Re: Problem ms-chapv2

2011-02-07 Thread Alan Buxey
Hi,

Hello. Please help me. I am trying to set up FreeRADIUS (FreeBSD 7.2-RELEASE
amd64) as a proxy. Windows clients can't connect with the default
settings in a PPPoE connection (on the Security tab all auth protocols are enabled);
the server sends a 691 error. If I disable all protocols except mschapv1,
everything works fine without errors.
Please tell me what I am doing wrong. All settings in the conf files are at
default; I changed only proxy.conf and client.conf.
I tried versions 2.1.10 and 2.1.9.

In this case, FreeRADIUS is only doing what it's told, and it's told by your
remote server to reject.

cut
Mon Feb 7 10:28:40 2011 : Info: Proxying request 65 to home server
172.20.192.19 port 1812
Sending Access-Request of id 255 to 172.20.192.19 port 1812
snip
rad_recv: Access-Reject packet from host 172.20.192.19 port 1812, id=255,
length=43
Reply-Message = Authorization failed.
cut


okay. So MSCHAPv2 etc. are very fussy. My assumption here would be that
in your proxy.conf, for the 'moco' realm, you haven't got 'nostrip' defined,
so User-Name is getting altered. This really plays merry games with end
authentication systems that use that as part of the hashing etc. Define
that realm as 'nostrip' and then you should see 'test-user@moco' being
sent off as User-Name to 172.20.192.19 and it will work.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
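The point Alan makes above, as an added example that is not part of the original post or of FreeRADIUS: RFC 2759 derives the 8-octet challenge that the MS-CHAPv2 peer signs from SHA-1 over both challenges and the User-Name, so a proxy that strips '@moco' before forwarding makes the home server hash a different name than the client did, and the NT-Response can never verify. The challenge values are constructed, and the realm-stripping model (`forwarded_user_name`) is an assumed simplification of what a proxy realm without 'nostrip' does.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: bytes) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash(): the first 8 bytes of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).

    UserName is the name as the peer presented it; the RFC excludes only a
    prepended domain (DOMAIN\\user) prefix, not an @realm suffix, so
    'test-user@moco' and 'test-user' hash differently.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge are 16 octets each")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + user_name).digest()
    return digest[:8]


def forwarded_user_name(user_name: str, nostrip: bool) -> str:
    """Assumed model of the User-Name a proxy realm sends to the home server:
    with 'nostrip' it is passed through unchanged, otherwise the '@realm'
    suffix is stripped before the request is forwarded."""
    if nostrip:
        return user_name
    return user_name.split("@", 1)[0]


def home_server_can_verify(user_name: str, nostrip: bool,
                           peer_challenge: bytes, authenticator_challenge: bytes) -> bool:
    """True only when the home server derives the same 8-octet challenge the
    client signed.  The client's NT-Response is computed over this challenge,
    so a different challenge means the response can never verify and the
    home server answers Access-Reject."""
    client_side = challenge_hash(peer_challenge, authenticator_challenge,
                                 user_name.encode("utf-8"))
    server_side = challenge_hash(peer_challenge, authenticator_challenge,
                                 forwarded_user_name(user_name, nostrip).encode("utf-8"))
    return client_side == server_side


# Constructed, fixed challenge values so the run is reproducible; real peers
# pick them at random for every authentication.
PEER_CHALLENGE = bytes(range(16))
AUTHENTICATOR_CHALLENGE = bytes(range(16, 32))

if __name__ == "__main__":
    for nostrip in (False, True):
        ok = home_server_can_verify("test-user@moco", nostrip,
                                    PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE)
        print(f"realm nostrip={nostrip}: home server challenge matches client: {ok}")
```

Only the challenge derivation is shown; the DES-based ChallengeResponse step that follows it in RFC 2759 is omitted because the mismatch is already decided here.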


Re: radius authentication support for telnet server.

2011-02-07 Thread vijay s sheelavantar
Thank you very very much Mr. Fajar. After making changes in /etc/pam.d/login
it's working. The authentication request is coming to the FreeRADIUS server and
authentication is successful. :)
Thanks & Regards,
Vijay S.

Re: Can't authenticate using LDAP (ldap+mysql+eap_ttls)

2011-02-07 Thread Alan Buxey
Hi,

 *It says Found Auth-Type = EAP although in sites-enabled/inner-tunnel I
 have uncommented:
 
 Auth-Type LDAP {
 ldap
 }

but if inner-tunnel is invoked, that means it's an EAP session being used.

 By the way, if I try to authenticate using the same user via radtest, the server,
 of course, doesn't go into the inner-tunnel and so I get authenticated.

if you read the config files you will see that you can directly poke
the inner-tunnel on the localhost by using the right port, assuming
you are using a recent version of FreeRADIUS. You should also be using
the EAP testing tools rather than radtest if you want to directly
simulate the types of packets being sent to your server (otherwise
you are comparing apples and oranges... or HTTP to SSH!)

alan


radius authentication support for telnet server.

2011-02-07 Thread vijay s sheelavantar
Thank you very very much Mr. Fajar. After making changes in /etc/pam.d/login
it's working. The authentication request is coming to the FreeRADIUS server and
authentication is successful. :) I need one more help: please let me know the
configuration file for FTP also. I have created a wu-ftpd file inside /etc/pam.d/
but it is not working.
Thanks & Regards,
Vijay S.

Re: radius authentication support for telnet server.

2011-02-07 Thread Fajar A. Nugraha
On Mon, Feb 7, 2011 at 3:23 PM, vijay s sheelavantar
s_vija...@rediffmail.com wrote:

 Thank you very very much Mr. Fajar. After making changes in /etc/pam.d/login 
 it's working. The authentication request is coming to the FreeRADIUS server and 
 authentication is successful. :)
 I need one more help: please let me know the configuration file for FTP also. 
 I have created a wu-ftpd file inside /etc/pam.d/ but it is not working.

Well, basically you need to know how that program interacts with PAM.
If it previously did not have a file in /etc/pam.d, then most
likely it does not use PAM, or uses something else for authentication
(like the fact that telnet uses login). The logs (/var/log/messages,
etc.) should show what service is authenticating against PAM.

-- 
Fajar


Re: issue with dialup.conf

2011-02-07 Thread Brian Candler
On Mon, Feb 07, 2011 at 08:48:27AM +0200, Tyller D wrote:
if ( $device =~ /^nomadix/i ) {
    if ($DATABANK != '') {
        if ( $DATABANK le 0 ) {
            $RAD_REPLY{'Reply-Message'} = "You have no more Data Left";
            return RLM_MODULE_REJECT;
        } else {
            return RLM_MODULE_REJECT;

            $RAD_REPLY{'Nomadix-MaxBytesDown'} = $DATABANK;
        }
    }
}

That logic returns RLM_MODULE_REJECT in both branches of the if statement,
so I imagine you haven't copy-pasted it correctly. But I think I see what
you're getting at.

extract from radcheck:
+------+----------+--------------------+----+----------+
| id   | username | attribute          | op | value    |
+------+----------+--------------------+----+----------+
| 3069 | Joe      | databank           | := | 52428800 |
| 3068 | Joe      | Cleartext-Password | := | Joe123   |
| 3070 | Joe      | Auth-Type          | := | Perl     |
+------+----------+--------------------+----+----------+

OK, so you're using radcheck as a convenient place to store the user's
remaining quota. I guess that should work.

but it is not always executing the stop request correctly because
mysql> select sum(acctinputoctets + acctoutputoctets) from radacct
where username='scotty';
+-----------------------------------------+
| sum(acctinputoctets + acctoutputoctets) |
+-----------------------------------------+
|                              1840263628 |
+-----------------------------------------+
mysql> select value from radcheck where username='scotty' and
attribute='databank';
+------------+
| value      |
+------------+
| -302340151 |
+------------+

Well, those are two different things. The databank value will be whatever
original value you put in databank (which you haven't told us), minus the
bytes in and bytes out. So that would be correct if the initial value was
1537923477

I have to say this looks like a pretty fragile way of doing accounting,
because you are relying 100% on Stop packets. This means:

(1) A lost stop packet will not update databank

(2) If a user stays online solidly for months, they won't get their quota
updated in the database

Doing accounting based on interim-update packets is more robust. However,
they are cumulative (each interim-update packet shows the *total* used so
far for that session, just as if it were a Stop packet), so you can't just
subtract them from an accumulator.  You need to add together the last values
seen for each session.
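The accounting rule Brian states above (interim updates are cumulative per session, so you add together the last value seen for each session instead of subtracting each packet), as an added example that is not code from the thread or from FreeRADIUS. The accounting records and the quota value are constructed sample data in the shape of the radacct columns used in the thread.

```python
from typing import Dict, Iterable, List, Tuple

# One accounting packet as it would land in radacct:
# (username, acctsessionid, acctstatustype, acctinputoctets, acctoutputoctets)
Record = Tuple[str, str, str, int, int]

# Constructed sample data.  Counters are cumulative per session: each
# Interim-Update and the final Stop carry the session's running total.
SAMPLE_RECORDS: List[Record] = [
    ("scotty", "sess-1", "Interim-Update", 100, 400),
    ("scotty", "sess-1", "Interim-Update", 300, 900),
    ("scotty", "sess-1", "Stop",           500, 1500),  # session 1 used 2000 in total
    ("scotty", "sess-2", "Interim-Update", 50,  150),
    ("scotty", "sess-2", "Interim-Update", 200, 600),   # still online, 800 so far
    ("joe",    "sess-9", "Stop",           10,  20),
]


def used_per_session(records: Iterable[Record], username: str) -> Dict[str, int]:
    """Last cumulative in+out octets seen for each of the user's sessions.

    Within a session the counters only grow, so the largest value seen is the
    latest one; an out-of-order or duplicated Interim-Update cannot lower it,
    and a lost Stop only leaves the figure slightly stale rather than missing.
    32-bit counter wrap (Acct-*-Gigawords) is ignored here.
    """
    latest: Dict[str, int] = {}
    for user, session_id, _status, in_octets, out_octets in records:
        if user != username:
            continue
        total = in_octets + out_octets
        latest[session_id] = max(latest.get(session_id, 0), total)
    return latest


def quota_remaining(records: Iterable[Record], username: str, quota: int) -> int:
    """Remaining bytes: the assigned quota minus the sum over sessions of the
    last value seen for that session."""
    return quota - sum(used_per_session(records, username).values())


def naive_subtract_every_packet(records: Iterable[Record], username: str, quota: int) -> int:
    """The accumulator approach the post warns against: every packet's
    cumulative counters are subtracted again, so usage is over-counted."""
    remaining = quota
    for user, _session_id, _status, in_octets, out_octets in records:
        if user == username:
            remaining -= in_octets + out_octets
    return remaining


if __name__ == "__main__":
    QUOTA = 52_428_800  # 50 MiB, the 'databank' value shown for Joe in the thread
    print("per session:", used_per_session(SAMPLE_RECORDS, "scotty"))
    print("remaining, last value per session:", quota_remaining(SAMPLE_RECORDS, "scotty", QUOTA))
    print("remaining, naive accumulator:", naive_subtract_every_packet(SAMPLE_RECORDS, "scotty", QUOTA))
```

With the stock FreeRADIUS SQL schema, where each session is a single radacct row that Interim-Update and Stop overwrite in place, the radacct query shown in the thread (sum of acctinputoctets + acctoutputoctets for the user) already computes the same figure as `used_per_session`; the per-packet subtraction is what goes wrong.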


Re: Can't authenticate using LDAP (ldap+mysql+eap_ttls)

2011-02-07 Thread Edgaras

 Hi,

 *It says Found Auth-Type = EAP although in sites-enabled/inner-tunnel
 I
 have uncommented:

 Auth-Type LDAP {
 ldap
 }

 but if inner-tunnel is invoked that means its an EAP session being
 used

Of course! How did I miss that!

So I should use EAP-TTLS/PAP? But how do I do that?



 By the way, if I try to authenticate using the same user via radtest, the server,
 of course, doesn't go into the inner-tunnel and so I get authenticated.

 if you read the config files you will see that you can directly poke
 the inner-tunnel on the localhost by using the right port - assuming
 you are using a recent version of freeradius.  you should also be using
 the eap testing tools rather than radtest if you want to directly
 simulate the types of packets being sent to your server  (otherwise
 you are comparing apples and oranges...or HTTP to SSH!)

 alan



-- 
Regards,

Edgaras Lukoševičius
Kaunas College computer centre administrator
Pramones 20, Kaunas.
edga...@kauko.lt

FREE RADIUS client

2011-02-07 Thread karnik jain
Hi,

Can anyone tell me whether the FreeRADIUS client is internally doing UTF-8
conversion for multilingual characters, or whether it is relying on some other
underlying module that supplies credentials like username and password?

Regards,
Karnik Jain

Re: issue with dialup.conf

2011-02-07 Thread Tyller D
Sorry, the values I gave before were on a test db after I tested out the
stop queries in the dialup.conf file manually, so the values were
incorrect. Here is the correct info

mysql> select sum(acctinputoctets + acctoutputoctets ) from radacct where
username='scotty';
+------------------------------------------+
| sum(acctinputoctets + acctoutputoctets ) |
+------------------------------------------+
|                               1840263628 |
+------------------------------------------+
1 row in set (0.00 sec)



mysql> select * from radcheck where username='scotty';
+------+----------+--------------------+----+------------+
| id   | username | attribute          | op | value      |
+------+----------+--------------------+----+------------+
| 5192 | Scotty   | Auth-Type          | := | Perl       |
| 5191 | Scotty   | databank           | := | -302340151 |
| 5190 | Scotty   | Cleartext-Password | := | DALNIC     |
+------+----------+--------------------+----+------------+
3 rows in set (0.00 sec)


original databank value = 262141750

as you can see the amount of traffic used far exceeds what was assigned
originally. I understand the negative value; it's something I can deal with
to be a certain amount off, but this is really bad. When I ran the queries
manually I noticed that without quoting the radcheck.value in the
accounting_stop_query_alt query, it would not update the radcheck.value for
databank, but once it is quoted it seems to work. I am going to keep an eye on
it to see if it resolves itself.

I'm not too clued up on FreeRADIUS, so just to clear my mind: is the only way for
a session to end on a stop request (correct?), and even if interim updates
are sent, on the stop request it will show all data used in the session (not
just since the last update)?



On Mon, Feb 7, 2011 at 11:13 AM, Brian Candler b.cand...@pobox.com wrote:

 On Mon, Feb 07, 2011 at 08:48:27AM +0200, Tyller D wrote:
 if ( $device =~ /^nomadix/i ) {
     if ($DATABANK != '') {
         if ( $DATABANK le 0 ) {
             $RAD_REPLY{'Reply-Message'} = "You have no more Data Left";
             return RLM_MODULE_REJECT;
         } else {
             return RLM_MODULE_REJECT;

             $RAD_REPLY{'Nomadix-MaxBytesDown'} = $DATABANK;
         }
     }
 }

 That logic returns RLM_MODULE_REJECT in both branches of the if statement,
 so I imagine you haven't copy-pasted it correctly. But I think I see what
 you're getting at.


You are correct, it was a copy error


 extract from radcheck:
 +------+----------+--------------------+----+----------+
 | id   | username | attribute          | op | value    |
 +------+----------+--------------------+----+----------+
 | 3069 | Joe      | databank           | := | 52428800 |
 | 3068 | Joe      | Cleartext-Password | := | Joe123   |
 | 3070 | Joe      | Auth-Type          | := | Perl     |
 +------+----------+--------------------+----+----------+

 OK, so you're using radcheck as a convenient place to store the user's
 remaining quota. I guess that should work.

 but it is not always executing the stop request correctly because
 mysql> select sum(acctinputoctets + acctoutputoctets) from radacct
 where username='scotty';
 +-----------------------------------------+
 | sum(acctinputoctets + acctoutputoctets) |
 +-----------------------------------------+
 |                              1840263628 |
 +-----------------------------------------+
 mysql> select value from radcheck where username='scotty' and
 attribute='databank';
 +------------+
 | value      |
 +------------+
 | -302340151 |
 +------------+

 Well, those are two different things. The databank value will be whatever
 original value you put in databank (which you haven't told us), minus the
 bytes in and bytes out. So that would be correct if the initial value was
 1537923477

 I have to say this looks like a pretty fragile way of doing accounting,
 because you are relying 100% on Stop packets. This means:

 (1) A lost stop packet will not update databank

 (2) If a user stays online solidly for months, they won't get their quota
 updated in the database

 Doing accounting based on interim-update packets is more robust. However,
 they are cumulative (each interim-update packet shows the *total* used so
 far for that session, just as if it were a Stop packet), so you can't just
 subtract them from an accumulator.  You need to add together the last values
 seen for each session.

This is something that I have been wanting to look at but I need to get this
at least to work as it should and I can update the process when I have some
time. Thanks for the advice.

Re: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-07 Thread Alan Buxey
Hi,

 } # server inner-tunnel
 [peap] Got tunneled reply code 11
 EAP-Message =
 0x010a00331a0309002e533d4341303635413435333430423234384542433237433546463731
 3133303545423545354633383131
 Message-Authenticator = 0x
 State = 0x37523e803658245973dcd634f3fc6f7a
 [peap] Got tunneled reply RADIUS code 11
 EAP-Message =
 0x010a00331a0309002e533d4341303635413435333430423234384542433237433546463731
 3133303545423545354633383131
 Message-Authenticator = 0x
 State = 0x37523e803658245973dcd634f3fc6f7a
 [peap] Got tunneled Access-Challenge
 ++[eap] returns handled
 Sending Access-Challenge of id 54 to 10.63.1.207 port 1025
 EAP-Message =
 0x010a004a1900170301003f89859944848beaa1a1150d04b44af7343d3f0867517b48dcfa7c
 1a3a38468e2c7f73a4a6d760ee589d34d3ae808c8fe81be20e246f39c054d1efa38ae39490
 Message-Authenticator = 0x
 State = 0xc2330ef2ca39179b10e022abbe73f133

..this is where it ends: an Access-Challenge never gets responded to. Do you
have the CA of the RADIUS server installed on the client?

alan


Re: FREE RADIUS client

2011-02-07 Thread Brian Candler
On Mon, Feb 07, 2011 at 04:05:41PM +0530, karnik jain wrote:
Can any one tell me that
 
FREE RADIUS client is inernally doing UTF-8 conversion
 
for the multilingual characters or It is replying on some other
underlying module

I think that's a meaningless question.

RADIUS deals with bytes. It will send as User-Name whatever chunk of bytes
you give it. It doesn't mangle values.

who is suppling credentials like username and password?

What exactly are you asking about - the program called radclient? In that
case it is you, the person who invokes radclient, who supplies the username
and password on stdin.

If you're asking about something else, please be more specific.


RE: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-07 Thread Domenico Viggiani
 ..this is where it ends - an access challenge never gets responded to.
 do you have the
 CA of the RADIUS server installed on the client?
No but I disabled Validate Server Certificate on the client. Is it not
enough?

Thanks again for quick reply
--
DV



Re: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-07 Thread Alan Buxey
Hi,
  ..this is where it ends - an access challenge never gets responded to.
  do you have the
  CA of the RADIUS server installed on the client?
 No but I disabled Validate Server Certificate on the client. Is it not
 enough?

add the CA

alan


Re: FREE RADIUS client

2011-02-07 Thread karnik jain
Hello,

 I think that's a meaningless question.

 RADIUS deals with bytes. It will send as User-Name whatever chunk of bytes
 you give it. It doesn't mangle values.


I am under the impression that the RADIUS client (radclient) is itself
doing the UTF-8 conversion as per RFC 2865 while sending a multilingual
username attribute if it is not in UTF-8 form.

So I think this is not at all meaningless.
Correct me if I am wrong.


 What exactly are you asking about - the program called radclient? In that
 case it is you, the person who invokes radclient, who supplies the username
 and password on stdin.

 If you're asking about something else, please be more specific.


Yes, you have hit the correct nail.
I am talking about radclient only.
If the supplied User-Name is not UTF-8 encoded by some means,
suppose the scenario where UTF-8 support is not there, then
at that time what does radclient do?

Does it send the same multilingual characters to the RADIUS server, or
first of all convert them into UTF-8 as per RFC 2865 and send them to the
RADIUS server in the Access-Request packet as an attribute, or
just send them as-is to the RADIUS server?


Regards,
Karnik jain

Re: Possible typo in share/dictionary.dhcp

2011-02-07 Thread Alan DeKok
Bjørn Mork wrote:
 DHCP-Keep=Alive-Garbage
  ^
 I believe Alexander refers to this '=', which does look a tiny bit
 suspicious

  Ah... I'll go fix that.  Blame it on small font or bad eyes.

  Alan DeKok.

Re: FREE RADIUS client

2011-02-07 Thread Alan DeKok
karnik jain wrote:
 I am under the impression that RADIUS client (radclient) is itself
 is doing the UTF-8 conversion as per RFC 2865 while sending multilingual
 username attribute
 if it is not in UTF-8 form.
  
 So I think this is not at all a meaning less.
 correct me if i am wrong.

  Your question is meaningless and inappropriate for this forum.

  If you're writing your own RADIUS client, then pretending to ask
questions about radclient is not nice.

  If you want to know how radclient handles UTF-8, go read the source
code.  It's publicly available.

 Does it send the same multilingual characters to the RADIUS server or
 first of all convert them into UTF-8 as per RFC 2865 and send them to the
 RADIUS server in the Access-Request packet as an attribute or
 just send them as-is to the RADIUS server?

  This question was already answered on the list, in a message
describing how a RADIUS client works.

  If you're not going to read the messages on this list, there's no
point in asking questions here.

  Alan DeKok.


RE: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-07 Thread Domenico Viggiani
   ..this is where it ends - an access challenge never gets responded
 to.
   do you have the
   CA of the RADIUS server installed on the client?
  No but I disabled Validate Server Certificate on the client. Is it
 not
  enough?
 
 add the CA
Done but same problem. I read the certs/README file with MANY other caveats
about Windows:

  - Windows requires certain OID's in the certificates.  If it doesn't
see them, it will stop doing EAP.  The most visible effect is
that the client starts EAP, gets a few Access-Challenge packets,
and then a little while later re-starts EAP.  If this happens, see
the FAQ, and the comments in raddb/eap.conf for how to fix it.

  - Windows requires the root certificates to be on the client PC.
If it doesn't have them, you will see the same issue as above.

  - Windows XP post SP2 has a bug where it has problems with
certificate chains.  i.e. if the server certificate is an
intermediate one, and not a root one, then authentication will
silently fail, as above.

I'm sorry to have blamed FreeRADIUS.

I'm forced to abandon this project and resort to M$'s NAP server :(

Thanks
--
DV


Re: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-07 Thread Alan DeKok
Domenico Viggiani wrote:
 Done but same problem. I read certs/README file with MANY other caveats
 about Windows:

  http://deployingradius.com has *complete* and *detailed* instructions
for getting EAP to work with Windows.

 I'm forced to abandone this project and resort to M$'NAP server :(

  If it works with NAP, you can get it to work with FreeRADIUS.

  There are 10's of 1000's of sites using Windows clients with
FreeRADIUS.  There is *every* reason to believe that it works.

   Alan DeKok.


Re: FREE RADIUS client

2011-02-07 Thread Brian Candler
On Mon, Feb 07, 2011 at 05:07:03PM +0530, karnik jain wrote:
I am talking about radclient only.
If the supplied User-Name is not UTF-8 encoded by some means,
suppose the scenario where UTF-8 support is not there, then
at that time what does radclient do?
 
Does it send the same multilingual characters to the RADIUS server or
first of all convert them into UTF-8 as per RFC 2865 and send them to the
RADIUS server in the Access-Request packet as an attribute or
just send them as-is to the RADIUS server?

It just sends the bytes as-is.

If you have data in another encoding, which you want to convert to UTF-8 for
sending, then you need to transcode it yourself first using something like
'iconv'.

In any case, the data which you provide to radclient needs to use the
standard ASCII characters for equals, double-quotes and so on, so that it
can parse the lines. UTF-8 fulfils that requirement.

HTH,

Brian.


RE: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-07 Thread Domenico Viggiani
  I'm forced to abandone this project and resort to M$'NAP server :(
 
   If it works with NAP, you can get it to work with FreeRADIUS.
 
   There are 10's of 1000's of sites using Windows clients with
 FreeRADIUS.  There is *every* reason to believe that it works.
Of course. Sorry for my previous complaints.


   http://deployingradius.com has *complete* and *detailed* instructions
 for getting EAP to work with Windows.
I'm looting that site without moderation!
Questions:
1) I installed certs/ca.der under Trusted Root Certification Authorities
of the *computer* account on the client PC
2) I noticed that self-generated certs would contain XP extensions,
specified here
http://deployingradius.com/documents/configuration/oid.html
3) I didn't install the Microsoft fix:
http://support.microsoft.com/kb/885453/en-us
because I have XP SP3.

What did I forget?

Thanks again
--
DV


Re: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-07 Thread Alan Buxey
Hi,

 I'm forced to abandon this project and resort to M$'s NAP server :(

if you do, then it's your loss and you'll be limited for the future of your
infrastructure.

use FreeRADIUS - after all, at least it will give you information and detailed
debug information... when NPS goes wrong... well, good luck.

this is probably a trivial issue - how did you create your CA? how did you sign
the radius CRT/PKCS12 file? if you use the out of the box basic cert creation
script (as pre-generated the first time you run FR straight after compiling from
source) then it works. I can guarantee that after running such installs many
times myself (and then going ahead to use own CA and signed server cert). I deal
with 4 of the major RADIUS server platforms... and FR is the only one that can
deal with every issue and corner case that comes along, the rest are very
limited... and you don't want a limiting server as it then places limits on what
you can do with it and what clients you can support.

alan


RE: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-07 Thread Domenico Viggiani
 if you do, then it's your loss and you'll be limited for the future of
 your infrastructure.
 
 use FreeRADIUS - after all, at least it will give you information and
 detailed debug information... when NPS goes wrong... well, good luck.
I understand very well: I used the older M$'s IAS and it offered NO debug info at
all!

 this is probably a trivial issue - how did you create your CA? how did
 you sign
 the radius CRT/PKCS12 file?
I used the self-generated certificates, at first startup of the FreeRADIUS
service (installed from the Red Hat official RPM package, not compiled).

What else can I do? A client PC with an OS different from XP?

--
DV


Re: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-07 Thread Alan Buxey
Hi,

 service (installed from Red Hat official RPM package, not compiled).
 
 What else can I do? A client PC with an OS different from XP?

for initial testing/verification, use a client that isn't stupid or fussy.

I'd say start with a basic reference system - eg Linux with wpa_supplicant
(eg modern Ubuntu on a laptop). Then try a Mac OS X system (10.6) with
PEAP or EAP-TTLS - then look at Windows and smartphones. Your issue
could be due to the client or NAS.

alan


strategy question

2011-02-07 Thread localhero
In a project with some larger customer sites 802.1x authentication
shall be introduced. There are about 10 sites with roughly 500
employees each.
It is expected that at least 5 to 10% of the PCs may cause problems
when 802.1x authentication is activated. To identify those PCs in
advance the idea is to have the switches ask the FreeRADIUS server
for authentication. For two weeks or so the RADIUS server shall accept all
the requests, even if they fail because of invalid certificates.
The failures shall be reported. During this time the operating staff
may solve the problems with the PCs. After that period the problems
are hopefully solved and the RADIUS server shall do real authentication.

Is this an idea that makes sense?
Are there technical restrictions that would prevent such an approach?

-lh
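The "failures shall be reported" half of the pilot described above, as an added example that is not part of the original post or of FreeRADIUS. It assumes the server's log lines have the shape of FreeRADIUS 2.x `Auth: Login OK` / `Auth: Login incorrect (reason)` entries in radius.log (the regular expression encodes that assumption); the sample lines, switch names, ports, user names and MAC addresses in `SAMPLE_LOG` are constructed for the example. The report is keyed by switch, port and Calling-Station-Id rather than by user name, because machine authentication shows up under host/ names and a PC that later succeeds should drop off the list.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Assumed line shape (FreeRADIUS 2.x radius.log):
#   <date> : Auth: Login OK: [user] (from client NAME port N cli MAC)
#   <date> : Auth: Login incorrect (reason): [user] (from client NAME port N cli MAC)
AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>.*?)\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\S+)(?: cli (?P<cli>\S+))?\)$"
)


class AuthEvent(NamedTuple):
    ok: bool
    user: str
    client: str   # NAS short name from clients.conf (the switch)
    port: str     # NAS-Port
    cli: str      # Calling-Station-Id, i.e. the supplicant's MAC
    reason: str   # module failure text, empty on success


# Constructed sample log; switch names, users and MACs are invented.
SAMPLE_LOG = """\
Mon Feb  7 10:28:40 2011 : Auth: Login OK: [alice] (from client site1-sw01 port 12 cli 00-11-22-33-44-01)
Mon Feb  7 10:28:41 2011 : Auth: Login incorrect (TLS Alert read:fatal:unknown ca): [host/pc-0042.corp.example] (from client site1-sw01 port 13 cli 00-11-22-33-44-02)
Mon Feb  7 10:29:02 2011 : Auth: Login incorrect (TLS Alert read:fatal:unknown ca): [host/pc-0042.corp.example] (from client site1-sw01 port 13 cli 00-11-22-33-44-02)
Mon Feb  7 10:30:15 2011 : Auth: Login incorrect (mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.): [bob] (from client site2-sw07 port 3 cli 00-11-22-33-44-03)
Mon Feb  7 10:31:00 2011 : Auth: Login OK: [bob] (from client site2-sw07 port 3 cli 00-11-22-33-44-03)
Mon Feb  7 10:32:00 2011 : Info: rlm_sql (sql): Connected new DB handle
"""

Endpoint = Tuple[str, str, str]  # (client, port, cli)


def parse_auth_events(lines: Iterable[str]) -> List[AuthEvent]:
    """Keep only 'Auth:' lines; Info/Error lines are skipped."""
    events: List[AuthEvent] = []
    for line in lines:
        m = AUTH_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        events.append(AuthEvent(
            ok=m.group("result") == "OK",
            user=m.group("user"),
            client=m.group("client"),
            port=m.group("port"),
            cli=m.group("cli") or "",
            reason=m.group("reason") or "",
        ))
    return events


def failing_endpoints(events: Iterable[AuthEvent]) -> Dict[Endpoint, Dict[str, object]]:
    """Endpoints whose most recent attempt failed, with a count of failures
    and the reasons seen.  An endpoint that later succeeded (bob's second
    attempt in the sample) drops out, so the list shrinks as staff fix PCs."""
    last: Dict[Endpoint, AuthEvent] = {}
    failures: Dict[Endpoint, Counter] = defaultdict(Counter)
    for ev in events:
        key: Endpoint = (ev.client, ev.port, ev.cli)
        last[key] = ev
        if not ev.ok:
            failures[key][ev.reason] += 1
    report: Dict[Endpoint, Dict[str, object]] = {}
    for key, ev in last.items():
        if ev.ok:
            continue
        report[key] = {
            "user": ev.user,
            "failures": sum(failures[key].values()),
            "reasons": dict(failures[key]),
        }
    return report


if __name__ == "__main__":
    for (client, port, cli), info in failing_endpoints(parse_auth_events(SAMPLE_LOG.splitlines())).items():
        print(f"{client} port {port} mac {cli}: {info['user']} failed {info['failures']}x: {info['reasons']}")
```

Run this over the log collected during the grace period (for example nightly) and hand the output to the operating staff; once enforcement is switched on, the same report shows who is actually being kept off the network.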


RE: strategy question

2011-02-07 Thread Gary Gatten
Makes sense to me.  Will you be using MAC Auth Bypass for printers and other 
dumb devices?



Re: strategy question

2011-02-07 Thread Alan Buxey
Hi,

 In a project with some larger customer sites 802.1x authentication 
 shall be introduced. There are about 10 sites with roughly 500 
 employees each.
 It is expected that at least 5 to 10% of the pc may cause problems 
 when 802.1x authentication is activated. To identify those pc in 
 advance the idea is, to have the switches ask the freeradius server 
 for authentication. For two weeks or so the radius shall accept all 
 the requests, even if they fail because of invalid certificates. 
 The failure shall be reported. During this time the operating staff 
 may solve the problems with the pc. After that period the problems 
 are hopefully solved and the radius shall do real authentication.
 
 Is this an idea that makes sense?
 Are there technical restrictions that would prevent such an approach?

it seems a fairly sensible approach to migration into an 802.1X world -
I guess your guest/failed VLAN will be just the same as the normal
VLAN that real clients will go onto?  (we were one of the sites to
ask Cisco to reverse their decision that a failed VLAN - ie where
802.1X was attempted but failed - should be an operative VLAN rather
than marked as some form of malicious attack).

how are you going to go about configuring the PCs - GPO can be used
to push out the settings if they are corporate/in Active Directory

alan


RE: strategy question

2011-02-07 Thread localhero


On Mon, 07 Feb 2011 20:44:37 +0100 Gary Gatten 
ggat...@waddell.com wrote:
Makes sense to me.  Will you be using MAC Auth Bypass for printers 
and other dumb devices?

Yes.

-lh



Re: strategy question

2011-02-07 Thread localhero
I think there will be  Group Policies in place.

-lh

On Mon, 07 Feb 2011 20:48:08 +0100 Alan Buxey 
a.l.m.bu...@lboro.ac.uk wrote:
Hi,

how are you going to go about configuring the PCs - GPO can be 
used
to push out the setting if they are corporate/in ActiveDirectory

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Proxy Maintenance Process

2011-02-07 Thread Brian Carpio
So are there any other options than restarting radiusd?

I have tried to comment out a home_server and even send a hup:

radmin -e hup

But that doesn't seem to make freeradius reread the proxy.conf file... 

I don't see in the radmin command how I can disable a server (except mark it 
dead, but since my backend server still replies to heartbeat messages it's marked 
alive immediately). 



-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Brian Carpio
Sent: Friday, February 04, 2011 11:47 AM
To: FreeRadius users mailing list
Subject: RE: Proxy Maintenance Process

Part of the problem is that during an upgrade our radius application still 
listens on port 1813 and 1812 and replies to the keepalives (working with 
development to resolve that since I think that is a problem), so in the mean 
time I'd like to be able to mark an upgrading server dead and then decide when it 
should be marked alive. 

Thanks for the quick reply!

Brian

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Friday, February 04, 2011 11:45 AM
To: FreeRadius users mailing list
Subject: Re: Proxy Maintenance Process

Brian Carpio wrote:
 Currently we are using freeradiusd to proxy / load balance requests to 
 our backend radius application. However, as I’m sure many of you 
 encounter, there are times which require maintenance / upgrades of the 
 backend servers. What is the “best practice” in regards to putting 
 home_servers into maintenance so that freeradiusd doesn’t attempt to 
 send traffic to them?

  Use radmin

radmin set home server state IP PORT dead

 I’m not sure if there is a simple command we can run? Or is the only 
 option to comment out the home_server from the home_server_pool and 
 then kill -1 to the radiusd process?

  Nope.  Mark it dead.  When it comes back up, the server will figure that out 
(if Status-Server is enabled)

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-07 Thread Brett Littrell
Hi 
 
Not sure if you're just having issues with the OID or something else, but I 
found this thread really helped to fix cert issues I had:  
http://lists.cistron.nl/pipermail/freeradius-users/2006-October/msg00515.html . 
 I used the MS cert server as described in this listing as well as used our 
Novell Cert server and both worked for issuing a Cert that MS clients will 
accept.  I am sure OpenSSL can do it too, I just never looked far enough into it to 
see the exact syntax.
 
Hope this helps.
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Monday, February 07, 2011 at 7:27 AM, in message 
 00a301cbc6db$90153ec0$b03fbc40$@it, Domenico Viggiani 
 dviggi...@tiscali.it wrote:

 if you do, then it's your loss and you'll be limited for the future of
 your infrastructure.
 
 use freeRADIUS - after all, at least it will give you information and
 debug detailed information when NPS goes wrong...well, good luck.
I understand very well: I used the older M$ IAS and it offered NO debug info at
all!

 this is probably a trivial issue - how did you create your CA? how did
 you sign
 the radius CRT/PKCS12 file?
I used the self-generated certificates, at first startup of Freeradius
service (installed from Red Hat official RPM package, not compiled).

What else can I do? A client PC with an OS different from XP?

--
DV

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Proxy Maintenance Process

2011-02-07 Thread Alan DeKok
Brian Carpio wrote:
 So are there any other options than restarting radiusd?
 
 I have tried to comment out a home_server and even send a hup:
 
 radmin -e hup
 
 But that doesn't seem to make freeradius reread the proxy.conf file... 

  That won't work.  Home servers aren't reloaded on HUP.

 I don't see in the radmin command how I can disable a server (except mark it 
 dead, but since my backend server still replies to heartbeat messages it's 
 marked alive immediately). 

  Hmm... no, you can't disable a home server.

  The simplest thing would be to turn off the home server if it's not
responsive.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Proxy Maintenance Process

2011-02-07 Thread Gary Gatten
Perhaps some sort of access list or host (/32) null route to make the NAS think 
the home server is dead?

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Monday, February 07, 2011 5:27 PM
To: FreeRadius users mailing list
Subject: Re: Proxy Maintenance Process

Brian Carpio wrote:
 So are there any other options than restarting radiusd?
 
 I have tried to comment out a home_server and even send a hup:
 
 radmin -e hup
 
 But that doesn't seem to make freeradius reread the proxy.conf file... 

  That won't work.  Home servers aren't reloaded on HUP.

 I don't see in the radmin command how I can disable a server (except mark it 
 dead, but since my backend server still replies to heartbeat messages it's 
 marked alive immediately). 

  Hmm... no, you can't disable a home server.

  The simplest thing would be to turn off the home server if it's not
responsive.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: strategy question

2011-02-07 Thread Stefan Winter
Hi,

 Makes sense to me.  Will you be using MAC Auth Bypass for printers and other 
 dumb devices?

Commenting on dumb printers... there's been some nice work even on that
area. If you're lucky enough to have HP printers, the NICs can meanwhile
do 802.1X just fine. Even the JetDirect 620n (which I understand is the
entry-level thing) does PEAP:

http://h10010.www1.hp.com/wwpc/us/en/sm/WF06b/18972-18972-236253-34213-236264-378355-378357-1838265.html

And if you throw in another 80 USD, you'll even get ... insert drum roll
... IPv6!

http://h10010.www1.hp.com/wwpc/us/en/sm/WF06b/18972-18972-236253-34213-236264-500078-500091-1838264.html

Stefan

 -Original Message-
 From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
 Behalf Of localh...@mac.hush.com
 Sent: Monday, February 07, 2011 1:08 PM
 To: freeradius-users@lists.freeradius.org
 Subject: strategy question

 In a project with some larger customer sites 802.1x authentication 
 shall be introduced. There are about 10 sites with roughly 500 
 employees each.
 It is expected that at least 5 to 10% of the pc may cause problems 
 when 802.1x authentication is activated. To identify those pc in 
 advance the idea is, to have the switches ask the freeradius server 
 for authentication. For two weeks or so the radius shall accept all 
 the requests, even if they fail because of invalid certificates. 
 The failure shall be reported. During this time the operating staff 
 may solve the problems with the pc. After that period the problems 
 are hopefully solved and the radius shall do real authentication.

 Is this an idea that makes sense?
 Are there technical restrictions that would avoid such an approach?

 -lh



-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FREE RADIUS client

2011-02-07 Thread karnik jain
Hello B.Candler,

Thank you so much sir for replying back.
It is really helpful to my research on RADIUS client.

Thanks,
Karnik
On Mon, Feb 7, 2011 at 7:50 PM, Brian Candler b.cand...@pobox.com wrote:

 On Mon, Feb 07, 2011 at 05:07:03PM +0530, karnik jain wrote:
 I am talking about radclient only.
 If the supplied User-Name is not UTF-8 encoded by some means
 (suppose the scenario where UTF-8 support is not there), then
 at that time what does radclient do?
 
 Does it send the same multilingual characters to the RADIUS server or
 first of all convert that into UTF-8 as per RFC 2865 and send it to
 the RADIUS server in the ACCESS REQUEST packet as an attribute, or
 just send it as it is to the RADIUS server?

 It just sends the bytes as-is.

 If you have data in another encoding, which you want to convert to UTF-8
 for sending, then you need to transcode it yourself first using something
 like 'iconv'.

 In any case, the data which you provide to radclient needs to use the
 standard ASCII characters for equals, double-quotes and so on, so that it
 can parse the lines. UTF-8 fulfils that requirement.

 HTH,

 Brian.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
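An added example, not from the thread and not radclient's own code, that does the transcoding step Brian describes in Python instead of iconv, builds the attribute line radclient reads, and checks why UTF-8 meets the ASCII-delimiter requirement while some other encodings do not. The function names and sample usernames are constructed for illustration, and the backslash escaping assumes FreeRADIUS's usual quoted-string syntax.

```python
# Added example, not part of the thread or of radclient itself.
# radclient sends attribute bytes unchanged, so the transcoding step
# (the `iconv -f <src> -t UTF-8` Brian mentions) must happen first.

# ASCII bytes the attribute-line parser treats specially: '"', '=', '\'
RADCLIENT_DELIMS = b'"=\\'


def to_utf8(raw: bytes, source_encoding: str) -> bytes:
    """Python equivalent of `iconv -f SOURCE -t UTF-8`; strict, so
    undecodable input raises instead of being sent on mangled."""
    return raw.decode(source_encoding).encode("utf-8")


def radclient_line(attr: str, value: bytes) -> bytes:
    """Build one `Attr = "value"` line for radclient's stdin. The value
    is taken as already UTF-8; the two ASCII characters that would end
    or break the quoted string are backslash-escaped (assumed syntax)."""
    escaped = value.replace(b"\\", b"\\\\").replace(b'"', b'\\"')
    return attr.encode("ascii") + b' = "' + escaped + b'"\n'


def delimiter_bytes_from_non_ascii(text: str, encoding: str) -> set:
    """Delimiter byte values produced by encoding the NON-ASCII
    characters of `text`. For UTF-8 this is always empty: every byte
    of a multibyte sequence is >= 0x80, so a non-ASCII character can
    never turn into '=', '"' or '\\'. Shift_JIS or UTF-16 give no such
    guarantee, which is why UTF-8 satisfies the parser rule above."""
    found = set()
    for ch in text:
        if ord(ch) >= 0x80:
            found.update(b for b in ch.encode(encoding) if b in RADCLIENT_DELIMS)
    return found


if __name__ == "__main__":
    # Constructed sample: a Latin-1 username as a legacy system might hand it over.
    latin1_user = b"Jos\xe9"
    utf8_user = to_utf8(latin1_user, "iso-8859-1")                  # b"Jos\xc3\xa9"
    print(radclient_line("User-Name", utf8_user))                   # b'User-Name = "Jos\xc3\xa9"\n'
    print(delimiter_bytes_from_non_ascii("Jos\u00e9", "utf-8"))     # set()
    print(delimiter_bytes_from_non_ascii("\u8868", "shift_jis"))    # {92}: a '\' byte
    print(delimiter_bytes_from_non_ascii("\u223d", "utf-16-le"))    # {34, 61}: '"' and '='
```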