Re: Active Directory, PEAP and random works....
On Sun, May 16, 2010 at 10:06:34PM +0100, Alan Buxey wrote:
> > freeradius 2.0.4 samba 3.2.5
> you want to run the latest SAMBA but are happy with older FR? FreeRADIUS 2.1.8 with SAMBA 3.0.37 should be a good combo.
Or, he was simply using the versions of FreeRADIUS and Samba shipped with Debian 5.0. Downgrading Samba probably isn't really an option.
--
2. That which causes joy or happiness.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: COA default configuration...Need help to test radclient
On 2010/05/15 08:28 AM, Alan DeKok wrote:
> > ... Do I have to do anything more than any default configuration?
> In 2.1.8, there's an example CoA server in raddb/sites-available/coa
The coa example was missing from 2.1.8. Please have a look here.
http://github.com/alandekok/freeradius-server/blob/master/raddb/sites-available/coa
--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271 Fax: (021) 886-7782
RE: Active Directory, PEAP and random works....
Thanks Alan, I will try this evening the two combinations:
- Freeradius 2.1.8 and samba 3.5.2
- Freeradius 2.1.8 and samba 3.0.37
-----Original Message-----
From: freeradius-users-bounces+abdessamad=barakat...@lists.freeradius.org [mailto:freeradius-users-bounces+abdessamad=barakat...@lists.freeradius.org] On behalf of Alan Buxey
Sent: Sunday, 16 May 2010 23:07
To: FreeRadius users mailing list
Subject: Re: Active Directory, PEAP and random works
Hi,
> freeradius 2.0.4 samba 3.2.5 cisco aironet 1240
you want to run the latest SAMBA but are happy with older FR? FreeRADIUS 2.1.8 with SAMBA 3.0.37 should be a good combo.
you might also want to try much recent SAMBA though as they may have reverted/changed the behaviour issue (3.5.2)
alan
RE: Active Directory, PEAP and random works....
Yes, it's the debian lenny packages but I have also tried with freeradius 2.1.8 and samba 3.2.15 from source with the same effect
Have you already seen this problem?
Thanks
-----Original Message-----
From: freeradius-users-bounces+abdessamad=barakat...@lists.freeradius.org [mailto:freeradius-users-bounces+abdessamad=barakat...@lists.freeradius.org] On behalf of Josip Rodin
Sent: Monday, 17 May 2010 09:24
To: FreeRadius users mailing list
Subject: Re: Active Directory, PEAP and random works
On Sun, May 16, 2010 at 10:06:34PM +0100, Alan Buxey wrote:
> > freeradius 2.0.4 samba 3.2.5
> you want to run the latest SAMBA but are happy with older FR? FreeRADIUS 2.1.8 with SAMBA 3.0.37 should be a good combo.
Or, he was simply using the versions of FreeRADIUS and Samba shipped with Debian 5.0. Downgrading Samba probably isn't really an option.
--
2. That which causes joy or happiness.
Re: Cisco AP's with WPA sending Accounting info.
Hi,
> Hi List. I have been trying to get some Cisco 1130AG's to work with freeradius. I have got them to authenticate but can not get them to send accounting data. I think it has something to do with the peap tunnel, as I remember seeing it listed somewhere. My question is how do others do accounting on WPA wireless clients? There is accounting stuff that I have set up in the cisco AP but it doesn't seem to do anything.
autonomous ('fat') or LWAPP/CAPWAP (thin, centrally managed)?
you can ensure that you copy the inner tunnel to the outer (that's an option in eap.conf) but just ensure that you have the right options set on the NAS - if you don't get anything at the server end it would suggest the NAS
alan
FW: EAP_TLS
Dear Friends,
I wanted to modify EAP-TLS protocol available in Freeradius. I found two files in src/modules/rlm_eap/libeap directory: eap_tls.c and tls.c. Can you please guide me to understand the code and which file does which functionality?
Harshil A. Shah, Systems Engineer(SE), Convergence Labs, SETLabs, Bangalore, Contact#: 09742887966.
ISG DHCP relay
I am sorry for contacting list for my problem, but I have searched for more than 15 days trying to find the solution with no success:
1. I have a cisco ISG with DHCP relay that points to freeradius
2. freeradius will send access accept or access reject based on mac address, nas ip etc.
This scenario works ok for CPE devices, but not for CM devices because CM devices need TFTP server name and TFTP file name. I am unable to find right reply message format. So, my problem is BOOTP part. Is there any way to send those data to ISG so that ISG can combine those data and send it to CM device?
Again, I am sorry for asking this question here but it is partially tied to freeradius functionality. I hope there is someone on this list that has more experience with ISG and freeradius to point me to right direction.
Thank you...
Re: EAP-TLS and MAC Authentication
I've been told that Cisco APs won't do WPA with MAC auth in recent versions of IOS.
-John
Re: EAP-TLS and MAC Authentication
Hi,
> I've been told that Cisco APs won't do WPA with MAC auth in recent versions of IOS.
how would that have worked anyway - you need the key exchange and the right type of EAP for WPA and wireless
alan
MAC Address Authentication
hi
finally, I installed freeradius and mysql and I add users. Now I'm working with daloradius. First, I add other user by daloradius and now I add MAC Address Authentication. I know I may do
radtest user password ip-address port secret
to test a user in my radius, but I want to know how to test, in the shell, the MAC Address Authentication that I added or it is just to confirm to user added and don't need any command?
Re: ISG DHCP relay
Igor Smitran wrote:
> this scenario works ok for CPE devices, but not for CM devices because CM devices need TFTP server name and TFTP file name. I am unable to find right reply message format. So, my problem is BOOTP part. Is there any way to send those data to ISG so that ISG can combine those data and send it to CM device?
What does the ISG documentation say?
> Again, I am sorry for asking this question here but it is partially tied to freeradius functionality. I hope there is someone on this list that has more experience with ISG and freeradius to point me to right direction.
Ask the vendor how their product works...
Alan DeKok
RE: EAP-TLS and MAC Authentication
> Hi,
> > I've been told that Cisco APs won't do WPA with MAC auth in recent versions of IOS.
> how would that have worked anyway - you need the key exchange and the right type of EAP for WPA and wireless
> alan
The only way I can think of it working was if using Cisco's local MAC list on the AP itself. I tried testing briefly with EAP and MAC set FR only. In about a minute or so, I received about 2K EAP requests all returning Access-Reject. If I get a few spare moments to test, I'll try adding my MAC to the local list and tell the AP to use the local list for MAC and FR for EAP. I have a feeling this might work, but I am certainly not going back to maintaining MAC lists on all of our APs (both because I'd have to modify the APs again to have enough storage space to hold the MAC list and because it's a pain to keep that many lists in sync) and I think using a check in FR is a much cleaner solution in many ways.
--
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
O ASCII Ribbon Campaign - Stop HTML e-mail! - www.asciiribbon.org
Group Authentication
I have compiled FreeRADIUS 2.1.8 on a fresh Ubuntu 9.10 install. I am using Microsoft SQL Server as a backend. I have installed and successfully configured UnixODBC and FreeTDS to get FreeRADIUS to communicate with the server. FreeRADIUS will authenticate users correctly from the radcheck and radreply tables. However, I am also trying to get it to return attributes based on their group assignment. I have uncommented the 'read_groups = yes' directive and also put a 'Fall-Through = yes' into the radreply table, and FreeRADIUS still will not check the group assignments. I am at a loss here as I have tried to get this working for almost a week now. Any help would be greatly appreciated!
Below is the output of my radiusd -X.
FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on Mar 19 2010 at 16:33:42
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Supplicant authentication Issue
Hello.
Why, using Supplicant Intel PROSet or Supplicant Broadcom, I can authenticate with users from AD, and with Windows supplicant no?
I see in radiusd -X log this difference:
Windows Supplicant:
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] TLS 1.0 Handshake [length 0791], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Intel PROSet Supplicant:
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] TLS 1.0 Handshake [length 0791], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
I'm losing with windows supplicant:
[peap] TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
This is my issue?
Regards
Pedro Alves
Re: Authentication with existing MySQL database
Alan DeKok wrote:
> Quentin Smith wrote:
> > However, when I run freeradius -X, it appears that for some reason that setting is erased. The following is the pertinent output:
> Read the rest of the debug output. Which files is it reading? Which one contains the SQL configuration? Which one did you edit?
I edited the sql.conf file, which was the file being read.
> > I'm guessing the SQL query error is related to the fact that authorize_check_query is now an empty string, but I'm not sure why that's the case.
> You edited it locally. The default configuration doesn't have this issue. Find out which file was edited, and fix it.
> Alan DeKok.
Quentin Smith
RE: EAP-TLS and MAC Authentication
> > how would that have worked anyway - you need the key exchange and the right type of EAP for WPA and wireless
> > alan
> The only way I can think of it working was if using Cisco's local MAC list on the AP itself. I tried testing briefly with EAP and MAC set FR only. In about a minute or so, I received about 2K EAP requests all returning Access-Reject. If I get a few spare moments to test, I'll try adding my MAC to the local list and tell the AP to use the local list for MAC and FR for EAP. I have a feeling this might work, but I am certainly not going back to maintaining MAC lists on all of our APs (both because I'd have to modify the APs again to have enough storage space to hold the MAC list and because it's a pain to keep that many lists in sync) and I think using a check in FR is a much cleaner solution in many ways.
> --
> John McDonnell
> Penn Cambria School District
> mcdon...@pcam.org
> O ASCII Ribbon Campaign - Stop HTML e-mail! - www.asciiribbon.org
Yes, when checking the MAC against the local list, it works. It checks the MAC against the local list before attempting to forward any packets to FR for EAP. When using a lightweight AP instead of an autonomous AP, I suppose this list is kept on the controller and distributed to the APs. This is the only way that seems like it would be of any use.
--
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
O ASCII Ribbon Campaign - Stop HTML e-mail! - www.asciiribbon.org
Re: Authentication with existing MySQL database
Alan DeKok wrote:
> Quentin Smith wrote:
> > However, when I run freeradius -X, it appears that for some reason that setting is erased. The following is the pertinent output:
> Read the rest of the debug output. Which files is it reading? Which one contains the SQL configuration? Which one did you edit?
I edited the sql.conf file, which was the file being read.
> > I'm guessing the SQL query error is related to the fact that authorize_check_query is now an empty string, but I'm not sure why that's the case.
> You edited it locally. The default configuration doesn't have this issue. Find out which file was edited, and fix it.
> Alan DeKok.
After some closer inspection, I discovered the problem. In order to have the default configuration available for reference purposes, I had simply commented out the following line:
  authorize_check_query = SELECT id, UserName, Attribute, Value, op \
and replaced it with the following line:
  authorize_check_query = SELECT id, name as UserName, 'NT-Password' as Attribute, nthashpass as Value, ':=' as op \
However, I didn't realize that commenting the line didn't prevent the escaping of the return character at the end of the line, effectively commenting out the following lines as well. Deleting the backslash fixed the problem, and it now works as I intended.
Thanks for the reply.
--
Quentin Smith
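Added example (not part of the original thread, and not FreeRADIUS code): a small lint for the mistake described above, a commented-out line that still ends in a backslash. It assumes, as the post reports, that continuation lines are joined before comments are dropped; the sample file, the table name and all function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the edit described in the post. The FROM and
# WHERE lines and the table name are placeholders, not the project's own file.
SAMPLE = r'''
sql {
#   authorize_check_query = SELECT id, UserName, Attribute, Value, op \
    authorize_check_query = SELECT id, name as UserName, 'NT-Password' as Attribute, nthashpass as Value, ':=' as op \
      FROM example_users \
      WHERE name = '%{User-Name}'
}
'''

# The fix from the post: delete the backslash on the commented-out line.
FIXED = SAMPLE.replace("Value, op \\\n", "Value, op\n", 1)


def logical_lines(text):
    """Join backslash-continued physical lines (assumed parser model).
    Yields (first_physical_line_number, joined_text)."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])      # drop the backslash, keep reading
            continue
        buf.append(raw)
        yield start, " ".join(part.strip() for part in buf)
        buf, start = [], None
    if buf:                                    # file ended on a continuation
        yield start, " ".join(part.strip() for part in buf)


def effective_settings(text):
    """Return {name: value} for the settings that survive comment stripping."""
    settings = {}
    for _, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue                           # whole joined line is a comment
        m = re.match(r"\s*([\w-]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def swallowed_by_comments(text):
    """Report (comment_line, [swallowed_lines]) for each comment ending in '\\'."""
    lines = text.splitlines()
    findings, i = [], 0
    while i < len(lines):
        if lines[i].lstrip().startswith("#") and lines[i].rstrip().endswith("\\"):
            j = i + 1
            while j < len(lines) and lines[j].rstrip().endswith("\\"):
                j += 1
            last = min(j, len(lines) - 1)      # last line pulled into the comment
            findings.append((i + 1, list(range(i + 2, last + 2))))
            i = j + 1
        else:
            i += 1
    return findings


if __name__ == "__main__":
    for comment_line, swallowed in swallowed_by_comments(SAMPLE):
        print(f"line {comment_line}: comment ends in '\\', swallows lines {swallowed}")
    print("before fix:", effective_settings(SAMPLE))
    print("after fix: ", effective_settings(FIXED))
```

Running the lint before restarting the server catches the case where a security-relevant query silently disappears from the effective configuration.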
RE: Cisco AP's with WPA sending Accounting info.
Hi Alan
I tried tweaking a few settings and then redid the config on the ap from scratch and it works.
Thanks for your help
Andrew Paternoster
--
Andrew Paternoster
GPK Computers Pty Ltd
T 1300 854 223 F 1300 854 228
Senior System Engineer
From: freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org [freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org] on behalf of Alan Buxey [a.l.m.bu...@lboro.ac.uk]
Sent: Monday, 17 May 2010 6:18 PM
To: FreeRadius users mailing list
Subject: Re: Cisco AP's with WPA sending Accounting info.
Hi,
> Hi List. I have been trying to get some Cisco 1130AG's to work with freeradius. I have got them to authenticate but can not get them to send accounting data. I think it has something to do with the peap tunnel, as I remember seeing it listed somewhere. My question is how do others do accounting on WPA wireless clients? There is accounting stuff that I have set up in the cisco AP but it doesn't seem to do anything.
autonomous ('fat') or LWAPP/CAPWAP (thin, centrally managed)?
you can ensure that you copy the inner tunnel to the outer (that's an option in eap.conf) but just ensure that you have the right options set on the NAS - if you don't get anything at the server end it would suggest the NAS
alan
accouting
I have installed the following two rpms: freeradius-mysql-2.1.3-1.fc9.i386 and freeradius-postgresql-2.1.3-1.fc9.i386 on my Fedora machine. However, when I tried to configure sql server by using mysqladmin ..., system says command not found. Do I need to install anything else (and where I can download them) before executing that command?
Thanks a lot in advance.
Re: accouting
rosect...@yahoo.com wrote:
> I have installed the following two rpms: freeradius-mysql-2.1.3-1.fc9.i386 and freeradius-postgresql-2.1.3-1.fc9.i386 on my Fedora machine. However, when I tried to configure sql server by using mysqladmin ..., system says command not found. Do I need to install anything else (and where I can download them) before executing that command? Thanks a lot in advance.
Actually installing MySQL might be a good start considering that is what installs mysqladmin
Re: Encrypted password with FR+LDAP+Wireless Network
The password is encoded for PAP (when a User-Password is present). It's the only authentication method that uses decodable passwords. FR is displaying it in plain text for your convenience.
Inýcio Alves wrote:
> Good Morning to all. I would like if is possible use FR+LDAP with Use-Password encrypted? I'm using FR 2.1.8 + OpenLDAP 2.4.21. I'm trying configure FR to authenticate users in wireless network. This is my debug output. When I try a radtest with login/pass from the users file I don't get warning, but LDAP
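Added example (not part of the original thread, and not FreeRADIUS code): why a server can show a PAP password in plain text. The User-Password attribute is hidden with MD5 keyed by the shared secret and the Request Authenticator (RFC 2865, section 5.2), which the receiver reverses, whereas a CHAP response is a one-way hash that can only be compared. The secret, authenticator and passwords below are constructed values.

```python
import hashlib


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-octet multiple
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = _md5(secret + prev)
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev                                        # ciphertext chains forward
    return out


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does on receipt: same pads, XORed back out."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden User-Password must be 16..128 octets, multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = _md5(secret + prev)
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")                             # strip the NUL padding


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP for contrast: MD5(id + password + challenge); nothing to decode,
    the server recomputes it from a password it already knows and compares."""
    return _md5(bytes([chap_id]) + password + challenge)


# Constructed demo values, not taken from the thread.
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"correct horse battery"          # 21 octets, so two 16-octet blocks


def demo():
    hidden = hide_user_password(PASSWORD, SECRET, AUTHENTICATOR)
    return hidden, recover_user_password(hidden, SECRET, AUTHENTICATOR)


if __name__ == "__main__":
    hidden, recovered = demo()
    print("on the wire :", hidden.hex())
    print("server sees :", recovered.decode())
    print("CHAP value  :", chap_response(1, PASSWORD, AUTHENTICATOR).hex())
```

The hiding is only as strong as the shared secret: anyone holding it and a captured Access-Request recovers the password, so the secret and any debug logs need the same protection as the passwords themselves.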
Recommended books on freeradius
Hi all,
Trying to get my hands on a freeradius book for reading. Anyone might have any recommendations for this?
Mark
Re: accouting
Larry Brower wrote:
> rosect...@yahoo.com wrote:
> > I have installed the following two rpms: freeradius-mysql-2.1.3-1.fc9.i386 and freeradius-postgresql-2.1.3-1.fc9.i386 on my Fedora machine. However, when I tried to configure sql server by using mysqladmin ..., system says command not found. Do I need to install anything else (and where I can download them) before executing that command? Thanks a lot in advance.
> Actually installing MySQL might be a good start considering that is what installs mysqladmin
Try this command to start mysql
service mysqld start
Vu Hung,
Re: Recommended books on freeradius
Mark wrote:
> Hi all, Trying to get my hands on a freeradius book for reading. Anyone might have any recommendations for this?
The only RADIUS book is the O'Reilly one. It's old, nearly content-free, and not overly helpful.
I've been working on a book forever, but have recently re-focussed my efforts. Stay tuned.
Alan DeKok.