            Utstarcom-VSA(169, integer)   r
 ATTRIBUTE   Utstarcom-Default-Gateway        Utstarcom-VSA(170, integer)   r

 ATTRIBUTE   Utstarcom-CLI-Access-Level       Utstarcom-VSA(171, integer)   r
 ATTRIBUTE   Utstarcom-Act-Input-Octets       Utstarcom-VSA(180, string)    r
 ATTRIBUTE   Utstarcom-Act-Output-Octets      Utstarcom-VSA(181, string)    r
 ATTRIBUTE   Utstarcom-Act-Input-Frames       Utstarcom-VSA(182, string)    r
 ATTRIBUTE   Utstarcom-Act-Output-Frames      Utstarcom-VSA(183, string)    r

 ATTRIBUTE   Utstarcom-Onu-MC-Filter-Enable   Utstarcom-VSA(184, integer)   r
 ATTRIBUTE   Utstarcom-UNI-Auto-Negotiation   Utstarcom-VSA(185, integer)   r
 ATTRIBUTE   Utstarcom-UNI-Speed              Utstarcom-VSA(186, integer)   r
 ATTRIBUTE   Utstarcom-UNI-Duplex             Utstarcom-VSA(187, integer)   r
 ATTRIBUTE   Utstarcom-ONU-Admin_status       Utstarcom-VSA(188, integer)   r
 ATTRIBUTE   Utstarcom-ONU-FW-SC-Upgrade      Utstarcom-VSA(189, integer)   r
EOF




-- 
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599



Re: convert steel-belt radius .dct to freeradius dictionary

2008-08-19 Thread S Adrian
 That one's pretty easy;  have a peek at the other FreeRADIUS-formatted
 vendor dictionaries that come with the package and spy the nuances in
 the differences.

Ok, but what about that radius.dct .. should it affect what I enter in the
new freeradius dictionary file ?

 # utstarcom.dct - Radius dictionary for UTStarcom BBS1000
 @radius.dct

 # UTStarcom specific parameters
 #
 MACRO UTStarcom-VSA(t,s) 26 [vid=7064 type1=%t% len1=+2 data=%s%]

Specific .. what the heck are these?! I'm sure they mean something ..

 ATTRIBUTE   Utstarcom-VLAN-ID   Utstarcom-VSA(140, integer)   r

that r and cr at the end should also mean something ..



Re: convert steel-belt radius .dct to freeradius dictionary

2008-08-19 Thread S Adrian
 Here it is attached to this message.

Thanks .. but still .. those thingies .. c .. cr .. 7064 .. what are they ?



Auth-Type := Accept - CHAP problems

2008-08-19 Thread Thomas Buchberger
Hi @ll,

we're playing with the freeradius features and are getting confused by
the way it behaves:
We have several different users in users files, which works fine.
Now we want the radius server to always answer with OK and no more "Login
incorrect", but with other options than for a correct user.

We appended in the config:
DEFAULT	Auth-Type := Accept
... various Options
...

This works with PAP/CHAP, when the user is not listed in a users file.
It also works with PAP when the user is in a list, but not with CHAP!

Is there a way to realize this?

Debug says:
rad_recv: Access-Request packet from host XXX:XX, id=114, length=263
User-Name = XXX
Acct-Session-Id = XXX
CHAP-Password = XXX
CHAP-Challenge = XXX
Service-Type = Framed-User
Framed-Protocol = PPP
ERX-Pppoe-Description = XXX
Calling-Station-Id = XXX
NAS-Port-Type = Ethernet
NAS-Port = XXX
NAS-Port-Id = XXX
NAS-IP-Address = XXX
NAS-Identifier = XXX
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
  modcall[authorize]: module preprocess returns ok for request 10
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 10
rlm_realm: No '@' in User-Name = XXX, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 10
users: Matched entry DEFAULT at line 2
  modcall[authorize]: module files returns ok for request 10
rlm_pap: WARNING! No known good password found for the user. 
Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 10
modcall: leaving group authorize (returns ok) for request 10
  Found Autz-Type autz_DSL_B
  Processing the authorize section of radiusd.conf
modcall: entering group autz_DSL_B for request 10
users: Matched entry XXX at line 335992
  modcall[authorize]: module autzfile_DSL_B returns ok for request 10
modcall: leaving group autz_DSL_B (returns ok) for request 10
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 10
  rlm_chap: login attempt by XXX with CHAP password
  rlm_chap: Using clear text password XXX for user XXX authentication.
  rlm_chap: Password check failed
  modcall[authenticate]: module chap returns reject for request 10
modcall: leaving group CHAP (returns reject) for request 10
auth: Failed to validate the user.

-- 
Thomas Buchberger


Re: final question about client certs using eap-tls (was: cert bootstrap bug?)

2008-08-19 Thread Sergio

Sergio wrote:

Hi,

as so many others did. At this time I have got one eap module which
authenticates users under a PKI. My client certs are issued by root ca
(ca.pem) and everything works. I can manage the crl, because it is
public, and authenticate any user against any server. So my question
is, what's the final goal of signing certificates with the server's? The
only difference (I think) is about the crl managing, because in my
case, the authority should provide the crl to the server
administrators. I don't see any more difference.


Thanks


Any more goal?


Problems with EAP and LDAP replyItems (2.0.2)

2008-08-19 Thread tschaos
Hi Guys,

Since freeradius2 has some major improvements I am trying to upgrade from 1.1.4.
Unfortunately there are a few problems I encounter:

For some weird reason the server isn't sending my LDAP replyItems
back to the NAS along with the Access-Accept packet.

In short i want to authenticate using EAP/PEAP against the server, which itself 
checks against our LDAP Server. Additionally the server should also send back a 
specific replyItem stored in our LDAP.

configuration looks like:

authorize {
    preprocess
    eap {
        ok = return
    }

    ldap1
}


authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

in ldap.attrmap the following is configured:

replyItem   Airespace-Interface-Name   radiusCallingStationId

so LDAP-Attribute radiusCallingStationId should be transformed to an attribute 
called Airespace-Interface-Name and sent back to the NAS.

As you can see in the following debug output, at the beginning the server sends
the attribute back as supposed, but for some weird reason in the Access-Accept
packet the attribute isn't sent along.

What's wrong here?

Thanks in advance!

debug-output:


rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=237, 
length=182
User-Name = testuser
Calling-Station-Id = 00-0E-35-AE-DB-DF
Called-Station-Id = 00-1A-30-2E-C9-60:wlan-test
NAS-Port = 29
NAS-IP-Address = 10.110.101.4
NAS-Identifier = WiSM-2
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 995
EAP-Message = 0x0202000d0173737065726c3232
Message-Authenticator = 0x1c08d8491b0ebb2a032ab1ebb8f7ee59
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 2 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
expand: (|(uid=%u)(uid=%U)) - (|(uid=testuser)(uid=_))
expand: dc=mydomain,dc=ac,dc=at - dc=mydomain,dc=ac,dc=at
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.mydomain.com:389, authentication 0
rlm_ldap: bind as uid=service-user,ou=services,dc=mydomain,dc=ac,dc=at/passme 
to ldap.mydomain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=ac,dc=at, with filter 
(|(uid=testuser)(uid=_))
rlm_ldap: Added User-Password = testpwd in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute 
Airespace-Interface-Name = 599
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns ok
  rad_check_password:  Found Auth-Type EAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 237 to 10.110.101.4 port 32770
Airespace-Interface-Name = 599
EAP-Message = 0x0103001604104f56bcec8ceb0ba608af483ccb4111c9
Message-Authenticator = 0x
State = 0x33b5046233b6000c0bb076d000b26f5e
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=238, 
length=193
User-Name = testuser
Calling-Station-Id = 00-0E-35-AE-DB-DF
Called-Station-Id = 00-1A-30-2E-C9-60:wlan-test
NAS-Port = 29
NAS-IP-Address = 10.110.101.4
NAS-Identifier = WiSM-2
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 995
EAP-Message = 0x020300060319
State = 0x33b5046233b6000c0bb076d000b26f5e
Message-Authenticator = 0xae7227a437741cee122a96438eb2b8c6
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No 

Re: cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)

2008-08-19 Thread William Hegardt
I hate to resurrect this long thread from July 22-28, but I have the
same problem and never saw a resolution.

I'm using FreeRadius 2.0.5 on CentOS 5.2 with wpa_supplicant 0.6.4
(latest to date).

I'm using the bootstrap script to generate example certificates.
I also created a client certificate using make client.pem. I configured
wpa_supplicant with ca.pem, client.pem and client.key.

EAP-TLS authentication fails with the fatal unknown ca message.

If I hack the Makefile like Sergio mentioned last month to sign the
client certificate with the CA key, then authentication succeeds.

In last month's thread, Alan DeKok posted:

  You need to follow the documentation in eap.conf.

#  If CA_file (below) is not used, then the
#  certificate_file below MUST include not
#  only the server certificate, but ALSO all
#  of the CA certificates used to sign the
#  server certificate.
certificate_file = ${certdir}/server.pem

  Have you done that?

In my case, CA_file does indeed refer to ca.pem as created by the
bootstrap script. So I'm assuming that I don't need to touch the
server.pem file as created.

I'd really like to understand what's wrong. Could wpa_supplicant be
somehow incompatible with the bootstrap certificate chain?

Thanks


Re: web based certificate management

2008-08-19 Thread John Dennis

Tomoki Taniguchi wrote:

is there a good web based certificate management system
that users of freeradius recommend?
i need something that will apply the needed xpextensions
and generate the necessary .p12 and .der certificates for a windows xp client.

i am looking into editing the ebox-ca to generate the additional certificates,
but would prefer not to have to go through the trouble if possible.
  


FWIW, Red Hat has open sourced the certificate management system it 
acquired when it purchased a number of assets from Netscape (the 
Netscape LDAP server has already been open sourced by Red Hat known 
under the name Directory Server).


The certificate server which Red Hat open sourced is essentially the
same one used by the DoD (Department of Defense) and many other high end
enterprise clients. The open source version is known as DogTag.


More information can found here: 
http://pki.fedoraproject.org/wiki/PKI_Main_Page


The effort required to make Certificate Server available as open source
was formidable, however Red Hat has a strong commitment to open source
and I'm proud of the initiative by my colleagues who made this
sophisticated PKI technology available to everyone.


--
John Dennis [EMAIL PROTECTED]



Re: convert steel-belt radius .dct to freeradius dictionary

2008-08-19 Thread Alan DeKok
S Adrian wrote:
 I got a file that looks like this (utstarcom.dct) which would need to be
 translated to freeradius .. anyone can help?

http://github.com/alandekok/freeradius-server/tree/master/share/dictionary.utstarcom

  :)

  There's also a simple (i.e. dumb) script that does some of the
conversion for anyone with many .dct files.

  Alan DeKok.
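Since the question of what `7064`, `r` and `cr` mean came up twice in this digest, here is an added example of a small converter from the Steel-Belted `.dct` syntax quoted above to FreeRADIUS 2.x dictionary syntax. It is my code, not Alan's conversion script and not the shipped `dictionary.utstarcom`. Assumptions: the MACRO line's `vid=` is the vendor id (7064) and its `type1=%t% len1=+2` describes the standard one-byte type, one-byte length VSA layout, which is FreeRADIUS's default; the trailing `r`/`c` flags mark, as I read Steel-Belted dictionaries, whether the attribute may appear in the return (reply) or check list and have no FreeRADIUS counterpart; the `.dct` type names in `TYPE_MAP` are the ones I know of, and anything else is rejected rather than guessed.

```python
"""Added example (not Alan's conversion script nor the shipped
dictionary.utstarcom): translate the Steel-Belted Radius .dct vendor
attribute syntax quoted in the thread into FreeRADIUS dictionary syntax."""
import re

# Constructed sample in the .dct syntax from the thread (three of its lines).
SAMPLE_DCT = """\
# utstarcom.dct - Radius dictionary for UTStarcom BBS1000
@radius.dct
#
# UTStarcom specific parameters
#
MACRO UTStarcom-VSA(t,s) 26 [vid=7064 type1=%t% len1=+2 data=%s%]
ATTRIBUTE   Utstarcom-VLAN-ID        Utstarcom-VSA(140, integer)  r
ATTRIBUTE   Utstarcom-PrimaryDNS     Utstarcom-VSA(152, integer)  r
ATTRIBUTE   Utstarcom-DeviceId       Utstarcom-VSA(165, string)   cr
"""

# MACRO name(t,s) 26 [vid=N type1=%t% len1=+2 data=%s%]: attribute 26 is
# Vendor-Specific, vid is the vendor id, and type1/len1=+2 describe the
# one-byte type, one-byte length sub-header that FreeRADIUS also uses by
# default, so no `format=` option is needed (assumption about the macro).
MACRO_RE = re.compile(
    r"^MACRO\s+(\S+)\(t,s\)\s+26\s+\[vid=(\d+)\s+type1=%t%\s+len1=\+2\s+data=%s%\]")
ATTR_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\S+)\((\d+),\s*(\w+)\)\s*([rco]*)\s*$")

# Assumed .dct -> FreeRADIUS type names; anything else is rejected loudly
# rather than silently mistyped (a wrong type mis-decodes the VSA).
TYPE_MAP = {"integer": "integer", "string": "string",
            "ipaddr": "ipaddr", "hexadecimal": "octets"}


def parse_dct(text):
    """Return (vendor_id, [(name, number, fr_type, flags), ...])."""
    macros, attrs = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Comments and the @radius.dct include: FreeRADIUS loads its base
        # dictionary itself, so the include has no counterpart.
        if not line or line[0] in "#@":
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1).lower()] = int(m.group(2))
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised line: {line}")
        name, macro, number, dct_type, flags = m.groups()
        # The thread's file declares UTStarcom-VSA but uses Utstarcom-VSA;
        # match macro names case-insensitively.
        if macro.lower() not in macros:
            raise ValueError(f"line {lineno}: unknown macro {macro}")
        if dct_type not in TYPE_MAP:
            raise ValueError(f"line {lineno}: unmapped type {dct_type}")
        attrs.append((name, int(number), TYPE_MAP[dct_type], flags))
    vids = set(macros.values())
    if len(vids) != 1:
        raise ValueError(f"expected exactly one vendor id, got {sorted(vids)}")
    return vids.pop(), attrs


def to_freeradius(vendor_name, vendor_id, attrs):
    """Render FreeRADIUS 2.x dictionary lines. The .dct r/c flags (which
    list the attribute may appear in) have no equivalent and are dropped."""
    lines = [f"VENDOR\t{vendor_name}\t{vendor_id}", "",
             f"BEGIN-VENDOR\t{vendor_name}", ""]
    for name, number, fr_type, _flags in attrs:
        lines.append(f"ATTRIBUTE\t{name}\t{number}\t{fr_type}")
    lines += ["", f"END-VENDOR\t{vendor_name}"]
    return lines


def convert(text, vendor_name):
    vendor_id, attrs = parse_dct(text)
    return "\n".join(to_freeradius(vendor_name, vendor_id, attrs))


if __name__ == "__main__":
    print(convert(SAMPLE_DCT, "UTStarcom"))
```

The converter fails on any line it does not understand instead of skipping it: a silently dropped or mistyped VSA shows up later as garbage in accounting records or, worse, as a reply attribute the NAS ignores. Compare the rendered output against the `dictionary.utstarcom` Alan links before trusting it.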


Re: Auth-Type := Accept - CHAP problems

2008-08-19 Thread Alan DeKok
Thomas Buchberger wrote:
 we're playing with the freeradius features and are getting confused in
 the way it behaves:

  :)  It's simple... just read 1000's of lines of debugging output, and
hordes of miscellaneous unrelated unorganized documentation files.

 We have several different Users in user-files which works fine.
 Now we want that the radius always answers with OK and no more Login
 incorrect - but with other Options than a correct user.
 
 We appended in the config:
 DEFAULT	Auth-Type := Accept
...
 users: Matched entry DEFAULT at line 2

  Is that entry at line 2 of the users file?  If not, the server is
matching an earlier entry, and not the one with Accept.

  Alan DeKok.
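Alan's hint rests on the `users` file being matched top to bottom with the first match winning. The following is an added example (my code, not the server's rlm_files parser) that models that rule on a constructed users file in which an earlier DEFAULT entry at line 2 shadows a `DEFAULT  Auth-Type := Accept` appended at the end, and shows that `Fall-Through = Yes` on the earlier entry is what lets the appended one be reached. The parser handles only the subset of syntax used here (no commas inside values, `==` compares against the request, `:=` and `=` set control items).

```python
"""Added example (not the server's own rlm_files parser): a minimal model of
how entries in the FreeRADIUS `users` file are matched top to bottom, to show
why `DEFAULT  Auth-Type := Accept` appended at the end can be shadowed by an
earlier DEFAULT entry, as "Matched entry DEFAULT at line 2" suggests."""
import re
from dataclasses import dataclass, field

# Constructed users file: line 2 holds an earlier DEFAULT entry without
# Fall-Through, line 8 the appended accept-all entry.
SAMPLE_USERS = """\
# constructed sample users file
DEFAULT\tService-Type == Framed-User
\tFramed-Protocol = PPP

alice\tCleartext-Password := "secret"
\tReply-Message = "hello alice"

DEFAULT\tAuth-Type := Accept
\tReply-Message = "accepted by the catch-all entry"
"""

ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|\+=|!=|=)\s*"?([^"]*?)"?\s*$')


@dataclass
class Entry:
    name: str
    line: int
    check: list = field(default_factory=list)   # (attr, op, value)
    reply: list = field(default_factory=list)


def parse_items(text):
    """Split 'A == x, B := y' into tuples. Assumption: no commas in values."""
    items = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        m = ITEM_RE.match(part)
        if not m:
            raise ValueError(f"bad item: {part!r}")
        items.append(m.groups())
    return items


def parse_users(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # indented: reply items
            if not entries:
                raise ValueError(f"line {lineno}: reply items before any entry")
            entries[-1].reply.extend(parse_items(raw))
        else:                                    # new entry: name, check items
            name, rest = re.match(r"(\S+)\s*(.*)", raw).groups()
            entries.append(Entry(name, lineno, parse_items(rest)))
    return entries


def entry_matches(entry, request):
    if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
        return False
    # Only '==' compares against the request; ':=' and '=' set control items.
    return all(request.get(a) == v for a, op, v in entry.check if op == "==")


def process(entries, request):
    """Walk the file in order; stop at the first match unless it sets
    Fall-Through = Yes. Returns (matched line numbers, control, reply)."""
    matched, control, reply = [], {}, {}
    for e in entries:
        if not entry_matches(e, request):
            continue
        matched.append(e.line)
        for a, op, v in e.check:
            if op in (":=", "="):
                control[a] = v
        fall_through = False
        for a, op, v in e.reply:
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
            else:
                reply[a] = v
        if not fall_through:
            break
    return matched, control, reply


REQUEST = {"User-Name": "bob", "Service-Type": "Framed-User"}  # constructed

if __name__ == "__main__":
    entries = parse_users(SAMPLE_USERS)
    print(process(entries, REQUEST))      # matched [2], no Auth-Type set
    entries[0].reply.append(("Fall-Through", "=", "Yes"))
    print(process(entries, REQUEST))      # matched [2, 8], Auth-Type Accept
```

The debug line `users: Matched entry DEFAULT at line 2` is therefore the thing to check first: if the accept-all entry lives at the bottom of the file, it is never consulted unless every entry above it that can match either falls through or is moved below it. Since such an entry accepts everyone it matches, keeping it narrow with check items is the safer shape once the ordering is sorted out.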


Re: Question regarding rlm_perl and Access-Challenge

2008-08-19 Thread Alan DeKok
Harry J Walsh wrote:
 Thanks for the swift reply DeKok.  I tried what you suggested and it
 doesn't work. 

  Sorry... looking at the code again, the Response-Packet-Type should go
into the control/check items.
...

 $RAD_REPLY{'Response-Packet-Type'} = "Access-Challenge";

  Change that to RAD_CHECK
...
 The last line here is confusing me.  Looking at the code that spits
 out this error, it seems to only happen when there is no
 Response-Packet-Type in a request_post_handler.
 
 switch (request->packet->code) {
 case PW_AUTHENTICATION_REQUEST:
         gettimeofday(&request->next_when, NULL);

         if (request->reply->code == 0) {
                 /*
                  *  Check if the lack of response is intentional.
                  */
                 vp = pairfind(request->config_items,

  config_items is the control/check list.

  Alan DeKok.
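To see why moving the attribute from `%RAD_REPLY` to `%RAD_CHECK` is the whole fix, here is an added example (my code, not FreeRADIUS) that models the decision in the `request_post_handler` excerpt quoted above: the reply code is set only from `request->config_items`, the control list, and the reply list is never consulted. The mapping of module return codes to an initial reply code, and the value names for `Response-Packet-Type` (256 as `Do-Not-Respond`), are assumptions made for the model; the packet numbers behind `PW_AUTHENTICATION_ACK`, `PW_AUTHENTICATION_REJECT` and `PW_ACCESS_CHALLENGE` are the RFC 2865 codes.

```python
"""Added example (not FreeRADIUS code): a model of the reply-code decision
quoted from request_post_handler, to show why Response-Packet-Type must sit
in the control list (rlm_perl's %RAD_CHECK) and is ignored in the reply list
(%RAD_REPLY)."""

# RADIUS packet codes (RFC 2865) behind the PW_* constants in the C excerpt.
PW_AUTHENTICATION_ACK, PW_AUTHENTICATION_REJECT, PW_ACCESS_CHALLENGE = 2, 3, 11
# Assumed value names for Response-Packet-Type; 256 is the "do not respond"
# sentinel the quoted C code tests for.
RESPONSE_PACKET_TYPE = {"Access-Accept": 2, "Access-Reject": 3,
                        "Access-Challenge": 11, "Do-Not-Respond": 256}
RLM_MODULE_REJECT, RLM_MODULE_OK, RLM_MODULE_HANDLED = "reject", "ok", "handled"


def reply_code_after_authenticate(rc):
    """Simplified model: ok -> Access-Accept, reject -> Access-Reject,
    handled -> leave the code at 0 so the post handler consults the
    control list (this is why Alan says the section must return handled)."""
    return {RLM_MODULE_OK: PW_AUTHENTICATION_ACK,
            RLM_MODULE_REJECT: PW_AUTHENTICATION_REJECT,
            RLM_MODULE_HANDLED: 0}[rc]


def post_handler(reply_code, control, _reply, log):
    """Mirror the quoted switch: only request->config_items (control) is
    searched; the reply list (_reply) is deliberately never looked at."""
    if reply_code != 0:
        return reply_code                    # a module already chose the code
    name = control.get("Response-Packet-Type")
    if name is None:
        log.append("There was no response configured: rejecting request")
        return PW_AUTHENTICATION_REJECT
    code = RESPONSE_PACKET_TYPE[name]
    if code == 256:
        log.append("Not responding to request")
        return None                          # packet is dropped, no reply
    return code


def run(rad_check, rad_reply, rc):
    """Drive one request through authenticate + post handler.
    Returns (reply code or None, debug lines)."""
    log = []
    code = post_handler(reply_code_after_authenticate(rc), rad_check, rad_reply, log)
    return code, log


# Constructed lists matching the thread's two attempts: first with the
# attribute in the reply list, then in the control (check) list.
FIRST_TRY = ({}, {"State": "challenge", "Response-Packet-Type": "Access-Challenge"})
FIXED = ({"Response-Packet-Type": "Access-Challenge"}, {"State": "challenge"})

if __name__ == "__main__":
    print(run(*FIRST_TRY, RLM_MODULE_HANDLED))   # rejected, same debug line as the thread
    print(run(*FIXED, RLM_MODULE_HANDLED))       # Access-Challenge (11)
    print(run(*FIXED, RLM_MODULE_OK))            # Access-Accept: handled was required
```

The model reproduces the thread's debug line for the first attempt and yields code 11 once the attribute moves to the control list; it also shows the second half of the original advice, since returning `ok` instead of `handled` turns the same configuration into an Access-Accept.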


Re: Question regarding rlm_perl and Access-Challenge

2008-08-19 Thread Harry J Walsh
Yes, that worked a charm.  Thanks for the help Alan!

--
Harry

On Tue, Aug 19, 2008 at 6:03 PM, Alan DeKok [EMAIL PROTECTED] wrote:
 Harry J Walsh wrote:
 Thanks for the swift reply DeKok.  I tried what you suggested and it
 doesn't work.

  Sorry... looking at the code again, the Response-Packet-Type should go
 into the control/check items.
 ...

 $RAD_REPLY{'Response-Packet-Type'} = Access-Challenge;

  Change that to RAD_CHECK
 ...
 The last line here is confusing me.  Looking at the code that spits
 out this error, it seems to only happen when there is no
 Response-Packet-Type in a request_post_handler.

 switch (request-packet-code) {
 case PW_AUTHENTICATION_REQUEST:
 gettimeofday(request-next_when, NULL);

 if (request-reply-code == 0) {
 /*
  *  Check if the lack of response is intentional.
  */
 vp = pairfind(request-config_items,

  config_items is the control/check list.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




-- 
Harry J Walsh


Re: NAS-Post in Netgear Accounting-Packet

2008-08-19 Thread Stefan Puch

In the Start-Packets and Interim-Update-Packets it seems to be right.

But ALL the Stop-Packets have 0 as NAS-Port.

So, you agree that this is a bug in the Access-Point?

Thank you for your reply.

Wolfgang Burger


Hello, I've got three WG102 Access Points from Netgear. I'm using the latest 
firmware Version 4.0.27 because it should fix the issue that 802.1x 
Authentication does not work with machine authentication.


But I can confirm that the accounting is still NOT working every time. Looking 
into my logfiles I can see that in the cases which worked fine, the same 
port is used every time.

Here are two examples, the first one worked fine, the Session-Id is always the 
same:
Wed Aug 13 20:05:14 2008
Service-Type = Framed-User
Acct-Status-Type = Start
User-Name = test1
Framed-MTU = 1488
Acct-Session-Id =1
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
Called-Station-Id = 00184DC8:Network
Calling-Station-Id = 001A73XX
NAS-Identifier = APBuero
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
NAS-IP-Address = 192.168.XX.XX
NAS-Port = 1
NAS-Port-Id = STA port # 1
Acct-Unique-Session-Id = 866e0c5655a05a0b
Timestamp = 1218650714
Request-Authenticator = Verified


Wed Aug 13 20:10:13 2008
Service-Type = Framed-User
Acct-Status-Type = Interim-Update
User-Name = test1
Framed-MTU = 1488
Acct-Session-Id =1
Acct-Authentic = RADIUS
Acct-Session-Time = 299
Acct-Delay-Time = 0
Called-Station-Id = 00184DC8:Network
Calling-Station-Id = 001A73XX
NAS-Identifier = APBuero
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
NAS-IP-Address = 192.168.XX.XX
NAS-Port = 1
NAS-Port-Id = STA port # 1
Acct-Unique-Session-Id = 866e0c5655a05a0b
Timestamp = 1218651013
Request-Authenticator = Verified


Wed Aug 13 20:34:33 2008
Service-Type = Framed-User
Acct-Status-Type = Stop
User-Name = test1
Framed-MTU = 1488
Acct-Session-Id =1
Acct-Authentic = RADIUS
Acct-Session-Time = 1758
Acct-Terminate-Cause = User-Request
Acct-Delay-Time = 0
Called-Station-Id = 00184DC8:Network
Calling-Station-Id = 001A73XX
NAS-Identifier = APBuero
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
NAS-IP-Address = 192.168.XX.XX
NAS-Port = 1
NAS-Port-Id = STA port # 1
Acct-Unique-Session-Id = 866e0c5655a05a0b
Timestamp = 1218652473
Request-Authenticator = Verified


But this second one from today fails with the error:

Tue Aug 19 18:11:30 2008 : Auth: Login OK: [test2 /via Auth-Type = EAP] (from 
client AP-Halle1 port 1 cli 001302BE)
Tue Aug 19 18:12:30 2008 : Error: rlm_radutmp: Logout for NAS AP-Halle1 port 0, 
but no Login record


When looking into the detail log I can also see that the Session-Id and the port 
changed, and I don't know why.


Tue Aug 19 18:11:30 2008
Service-Type = Framed-User
Acct-Status-Type = Start
User-Name = test2
Framed-MTU = 1488
Acct-Session-Id =6
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
Called-Station-Id = :Network
Calling-Station-Id = 001302BE
NAS-Identifier = AP-Halle1
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
NAS-IP-Address = 192.168.xx.xx
NAS-Port = 1
NAS-Port-Id = STA port # 1
Acct-Unique-Session-Id = 11f6ee9422434136
Timestamp = 1219162290
Request-Authenticator = Verified

Tue Aug 19 18:12:30 2008
Service-Type = Framed-User
Acct-Status-Type = Stop
User-Name = test2
Framed-MTU = 1488
Acct-Session-Id =6
Acct-Authentic = RADIUS
Acct-Session-Time = 60
Acct-Terminate-Cause = User-Request
Acct-Delay-Time = 0
Called-Station-Id = :Network
Calling-Station-Id = 001302BE
NAS-Identifier = AP-Halle1
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
NAS-IP-Address = 192.168.xx.xx
NAS-Port = 0
NAS-Port-Id = STA port # 0
Acct-Unique-Session-Id = 9c44efbf7672967b
Timestamp = 1219162350
Request-Authenticator = Verified

---
Obviously the Netgear access point uses port 1 on start but port 0 on stop.
Also the user is definitely NOT connected anymore, but radwho shows the 
following:


# radwho -R
User-Name = test2
Acct-Session-Id =6

Re: I've started to put the book online

2008-08-19 Thread Alexandre Chapellon
ok then I know what to do today to stop feeling stupid on this list :p


Alan DeKok wrote:
> http://deployingradius.com/book/
>
>   Only parts of the first chapter are online.  It covers the basic
> concepts behind RADIUS, and should hopefully address a number of common
> misunderstandings about how it all works.
>
>   Keep checking the site.  More will be coming later.
>
>   Alan DeKok.


Re: NAS-Post in Netgear Accounting-Packet

2008-08-19 Thread Ivan Kalik
> Tue Aug 19 18:11:30 2008 : Auth: Login OK: [test2 /via Auth-Type = EAP] (from
> client AP-Halle1 port 1 cli 001302BE)
> Tue Aug 19 18:12:30 2008 : Error: rlm_radutmp: Logout for NAS AP-Halle1 port 0,
> but no Login record
>
> ..
> It shows that the user is still connected...
> Does anyone know how this is possible?


Login was on port 1. Logout on 0. Acct-Unique-Session-Id is different so
session was never closed. Fix NAS to send proper information. Or get one
that does.

Ivan Kalik
Kalik Informatika ISP

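Ivan's diagnosis (Start on port 1, Stop on port 0, so the login record is never closed) can be checked mechanically against the detail log Wolfgang posted. The Python below is an added example, not code from the thread or from FreeRADIUS: it parses the detail-file layout quoted above on a constructed excerpt, models rlm_radutmp's matching as a plain (NAS-Identifier, NAS-Port) key (a simplification of the real module), and, because Acct-Unique-Session-Id is itself derived from NAS-Port among other attributes, pairs Start and Stop by Acct-Session-Id to expose the port change directly.

```python
# Detail-log excerpt modelled on the test2 records quoted in the thread
# (constructed; attributes trimmed to the ones the check needs).
DETAIL_LOG = """\
Tue Aug 19 18:11:30 2008
\tAcct-Status-Type = Start
\tAcct-Session-Id = "6"
\tNAS-Identifier = "AP-Halle1"
\tNAS-Port = 1

Tue Aug 19 18:12:30 2008
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "6"
\tNAS-Identifier = "AP-Halle1"
\tNAS-Port = 0
"""

def parse_detail(text):
    """One dict per record: a timestamp line opens it, indented
    'Attribute = value' lines fill it, a blank line closes it."""
    records, current = [], None
    for line in text.splitlines():
        name, eq, value = line.partition("=")
        if eq and current is not None:
            current[name.strip()] = value.strip().strip('"')
        elif line.strip():
            records.append(current := {"_timestamp": line.strip()})
        else:
            current = None
    return records

def check_accounting(text):
    """Replay records the way rlm_radutmp does, simplified to a login
    record per (NAS-Identifier, NAS-Port): a Stop that finds none is the
    'Logout ... but no Login record' error, a Start never closed is what
    radwho keeps showing. Start/Stop are also paired by Acct-Session-Id."""
    logged_in, start_port, orphan_stops, port_changes = {}, {}, [], []
    for rec in parse_detail(text):
        nas, port, sid = (rec.get(a) for a in
                          ("NAS-Identifier", "NAS-Port", "Acct-Session-Id"))
        if rec.get("Acct-Status-Type") == "Start":
            logged_in[(nas, port)] = sid
            start_port[(nas, sid)] = port
        elif rec.get("Acct-Status-Type") == "Stop":
            if logged_in.pop((nas, port), None) is None:
                orphan_stops.append((nas, port, sid))
            if (nas, sid) in start_port and start_port[(nas, sid)] != port:
                port_changes.append((nas, sid, start_port[(nas, sid)], port))
    stale = [(nas, port, sid) for (nas, port), sid in logged_in.items()]
    return stale, orphan_stops, port_changes
```

Run against a real detail file, a non-empty `stale` list is exactly the set of entries radwho will keep showing, and `port_changes` names the NAS whose Stop packets need fixing.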


Re: I've started to put the book online

2008-08-19 Thread Sergio

Alexandre Chapellon wrote:

ok then I know what to do today to stop feeling stupid on this list :p


Me too :)
At least the links which are there at this moment (concepts) will be very 
useful for beginners. Concepts rule.



Re: I've started to put the book online

2008-08-19 Thread Do Nguyen Ha

It's good news for everyone who loves FreeRadius :)



Re: compiling freeradius with oracle support

2008-08-19 Thread Alexandre Chapellon
Ok, the module compiles great, and it creates rlm_sql_oracle-2.0.5.so
(and its symlink). I copied those two files into /usr/lib/freeradius,
but when launching freeradius -X I get:

rlm_sql (sql): Driver rlm_sql_oracle (module rlm_sql_oracle) loaded and
linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_oracle #0
freeradius: symbol lookup error: /usr/lib/freeradius/rlm_sql_oracle.so:
undefined symbol: OCIEnvCreate

Of course I installed the Oracle instantclient. I also added
/opt/oracle/instantclient_11_1 in ld.so.conf and ran ldconfig afterwards.
I tried to export ORACLE_HOME (to /opt/oracle and to
/op/oracle/instantclient_11_1) as an environment variable prior to
starting freeradius... but still with no success.

I have to say that no oracle instance is installed on the server (only
the client libs shipped in the basic.zip file, provided by oracle) and
so the instance freeradius is trying to connect to doesn't exist yet,
but I doubt this should be a problem for starting freeradius.

If anyone can help, welcome.



Re: compiling freeradius with oracle support

2008-08-19 Thread Alan DeKok
Alexandre Chapellon wrote:
> Ok, the module compiles great, and it creates rlm_sql_oracle-2.0.5.so
> (and its symlink). I copied those two files into /usr/lib/freeradius,
> but when launching freeradius -X I get:
...
> freeradius: symbol lookup error: /usr/lib/freeradius/rlm_sql_oracle.so:
> undefined symbol: OCIEnvCreate

  And we now see the reason why the configure script didn't work.

> Of course I installed the Oracle instantclient. I also added
> /opt/oracle/instantclient_11_1 in ld.so.conf and ran ldconfig afterwards.

  Is the library in that directory, or in
/opt/oracle/instantclient_11_1/lib ?

  In any case, use the *same* library path here that you used in the
Makefile, as the -L argument.  It should then work.

> I have to say that no oracle instance is installed on the server (only
> the client libs shipped in the basic.zip file, provided by oracle) and
> so the instance freeradius is trying to connect to doesn't exist yet,
> but I doubt this should be a problem for starting freeradius.

  That's fine.  The error above is much earlier in the startup process
than the connect to Oracle phase.

  Alan DeKok.