Re: Service radiusd Start vs radiusd
I have done number 1 :( Let me try number 2 now and see what happens.

btw my setup is: Red Hat Enterprise Linux Server 5.7, FreeRADIUS 2.1.7, PostgreSQL 9.1.2

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Service-radiusd-Start-vs-radiusd-tp5429517p5432257.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: self-signed root CA
Hi,

that's a discussion / holy war admins have been fighting over for *years* in the eduroam roaming consortium. I agree with all that was said in the thread regarding security vs. convenience. Just to add one thing to the mix: if you allow bring-your-own-device on your network, you'll have much less control over what hardware comes to visit you. For some supplicants it is very hard/impossible to add your own self-signed CA to the trust root. In these cases, being able to verify the issuing CA against the hard-wired trust store is arguably more secure than not being able to validate the cert at all with a self-signed CA. For Android 4.0, for example, pushing a new CA into the trust store is hard. Doing it in a non-interactive autoconfig way is to my knowledge impossible. So, BYOD is a factor to consider.

Greetings,

Stefan Winter

> McNutt, Justin M. wrote:
>> So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing.
>
> Self-signed CA. *Always*.
>
>> And just to be clear, is the consensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it?
>
> Yes.
>
>> I've read /etc/raddb/certs/README and I've done some Googling and everything I find pretty much assumes that you're using a self-signed CA. The README explains briefly why, but my management wants more assurance than that, so here I am.
>
> Well, I wrote that README. It's correct.
>
> Here's a question for management. Do they want anyone on the planet to be able to set up a copy of their WiFi SSID, and grab user information? If yes, use a public CA. If no, use a self-signed CA.
>
> With web surfing, your web browser verifies that the site at facebook.com is holding an SSL certificate which says facebook.com. This prevents anyone else from using a facebook.com certificate, because no one else can control the facebook.com domain.
>
> For WiFi, there is no such control. If your company SSID is example.com, *anyone* can duplicate that SSID. The EAP supplicant doesn't check if the SSID matches the certificate. It can't check, for a whole host of reasons.
>
> So the situations are different. The result is that the security methods are different, too.
>
> Alan DeKok.

--
Stefan Winter, Research Engineer, Fondation RESTENA
Re: self-signed root CA
hi,

self-signed CA. The authentication is a closed-loop system. The only people that need to trust your RADIUS server for authentication are your own users (unlike e.g. a public web server). You have full control of your own CA and know its policies. With an external CA you are a slave to their reputation and policies... wouldn't it be nice to come in on a Monday morning and find your CA had been removed by the OS, as happened recently...

The issue is with the distribution/installation of that CA - but you already say you have that covered.. so great! :-)

alan
Re: Organizing accounting attributes
Hi,

> Is it possible to sort accounting attributes and values in a certain order under the detail files?

you really might want to look at using SQL to store accounting rather than using flat detail files if there is some sort/select stuff you need to do with the records..

alan
Re: Changing domain for ntlm_auth
On 25/01/2012 20:54, Phil Mayers wrote:
[...]
>> So I *can* insert unlang code there! Perfect!
>
> No. This is not unlang. It's just a string expansion.

Yup. Sorry, I was referencing the cut part.

> Unlang is a processing language that is only valid inside the virtual server authorize, post-auth, etc. sections. It's not valid in module configs.

OK. Since it seems I have to do EXACTLY the same mapping in both the default and inner-tunnel sites, I saved my if chain in unibo.map and used $INCLUDE to insert it in both virtual servers, just after the opening brace of authorize. Hope it's the correct thing to do :) (even if there's a suspect preprocess module in 'default' that smells like a candidate...).

Too bad it seems unlang doesn't like:

    if (cond) { ... } elsif (othercond) { ... } elsif (yetanother) { ... }

(gives "too many closing braces" on the last line) or even:

    if (cond) { ... } else if (othercond) { ... } else if (yetanother) { ... }

(this one evaluates 'othercond' and 'yetanother' even if 'cond' is true, completely discarding the 'else'). [The rationale for putting the 'if' on another line is that by doing so I can reorder the conditions w/o introducing errors.]

That seems quite a serious limit in the unlang grammar...

BYtE,
 Diego.
Re: Service radiusd Start vs radiusd
First I set SELinux back to enforcing, reboot, test (not working, fail to auth).

    setsebool -P radiusd_disable_trans=1

reboot, test (everything works fine).

--- let's try disabling postgresql instead of radiusd:

    setsebool -P radiusd_disable_trans=0
    setsebool -P postgresql_disable_trans=1

reboot, test (not working, fail to auth).

I guess we have a winner:

    setsebool -P radiusd_disable_trans=1

Thank you
Re: Service radiusd Start vs radiusd
Hi,

> I guess we have a winner: setsebool -P radiusd_disable_trans=1

yes but as already said, RHEL SElinux policy should already be fine for this

alan
Re: Service radiusd Start vs radiusd
I did some reading on SELinux... but there are pages and pages of info, and with my limited Linux skills... I hardly understand a thing... Welcome if anyone has any instructions which I can try.

Thanks
Eric
Re: Service radiusd Start vs radiusd
On 01/26/2012 10:27 AM, Alan Buxey wrote:
> Hi,
>
>> I guess we have a winner: setsebool -P radiusd_disable_trans=1
>
> yes but as already said, RHEL SElinux policy should already be fine for this

It's been a while since I looked, but when I did, the RHEL5 SELinux policy was good for nothing except very, very basic FreeRADIUS usage. Has that changed now? Using sesearch I don't, for example, see any references to postgresql_t for unix socket connection, and it's not obvious to me that the policy permits ntlm_auth to be exec'd.
Re: self-signed root CA
On 01/26/2012 12:08 AM, McNutt, Justin M. wrote:
> So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing.

This has been discussed extensively on the list!

> For my own reasons, I'd like to know slightly more than that. If you AREN'T using a self-signed CA for your RADIUS server, what made you use another CA, and what CA did you use?

We use a Verisign cert. We chose this because we decided the difficulty of deploying the certificate to unmanaged client desktop, laptop and mobile devices was excessive, given our client base.

I should emphasise that this is a 5 year old decision; at the time, the various open-source cert deployment tools (e.g. su1x) were unavailable, and there was (indeed, still is) an unwillingness to pay for a solution such as CloudPath. I should also emphasise that, at the time, the client base included Windows Mobile 5 devices (on which it is practically impossible to install certs) as well as guest laptops (on which the hassle of installing a cert eats significantly into the time the guest is here).

Therefore, we opted for a public cert. If we were starting from scratch, we'd probably use a private cert and su1x to deploy it. There is zero appetite to change certs (and reconfigure ~10,000 clients).

> And just to be clear, is the consensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it?

Yes, very much so. It is the safer and more secure default option.
Re: self-signed root CA
On 01/26/2012 01:43 AM, Matthew Newton wrote:
> Public CA - easier as you don't have to distribute the CA cert. You're open to spoofing attacks where someone can get another cert from the same CA and put it on a rogue RADIUS server.
>
> These days it seems anyone can get a public-CA certificate for any domain by just asking for it at the back door...

This depends on the CA. As I've said before, anyone going down this route should pony up and pay top dollar for a reliable cert from a (reasonably!) reliable CA, AND ENSURE that clients are validating the certificate CN.

I'm no fan of X.509 or CAs (oh, EAP-EKE - how I wish we could have been together!) but not every CA is terrible!
Re: Changing domain for ntlm_auth
On 01/26/2012 09:36 AM, NdK wrote:
> Since it seems I have to do EXACTLY the same mapping both in default and inner-tunnel sites, I saved my if chain in unibo.map and used $INCLUDE to insert it in both virtual servers, just after the opening brace of authorize. Hope it's the correct thing to do :) (even if there's a suspect preprocess module in 'default' that smells like a candidate...).

You can re-use bits of unlang as virtual modules. See policy.conf. This is often a bit neater than $INCLUDE. I do exactly this, for exactly this case (username/realm processing).

> Too bad it seems unlang doesn't like:
> if (cond) { ... } elsif (othercond) {

Well, no. FreeRADIUS config is basically:

    block {
        item
        item = value
        sub-block {
            subitem
        }
        sub-block2 {
            subitem2
        }
    }

if, elsif are just blocks. Blocks need to start on their own line. The name is intended as a hint here - it's NOT a programming language. It's a syntax for writing authentication policies and rules, that is a bit like a language.

> That seems quite a serious limit in the unlang grammar...

That's quite a statement. Can't you just hit return after }?
Re: Service radiusd Start vs radiusd
Hi,

>> yes but as already said, RHEL SElinux policy should already be fine for this
>
> It's been a while since I looked, but when I did the RHEL5 SELinux policy was good for nothing except very, very basic FreeRADIUS usage. Has that changed now? Using sesearch I don't for example see any references to postgresql_t for unix socket connection, and it's not obvious to me that the policy permits ntlm_auth to be exec'd.

perhaps I wrote my sentence lazily. The RHEL SElinux policy SHOULD already be fine for this ;-)

alan
Re: Changing domain for ntlm_auth
On 26/01/2012 12:24, Phil Mayers wrote:
> You can re-use bits of unlang as virtual modules. See policy.conf. This is often a bit neater than $INCLUDE.

Perfect! Exactly what was needed.

> FreeRADIUS config is basically:
[...]
> if, elsif are just blocks. Blocks need to start on their own line. The name is intended as a hint here - it's NOT a programming language. It's a syntax for writing authentication policies and rules, that is a bit like a language.

Then maybe the second sentence (and following) in the second paragraph in the 'keywords' section of the man page could be more like:

    unlang is a sequence (ordered list) of action blocks. Each action block, identified by a keyword, starts on its own line and can span multiple lines where a sub-block is allowed. Processing of a block is sequential, from the first line to the last.

This gives a pretty (quite regular) EBNF grammar... :)

>> That seems quite a serious limit in the unlang grammar...
>
> That's quite a statement. Can't you just hit return after }?

Sure. That statement was due to a misunderstanding: that error made me think I couldn't chain more than one elsif!

BYtE,
 Diego.
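As an added illustration (not the poster's unibo.map and not from the thread), this is what the shared mapping looks like as a policy.conf virtual module called from both virtual servers, with each if/elsif/else block on its own line; the realm names, domain names and the Tmp-String-0 hand-off into the mschap module's ntlm_auth string are assumptions.

```unlang
# /etc/raddb/policy.conf  (added example; realm and domain names are assumed)
policy {
    #
    # Map the realm part of the login name to the Windows domain that
    # ntlm_auth should be asked to check.  "if", "elsif" and "else" are
    # blocks, so each keyword starts on its own line; the chain is still
    # evaluated like any other if/else chain (first match wins).
    #
    map_ntlm_domain {
        if (User-Name =~ /@students\.example\.org$/) {
            update control {
                Tmp-String-0 := "STUDENTS"
            }
        }
        elsif (User-Name =~ /@staff\.example\.org$/) {
            update control {
                Tmp-String-0 := "STAFF"
            }
        }
        else {
            update control {
                Tmp-String-0 := "CORP"
            }
        }
    }
}

# /etc/raddb/sites-enabled/default  and  /etc/raddb/sites-enabled/inner-tunnel
# The policy is referenced by name in both authorize sections, which replaces
# $INCLUDE-ing the same file twice.
authorize {
    preprocess
    suffix
    map_ntlm_domain
    # ... the rest of the usual authorize section (eap, files, ...) ...
}

# /etc/raddb/modules/mschap
# Module configs are plain string expansion, not unlang, so the mapped
# domain is spliced into the ntlm_auth command here.  "CORP" is the
# fallback if the policy did not run; the ntlm_auth path is an assumption.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{control:Tmp-String-0}:-CORP} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Running the policy in inner-tunnel as well matters for PEAP/EAP-TTLS, where the identity that ntlm_auth actually checks is the one in the inner request.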
Re: Changing domain for ntlm_auth
NdK wrote:
> Been confused by the error: it pointed to the last line of the chain, not to the *first* closing brace followed by a keyword, forming an invalid entry. BTW, it stays unclear why the keyword can't be on the same line with the closing brace. Can't figure out unlang's grammar in EBNF.

It doesn't use ABNF.

> Man page is somewhat contradictory: first it says
>     The language consists of a series of entries, each one one line.
> but then allows multi-line entries calling 'em blocks...

And you conveniently deleted the NEXT sentence:

    Each entry begins with a keyword.

> But, reading again the man page, another doubt arises: in a chain, does an else/elsif refer to the immediately preceding 'if' entry or to the last evaluated 'if' entry (supposing elsif is equivalent to else\nif)? Being read line-by-line it could easily be the first (static binding), but my test suggests the common behaviour (once one is true, all the following aren't evaluated). But I could be wrong...

Then you don't understand how if and else work. It works the same way as Perl, C, and other languages.

Alan DeKok.
Re: Authorization with Active Directory
Hi,

I have implemented the idea given by Phil for authorizing Active Directory users to use VPN or Wifi or whatever they are meant for, depending on the value of Active Directory's extensionAttribute10 attribute, as:

## /usr/local/etc/raddb/modules/ldap:

    filter = "(&(extensionAttribute10=%{control:Tmp-String-0})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"

I have used extensionAttribute10 for storing the values VPN, wifi depending upon the users.

## /usr/local/etc/raddb/sites-enabled/default
## I tried using Called-Station-Id to check the condition; which is ok for now for testing, but which I guess is not feasible if there are thousands of NAS devices. I don't know what would be the best test condition for this.

    authorize {
        ...
        if (Called-Station-Id == ...) {
            update control {
                Tmp-String-0 := VPN
            }
        }
        else {
            update control {
                Tmp-String-0 := Wifi
            }
        }
        ldap
        if (notfound) {
            reject
        }
        ...
    }

And also, I have implemented the idea of returning Filter-Id for Active Directory users by looking at the OU of the domain, as:

    ldap
    if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) {
        update control {
            Tmp-String-1 := "%{1}"
        }
    }

And returning the value of Filter-Id through the users file as:

    DEFAULT Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}"

But now I am facing the problem that I can't use more than one If condition inside unlang to test the conditions inside the Ldap module (if I am correct in my understanding). And also, using the filter defined as above inside the Ldap module, some Active Directory users who don't have extensionAttribute10 might get rejected. These users should get default acceptance, but should be granted access to VPN or wifi if a value is assigned to them in extensionAttribute10. If they don't have the attribute defined they should still get accepted as default users.

If I just use:

    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

this allows all the users in Active Directory to get accepted (doesn't reject if there is no extensionAttribute10 either); but how do I reach the goal of granting authorization for VPN, wifi users accordingly if I use this? Is there any easy way to check a condition for a particular attribute of Active Directory? And I don't know where to check this, if I am already using an If conditional statement for returning the Filter-Id inside the Ldap module.

In my understanding, people usually check this type of condition for the users that are defined in the users file as:

    bob User-Password == testing, Connection-Type := VPN

But I am not sure how to check like this even though I define in ldap.attrmap:

    checkItem Connection-Type extensionAttribute10

I don't know whether I am confused or I am not getting how to achieve this. Your valuable idea would be really appreciated.

Thanks,
Problems sending session-timeout
Hi guys,

I have a problem with my freeradius service. I would like to get freeradius to send the session-timeout attribute to my NAS. Can you tell me how I could get it? This is the output result:

    FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 20:41:03
Re: mschap/NTLM and different membership-of with variables
sorry, I found my mistake and it was on the AP device. The outer.reply works fine. But I still want to understand how this works, so if somebody can share a link that explains how variables work in detail, it would be appreciated.

Thanks.
Gonzalo.
Freeradius and rlm_perl auth
Hello

I'm using a Perl script to authenticate against a web service. My script works with the web service, but I want my script to authenticate in a FreeRADIUS server. I don't know which files I must modify, and what I must modify, for it to work.

Thanks for your answers.

--
Fabricio A. Flores G.
freradius Segmentation fault
I am testing out authentication with radtest. If I send the wrong group password I get "invalid Message-Authenticator", which is what I expect; the second I put in the correct password I get the Segmentation fault. This is on Ubuntu 10.04.3 LTS. Is this a known issue, or am I screwing something up?

Thanks

    :/etc/freeradius# /usr/sbin/freeradius -X
    FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11
Re: freradius Segmentation fault
Ski Mountain wrote:
> I am testing out authentication with radtest. If I send the wrong group password I get invalid Message-Authenticator which is what I expect, the second I put in the correct password I get the Segmentation fault
>
> Is this a known issue, or am I screwing something up?

Well, it's 2.1.8, which is old. See doc/bugs for instructions on helping us understand SEGVs.

This kind of error is usually caused by using the wrong version of shared libraries.

Alan DeKok.
Re: Service radiusd Start vs radiusd
On 01/26/2012 06:33 AM, Alan Buxey wrote:
> Hi,
>
>>> yes but as already said, RHEL SElinux policy should already be fine for this
>>
>> It's been a while since I looked, but when I did the RHEL5 SELinux policy was good for nothing except very, very basic FreeRADIUS usage. Has that changed now? Using sesearch I don't for example see any references to postgresql_t for unix socket connection, and it's not obvious to me that the policy permits ntlm_auth to be exec'd.
>
> perhaps I wrote my sentence lazily. The RHEL SElinux policy SHOULD already be fine for this ;-)

You say you're running RHEL 5.7 (and not some RHEL clone such as CentOS or Scientific Linux). That means you've paid us for a subscription, and part of what you've paid for is a promise that things will work. If they are not working, please follow the support procedures with your RHEL representative to get help and/or file a bug (sorry, I can't tell you how that process works because I sit on the other end inside of engineering). The issue will be assigned to one of us in engineering; because it appears to be an SELinux policy issue it won't likely come to me, rather it will go to an engineer assigned to SELinux policy issues. SELinux policy problems usually get fixed very quickly once they get reported; in the interim the engineer assigned to the bug will likely tell you the optimal temporary workaround.

--
John Dennis jden...@redhat.com
Re: Authorization with Active Directory
On 01/26/2012 02:41 PM, suggestme wrote:
> ## I tried using Called-Station-Id to check the condition; which is ok for now for testing; but which I guess is not feasible if there are thousands of NAS devices. I don't know what would be best test condition for this.

There are many options. You could match on Client-Shortname with the following client def:

    client VPN-1 {
        ipaddr = 192.0.2.1
        secret = ...
    }

...and then in authorize:

    authorize {
        ...
        if (Client-Shortname =~ /^VPN/) {
            ..
        }
    }

Or use Huntgroup-Name and huntgroups.

> But now I am facing the problem that I can't use more than one If conditions inside unlang to test the conditions inside Ldap module. (If I am correct on my understanding)

Sorry, I don't understand what you mean here.

> And, also using the filter defined as above inside Ldap module some user of active directory which doesn't have extensionAttribute10 might get rejected. These users should get default acceptance; but should be granted to access VPN, or wifi if value is assigned to them on extensionAttribute10. If don't have attribute defined still get accepted as default user.

Well, you need to write your LDAP filter correctly. I suggest you read the LDAP filter syntax.

Another option, which you've almost figured out, is to pull the data from LDAP then do the decisions in unlang.

> Is there any easy way to check condition for the particular attribute of active directory? And I don't know where to check this, If I am already using If conditional statement for returning the Filter-Id inside Ldap module. In my understanding; people use to check this type of condition for the users that are defined in users file as;
>     bob User-Password == testing, Connection-Type := VPN
> But I am not sure how to check like this eventhough If I define in ldap.attrmap as:
>     checkItem Connection-Type extensionAttribute10

Ok, several steps:

1. Define your attribute in /etc/raddb/dictionary e.g.

    ATTRIBUTE My-Extension10 3010 string

2. Define the LDAP - RADIUS mapping in ldap.attrmap

    checkItem My-Extension10 extensionAttribute10

3. Run the LDAP module, then compare the attribute. Note - because you've mapped the item to check/control lists, you can't use a users file - you must use unlang, like so:

    authorize {
        ...
        ldap
        if (My-Extension10 == VPN) {
            ..
        }
    }

...or more likely:

    authorize {
        ..
        ldap
        if (Client-Shortname =~ /^VPN/) {
            if (My-Extension10 == VPN) {
                # permit
            }
            else {
                reject
            }
        }
        ...
    }

HTH
Re: Authorization with Active Directory
On 01/26/2012 04:42 PM, Phil Mayers wrote:
3. Run the LDAP module, then compare the attribute. Note - because you've mapped the item to check/control lists, you can't use a users file - you must use unlang, like so:

Damn, sorry, this should be:

  authorize {
    ...
    ldap
    if (control:My-Extension10 == VPN) {
      ...
    }
    ...
  }
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius Segmentation fault
It was simply installed from the ubuntu repository with aptitude. Does this mean that I should just try compiling a new version of freeradius from source, and if the source version does not work, compile it to enable core dumps?

Thanks

- Original Message -
From: Alan DeKok al...@deployingradius.com
To: Ski Mountain ski_the_mount...@yahoo.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org
Cc:
Sent: Thursday, January 26, 2012 11:39 AM
Subject: Re: freeradius Segmentation fault

Ski Mountain wrote: I am testing out authentication with radtest. If I send the wrong group password I get invalid Message-Authenticator which is what I expect; the second I put in the correct password I get the Segmentation fault. Is this a known issue, or am I screwing something up?

Well, it's 2.1.8, which is old. See doc/bugs for instructions on helping us understand SEGVs. This kind of error is usually caused by using the wrong version of shared libraries.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authorization with Active Directory
Thanks a lot again for showing me the direction. Everything works perfectly except the conditional check for Client-Shortname. I tried using:

  if (Client-Shortname =~ /^localhost/) {

It didn't work, saying Client-Shortname is an unknown attribute. Again I tried using:

  if (%{client: shortname} =~ /^localhost/) {

It also showed the following test result. I am testing it with localhost; in the debug mode output it shows:

  +++? if (%{client: shortname} =~ /^localhost/)
  expand: %{client: shortname} ->
  ? Evaluating (%{client: shortname} =~ /^localhost/) -> FALSE
  +++? if (%{client: shortname} =~ /^localhost/) -> FALSE

Why is the condition check for localhost evaluated as FALSE? In my clients.conf I have just listed the default FreeRadius configuration for localhost as:

  client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    nastype = other
  }

Can't it be tested using the localhost shortname; do I need to use a client in real environment testing instead of localhost? OR is there any silly thing I am missing again...

For just trial purposes I used NAS-IP-Address and supplied my localhost IP address inside the If condition; it works.

Thanks,
-- View this message in context: http://freeradius.1045715.n5.nabble.com/Authorization-with-Active-Directory-tp5117364p5434013.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems sending session-timeout
On Thu, Jan 26, 2012 at 10:14 PM, tonimanel antoniofernan...@fabergames.com wrote: Hi guys, I have a problem with my freeradius service. I would like freeradius to send the session-timeout attribute to my NAS. Can you tell me how I could get it?

Just put it in radreply :)

I think you meant this though: http://wiki.freeradius.org/Rlm_sqlcounter

Read it, especially the parts that mention check-name and counter-name.

-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authorization with Active Directory
Hi,

Everything works perfect except the conditional checking for Client-Shortname. I tried using: if (Client-Shortname =~ /^localhost/) {

that's wrong

It didn't work saying Client-Shortname as unknown attribute. Again I tried using: if (%{client: shortname} =~ /^localhost/) {

that's wrong too - why have you put a space in it?

  %{client:shortname}

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
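Putting the corrections from this thread together (the control: prefix from Phil's follow-up, %{client:shortname} without the space from Alan's reply, and the requirement that users without extensionAttribute10 are accepted as default users), one complete FreeRADIUS 2.x configuration would look like the fragment below. This is an added example, not configuration posted in the thread or shipped with FreeRADIUS: the attribute number 3010, the client short names starting with VPN, and the Filter-Id value are placeholders to adapt to your site.

```text
# /etc/raddb/dictionary  (3000-4000 is the local-use range; 3010 is a placeholder)
ATTRIBUTE   My-Extension10   3010   string

# /etc/raddb/ldap.attrmap  (checkItem puts the LDAP value into the control list)
checkItem   My-Extension10   extensionAttribute10

# /etc/raddb/sites-enabled/default, authorize section
authorize {
    ...
    ldap

    # Client-Shortname is not a RADIUS attribute. The name from clients.conf
    # is only reachable through the %{client:...} expansion, and it must be
    # written without a space after the colon or it expands to nothing.
    if ("%{client:shortname}" =~ /^VPN/) {
        if (control:My-Extension10 == "VPN") {
            update reply {
                Filter-Id := "vpn-users"      # placeholder value for the NAS
            }
        }
        elsif (control:My-Extension10) {
            # attribute present but not VPN: this user is not a VPN user
            reject
        }
        # attribute absent: fall through and accept as a default user
    }
    ...
}
```

Run the server with radiusd -X and send a test request with radtest; the debug output shows the ldap module populating control:My-Extension10 and the expansion of %{client:shortname} before the condition is evaluated, which is the quickest way to confirm that both lookups produce the values you expect.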
Re: Service radiusd Start vs radiusd
My RHEL 5.7 is only a 30-day evaluation; there won't be any support. Just trying it and doing some learning at home. At work we use RHEL 5.6; when we set up the new server, if the same SELinux problem occurs, I will try the support procedures.

Thanks
Eric
-- View this message in context: http://freeradius.1045715.n5.nabble.com/Service-radiusd-Start-vs-radiusd-tp5429517p5434222.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: self-signed root CA
Self-signed provides stronger security in most cases. I'm using self-signed here, and distributing a certificate to unmanaged user devices is as easy as placing a p12 file on a USB drive and requiring users to stop by ops before getting on wireless. If you're using a public CA to sign certs, and you're not using TLS authentication (I'm guessing you're not; getting that many certs would be expensive), then anyone can impersonate your network and intercept perceivably protected traffic. This is BAD. Insofar as I know, nearly everyone on this list using certs is using self-signed.

On 1/25/2012 16:08, McNutt, Justin M. wrote: So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing. For my own reasons, I'd like to know slightly more than that. If you AREN'T using a self-signed CA for your RADIUS server, what made you use another CA, and what CA did you use? And just to be clear, is the consensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it? I've read /etc/raddb/certs/README and I've done some Googling and everything I find pretty much assumes that you're using a self-signed CA. The README explains briefly why, but my management wants more assurance than that, so here I am. Looking forward to your responses, and thanks in advance. --J
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: self-signed root CA
I've attached android, windows 7, macosx, and ubuntu linux to an eap-tls network using wpa2-eap-tls, which requires client and CA certs. It's no issue once you know what you're doing. The hardest part is the nearly complete lack of documentation for any OS except linux; you're limited to what google provides from various blogs.

On 1/26/2012 00:19, Stefan Winter wrote: Hi, that's a discussion / holy war admins have been fighting over for *years* in the eduroam roaming consortium. I agree with all that was said in the thread regarding security vs. convenience. Just to add one thing to the mix: if you allow bring your own device for your network, you'll have much less control over what hardware comes to visit you. For some supplicants it is very hard/impossible to add your own self-signed CA to the trust root. In these cases, being able to verify the issuing CA against the hard-wired trust store is arguably more secure than not being able to validate the cert at all with a self-signed CA. For Android 4.0 for example, pushing a new CA into the trust store is hard. Doing it in a non-interactive autoconfig way is to my knowledge impossible. So, BYOD is a factor to consider. Greetings, Stefan Winter

McNutt, Justin M. wrote: So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing.

Self-signed CA. *Always*.

And just to be clear, is the consensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it?

Yes.

I've read /etc/raddb/certs/README and I've done some Googling and everything I find pretty much assumes that you're using a self-signed CA. The README explains briefly why, but my management wants more assurance than that, so here I am.

Well, I wrote that README. It's correct. Here's a question for management. Do they want anyone on the planet to be able to set up a copy of their WiFi SSID, and grab user information? If yes, use a public CA. If no, use a self-signed CA.

With web surfing, your web browser verifies that the site at facebook.com is holding an SSL certificate which says facebook.com. This prevents anyone else from using a facebook.com certificate, because no one else can control the facebook.com domain. For WiFi, there is no such control. If your company SSID is example.com, *anyone* can duplicate that SSID. The EAP supplicant doesn't check if the SSID matches the certificate. It can't check, for a whole host of reasons. So the situations are different. The result is that the security methods are different, too.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
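Alan's argument can be reproduced on the command line. The script below is an added example, not part of the thread or of the raddb/certs README: it builds a private RADIUS CA and a second, unrelated CA standing in for "any public CA an attacker can buy from", issues a legitimate and a rogue server certificate with the same name, and then performs the only check an EAP supplicant can perform, chaining the certificate to its trust store. Everything is a placeholder (the CA names, radius.example.com, the file names); only an openssl binary on PATH is assumed.

```sh
#!/bin/sh
# Added example, not from the thread or from raddb/certs. Models the EAP
# supplicant's trust decision with plain openssl. All names are placeholders.
set -eu

# Minimal openssl config so the result does not depend on the system openssl.cnf.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# make_ca <dir> <basename> <CN>: a self-signed CA certificate and key.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/openssl.cnf" -extensions v3_ca -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_server <dir> <ca-basename> <basename> <CN>: a CA-signed server certificate.
issue_server() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/openssl.cnf" \
        -subj "/CN=$4" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$1/$3.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions v3_server -out "$1/$3.crt" 2>/dev/null
}

# supplicant_accepts <trust-bundle> <server-cert>: the check a supplicant can
# do. It chains the server certificate to a CA in its trust store. There is no
# SSID inside the certificate to compare against, so the trust store decides.
supplicant_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_demo_pki <dir>: the site's private RADIUS CA plus an unrelated CA that
# stands in for any public CA an attacker can obtain a certificate from.
build_demo_pki() {
    write_cnf "$1/openssl.cnf"
    make_ca "$1" private-ca "Example Private RADIUS CA"
    make_ca "$1" public-ca "Some Public CA"
    issue_server "$1" private-ca radius "radius.example.com"
    # The attacker's certificate: same name as ours, issued by the other CA,
    # and perfectly valid as far as X.509 is concerned.
    issue_server "$1" public-ca rogue "radius.example.com"
    # A device whose supplicant trusts the usual public CAs plus ours.
    cat "$1/private-ca.crt" "$1/public-ca.crt" > "$1/os-trust-store.crt"
}

# verdict <trust-bundle> <server-cert>: accept / reject, for the report below.
verdict() {
    if supplicant_accepts "$1" "$2"; then echo accept; else echo reject; fi
}

main() {
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT
    build_demo_pki "$dir"
    echo "supplicant trusts the private CA only:"
    echo "  our RADIUS server cert:  $(verdict "$dir/private-ca.crt" "$dir/radius.crt")"
    echo "  attacker's cert:         $(verdict "$dir/private-ca.crt" "$dir/rogue.crt")"
    echo "supplicant trusts the OS bundle (public CAs + ours):"
    echo "  attacker's cert:         $(verdict "$dir/os-trust-store.crt" "$dir/rogue.crt")"
}

main
```

The third line of the report is the whole argument: once the supplicant's trust store contains a CA that will sell a certificate to anyone, a certificate the attacker bought for a rogue access point chains just as well as the real one, and nothing ties the certificate to the SSID. A private CA that issues nothing but your RADIUS server certificates removes that path, which is why the README defaults to one.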