Re: EAP-TTLS/EAP-TLS with freeRADIUS
Mr Dash Four wrote:
> In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?

If you're going to be an idiot, you can be unsubscribed from this list.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS/EAP-TLS with freeRADIUS
Mr Dash Four wrote:
> Networks, no matter how secure, can be compromised. As I pointed out previously - one can never be too careful.

You're not smart if you regurgitate trite phrases. You're smart if you spend the time to understand what you're talking about. You haven't done that.

Alan DeKok.
Re: External Authentication program problem
Ali Majdzadeh wrote:
> A while after radius up, it reports:
> Sat Nov 26 13:02:03 2011 : Error: Couldn't fork /etc/netbill/acct.pl : Cannot allocate memory

Hmmm... you're probably using 'exec wait', right? And starting many, many, external programs. That's probably the issue.

There may be a bug in the server, but there is a better way to run the script. Use the rlm_perl module.

Alan DeKok.
Re: EAP-TTLS/EAP-TLS with freeRADIUS
On 11/27/2011 12:51 AM, Mr Dash Four wrote:
>> No, the shared secret is not transmitted over the wire. For additional information see RFC2865, §2: When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5. (see RFC131).
> MD5 is broken.

Thanks for the public service announcement. Do you seriously think the IETF, and the people responsible for RADIUS protocol evolution, aren't aware of this? Seriously, what would you like us to do exactly? Travel back in time to the mid 1990s and re-do the first RADIUS implementations with end-to-end pluggable crypto, and at the same time arrange for the Wassenaar agreement to be revoked?

If you want better security than that provided by the shared secret, you're free to arrange it between your NAS and your radius server. Some places use IPSec for this purpose, or things like OpenVPN.

HOWEVER - before you do that, and before you make any more announcements on how insecure RADIUS is, perhaps you could actually put some time and effort into understanding the protocol. You are missing two critical bits of info:

Firstly, all radius packets carrying EAP MUST carry a Message-Authenticator attribute. This provides secure integrity proof (and thus authentication) of the ENTIRE packet payload, using an HMAC and the shared secret as a key. Many NASes support this attribute on all packets (not just EAP), and FreeRADIUS supports a configuration option to MANDATE the presence of this attribute in requests from client NASes.

Secondly, although radius packets are not encrypted, the payload data in EAP methods is. Put another way - EAP confidentiality and integrity are provided *by the EAP mechanisms*, not by the radius layer. For pre-EAP mechanisms, the shared secret encryption will encrypt some fields (e.g. User-Password, in PAP), and the remaining mechanisms tend to be challenge/response, with their own security properties.

When using Message-Authenticator (which, as required by RFCs, is the case for ALL EAP-over-RADIUS) the only meaningful security problem is a mild information leak of some NAS-related metadata (NAS-Port, etc.) in the packet. The rest of the information (EAP payload, Calling/Called-Station-Id, outer User-Name) is all sent in the clear by the client anyway, often over Wi-Fi.

Is the shared secret ideal? No. Is RADSEC better? Yes. Do any NAS vendors support it? No. Can we afford to stop using RADIUS? No.

> The question is - how do I specify the CA, CA2, server certificate/key and server certificate/key second pair (for phase two) in RADIUS?

Specify two different instances of the eap module. There is an example of this in the default configs in recent 2.1.x versions - see raddb/modules/inner-eap. Once you've done that, use the 2nd module inside your inner-tunnel, like so:

    eap {
        tls {
            ... cert setup
        }
        ttls {
            ...
            virtual-server = inner-tunnel
        }
    }

    eap eap-inner {
        tls {
            ... 2nd ca setup
        }
    }

...then:

sites-available/default:

    authorize {
        ...
        eap
        ...
    }
    authenticate {
        ...
        eap
    }

sites-available/inner-tunnel:

    server inner-tunnel {
        authorize {
            ...
            eap-inner
            ...
        }
        authenticate {
            ...
            eap-inner
        }
    }
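The two mechanisms Phil describes, RFC 2865 User-Password hiding (MD5 keyed with the shared secret) and the RFC 3579 Message-Authenticator (HMAC-MD5 over the entire packet), as an added Python example that is not part of the original thread or of FreeRADIUS. It builds an Access-Request, verifies its Message-Authenticator, and shows that a single flipped bit or a wrong shared secret fails verification; the secret, credentials and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev  # chaining continues from the ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password (PAP); trailing pad nulls are stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, attrs, secret: bytes) -> bytes:
    """Encode the attributes, append a zeroed Message-Authenticator, then fill it
    with HMAC-MD5(secret, whole packet) as RFC 3579 s3.2 prescribes."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attrs(packet: bytes):
    """Yield (type, value, offset) per attribute, rejecting malformed lengths."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        yield attr_type, packet[pos + 2:pos + attr_len], pos
        pos += attr_len


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if a Message-Authenticator is present and its HMAC-MD5 (computed
    with the attribute value zeroed) matches under the shared secret. A missing
    attribute yields False, the behaviour of require_message_authenticator = yes."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        for attr_type, value, pos in parse_attrs(packet):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
                if len(value) != 16:
                    return False
                zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False


# Constructed sample input: the secret and credentials echo the radtest run later
# in this thread; the Request Authenticator is fixed only for reproducibility
# (a real client sends 16 fresh random octets per request).
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))


def demo() -> dict:
    hidden = hide_password(b"passtest", SECRET, REQUEST_AUTHENTICATOR)
    pkt = build_access_request(180, REQUEST_AUTHENTICATOR,
                               [(ATTR_USER_NAME, b"usertest"), (ATTR_USER_PASSWORD, hidden)],
                               SECRET)
    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 2] ^= 0x01  # flip one bit inside User-Name
    return {
        "genuine": verify_message_authenticator(pkt, SECRET),
        "tampered": verify_message_authenticator(bytes(tampered), SECRET),
        "wrong_secret": verify_message_authenticator(pkt, b"not-the-secret"),
        "password": reveal_password(hidden, SECRET, REQUEST_AUTHENTICATOR),
        "length": len(pkt),
    }
```

Note that User-Password hiding protects only that one attribute; everything else in a non-EAP request is integrity-protected only if the NAS also sends Message-Authenticator.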
Re: EAP-TTLS/EAP-TLS with freeRADIUS
Phil Mayers wrote:
> Thanks for the public service announcement. Do you seriously think

And we stop there. He didn't.

Alan DeKok.
Re: EAP-TTLS/EAP-TLS with freeRADIUS
On 11/26/2011 11:49 PM, Mr Dash Four wrote:
>>> so it is, you can only protect your AP client with the shared secret key.
>> Not necessarily. If the switch to which the WAP is connected supports 802.1x, it could act as a NAS and authenticate the WAP with EAP/TLS.
> By WAP I take it you mean the wireless client, right? If so, this is

No. WAP == Wireless Access Point.

> indeed the case - the client will be a Linux-based device with wpa_supplicant and a driver which supports nl80211/cfg80211, so I can configure - at least on the client's part - EAP-TTLS/EAP-TLS authentication. My aim is to do the same on AP and RADIUS, which is the point of actually starting this thread as my experience with RADIUS is nil.

So you keep saying. I note however that it doesn't stop you from making judgements on its security, and you're getting a lot of stick for that (from me and others).

Seriously - it's good you want to learn. But why not do that first, then ask questions based on the knowledge you've acquired and, hopefully, understood? If you're missing basic terms like WAP i.e. a Wireless Access Point, then I've got to say, you've got some work to do on the fundamentals...

In brief, Ian was suggesting it's possible for the wireless AP to act as an 802.1x client to the upstream ethernet switch (if that's the topology). This is correct, but not IMO relevant to your concerns (however misguided) or questions.
Re: EAP-TTLS/EAP-TLS with freeRADIUS
On 27 Nov 2011, at 00:40, Mr Dash Four wrote:
>>> In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?
>> It is. I believe you misunderstood how RADIUS works.
> Maybe, considering I've been reading about RADIUS for just over 2 days...

Why don't you try reading about EAP and 802.1X too?

>> The connection between the AP (called NAS in RADIUS) and the RADIUS-Server is only protected by the shared secret configured in clients.conf. Yes, this is kind of weak.
> It is *very* weak, not least because connections can be intercepted as, I presume is the case here, this shared secret is transmitted in the clear over the wire. If that is not the case and it is hashed, then, that's another story.

No... and when would you ever send a shared secret over the wire in the clear? That negates the secret part...

>> And because of this weakness a protocol like RADsec has been developed, which is essentially RADIUS-with-SSL-over-TCP, thus providing strong encryption of the whole RADIUS session. So far I have not seen any devices like APs, Dial-in-Servers, etc. support RADsec. But this is normally no problem, since those devices are usually located in a safe network with the RADIUS server. RADsec for example is used in the Deutsche Forschungsnetz (DFN), to secure inter-university RADIUS connections over the Internet to authenticate Eduroam users.
> Interesting, noted. It would be nice if this works in a similar way as the SSL handshake works - this is very secure, tested and already established in the real world.

Of course it does, it's using TLS... You think the RADSEC guys are going to mess with it just because it's used for transporting RADIUS packets?

>> Back to EAP-(T)TLS: The connection between a connecting device such as a laptop, which connects to a NAS, can be secured via EAP-(T)TLS, which is a protocol transported via RADIUS packets. This of course has been supported by FreeRADIUS for ages.
> OK, my understanding of EAP-TTLS/EAP-TLS is that the authentication happens in two distinct stages: the first stage (EAP-TTLS) is the outer authentication where the server presents its credentials/certificate to the client and then the secure channel is established. Phase two (EAP-TLS in my case) is where the client - via its client certificate - is actually authenticated to the RADIUS server. Now, I was hoping that the AP does this in a similar sort of way when authenticating itself to the RADIUS server, but it seems that is not the case and this is indeed a weak point.

No, the NAS (it can be a WAP, VPN concentrator, switch, router, terminal server) does not use EAP-TTLS or any EAP based authentication method to communicate with the RADIUS server directly.

As previously mentioned RADSEC does what you're asking. There are also plans for a DTLS transport layer (http://tools.ietf.org/html/draft-dekok-radext-dtls-03). But neither has been implemented by NAS vendors yet.

If you want to have a secure channel of communication between the RADIUS server run the UDP packets through a VPN, or implement a local proxy on the NAS to translate between UDP and RADSEC.

Additionally, if you're using EAP-TTLS-TLS, why do you need the RADIUS communications to be secure? The sensitive data is already encrypted. In fact why are you using EAP-TTLS-TLS unless you're transporting something extra in the TTLS tunnel? Seems sort of pointless to me...

> My question still remains though - since this is a two-phase authentication, two distinct sets of (ca, server, client) certificates can be used. How do I specify these in RADIUS?

raddb/modules/eap.conf - You can specify the signing CA for peer certificates for EAP-TLS. You can use two instances of the module, one for outer and one for inner if it helps you understand the concept any better.

> I found that I could specify the ca, client and server certificates once (normally stored in raddb/certs if memory serves), but I potentially need two of each for each phase. I know I could use just one, but just for the sake of understanding the whole process and getting to know how it all works I need to know this. How do I do that?

See above...

Arran Cudbard-Bell a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: EAP-TTLS/EAP-TLS with freeRADIUS
Hi,

> Firstly, all radius packets carrying EAP MUST carry a
<snip>

Thanks Phil for this concise overview... however

> Is the shared secret ideal? No. Is RADSEC better? Yes. Do any NAS vendors support it? No. Can we afford to stop using RADIUS? No.

LANCOM do, eg http://www.lancom.eu/fileadmin/produkte/lc_l54/L-54g_EN.pdf

you can blame Stefan Winter for this... ;-)

alan
Re: EAP-TTLS/EAP-TLS with freeRADIUS
On 27.11.2011 10:17, Phil Mayers wrote:
> On 11/27/2011 12:51 AM, Mr Dash Four wrote:
>>> No, the shared secret is not transmitted over the wire. For additional information see RFC2865, §2: When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5. (see RFC131).
>> MD5 is broken.

But do I understand it correctly that the shared_secret is just used as a trusted AP password?

Thanks
Re: EAP-TTLS/EAP-TLS with freeRADIUS
Andreas Rudat wrote:
> But do I understand it correctly that the shared_secret is just used as a trusted AP password?

No. Read the RFCs to understand what the shared secret does. Or read the RADIUS Wikipedia page. It's what we did.

Alan DeKok.
Change SQL Groupcheck Query in Dialup.conf
I need to change the structure of the radusergroup table so it includes the radcheck_id and radgroupcheck_id's. Currently it's set to use the username and groupname.

I'm editing the following section in dialup.conf:

    group_membership_query = SELECT groupname \
        FROM ${usergroup_table} \
        WHERE username = '%{SQL-User-Name}' \
        ORDER BY priority

However, I need to know if it is possible to change SQL-User-Name to use the radcheck id instead? Is it possible to look up the user id prior to this statement running? Ideally, it would then look like this:

    group_membership_query = SELECT radgroup_id \
        FROM ${usergroup_table} \
        WHERE username = '%{SQL-User-ID}' \
        ORDER BY priority

If so, where do I do this?
Private namespace for dictionary attributes (was: Passing information from authenticate to post-auth)
> Define your own [attributes]. That's why the dictionary files are editable.

Is there a private name space for that (i.e., X-*) that is guaranteed not to conflict with future official attribute names?
Re: Change SQL Groupcheck Query in Dialup.conf
JennyBlunt wrote:
> I need to change the structure of the radusergroup table so it includes the radcheck_id and radgroupcheck_id's.

Why? And even if there is a good reason, it's just SQL...

> However, I need to know if it is possible to change SQL-User-Name to use the radcheck id instead?

Yes. That's why the queries are editable. So you can edit them.

> Is it possible to look up the user id prior to this statement running?

Yes. It's just another SQL query:

    update request {
        SQL-User-Id := %{sql: ...}
    }

> If so, where do I do this?

In the authorize section.

Alan DeKok.
Re: Private namespace for dictionary attributes
Edgar Fuß wrote:
>> Define your own [attributes]. That's why the dictionary files are editable.
> Is there a private name space for that (i.e., X-*) that is guaranteed not to conflict with future official attribute names?

raddb/dictionary

Alan DeKok.
Re: Private namespace for dictionary attributes (was: Passing information from authenticate to post-auth)
On Sun, Nov 27, 2011 at 7:47 PM, Edgar Fuß e...@math.uni-bonn.de wrote:
>> Define your own [attributes]. That's why the dictionary files are editable.
> Is there a private name space for that (i.e., X-*) that is guaranteed not to conflict with future official attribute names?

You should be able to define any unused attribute name (e.g. MyModule-Attr-1), as long as the attribute number does not conflict with an existing one. From dictionary.freeradius.internal:

    #
    #  Range:  2200-2999
    #          Free
    #
    #  Range:  3000-3999
    #          Site-local attributes (see raddb/dictionary.in)
    #          Do NOT define attributes in this range!
    #
    #  Range:  4000-65535
    #          Unused
    #
    #  Range:  65536-
    #          Invalid.  Don't use.
    #

-- 
Fajar
always received Access-Reject using mysql
Dear Guru,

I need your help solving my problem with authentication. I just installed freeradius-server-2.1.10.tar.bz2 on FreeBSD 8.2 using MySQL 5.5 to store the list of users. After I completed the installation, I tried to test it:

    # radtest usertest passtest localhost:1812 0 testing123
    Sending Access-Request of id 180 to 127.0.0.1 port 1812
            User-Name = usertest
            User-Password = passtest
            NAS-IP-Address = 10.1.1.28
            NAS-Port = 0
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=180, length=20

These are my tables' entries:

    mysql> select * from radcheck;
    +----+----------+--------------------+----+----------+
    | id | username | attribute          | op | value    |
    +----+----------+--------------------+----+----------+
    |  1 | usertest | Cleartext-Password | == | passtest |
    +----+----------+--------------------+----+----------+

    mysql> select * from radusergroup;
    +----------+-----------+----------+
    | username | groupname | priority |
    +----------+-----------+----------+
    | usertest | dynamic   |        1 |
    +----------+-----------+----------+

    mysql> select * from radgroupreply;
    +----+-----------+--------------------+----+---------------------+
    | id | groupname | attribute          | op | value               |
    +----+-----------+--------------------+----+---------------------+
    |  1 | dynamic   | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
    |  2 | dynamic   | Framed-Protocol    | =  | PPP                 |
    |  3 | dynamic   | Service-Type       | =  | Framed-User         |
    |  4 | dynamic   | Framed-MTU         | =  | 1500                |
    +----+-----------+--------------------+----+---------------------+

Is there something wrong with my tables' entries?

---
Bogi Aditya
Sisfo - IMTelkom
Telkom Institute of Management
http://bogi.blog.imtelkom.ac.id
Re: Private namespace for dictionary attributes
> raddb/dictionary

I already deduced from there that I'm supposed to use attribute numbers [3000...4000[, but I'm not sure about the attribute names. The suggestion seems to be to use a name unused at the present time hoping that it will stay unused in the future. Or what am I missing?
Re: always received Access-Reject using mysql
Hi,

> After I completed the installation, I tried to test it:
>
>     # radtest usertest passtest localhost:1812 0 testing123
>     Sending Access-Request of id 180 to 127.0.0.1 port 1812
>             User-Name = usertest
>             User-Password = passtest
>             NAS-IP-Address = 10.1.1.28
>             NAS-Port = 0
>     rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=180, length=20

Don't really care about this - the 'radiusd -X' output is what is needed for this list.

>     +----+----------+--------------------+----+----------+
>     | id | username | attribute          | op | value    |
>     +----+----------+--------------------+----+----------+
>     |  1 | usertest | Cleartext-Password | == | passtest |
>     +----+----------+--------------------+----+----------+

Wrong 'op' value. Change that to := rather than ==

alan
Re: Private namespace for dictionary attributes
Hi,

>> raddb/dictionary
> I already deduced from there that I'm supposed to use attribute numbers [3000...4000[, but I'm not sure about the attribute names. The suggestion seems to be to use a name unused at the present time hoping that it will stay unused in the future. Or what am I missing?

Names? For humans. Computers and RADIUS care about attribute numbers more than anything else in their lives ;-)

Obviously, if you want to USE the name for some reference then it should be unique for your own sanity 8-)

alan
Re: EAP-TTLS/EAP-TLS with freeRADIUS
>> In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?
> If you're going to be an idiot, you can be unsubscribed from this list.

It takes one to know one. I'd stop acting DeCock if I were you though.
Re: EAP-TTLS/EAP-TLS with freeRADIUS
>> Networks, no matter how secure, can be compromised. As I pointed out previously - one can never be too careful.
> You're not smart if you regurgitate trite phrases.

And you are not smart either when you start throwing insults around.

> You're smart if you spend the time to understand what you're talking about. You haven't done that.

I know what I am talking about. When there is something I don't know, however - I ask, politely, and expect the same from others (that doesn't include you, apparently).
Re: EAP-TTLS/EAP-TLS with freeRADIUS
>> MD5 is broken.
> Thanks for the public service announcement.

Pleasure!

> Do you seriously think the IETF, and the people responsible for RADIUS protocol evolution, aren't aware of this? Seriously, what would you like us to do exactly? Travel back in time to the mid 1990s and re-do the first RADIUS implementations with end-to-end pluggable crypto, and at the same time arrange for the Wassenaar agreement to be revoked?
>
> If you want better security than that provided by the shared secret, you're free to arrange it between your NAS and your radius server. Some places use IPSec for this purpose, or things like OpenVPN.

Up until yesterday, I wasn't aware that the only way an AP/NAS can communicate with the RADIUS server is via an unencrypted channel. That's fair enough, I suppose; once I know what I am up against I will take the appropriate actions/measures to mitigate the possible security implications and reduce the risks, if I can. I wasn't making a public announcement, it was merely an observation - stop being so precious!

> HOWEVER - before you do that, and before you make any more announcements on how insecure RADIUS is, perhaps you could actually put some time and effort into understanding the protocol. You are missing two critical bits of info:
> [...]
> Is the shared secret ideal? No. Is RADSEC better? Yes. Do any NAS vendors support it? No. Can we afford to stop using RADIUS? No.

Thank you - if I knew where to look for this information, I would have done it ages ago.

>> The question is - how do I specify the CA, CA2, server certificate/key and server certificate/key second pair (for phase two) in RADIUS?
> Specify two different instances of the eap module. There is an example of this in the default configs in recent 2.1.x versions - see raddb/modules/inner-eap. Once you've done that, use the 2nd module inside your inner-tunnel, like so:

Thanks again, I wasn't aware that I could have inner/different instances.

Apart from the various, rather scattered, files with sample configuration examples, is there a more comprehensive manual which includes (and explains) all these options? I'd rather read those than rely on jamooks like DeCock to explain it all to me (or not, as it may be the case here).
Re: EAP-TTLS/EAP-TLS with freeRADIUS
> No. WAP == Wireless Access Point.

Noted, thanks.

>> indeed the case - the client will be a Linux-based device with wpa_supplicant and a driver which supports nl80211/cfg80211, so I can configure - at least on the client's part - EAP-TTLS/EAP-TLS authentication. My aim is to do the same on AP and RADIUS, which is the point of actually starting this thread as my experience with RADIUS is nil.
> So you keep saying. I note however that it doesn't stop you from making judgements on its security, and you're getting a lot of stick for that (from me and others).

Again, I don't make judgements, it was merely an observation.

> Seriously - it's good you want to learn. But why not do that first, then ask questions based on the knowledge you've acquired and, hopefully, understood? If you're missing basic terms like WAP i.e. a Wireless Access Point, then I've got to say, you've got some work to do on the fundamentals...

I would have done this ages ago if I knew where to find a more comprehensive manual explaining it all, rather than relying on bits of info scattered in a thousand different places. The freeRADIUS wiki isn't terribly helpful either - this - http://wiki.freeradius.org/create/Extensible-Authentication-Protocol#EAP-TTLS - being the perfect example - in order to access it I have to log in because authentication is required (as if!).
Re: EAP-TTLS/EAP-TLS with freeRADIUS
> Why don't you try reading about EAP and 802.1X too?

I did.

>> Interesting, noted. It would be nice if this works in a similar way as the SSL handshake works - this is very secure, tested and already established in the real world.
> Of course it does, it's using TLS...

Thank you.

> You think the RADSEC guys are going to mess with it just because it's used for transporting RADIUS packets?

Where did I say or imply that? Touche!

>> OK, my understanding of EAP-TTLS/EAP-TLS is that the authentication happens in two distinct stages: the first stage (EAP-TTLS) is the outer authentication where the server presents its credentials/certificate to the client and then the secure channel is established. Phase two (EAP-TLS in my case) is where the client - via its client certificate - is actually authenticated to the RADIUS server. Now, I was hoping that the AP does this in a similar sort of way when authenticating itself to the RADIUS server, but it seems that is not the case and this is indeed a weak point.
> No, the NAS (it can be a WAP, VPN concentrator, switch, router, terminal server) does not use EAP-TTLS or any EAP based authentication method to communicate with the RADIUS server directly.
>
> As previously mentioned RADSEC does what you're asking. There are also plans for a DTLS transport layer (http://tools.ietf.org/html/draft-dekok-radext-dtls-03). But neither has been implemented by NAS vendors yet.
>
> If you want to have a secure channel of communication between the RADIUS server run the UDP packets through a VPN, or implement a local proxy on the NAS to translate between UDP and RADSEC.

Tunnelling is something I might consider as an alternative, thanks again for the explanation.

> Additionally, if you're using EAP-TTLS-TLS, why do you need the RADIUS communications to be secure? The sensitive data is already encrypted. In fact why are you using EAP-TTLS-TLS unless you're transporting something extra in the TTLS tunnel? Seems sort of pointless to me...

Well, my understanding is that the communication between AP and RADIUS is not encrypted, isn't that so?

>> My question still remains though - since this is a two-phase authentication, two distinct sets of (ca, server, client) certificates can be used. How do I specify these in RADIUS?
> raddb/modules/eap.conf - You can specify the signing CA for peer certificates for EAP-TLS. You can use two instances of the module, one for outer and one for inner if it helps you understand the concept any better.

Yep, that seems like a good plan - Phil Mayers was kind enough to explain it to me. I'll probably do a bit of digging before delving in with RADIUS myself.
Re: Private namespace for dictionary attributes
Edgar Fuß wrote:
>> raddb/dictionary
> I already deduced from there that I'm supposed to use attribute numbers [3000...4000[, but I'm not sure about the attribute names.

Pick a name.

> The suggestion seems to be to use a name unused at the present time hoping that it will stay unused in the future. Or what am I missing?

There is no registry of names. Make sure that the name you choose is unique. This is usually done by using a unique prefix, e.g. FreeRADIUS-*, or Cisco-*.

Alan DeKok.
Re: Private namespace for dictionary attributes
> names?

Yes.

> computers and RADIUS care about attribute numbers more than anything else in their lives

Both in rlm_perl and in unlang I'm supposed to use names, not numbers.
Access-Accept with multiple entries for VSA
Hi,

I just subscribed to this mailing list and would like to try it with a problem!

I configured the users file with a vendor specific attribute to be sent as part of the Access-Accept packet.

1- The client expects to have as many entries of that attribute as needed.
2- Freeradius allows for one entry only (under the matched user name).

As a consequence: other entries of that same attribute are discarded.

What would be the right way to have a reply with multiple entries of the same attribute (vendor-specific in that case)?

Thanks,
Al Morce
Re: EAP-TTLS/EAP-TLS with freeRADIUS
Mr Dash Four wrote:
> It takes one to know one. I'd stop acting DeCock if I were you though.

Congratulations. You've been unsubscribed.

Alan DeKok.
Re: Access-Accept with multiple entries for VSA
Al Morce wrote:
> 2- Freeradius allows for one entry only (under the matched user name).

No. See man users. This is documented.

> What would be the right way to have a reply with multiple entries of the same attribute (vendor-specific in that case)?

Use +=

Alan DeKok.
Re: Change SQL Groupcheck Query in Dialup.conf
Yes, it's a bit annoying. Our front end management system is / will be built using Ruby on Rails. RoR seems a little funny with join tables when they don't use IDs. Hence the need for a change to the SQL. The same went for the attribute column which we needed to alter too.

Have things working fine - thanks for the help.
Line too long
I have been configuring Broadworks VSAs into freeradius, but I'm still having problems on startup:

    freeradius -X
    FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/proxy.conf
    including configuration file /etc/freeradius/clients.conf
    including files in directory /etc/freeradius/modules/
    including configuration file /etc/freeradius/modules/inner-eap
    including configuration file /etc/freeradius/modules/logintime
    including configuration file /etc/freeradius/modules/exec
    including configuration file /etc/freeradius/modules/preprocess
    including configuration file /etc/freeradius/modules/wimax
    including configuration file /etc/freeradius/modules/digest
    including configuration file /etc/freeradius/modules/realm
    including configuration file /etc/freeradius/modules/checkval
    including configuration file /etc/freeradius/modules/files
    including configuration file /etc/freeradius/modules/detail
    including configuration file /etc/freeradius/modules/cui
    including configuration file /etc/freeradius/modules/expr
    including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
    including configuration file /etc/freeradius/modules/mac2vlan
    including configuration file /etc/freeradius/modules/ippool
    including configuration file /etc/freeradius/modules/pap
    including configuration file /etc/freeradius/modules/detail.log
    including configuration file /etc/freeradius/modules/opendirectory
    including configuration file /etc/freeradius/modules/perl
    including configuration file /etc/freeradius/modules/otp
    including configuration file /etc/freeradius/modules/sradutmp
    including configuration file /etc/freeradius/modules/attr_filter
    including configuration file /etc/freeradius/modules/policy
    including configuration file /etc/freeradius/modules/smbpasswd
    including configuration file /etc/freeradius/modules/smsotp
    including configuration file /etc/freeradius/modules/detail.example.com
    including configuration file /etc/freeradius/modules/attr_rewrite
    including configuration file /etc/freeradius/modules/mac2ip
    including configuration file /etc/freeradius/modules/radutmp
    including configuration file /etc/freeradius/modules/ldap
    including configuration file /etc/freeradius/modules/pam
    including configuration file /etc/freeradius/modules/always
    including configuration file /etc/freeradius/modules/linelog
    including configuration file /etc/freeradius/modules/echo
    including configuration file /etc/freeradius/modules/ntlm_auth
    including configuration file /etc/freeradius/modules/krb5
    including configuration file /etc/freeradius/modules/passwd
    including configuration file /etc/freeradius/modules/chap
    including configuration file /etc/freeradius/modules/etc_group
    including configuration file /etc/freeradius/modules/expiration
    including configuration file /etc/freeradius/modules/sql_log
    including configuration file /etc/freeradius/modules/acct_unique
    including configuration file /etc/freeradius/modules/dynamic_clients
    including configuration file /etc/freeradius/modules/counter
    including configuration file /etc/freeradius/modules/mschap
    including configuration file /etc/freeradius/modules/unix
    including configuration file /etc/freeradius/eap.conf
    including configuration file /etc/freeradius/sql.conf
    including configuration file /etc/freeradius/sql/postgresql/broadsoft.conf
    /etc/freeradius/sql/postgresql/broadsoft.conf[204]: Line too long
    Errors reading /etc/freeradius/radiusd.conf

Are there some limits for VSA attributes in sql.conf?

Here is my broadsoft.conf:

    root@bravo:/etc/freeradius/sql/postgresql# cat broadsoft.conf
    accounting-request = INSERT INTO ${acct_table1} \
        (Radius-Encoding-Version,Record-id, \
        Service-provider,Type,Direction, \
        Calling-Number,Calling-Presentation-Indic,Called-Number, \
        Start-Time,Answer-Indic, \
        Answer-Time,Release-Time,Termination-Cause, \
        Network-Type,Dialed-Digits, \
        Call-Category,Network-Call-Type,Network-Translated-Number, \
        Network-Translated-Group,Releasing-Party,Route, \
        Codec, \
        Spare-29, \
        Spare-31,Department,Account-Code, \
        Authorization-Code,Original-Called-Number, \
        Redirecting-Number, \
        Charge-Indic,Type-Of-Network, \
        VP-Calling-Invoke-Time,Local-Callid,Remote-Callid, \
        Charging-Vector-Orig, \
        Charging-Vector-Term,Acc-Per-Call-Invoke-Time,Acc-Per-Call-Fac-Result, \
        Acb-Act-Invoke-Time,Acb-Act-Fac-Result,Acb-Deact-Invoke-Time, \
        Acb-Deact-Fac-Result,Call-Park-Invoke-Time,Call-Park-Fac-Result, \
        Call-Park-Retr-Invoke-Time,Call-Park-Retr-Fac-Result,Call-Pickup-Invoke-Time, \
Re: always received Access-Reject using mysql
thanks Alan

I found the problem was in the attribute field, where I put Cleartext-Password based on the wiki: http://wiki.freeradius.org/SQL-HOWTO
After I changed the value to just password it works fine now.

Note: I put == in the op field because that was the default value:

mysql> desc radcheck;
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(11) unsigned | NO   | PRI | NULL    | auto_increment |
| username  | varchar(64)      | NO   | MUL |         |                |
| attribute | varchar(64)      | NO   |     |         |                |
| op        | char(2)          | NO   |     | ==      |                |
| value     | varchar(253)     | NO   |     |         |                |
+-----------+------------------+------+-----+---------+----------------+

just like radgroupreply, where the default value is =:

mysql> desc radgroupreply;
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(11) unsigned | NO   | PRI | NULL    | auto_increment |
| groupname | varchar(64)      | NO   | MUL |         |                |
| attribute | varchar(64)      | NO   |     |         |                |
| op        | char(2)          | NO   |     | =       |                |
| value     | varchar(253)     | NO   |     |         |                |
+-----------+------------------+------+-----+---------+----------------+

thanks again Alan.

On Sun, 27 Nov 2011 16:26:13, Alan Buxey wrote
> Hi,
>
>> after I complete the installation, I tried to test it :
>> # radtest usertest passtest localhost:1812 0 testing123
>> Sending Access-Request of id 180 to 127.0.0.1 port 1812
>>         User-Name = usertest
>>         User-Password = passtest
>>         NAS-IP-Address = 10.1.1.28
>>         NAS-Port = 0
>> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=180, length=20
>
> don't really care about this - the 'radiusd -X' output is what is needed for this list.
>
>> +----+----------+--------------------+----+----------+
>> | id | username | attribute          | op | value    |
>> +----+----------+--------------------+----+----------+
>> |  1 | usertest | Cleartext-Password | == | passtest |
>> +----+----------+--------------------+----+----------+
>
> wrong 'op' value. change that to := rather than ==
>
> alan

---
Bogi Aditya
Sisfo - IMTelkom
Telkom Institute of Management
http://bogi.blog.imtelkom.ac.id
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: always received Access-Reject using mysql
On Mon, Nov 28, 2011 at 8:29 AM, Bogi Aditya <b...@imtelkom.ac.id> wrote:
> thanks Alan
> I found the problem was in the attribute field where I put Cleartext-Password based on the wiki : http://wiki.freeradius.org/SQL-HOWTO

The example should be correct. From http://wiki.freeradius.org/SQL-HOWTO#Populating+SQL

mysql> select * from radcheck;
+----+------------+--------------------+--------+----+
| id | UserName   | Attribute          | Value  | Op |
+----+------------+--------------------+--------+----+
|  1 | fredf      | Cleartext-Password | wilma  | := |
|  2 | barney     | Cleartext-Password | betty  | := |
|  2 | dialrouter | Cleartext-Password | dialup | := |
+----+------------+--------------------+--------+----+
3 rows in set (0.01 sec)

Note how it uses := as op?

> after I changed the value to just password it works fine now.

It has a different meaning, actually. If you use Password (or User-Password) with op ==, you're basically comparing the attribute User-Password in the user request to the one in the database. It SHOULD work if the request is using PAP, but it won't work if the request is using MS-CHAPv2 (or some other authentication protocol that does not send the user password as plain text in the User-Password attribute). You can test it with radtest -t mschap (available in newer versions of FR).

I highly suggest you change it to Cleartext-Password and :=

-- 
Fajar
Re: always received Access-Reject using mysql
thanks Fajar

I've tried:

# radtest -t mschap usertest passtest localhost:1812 0 testing123
Sending Access-Request of id 13 to 127.0.0.1 port 1812
        User-Name = usertest
        NAS-IP-Address = 10.1.1.28
        NAS-Port = 0
        MS-CHAP-Challenge = 0x7effa6d1eaf313a9
        MS-CHAP-Response = 0x0001d21d03024f55ebcf8c36dc84d85ab07e2b6c828184d3f151
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13, length=108
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-MTU = 1500
        MS-CHAP-MPPE-Keys = 0x1e3efc59fb2a7c971c0de9b6d1dfe2f56b3d7d1338e5c7ee
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006

then I changed my radcheck table:

mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  1 | usertest | Cleartext-Password | := | passtest |
+----+----------+--------------------+----+----------+

and tried:

# radtest -t mschap usertest passtest localhost:1812 0 testing123
Sending Access-Request of id 149 to 127.0.0.1 port 1812
        User-Name = usertest
        NAS-IP-Address = 10.1.1.28
        NAS-Port = 0
        MS-CHAP-Challenge = 0xf13ba049100393c3
        MS-CHAP-Response = 0x0001733c2565a50ac6d4c28569b959eca8a14ef7951536c66172
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=149, length=108
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-MTU = 1500
        MS-CHAP-MPPE-Keys = 0x1e3efc59fb2a7c971c0de9b6d1dfe2f56b3d7d1338e5c7ee
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006

Should I change it to Cleartext-Password and op=:= when it still works with password and op===? And why is the default value set to == when it is supposed to be :=?

So sorry, this is the first time I have used FreeRADIUS (all this time I have used OpenLDAP for authentication).

On Mon, 28 Nov 2011 09:08:26 +0700, Fajar A. Nugraha wrote
> On Mon, Nov 28, 2011 at 8:29 AM, Bogi Aditya <b...@imtelkom.ac.id> wrote:
>> thanks Alan
>> I found the problem was in the attribute field where I put Cleartext-Password based on the wiki : http://wiki.freeradius.org/SQL-HOWTO
>
> The example should be correct. From http://wiki.freeradius.org/SQL-HOWTO#Populating+SQL
>
> mysql> select * from radcheck;
> +----+------------+--------------------+--------+----+
> | id | UserName   | Attribute          | Value  | Op |
> +----+------------+--------------------+--------+----+
> |  1 | fredf      | Cleartext-Password | wilma  | := |
> |  2 | barney     | Cleartext-Password | betty  | := |
> |  2 | dialrouter | Cleartext-Password | dialup | := |
> +----+------------+--------------------+--------+----+
> 3 rows in set (0.01 sec)
>
> Note how it uses := as op?
>
>> after I changed the value to just password it works fine now.
>
> It has different meaning, actually. If you use Password (or User-Password) with op ==, you're basically comparing the attribute User-Password in user request to the one in the database. It SHOULD work if the request is using PAP, but it won't work if the request is using MS-CHAPv2 (or some other authentication protocol that does not send user password as plain text in User-Password attribute). You can test it with radtest -t mschap (available in newer versions of FR)
>
> I highly suggest you change it to Cleartext-Password and :=
>
> -- 
> Fajar

---
Bogi Aditya
Sisfo - IMTelkom
Telkom Institute of Management
http://bogi.blog.imtelkom.ac.id
Re: always received Access-Reject using mysql
On Mon, Nov 28, 2011 at 9:40 AM, Bogi Aditya <b...@imtelkom.ac.id> wrote:
> thanks Fajar
> I've tried :
> # radtest -t mschap usertest passtest localhost:1812 0 testing123
> Sending Access-Request of id 13 to 127.0.0.1 port 1812
>         User-Name = usertest
>         NAS-IP-Address = 10.1.1.28
>         NAS-Port = 0
>         MS-CHAP-Challenge = 0x7effa6d1eaf313a9
>         MS-CHAP-Response = 0x0001d21d03024f55ebcf8c36dc84d85ab07e2b6c828184d3f151
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13,

Weird. I just tested a similar thing on my setup (FR-2.1.12), and got Access-Reject for both pap and mschap :)

> then I change my radcheck table :
> mysql> select * from radcheck;
> +----+----------+--------------------+----+----------+
> | id | username | attribute          | op | value    |
> +----+----------+--------------------+----+----------+
> |  1 | usertest | Cleartext-Password | := | passtest |
> +----+----------+--------------------+----+----------+
> and tried :
> # radtest -t mschap usertest passtest localhost:1812 0 testing123
> Sending Access-Request of id 149 to 127.0.0.1 port 1812
>         User-Name = usertest
>         NAS-IP-Address = 10.1.1.28
>         NAS-Port = 0
>         MS-CHAP-Challenge = 0xf13ba049100393c3
>         MS-CHAP-Response = 0x0001733c2565a50ac6d4c28569b959eca8a14ef7951536c66172
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=149, length=108

At least with Cleartext-Password and := we got the same result.

> should I change it to Cleartext-Password and op=:= when it still work with password and op=== ?

Definitely. My best guess at this point is that your FR version is old enough to permit password and == and activate some kind of compatibility code, which didn't exist in my version. Cleartext-Password and := is the correct way to specify a plain text user password in current and future versions of FR. If you don't want future upgrades to break your setup, better use Cleartext-Password and :=

Running in debug mode (radiusd -X) should help in finding out why your setup works (when it shouldn't). In my test (I'm using files instead of a db), I got these:

WARNING: Found User-Password ==
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
[files] users: Matched entry testuser at line 5
++[files] returns ok
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [testuser] (from client localhost port 0)

> and why the default value is set to == when it suppose to be := ?

== is useful in certain cases. For example, if you want the user to ONLY be able to log in from a NAS with IP address = 10.0.0.1, you could use something like this:

usertest | Cleartext-Password | := | passtest |
usertest | NAS-IP-Address     | == | 10.0.0.1 |

> so sorry, this is the first time I used FreeRADIUS

No problem.

> (all this time I use OpenLDAP for authentication)

Did you know you can use LDAP as a backend for FR, thus allowing your users to use the same user/password combination whether they're using FR or LDAP directly? :D

-- 
Fajar
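To make the difference between the two operators concrete, here is an added Python model of how the check items in radcheck are applied. It is an illustration written for this thread, not FreeRADIUS code: the radcheck rows and the requests are constructed, and the MS-CHAP response is a SHA-256 stand-in for the real NT-hash computation (the property that matters is the same: the server can only recompute the response from a stored clear-text password, never from the request alone). It shows Cleartext-Password := working for PAP and MS-CHAP alike, User-Password == matching only a PAP request and still leaving rlm_pap without a known good password (the Access-Reject Fajar saw), and the NAS-IP-Address == restriction from the message above.

```python
"""Model of how FreeRADIUS treats the 'op' column of radcheck rows.

Added illustration for this thread, not FreeRADIUS code. '==' rows are
conditions tested against the incoming request; ':=' rows set control
items, which is how rlm_pap / rlm_mschap obtain a "known good" password.
"""
import hashlib
import hmac

# Constructed radcheck rows as (username, attribute, op, value).
RADCHECK = [
    ("usertest", "Cleartext-Password", ":=", "passtest"),
    ("usertest", "NAS-IP-Address", "==", "10.0.0.1"),   # only from this NAS
    ("olduser", "User-Password", "==", "passtest"),     # the pattern the thread warns about
]


def check_items(rows, request):
    """Apply the user's rows. Returns the control items, or None when a '=='
    row did not match the request (the entry then does not apply at all)."""
    control = {}
    for username, attribute, op, value in rows:
        if username != request.get("User-Name"):
            continue
        if op == "==":
            # Compared against the request; an attribute that is absent never matches.
            if request.get(attribute) != value:
                return None
        elif op == ":=":
            control[attribute] = value
        else:
            raise ValueError("operator %r is not modelled here" % op)
    return control


def mschap_stand_in_response(challenge, password):
    """Constructed stand-in for the MS-CHAPv2 response: SHA-256 over challenge
    and password, NOT the real NT-hash/DES computation."""
    return hashlib.sha256((challenge + "\0" + password).encode()).hexdigest()


def authenticate(rows, request):
    """Return 'accept' or 'reject: <reason>' for one request."""
    control = check_items(rows, request)
    if control is None:
        return "reject: check items did not match"
    known_good = control.get("Cleartext-Password")
    if known_good is None:
        # The situation rlm_pap logs as: No "known good" password found for the user.
        return "reject: no known good password"
    if "User-Password" in request:                       # PAP: compare clear text
        ok = hmac.compare_digest(request["User-Password"], known_good)
        return "accept" if ok else "reject: wrong password"
    if "MS-CHAP-Response" in request:                    # MS-CHAP: recompute from clear text
        expected = mschap_stand_in_response(request["MS-CHAP-Challenge"], known_good)
        ok = hmac.compare_digest(request["MS-CHAP-Response"], expected)
        return "accept" if ok else "reject: wrong password"
    return "reject: no authentication method"


def pap_request(user, password, nas="10.0.0.1"):
    """Constructed Access-Request as radtest sends it by default."""
    return {"User-Name": user, "User-Password": password, "NAS-IP-Address": nas}


def mschap_request(user, password, nas="10.0.0.1", challenge="constructed-challenge"):
    """Constructed Access-Request as radtest -t mschap sends it: no User-Password."""
    return {"User-Name": user, "NAS-IP-Address": nas,
            "MS-CHAP-Challenge": challenge,
            "MS-CHAP-Response": mschap_stand_in_response(challenge, password)}


if __name__ == "__main__":
    for req in (pap_request("usertest", "passtest"),
                mschap_request("usertest", "passtest"),
                pap_request("usertest", "passtest", nas="10.0.0.2"),
                pap_request("olduser", "passtest"),
                mschap_request("olduser", "passtest")):
        print(req["User-Name"], "pap" if "User-Password" in req else "mschap",
              "from", req["NAS-IP-Address"], "->", authenticate(RADCHECK, req))
```

The olduser rows reproduce the failure mode: with PAP the == row matches, but nothing has set a control password, so the request is rejected; with MS-CHAP the request has no User-Password at all, so the == row cannot even match.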
Re: always received Access-Reject using mysql
On Mon, 28 Nov 2011 09:59:16 +0700, Fajar A. Nugraha wrote
> Did you know you can use LDAP as backend for FR, thus allowing your users to use the same user/password combination whether they're using FR or LDAP directly? :D

Yes, I'm fully aware of that :) but the data in OpenLDAP is based on the data in MySQL (using a cron job to extract data from MySQL and add/modify the entries in OpenLDAP), so I prefer to connect freeRADIUS to MySQL directly.

again, thanks Fajar

---
Bogi Aditya
Sisfo - IMTelkom
Telkom Institute of Management
http://bogi.blog.imtelkom.ac.id
unsubscribe
New job - I'll be back - hopefully

Unsubscribe

This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system.
Free radius authentication with active directory using leap module
Hi,

Would greatly appreciate someone's help on this. I need FreeRADIUS to authenticate using WPA. From the local radtest I can see it is authenticating fine, but when testing with a WPA device this is the error I'm getting in the debug log. I just need it to work from a wireless device; I think it is the eap.conf part. Would greatly appreciate someone's help on this:

FreeRADIUS Debugging Output
This colorized output was produced by an automated tool from Network RADIUS

FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31 2010 at 00:14:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/OLD_ldap-ORIG
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/radius
	libdir = /usr/lib64/freeradius
	radacctdir = /var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /var/run/radiusd/radiusd.pid
	checkrad = /usr/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
	log {
		stripped_names = no
		auth = yes
		auth_badpass = no
		auth_goodpass = no
		msg_badpass = Host %n
		msg_goodpass = Host %n
	}
	security {
		max_attributes = 200
		reject_delay = 3
		status_server = yes
	}
}
radiusd: Loading Realms and Home Servers
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = auth
	secret = testing123
Re: Free radius authentication with AD using ldap
On Mon, Nov 28, 2011 at 12:29 PM, Vikashgounder <vikash.goun...@acu.edu.au> wrote:
> From the local radtest I can see, it is authenticating fine but when testing

... and where is the debug log for that?

> with a wpa device, this is the error m getting on the debug log:

It's quite informative, actually:

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?

If you use AD as ldap, the user password is not accessible in any ldap attribute. Thus you normally have to use ntlm_auth. See
- http://deployingradius.com/documents/configuration/active_directory.html
- http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (old version, but some of it might still be relevant)

Some other things to check:
- Are you setting Auth-Type manually? You shouldn't need to.
- If you REALLY have radtest working, then it's usually a matter of making sure the configuration in sites-available/default (the one used if you use PAP directly, e.g. with radtest) is also in sites-available/inner-tunnel (the one used to handle AAA inside the EAP tunnel, like when you use EAP-PEAP-MSCHAPv2).

-- 
Fajar
Unsubscribe
Unsubscribe
Re: Unsubscribe
To unsubscribe, visit the following link: http://lists.freeradius.org/mailman/listinfo/freeradius-users

brgds
es

From: Gary Gatten <ggat...@waddell.com>
To: 'FreeRadius users mailing list' <freeradius-users@lists.freeradius.org>
Sent: Monday, 28 November 2011 13:20
Subject: Unsubscribe

> Unsubscribe
RE: Unsubscribe
Thanks!

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Edi Sujono
Sent: Monday, November 28, 2011 12:38 AM
To: FreeRadius users mailing list
Subject: Re: Unsubscribe

> To unsubscribe, visit the following link: http://lists.freeradius.org/mailman/listinfo/freeradius-users
>
> brgds
> es
>
> From: Gary Gatten <ggat...@waddell.com>
> To: 'FreeRadius users mailing list' <freeradius-users@lists.freeradius.org>
> Sent: Monday, 28 November 2011 13:20
> Subject: Unsubscribe
>
>> Unsubscribe
Re: Change SQL Groupcheck Query in Dialup.conf
JennyBlunt wrote:
> Yes, it's a bit annoying. Our front end management system is / will be built using ruby on rails. RoR seems a little funny with join tables when they don't use IDs. Hence the need for a change to the sql. The same went for the attribute column which we needed to alter too.

That's... strange. The IDs aren't used by FreeRADIUS, and can be ignored. The attribute column is just the name of the attribute. Why would it change to anything else?

> Have things working fine - thanks for help

It's what we do.

Alan DeKok.
Re: EAP-TTLS/EAP-TLS with freeRADIUS
Hi,

>> You haven't done that. You're smart if you spend the time to understand what you're talking
> I know what I am talking about. When there is something I don't know, however - I ask, politely, and expect the same from others (that doesn't include you, apparently).

I think what Alan was trying to point out is that it is easy to find answers to your basic questions without asking this mailing list. The security of RADIUS is incredibly well-documented, and not specific to FreeRADIUS. So if your problem is that you don't know whether or not a RADIUS shared secret is sent in clear text - and you jump to false conclusions based on your *belief* how it *might* work (even if you are wrong in your assumptions) - then that is typically called noise on a mailing list. You might rather want to clarify that aspect yourself. I just typed RADIUS shared secret into Google, and found actual on-topic results - on page one. Microsoft Technet unfortunately, but better than nothing.

Now to get more down to the topic. You mention that security is paramount, which is correct. When you are using EAP-TLS or EAP-TTLS, the security of your transmitted credentials comes by virtue of the TLS tunnel that is established within that EAP method. The transport-layer security of RADIUS adds nothing to the security of these credentials. In that case, it doesn't matter much - for security reasons - whether your Access Points talk RADIUS (IP+shared secret) or RADIUS/TLS. What *is* revealed if you use only RADIUS is some of the not-so-significant attributes in the Access-Request, like the MAC address of the connecting client in Calling-Station-Id. That you might possibly see as a rather minimal privacy invasion if an eavesdropper listens on the packet; in that case, RADIUS/TLS would be a way of mitigating that.

Your thread contains lots of confusion, false assumptions and wrong conclusions. There is always a danger that that kind of half-knowledge spreads and leads to FUD.

So to be abundantly clear:

Transport security
 * traditional: fixed bindings of IP address+shared secret; uses MD5 for hash calculation
 * TLS security: either TLS-PSK (drop-in replacement for shared secret) or certificate based

Credential security
 * most EAP types roll their own, which makes transport security less relevant
 * EAP-TLS, TTLS, PEAP, FAST are among those
 * FreeRADIUS supports all of these EAP types just fine
 * some weak EAP types don't provide that security on their own, and either
   - need to be tunneled within TTLS and friends - or -
   - need to be secured by transport security

I think this answers all the questions in your thread and counteracts all the conclusions you jumped to mid-way.

If I may add: almost none of these questions were specific to *FreeRADIUS - the product* - they were about the RADIUS protocol. This mailing list is not the place to ask random questions about RADIUS. Read up on it on the internet, buy a book, or visit a course about RADIUS. The mailing list is about configuring FreeRADIUS.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
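As an added illustration of the traditional transport security in Stefan's summary (IP address plus shared secret, MD5), the following Python is written for this thread and is not FreeRADIUS code or part of any post. It builds a reply the way a server does and verifies it the way a NAS should: the Response Authenticator is MD5 over the packet and the shared secret (RFC 2865), and the Message-Authenticator attribute is an HMAC-MD5 keyed with the shared secret (RFC 2869), computed with the Request Authenticator in the header and its own value zeroed. The secret, the Request Authenticator and the attributes are constructed. The verifier also refuses a reply that carries no Message-Authenticator at all, which is the same policy FreeRADIUS can enforce on incoming requests per client with require_message_authenticator in clients.conf.

```python
"""Verify a RADIUS reply with the shared secret: Response Authenticator
(MD5 over Code+ID+Length+RequestAuth+Attributes+Secret, RFC 2865) and
Message-Authenticator (HMAC-MD5 keyed with the secret, RFC 2869).

Added illustration for this thread, not FreeRADIUS code; every value
below is constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute; Length covers its 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def _header(code, ident, body_len):
    return struct.pack("!BBH", code, ident, HEADER_LEN + body_len)


def build_response(secret, request_auth, code, ident, attrs, with_message_authenticator=True):
    """Build a reply as a server does. Order matters: the HMAC is computed with
    the Request Authenticator in the header and a zeroed Message-Authenticator;
    the Response Authenticator then covers the finished attributes."""
    body = b"".join(attrs)
    if with_message_authenticator:
        body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
        mac = hmac.new(secret, _header(code, ident, len(body)) + request_auth + body,
                       hashlib.md5).digest()
        body = body[:-16] + mac                     # placeholder is the last attribute
    resp_auth = hashlib.md5(_header(code, ident, len(body)) + request_auth + body + secret).digest()
    return _header(code, ident, len(body)) + resp_auth + body


def verify_response(secret, request_auth, packet):
    """NAS-side check of a reply: both authenticators must verify, and exactly
    one Message-Authenticator must be present."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    body = packet[HEADER_LEN:]
    # 1. Response Authenticator binds the whole reply to the request and the secret.
    expected_auth = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected_auth):
        return False
    # 2. Walk the attributes to locate the Message-Authenticator value.
    offset, ma_offset = 0, None
    while offset < len(body):
        if offset + 2 > len(body):
            return False
        attr_type, attr_len = body[offset], body[offset + 1]
        if attr_len < 2 or offset + attr_len > len(body):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or ma_offset is not None:
                return False
            ma_offset = offset + 2
        offset += attr_len
    if ma_offset is None:
        return False                                 # policy: reply must carry one
    zeroed = body[:ma_offset] + bytes(16) + body[ma_offset + 16:]
    expected_mac = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(body[ma_offset:ma_offset + 16], expected_mac)


def demo():
    """Constructed exchange: a good reply, then three replies a NAS must refuse."""
    secret = b"testing123"                      # constructed, as in the thread's radtest runs
    request_auth = bytes(range(16))             # constructed Request Authenticator
    attrs = [attr(ATTR_REPLY_MESSAGE, b"ok")]
    packet = build_response(secret, request_auth, ACCESS_ACCEPT, 7, attrs)
    tampered = bytearray(packet)
    tampered[22] ^= 0x01                        # flip one bit inside Reply-Message
    return {
        "good": verify_response(secret, request_auth, packet),
        "wrong_secret": verify_response(b"testing124", request_auth, packet),
        "tampered": verify_response(secret, request_auth, bytes(tampered)),
        "no_message_authenticator": verify_response(
            secret, request_auth,
            build_response(secret, request_auth, ACCESS_ACCEPT, 7, attrs, False)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-26s %s" % (case, "verified" if ok else "refused"))
```

Note that both checks are keyed only by the shared secret and bound to the client by its IP address, which is exactly why Stefan contrasts them with TLS-PSK or certificate-based RADIUS/TLS: the integrity of the hop rests entirely on that one secret.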
Re: Line too long
Guilherme Domingues wrote:
> I have been configuring the Broadworks VSAs in freeradius, but I am still having problems on startup:

The line too long message is because you've edited the configuration in a way that doesn't make sense.

> Are there some limits for VSA attributes in sql.conf?

Inserting 100's of attributes in one SQL statement doesn't make sense. Don't do that.

Alan DeKok.
Re: EAP-TTLS/EAP-TLS with freeRADIUS
Stefan Winter wrote:
> I think what Alan was trying to point out is that

He's been unsubscribed from the list.

It's OK to not understand RADIUS. It's OK to ask questions. It's OK to ask for help. That's what the list is for.

It's *not* OK to say I've only been doing RADIUS for 2 days, and then to imply he's made a brilliant discovery that everyone else missed.

> it is easy to find answers to your basic questions without asking this mailing list. The security of RADIUS is incredibly well-documented, and not specific to FreeRADIUS. So if your problem is that you don't know whether or not a RADIUS shared secret is sent in clear text or not - and jump to false conclusions based on your *belief* how it *might* work (even if you are wrong in your assumptions) then that is typically called noise on a mailing list.

It's a psychological issue common among certain people. Because he knows nothing about RADIUS, he has no basis for judging who is a RADIUS expert, and who is a newbie. Therefore, he thinks he (a newbie) is just as much of an expert as people who've done it for 15 years. Normal people don't do that.

> Your thread contains lots of confusion, false assumptions and wrong conclusions. There is always a danger that that kind of half-knowledge spreads and leads to FUD. So to be abundantly clear:

Exactly. The reason to answer is for later people. We don't want anyone else to be confused and misled by his false statements.

Alan DeKok.