Re: FreeRADIUS Beginner's Guide

2011-11-02 Thread Stefan Winter
Hi,

 I'm a complete newbie to RADIUS, looking to make use of the features of
 my new smart switches and wireless access point to secure my home
 network, so the title certainly sounds right.

 Has anyone had a look at this book yet?  If so, what are your thoughts?

I have finally found the time to give it a look, too. Here's my review:


Book Review: FreeRADIUS Beginner's Guide

The book „FreeRADIUS Beginner's Guide – Manage your network resources
with FreeRADIUS“ by Dirk van der Walt has set itself a bold goal: to
transform an ordinary Unix/Linux system administrator from a „Zero“ to a
„Hero“ in the topic of Authentication, Authorisation and Accounting with
FreeRADIUS. The book is in a very modest price range and available in
traditional printed and also an eBook version right here:
http://www.packtpub.com/freeradius-master-authentication-authorization-accessing-your-network-resources/book?tag=rk/freeradiusbg-abr1/0911


From my own experience, getting in first contact with the RADIUS
protocol in general and FreeRADIUS in particular can be a dreadful
exercise: there are many complex concepts to grasp and huge
configuration files to master; and plenty of opportunity to break things
if you touch the configuration without knowing the do's and don'ts. The
FreeRADIUS software package has ample documentation in the form of man
pages and comments in configuration files. What was sorely missing – up
until now – was documentation that would take an innocent reader by the
hand and show him the wonders of RADIUS without too much confusion.

Dirk's book certainly achieves this goal, and more. It dives straight
into the matter, touches the RADIUS specification only as much as is
needed to understand the software that delivers it. The reader learns
how easy it is to get to the „Hello, world!“ equivalent of RADIUS – the
first successful authentication, an Access-Accept packet. From then on,
the book builds on the milestones achieved by the reader and adds more
and more features and complexity. Near the end of the book, the reader
has all the required knowledge to run his own little hotspot, a
federated „single-sign-on domain“ based on RADIUS or even be part of a
large roaming consortium.

Being heavily involved in RADIUS myself, as the lead R&D engineer for
the „eduroam“ roaming consortium in Europe, and as lecturer on the topic
of Secure Network Admission at the University of Luxembourg, I was
amazed how often I found myself thinking „Right, couldn't have said it
better“ when the author explained some of the particularly hairy
concepts – EAP with outer identity just being one example.

Of course, there are always those few little things everyone likes to do
a bit differently; I'm very much a compile-from-source person and was
slightly disappointed to read that the author rather encourages his
readers to use distribution packages or build their own RPMs/DEBs. Then
again, the target audience is starting from zero, and adding “compile
your own” to the stack of things to learn is probably asked a bit much.
Another question of taste is the client to use for testing the more
complex authentication mechanisms – the book uses a GUI client,
JRadiusSimulator, while I very much prefer „eapol_test“ from the
wpa_supplicant software suite. It can be so nicely scripted and is as
flexible as a Swiss army knife – perfect for Nagios monitoring. In my
humble opinion, it would have deserved a significant mention. Lastly,
there is a nagging little oversight when it comes to the description of
proxying on page 250: Proxying, when done in combination with mutually
authenticating EAP methods and with anonymous outer identities, exposes
neither usernames nor credentials to the roaming partner. The book
doesn't make that aspect overly clear. Then again, peeking at the title,
this topic is way advanced and few people will get to a point in their
RADIUS life where they would need it.

Summarising, I can highly recommend this book as a starter to get into
FreeRADIUS. I'm sure the FreeRADIUS users' mailing list would see much
less traffic on basic operational and conceptual questions if everyone
were to read this book. If you need to get acquainted with FreeRADIUS,
do yourself a favour and grab a copy.


Greetings,

Stefan Winter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
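The point about proxying and outer identities in the review above is easiest to see on the wire, so here is an added illustration (example code written for this page, not from the book or from the FreeRADIUS project). When a PEAP or TTLS client starts, the first thing any RADIUS server on the path sees is an EAP Identity response carrying only the outer identity; everything after that is an opaque TLS payload until the tunnel terminates at the home server. The parser below decodes the RFC 3748 framing of an EAP-Message attribute and, for an Identity response, splits the NAI at its '@' the way the `suffix` realm module does when it decides whether to proxy. The Identity sample is the EAP-Message printed in the access-point debug output further down this page (`0x0202000e01616e6f6e796d6f7573`), which decodes to the outer identity `anonymous`; the PEAP and Success samples are constructed, and the type table is the RFC 3748/IANA assignment for the methods mentioned on this page.

```python
"""Decode what a proxying RADIUS server can see in an outer EAP-Message (RFC 3748 framing)."""
import struct

# EAP codes and the method types that matter for a proxied 802.1X conversation.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet: Code(1) Id(1) Length(2) [Type(1) Type-Data].

    A Length field that disagrees with the bytes actually received is a
    malformed (or crafted) packet; refuse it instead of guessing.
    """
    if len(packet) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(packet))
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length %d != %d bytes on the wire" % (length, len(packet)))
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code %d" % code)
    result = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):                       # only Request/Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without Type octet")
        eap_type = packet[4]
        result["type"] = EAP_TYPES.get(eap_type, "type-%d" % eap_type)
        if eap_type == 1:                    # Identity: Type-Data is the NAI in clear text
            result["identity"] = packet[5:].decode("utf-8", errors="replace")
        else:                                # anything else is tunnelled payload, opaque to a proxy
            result["type_data_len"] = length - 5
    return result


def split_nai(identity: str):
    """Split a Network Access Identifier into (user, realm).

    Mirrors the suffix realm module: no '@' means realm NULL, which
    FreeRADIUS logs as "looking up realm NULL" and does not proxy.
    """
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm or None


def proxy_view(eap_hex: str) -> dict:
    """Everything a proxy learns from one outer EAP-Message, given as a hex string."""
    pkt = parse_eap(bytes.fromhex(eap_hex))
    view = {"eap": pkt}
    if pkt.get("type") == "Identity":
        user, realm = split_nai(pkt["identity"])
        view["outer_user"] = user            # 'anonymous' in the debug output on this page
        view["routing_realm"] = realm        # what the proxy routes on; None = handle locally
    return view


if __name__ == "__main__":
    # Identity response taken from the access-point debug output on this page.
    print(proxy_view("0202000e01616e6f6e796d6f7573"))
    # Constructed PEAP response (code 2, id 3, length 6, type 25, one flags octet):
    print(parse_eap(bytes.fromhex("020300061900")))
```

With an outer identity such as `anonymous@example.org` the proxy gets a realm to route on and nothing else; the real username and the MSCHAPv2 exchange only appear inside the TLS tunnel, which is why a roaming partner never sees them.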


Re: Huntgroup Checking

2011-11-02 Thread simonm123
Can anyone tell me if huntgroup checking can be made to work on the group
level, not just the user level?

Thanks



Re: Need help with Freeradius and 802.1X

2011-11-02 Thread johnboy68
I have ntlm_auth working.  I can auth my AD users with this command:

radtest -t mschap aduser aspassword localhost 0 testing123

And it works.  

My problem is when I configure one of my Cisco switches to do 802.1x and
authenticate with Freeradius my Windows (Windows 7 and Vista) machines fail
to get authorized with the Windows supplicant.  I am running Freeradius in
debug mode and have tried to trace down where it is failing on my own but
since I have no experience in this area I am just chasing my tail.  Is it a
problem with PEAP, EAP, TLS?  Do I need a certificate?  I just don't know
and if I did I wouldn't know how to configure it.  I have not been able to
find any conclusive documentation in this area.

I could put the output here of what Freeradius outputs during a connection
attempt, but since I am testing this in our production environment, I don't
want to put that kind of information out in a public forum.

Any thoughts?





Re: Huntgroup Checking

2011-11-02 Thread Ben West
You may need to inspect whether the groupcheck query in
mysql/dialup.conf (if you are using MySQL) looks in the huntgroup
table.

For example, this is the default query in my copy of freeRADIUS
provided by Debian:

authorize_group_check_query = SELECT id, groupname, attribute, \
  Value, op \
  FROM ${groupcheck_table} \
  WHERE groupname = '%{Sql-Group}' \
  ORDER BY id

Try modifying it as such:

authorize_group_check_query = SELECT id, groupname, attribute, \
  value, op \
  FROM ${groupcheck_table} \
  WHERE ( groupname = '%{Sql-Group}' \
  OR groupname = '%{Huntgroup-Name}' ) \
  ORDER BY id


On Wed, Nov 2, 2011 at 9:07 AM, simonm123 simon.mor...@me.com wrote:
 Can anyone tell me if huntgroup checking can be made to work on the group
 level, not just the user level?

 Thanks




-- 
Ben West
westbyw...@gmail.com


Re: cisco WAP/FreeRadius/OpenLDAP

2011-11-02 Thread Matthew Arguin

Alan,
  I have no mention of ldap in my pap module file, but the auto_header 
*WAS* set to no; fixed that, same result:


[root@ops2 raddb]# cat modules/pap
# -*- text -*-
#
#  $Id$

# PAP module to authenticate users based on their stored password
#
#  Supports multiple encryption/hash schemes.  See man rlm_pap
#  for details.
#
#  The auto_header configuration item can be set to yes.
#  In this case, the module will look inside of the User-Password
#  attribute for the headers {crypt}, {clear}, etc., and will
#  automatically create the attribute on the right-hand side,
#  with the correct value.  It will also automatically handle
#  Base-64 encoded data, hex strings, and binary data.
pap {
auto_header = yes
}

-m
On 11/1/2011 2:09 AM, freeradius-users-requ...@lists.freeradius.org wrote:

Message: 2
Date: Mon, 31 Oct 2011 19:25:49 +
From: Alan Buxeya.l.m.bu...@lboro.ac.uk
Subject: Re: cisco WAP/FreeRadius/OpenLDAP
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:20111031192549.gd19...@lboro.ac.uk
Content-Type: text/plain; charset=us-ascii

Hi,


so now the password is not clear text in the log as it was before but
still seeing that no good password error... but then there is that line
towards the bottom that says user authorized to use remote access... do
i need to configure Filter-Id or something in the sites-enabled/default
or inner-tunnel or something like that?

getting confused with authorization and authentication?  check your requirements
in LDAP - do they match (eg CN/DN?)

have you got PAP listed after the ldap and is the auto_header enabled in the pap
module?

alan



Re: Need help with Freeradius and 802.1X

2011-11-02 Thread Alan Buxey
Hi,
 I have ntlm_auth working.  I can auth my AD users with this command:
 
 radtest -t mschap aduser aspassword localhost 0 testing123
 
 And it works.  
 
 My problem is when I configure one of my Cisco switches to do 802.1x and
 authenticate with Freeradius my Windows (Windows 7 and Vista) machines fail
 to get authorized with the Windows supplicant.  I am running Freeradius in
 debug mode and have tried to trace down where it is failing on my own but
 since I have no experience in this area I am just chasing my tail.  Is it a
 problem with PEAP, EAP, TLS?  Do I need a certificate?  I just don't know
 and if I did I wouldn't know how to configure it.  I have not been able to
 find any conclusive documentation in this area.

the windows clients need the CA for your RADIUS server installed in their 
certificate store

alan



Re: Need help with Freeradius and 802.1X

2011-11-02 Thread Alan DeKok
johnboy68 wrote:
 I have ntlm_auth working.  I can auth my AD users with this command:
 
 radtest -t mschap aduser aspassword localhost 0 testing123
 
 And it works.

  Good!

 My problem is when I configure one of my Cisco switches to do 802.1x and
 authenticate with Freeradius my Windows (Windows 7 and Vista) machines fail
 to get authorized with the Windows supplicant.  I am running Freeradius in
 debug mode and have tried to trace down where it is failing on my own but
 since I have no experience in this area I am just chasing my tail.  Is it a
 problem with PEAP, EAP, TLS?  Do I need a certificate?  I just don't know
 and if I did I wouldn't know how to configure it.  I have not been able to
 find any conclusive documentation in this area.

  The Wiki describes this.  See the Certificate Compatibility page.
See also my AD integration guide: http://deployingradius.com.  That
should be pointed to from the Wiki, too.

  That guide contains *detailed* instructions for what to do.  The only
time it hasn't worked for people is when they didn't follow its
instructions.

 I could put the output here of what Freeradius outputs during a connection
 attempt but I since I am testing this in our production environment, I don't
 want to put that kind of information out in a public forum.

  Run it in debug mode and read the output.  What does it say?  What
warnings / errors does it produce?

  Alan DeKok.


Re: cisco WAP/FreeRadius/OpenLDAP

2011-11-02 Thread Matthew Arguin
So based on a previous recommendation, I just upgraded my freeradius2 to 
2.1.12. Here is the latest radtest run:


[root@ops2 modules]# radtest marguin2 r0adkill localhost 0 secret
Sending Access-Request of id 177 to 127.0.0.1 port 1812
User-Name = marguin2
User-Password = r0adkill
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=177, length=30
Filter-Id = wireless


and here is the debug when I test a laptop connecting:

Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57047, id=177, length=78
User-Name = marguin2
User-Password = r0adkill
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x1ef5c6c6cf3f4ec1042b39d10a933a02
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = marguin2, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for marguin2
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> marguin2
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=marguin2)
[ldap]  expand: ou=people,dc=currensee,dc=com -> ou=people,dc=currensee,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.local.currensee.com:389, authentication 0
  [ldap] setting TLS CACert File to /etc/ldap/csca.crt
  [ldap] bind as cn=manager,dc=currensee,dc=com/VcnxJbFqeAuAFyiu3zvi to ldap.local.currensee.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=people,dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by radiusFilterId
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == {CRYPT}tGS8HbszeyDmM
[ldap] looking for reply items in directory...
  [ldap] radiusFilterId -> Filter-Id = wireless
[ldap] user marguin2 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password r0adkill
[pap] Using CRYPT password tGS8HbszeyDmM
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 177 to 127.0.0.1 port 57047
Filter-Id = wireless
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 177 with timestamp +8
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645, id=130, length=133
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 64a0.e729.b890
Calling-Station-Id = 1c65.9d32.fb68
Service-Type = Login-User
Message-Authenticator = 0x25e770a8cf7f8577f8a4915a0a234c74
EAP-Message = 0x0202000e01616e6f6e796d6f7573
NAS-Port-Type = Wireless-802.11
NAS-Port = 1911
NAS-Port-Id = 1911
NAS-IP-Address = 192.168.10.31
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for anonymous
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> anonymous
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=anonymous)
[ldap]  expand: ou=people,dc=currensee,dc=com -> ou=people,dc=currensee,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=people,dc=currensee,dc=com, with filter (uid=anonymous)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# 

Re: cisco WAP/FreeRadius/OpenLDAP

2011-11-02 Thread Matthew Arguin

Something else I just found: radtest only seems to work from localhost..

[root@ops2 raddb]# radtest marguin2 r0adkill localhost 0 i6Lw7uNsG7pZDUGgxirg
Sending Access-Request of id 235 to 127.0.0.1 port 1812
User-Name = marguin2
User-Password = r0adkill
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=235, length=30
Filter-Id = wireless


[root@ops2 raddb]# radtest marguin2 r0adkill 192.168.10.31 0 i6Lw7uNsG7pZDUGgxirg
Sending Access-Request of id 96 to 192.168.10.31 port 1812
User-Name = marguin2
User-Password = r0adkill
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x
Sending Access-Request of id 96 to 192.168.10.31 port 1812
User-Name = marguin2
User-Password = r0adkill
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x
Sending Access-Request of id 96 to 192.168.10.31 port 1812
User-Name = marguin2
User-Password = r0adkill
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x
radclient: no response from server for ID 96 socket 3



Re: cisco WAP/FreeRadius/OpenLDAP

2011-11-02 Thread Phil Mayers

On 02/11/11 15:41, Matthew Arguin wrote:


and here is the debug when i test a laptop connecting:


Sigh. This is not the full debug. The full debug starts when radiusd 
starts up, and dumps the module configs. This is why we never ask people 
to give their configs - it's in the debug, and is redundant, but if you 
trim the debug, that's unhelpful.



[gtc] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[gtc] +- entering group PAP {...}
[pap] login attempt with password r0adkill
[pap] Using CRYPT password *


Where is this ^^^ coming from?

i.e. CRYPT password star

Something is setting a password somewhere. If it's not the LDAP module, 
it must be something else. Find it and remove it.


If I diff the modules that are running when you do your successful PAP 
and your unsuccessful EAP/GTC inner-tunnel, I see the inner-tunnel has:


[unix] returns updated
<snip>
[control] returns noop

What are you updating in the inner-tunnel? You must have:

server inner-tunnel {

authorize {

 ...
 # this isn't here in the default
 unix
 ...
 # this isn't here in the default
 update control {
??? what here?
 }

}


ssh authentication only via Radius

2011-11-02 Thread gthbvf
Greetings everyone,
 
We have a few Linux servers which we are trying to get authenticated only via 
RADIUS.


I found out I'm able to authenticate using the RADIUS password or using the local 
(system) password.


I am trying to configure it in such a way that, as long as the RADIUS server is up 
and responding, a user should only be able to log on via ssh with his
RADIUS password (no login with a local password, or even another local user and 
password).


And in case RADIUS is unavailable/not responding, the user should be able to log on 
locally with the local password.


My question to all experts is:


1) can it be done
2) what changes need to be done, and where (/etc/pam.d/sshd or system-auth-ac)


Thanks
Shri




Re: cisco WAP/FreeRadius/OpenLDAP

2011-11-02 Thread Alan Buxey
hi,

that user is in the /etc/passwd or /etc/shadow file?  the unix module is 
picking it
up.. and that password doesn't match the one you're trying to use... which matches
the username/password you added into the users file?

alan


Re: cisco WAP/FreeRadius/OpenLDAP

2011-11-02 Thread Alan Buxey
Hi,

 something else i just found radtest only seems to work from localhost..

the option in radtest is the TARGET you are talking to.  so, you can talk to 
127.0.0.1 but you can't talk to 192.168.10.31... what does 'radiusd -X' show?
do you have any firewalling?

alan


Re: cisco WAP/FreeRadius/OpenLDAP

2011-11-02 Thread Alan DeKok
Alan Buxey wrote:
 that user is in the /etc/password or /etc/shadow file?  the unix module is 
 picking it
 up..and that password doesnt match the one you're tryin to use...which matches
 the username/password you added into the users file?

  His system has passwords in /etc/shadow, and he hasn't configured the
unix module to read /etc/shadow.

  Alan DeKok.


Re: FreeRADIUS Beginner's Guide

2011-11-02 Thread Alan Buxey
Hi,

 I have finally found the time to give it a look, too. Here's my review:

you beat me :-)

here is my review of the publication (summary - we've got a good FreeRADIUS
book for beginners and those wanting to get familiar with FreeRADIUS)


Book review: FreeRADIUS Beginner's Guide

There are quite a few RADIUS books on the market so when I saw a new one 
entitled FreeRADIUS Beginner's Guide – Manage your network resources with 
FreeRADIUS By Dirk van der Walt, I did ponder about what audience it was
aimed at. However, as the UK support for eduroam and the contact point
for UK higher/further education RADIUS proxying I thought it best that I read
it to see what it offered. So I downloaded the ebook from the Packt publishing
page: 
http://www.packtpub.com/freeradius-master-authentication-authorization-accessing-your-network-resources/book?tag=rk/freeradiusbg-abr1/0911
(Printed copies are also available for a reasonable price).

Within a couple of hours of starting to read the book I was impressed
with the material offered. The author starts off with a brief introduction
and then it's straight into FreeRADIUS itself. Installing the server
by distribution package is covered and how to compile from source...however
this mainly focuses on how to install by source package rather than
from the main download site - I personally prefer getting the source
direct. The author has clearly spent a lot of time using FreeRADIUS
for specific tasks - there is quite a lot of MikroTik and hotspot
accounting material present in the book but that does detract from
the overall content. Some functions of FreeRADIUS are not covered
in depth with some modules given the light look or ignored, however
the book does deliver in its promise of getting a FreeRADIUS
newbie to a reasonable knowledge level before the end page. The
book is targeted to the current version of FreeRADIUS (version 2)
which is refreshing and it also covers and demystifies the built in
configuration language 'unlang' - which is also a great starting point.
I feel that this book is ideal for any RADIUS administrator who
wants to operate FreeRADIUS (experience of the Linux operating system on
which you'd run FreeRADIUS is taken for granted) and if an administrator
read this book then it would give them a strong grounding in the
subject and avoid a lot of beginner errors. Anyone who has read this book
is also far less likely to ask trivial questions on the official FreeRADIUS
users mailing list.
There are a few typos and minor errors in the text - Packt publishing
have a good errata system so these errors should be removed from
the next edition of the book - but none of them are critical. The author
covers useful testing methods - JRadiusSimulator, which is a useful
tool but FreeRADIUS comes with a suite of testing tools and there are
alternatives that are well known by people in the sector, such as eapol_test.
The small bits of code used in the book are also downloadable from
the Packt publishing page for the book which is very useful for the beginner
who may not have any scripting ability - nothing worse than everything
failing due to a typo when following a tutorial, especially if you
are dealing with new concepts. The book mentions eduroam, an international
federated authentication system using RADIUS proxying but doesn't
go into great detail - but the foundations and grounding for how
it operates are well covered within the pages so the final requirements
for a site shouldn't be daunting (a bit of 'unlang', some work in the
proxy configuration and doing some attribute and dictionary work).

Since reading this book I have recommended it to several people in the
sector and to a couple of sites that I have done RADIUS consultancy work
for. Anyone who uses FreeRADIUS but has never been happy with current
books on offer or how the server works should buy a copy of this book. 
The only thing missing? An 'advanced users' companion book :-)


alan