Re: Service radiusd Start vs radiusd

2012-01-26 Thread eric.chang
I have done number 1 :(

Let me try number 2 now, and see what happens.


btw my setup is:

Red Hat Enterprise Linux Server 5.7
FreeRADIUS 2.1.7
PostgreSQL 9.1.2

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Service-radiusd-Start-vs-radiusd-tp5429517p5432257.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: self-signed root CA

2012-01-26 Thread Stefan Winter
Hi,

that's a discussion / holy war admins have been fighting over for *years* in
the eduroam roaming consortium.

I agree with all that was said in the thread regarding security vs.
convenience.

Just to add one thing to the mix: if you allow bring your own device
for your network, you'll have much less control over what hardware comes
to visit you. For some supplicants it is very hard/impossible to add their
own self-signed CA to the trust root.

In these cases, being able to verify the issuing CA against the
hard-wired trust store is arguably more secure than not being able to
validate the cert at all with a self-signed CA.

For Android 4.0 for example, pushing a new CA into the trust store is
hard. Doing it in a non-interactive autoconfig way is to my knowledge
impossible.

So, BYOD is a factor to consider.

Greetings,

Stefan Winter

 McNutt, Justin M. wrote:
 So I'm getting some pushback in my organization against using a self-signed 
 CA for signing my RADIUS server certs.  To make a long story short, I was 
 asked to find out what other people were doing.
 
   Self-signed CA.  *Always*.
 
 And just to be clear, is the consensus still that a self-signed CA is the 
 way to go, assuming that you have a decent way to distribute the CA cert 
 (which we do) to the clients who need to trust it?
 
   Yes.
 
 I've read /etc/raddb/certs/README and I've done some Googling and everything 
 I find pretty much assumes that you're using a self-signed CA.  The README 
 explains briefly why, but my management wants more assurance than that, so 
 here I am.
 
   Well, I wrote that README.  It's correct.
 
   Here's a question for management.  Do they want anyone on the planet
 to be able to set up a copy of their WiFi SSID, and grab user information?
 
   If yes, use a public CA.  If no, use a self-signed CA.
 
   With web surfing, your web browser verifies that the site at
 facebook.com is holding an SSL certificate which says facebook.com.
  This prevents anyone else from using a facebook.com certificate,
 because no one else can control the facebook.com domain.
 
   For WiFi, there is no such control.  If your company SSID is
 example.com, *anyone* can duplicate that SSID.  The EAP supplicant
 doesn't check if the SSID matches the certificate.  It can't check, for
 a whole host of reasons.
 
   So the situations are different.  The result is that the security
 methods are different, too.
 
   Alan DeKok.


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Re: self-signed root CA

2012-01-26 Thread Alan Buxey
hi,

self-signed CA. the authentication is a closed-loop system. the only people
that need to trust your RADIUS server for authentication are your own
users (unlike eg a public web server). you have full control of your
own CA... and know its policies. With an external CA you are a slave to their
reputation and policies... wouldn't it be nice to come in on a Monday
morning and find your CA had been removed by the OS, as happened recently...

The issue is with the distribution/installation of that CA - but you already
say you have that covered..so great! :-)

alan


Re: Organizing accounting attributes

2012-01-26 Thread Alan Buxey
Hi,

> Is it possible to sort accounting attributes and values in a certain order
> under the detail files ?

you really might want to look at using SQL to store accounting
rather than using flat detail files if there is some sort/select
stuff you need to do with the records..

alan


Re: Changing domain for ntlm_auth

2012-01-26 Thread NdK
On 25/01/2012 20:54, Phil Mayers wrote:

 [...]
 So I *can* insert unlang code there! Perfect!
 No. This is not unlang. It's just a string expansion.
Yup. Sorry, I was referencing the cut part.

 Unlang is a processing language that is only valid inside the virtual
 server authorize, post-auth, etc. sections. It's not valid in module
 configs.
OK.

Since it seems I have to do EXACTLY the same mapping both in default
and inner-tunnel sites, I saved my if chain in unibo.map and used
$INCLUDE to insert it in both virtual servers, just after the opening
brace of authorize. Hope it's the correct thing to do :) (even if
there's a suspect preprocess module in 'default' that smells like a
candidate...).

Too bad it seems unlang doesn't like :
if (cond) {
...
} elsif (othercond) {
...
} elsif (yetanother) {
...
}
(gives too many closing braces on the last line) or even:
if (cond) {
...
} else
if (othercond) {
...
} else
if (yetanother) {
...
}
(this one evaluates 'othercond' and 'yetanother' even if 'cond' is true,
completely discarding the 'else').
[The rationale for putting the 'if' on another line is that doing so I can
reorder the conditions w/o introducing errors]

That seems quite a serious limit in the unlang grammar...

BYtE,
 Diego.


Re: Service radiusd Start vs radiusd

2012-01-26 Thread eric.chang
First I set SELinux back to enforcing

reboot  test (not working, fail to auth)


setsebool -P radiusd_disable_trans=1

reboot  test (everything works fine)


--- let's try disabling postgresql instead of radiusd

setsebool -P radiusd_disable_trans=0
setsebool -P postgresql_disable_trans=1

reboot  test (not working, fail to auth)


I guess we have a winner:
setsebool -P radiusd_disable_trans=1

Thank you

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Service-radiusd-Start-vs-radiusd-tp5429517p5432471.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Service radiusd Start vs radiusd

2012-01-26 Thread Alan Buxey
Hi,

 I guess we have a winner:
 setsebool -P radiusd_disable_trans=1

yes but as already said, RHEL SElinux policy should already be fine for this

alan


Re: Service radiusd Start vs radiusd

2012-01-26 Thread eric.chang
I did some reading on SELinux... but there are pages and pages of info, and
with my limited Linux skills... I hardly understand a thing...

I'd welcome any instructions from anyone which I can try.

Thanks
Eric

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Service-radiusd-Start-vs-radiusd-tp5429517p5432539.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Service radiusd Start vs radiusd

2012-01-26 Thread Phil Mayers

On 01/26/2012 10:27 AM, Alan Buxey wrote:

> Hi,
>
>> I guess we have a winner:
>> setsebool -P radiusd_disable_trans=1
>
> yes but as already said, RHEL SElinux policy should already be fine for this


It's been a while since I looked, but when I did the RHEL5 SELinux 
policy was good for nothing except very, very basic FreeRADIUS usage.


Has that changed now? Using sesearch I don't for example see any 
references to postgresql_t for unix socket connection, and it's not 
obvious to me that the policy permits ntlm_auth to be exec'd.

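A defender-side alternative to `radiusd_disable_trans=1`, added here and not taken from the thread: rather than taking radiusd out of its SELinux domain, read the AVC denials and derive the targeted allow rules a local policy module would need. The audit lines are constructed to match the two gaps Phil names (the PostgreSQL unix socket and exec of ntlm_auth); the labels `winbind_helper_exec_t` and `radius_port_t` are assumed, not from the page.

```python
"""Triage SELinux AVC denials for radiusd instead of disabling its domain transition.

Added example, not from the thread. The audit.log lines below are constructed
to match the gaps mentioned in the thread (radiusd_t reaching the PostgreSQL
unix socket and exec'ing ntlm_auth); the labels winbind_helper_exec_t and
radius_port_t are assumed. The output is the minimal allow rules a targeted
local policy module would need, in the form audit2allow prints them.
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample of /var/log/audit/audit.log (not real captures).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1327579200.101:201): avc:  denied  { write } for  pid=2311 comm="radiusd" name=".s.PGSQL.5432" dev=dm-0 ino=13 scontext=user_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1327579200.102:202): avc:  denied  { connectto } for  pid=2311 comm="radiusd" path="/var/run/postgresql/.s.PGSQL.5432" scontext=user_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1327579200.102:202): arch=c000003e syscall=42 success=no exit=-13 comm="radiusd"
type=AVC msg=audit(1327579200.250:203): avc:  denied  { execute } for  pid=2312 comm="radiusd" name="ntlm_auth" dev=dm-0 ino=99 scontext=user_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:winbind_helper_exec_t:s0 tclass=file
type=AVC msg=audit(1327579200.300:204): avc:  denied  { connectto } for  pid=2311 comm="radiusd" path="/var/run/postgresql/.s.PGSQL.5432" scontext=user_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1327579300.000:210): avc:  denied  { name_connect } for  pid=3000 comm="httpd" dest=1812 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:radius_port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

Denial = Tuple[str, str, str, str]   # (source type, target type, class, permission)


def _type_of(context: str) -> str:
    """user:role:type:level -> type (the field policy rules are written against)."""
    return context.split(":")[2]


def parse_avc_denials(log_text: str) -> Iterator[Denial]:
    """Yield one tuple per denied permission; non-AVC records (SYSCALL etc.) are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        src, tgt = _type_of(m.group("scontext")), _type_of(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm


def allow_rules(log_text: str, source_type: str = "radiusd_t") -> List[str]:
    """Collapse the denials of one source domain into sorted, de-duplicated allow rules.

    Restricting to one domain matters: a blanket audit2allow over the whole log
    would also grant whatever other daemons were denied (httpd_t in the sample).
    """
    perms: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for src, tgt, tclass, perm in parse_avc_denials(log_text):
        if src == source_type:
            perms[(src, tgt, tclass)].add(perm)
    return [
        f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(p))} }};"
        for (src, tgt, tclass), p in sorted(perms.items())
    ]


if __name__ == "__main__":
    # These lines go into a .te file for checkmodule/semodule_package/semodule -i;
    # radiusd then stays confined in radiusd_t with only the three extra permissions.
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
```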


Re: self-signed root CA

2012-01-26 Thread Phil Mayers

On 01/26/2012 12:08 AM, McNutt, Justin M. wrote:

> So I'm getting some pushback in my organization against using a
> self-signed CA for signing my RADIUS server certs.  To make a long
> story short, I was asked to find out what other people were doing.


This has been discussed extensively on the list!



> For my own reasons, I'd like to know slightly more than that.  If you
> AREN'T using a self-signed CA for your RADIUS server, what made you
> use another CA, and what CA did you use?


We use a Verisign cert. We chose this because we decided the difficulty 
of deploying the certificate to unmanaged client desktop, laptop and 
mobile devices was excessive, given our client base.


I should emphasise that this is a 5 year old decision; at the time, the 
various open-source cert deployment tools (e.g. su1x) were unavailable, 
and there was (indeed, still is) an unwillingness to pay for a solution 
such as CloudPath.


I should also emphasise that, at the time, the client base included 
Windows Mobile 5 devices (on which it is practically impossible to 
install certs) as well as guest laptops (on which the hassle of 
installing a cert eats significantly into the time the guest is here).


Therefore, we opted for a public cert.

If we were starting from scratch, we'd probably use a private cert and 
su1x to deploy it.


There is zero appetite to change certs (and reconfigure ~10,000 clients).



> And just to be clear, is the consensus still that a self-signed CA is
> the way to go, assuming that you have a decent way to distribute the
> CA cert (which we do) to the clients who need to trust it?


Yes, very much so. It is the safer and more secure default option.


Re: self-signed root CA

2012-01-26 Thread Phil Mayers

On 01/26/2012 01:43 AM, Matthew Newton wrote:

> Public CA - easier as you don't have to distribute the CA cert.
>
> You're open to spoofing attacks where someone can get another cert
> from the same CA and put it on a rogue RADIUS server. These days
> it seems anyone can get a public-CA certificate for any domain by
> just asking for it at the back door...


This depends on the CA.

As I've said before, anyone going down this route should pony up and pay 
top dollar for a reliable cert from a (reasonably!) reliable CA, AND 
ENSURE that clients are validating the certificate CN.


I'm no fan of X.509 or CAs (oh, EAP-EKE - how I wish we could have been 
together!) but not every CA is terrible!

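The trust decision Matthew and Phil are arguing about, as an added Python model that is not FreeRADIUS code and not from the thread: a certificate is a plain record with no real signature, the CA names and the `radius.example.com` CN are constructed, and the three client configurations (public roots without a pinned CN, public roots with a pinned CN, private CA only) are run against a legitimate server, a rogue server with a genuine public cert for another name, and a misissued cert carrying the organisation's own name.

```python
"""Model of the supplicant trust decision discussed in this thread.

Constructed example, not FreeRADIUS code: a certificate is a plain record with
no real signature, and CA names are made up. The point is how the choice of
trust anchor changes who can impersonate the RADIUS server behind a cloned SSID.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Cert:
    subject_cn: str   # CN the RADIUS server presents in the EAP-TLS/PEAP handshake
    issuer_cn: str    # CN of the CA that issued it (model only, no cryptography)


# A BYOD device's hard-wired store holds many public roots; the private store
# holds only the organisation's own CA (both sets are constructed).
PUBLIC_ROOTS: FrozenSet[str] = frozenset({"Public CA A", "Public CA B", "Public CA C"})
PRIVATE_ROOT: FrozenSet[str] = frozenset({"Example Corp RADIUS CA"})


def supplicant_accepts(server_cert: Cert, trusted_cas: FrozenSet[str],
                       expected_cn: Optional[str] = None) -> bool:
    """True if the supplicant would continue the EAP tunnel to this server.

    Unlike a browser, the supplicant has no URL hostname to compare against:
    the SSID proves nothing, so a CN check happens only if one was configured.
    """
    if server_cert.issuer_cn not in trusted_cas:
        return False          # chain does not end in a trusted anchor
    if expected_cn is not None and server_cert.subject_cn != expected_cn:
        return False          # trusted CA, but not the server the client was told to expect
    return True


def evaluate_scenarios() -> Dict[str, Dict[str, bool]]:
    """Run the three client configurations from the thread against three servers."""
    legit_public = Cert("radius.example.com", "Public CA A")
    legit_private = Cert("radius.example.com", "Example Corp RADIUS CA")
    # Rogue server behind a cloned SSID, holding a genuine public-CA cert for another name.
    other_name = Cert("radius.attacker.example", "Public CA B")
    # Matthew's worst case: a public CA issued the organisation's own name to a third party.
    misissued = Cert("radius.example.com", "Public CA C")

    def run(trusted: FrozenSet[str], legit: Cert, cn: Optional[str]) -> Dict[str, bool]:
        return {
            "legit": supplicant_accepts(legit, trusted, cn),
            "rogue_other_name": supplicant_accepts(other_name, trusted, cn),
            "misissued_same_name": supplicant_accepts(misissued, trusted, cn),
        }

    return {
        # Public CA and no CN pinned: any cert from any public root is accepted.
        "public_no_cn": run(PUBLIC_ROOTS, legit_public, None),
        # Public CA with the CN pinned (Phil's "ENSURE clients validate the CN"):
        # only a misissued cert for the right name still gets through.
        "public_with_cn": run(PUBLIC_ROOTS, legit_public, "radius.example.com"),
        # Private CA: only certs the organisation itself issued are accepted,
        # with or without a CN check.
        "private_ca": run(PRIVATE_ROOT, legit_private, None),
    }


if __name__ == "__main__":
    for config, outcome in evaluate_scenarios().items():
        print(config, outcome)
```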


Re: Changing domain for ntlm_auth

2012-01-26 Thread Phil Mayers

On 01/26/2012 09:36 AM, NdK wrote:

> Since it seems I have to do EXACTLY the same mapping both in default
> and inner-tunnel sites, I saved my if chain in unibo.map and used
> $INCLUDE to insert it in both virtual servers, just after the opening
> brace of authorize. Hope it's the correct thing to do :) (even if
> there's a suspect preprocess module in 'default' that smells like a
> candidate...).


You can re-use bits of unlang as virtual modules. See policy.conf. 
This is often a bit neater than $INCLUDE.


I do exactly this, for exactly this case (username/realm processing).



> Too bad it seems unlang doesn't like :
> if (cond) {
> ...
> } elsif (othercond) {


Well, no.

FreeRADIUS config is basically:

block {
  item
  item = value
  sub-block {
    subitem
  }
  sub-block2 {
    subitem2
  }
}

if, elsif are just blocks. Blocks need to start on their own line.

The name is intended as a hint here - it's NOT a programming language. 
It's a syntax for writing authentication policies and rules, that is a 
bit like a language.



> That seems quite a serious limit in the unlang grammar...


That's quite a statement. Can't you just hit return after }?


Re: Service radiusd Start vs radiusd

2012-01-26 Thread Alan Buxey
Hi,

  yes but as already said, RHEL SElinux policy should already be fine for this
 
 It's been a while since I looked, but when I did the RHEL5 SELinux 
 policy was good for nothing except very, very basic FreeRADIUS usage.
 
 Has that changed now? Using sesearch I don't for example see any 
 references to postgresql_t for unix socket connection, and it's not 
 obvious to me that the policy permits ntlm_auth to be exec'd.

perhaps I wrote my sentence lazily. The RHEL SElinux policy SHOULD already
be fine for this  ;-)


alan


Re: Changing domain for ntlm_auth

2012-01-26 Thread NdK
On 26/01/2012 12:24, Phil Mayers wrote:

 You can re-use bits of unlang as virtual modules. See policy.conf.
 This is often a bit neater than $INCLUDE.
Perfect! Exactly what was needed.

 FreeRADIUS config is basically:
[...]
 if, elsif are just blocks. Blocks need to start on their own line.
 
 The name is intended as a hint here - it's NOT a programming language.
 It's a syntax for writing authentication policies and rules, that is a
 bit like a language.
Then maybe the second sentence (and following) in the second paragraph
in the 'keywords' section of the man page could be more like:
unlang is a sequence (ordered list) of action blocks. Each action
block, identified by a keyword, starts on its own line and can span
multiple lines where a sub-block is allowed. Processing of a block is
sequential, from the first line to the last.

This gives a pretty (quite regular) EBNF grammar... :)

 That seems quite a serious limit in the unlang grammar...
 That's quite a statement. Can't you just hit return after }?
Sure. That statement was due to a misunderstanding: that error made me
think I couldn't chain more than one elsif !

BYtE,
 Diego.


Re: Changing domain for ntlm_auth

2012-01-26 Thread Alan DeKok
NdK wrote:
 Been confused by the error: it pointed to the last line of the chain,
 not to the *first* closing brace followed by a keyword, forming an
 invalid entry. BTW, it stays unclear why the keyword can't be on the
 same line with the closing brace. Can't figure out unlang's grammar in EBNF.

  It doesn't use ABNF.

 Man page is somewhat contradictory: first it says "The language
 consists of a series of entries, each one one line." but then allows
 multi-line entries calling 'em blocks...

  And you conveniently deleted the NEXT sentence:

Each entry begins with a keyword.

 But, reading again the man page, another doubt arises: in a chain, an
 else/elsif references to the immediately preceding 'if' entry or to
 the last evaluated 'if' entry (supposing elsif equivalent to else\nif)?
 Being it read line-by-line it could easily be the first (static
 binding), but my test suggests the common behaviour (once one is true,
 all the following aren't evaluated). But I could be wrong...

  Then you don't understand how if and else work.

  It works the same way as Perl, C, and other languages.

  Alan DeKok.


Re: Authorization with Active Directory

2012-01-26 Thread suggestme
Hi,

I have implemented the idea given by Phil for authorizing Active Directory
users to use VPN or Wifi or whatever they are meant for, depending
upon the value of Active Directory's extensionAttribute10 attribute, as:

## /usr/local/etc/raddb/modules/ldap:

filter =
(&(extensionAttribute10=%{control:Tmp-String-0})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))

I have used extensionAttribute10 for storing values such as VPN or Wifi,
depending upon the user.

## /usr/local/etc/raddb/sites-enabled/default

## I tried using Called-Station-Id to check the condition; which is ok for
now for testing ; but which I guess is not feasible if there are thousands
of NAS devices. I don't know what would be best test condition for this.

authorize { 
   ... 
   if (Called-Station-Id == ...) { 
 update control { 
  Tmp-String-0 := VPN 
 } 
   } 
   else { 
 update control { 
  Tmp-String-0 := Wifi 
 } 
   } 
   ldap 
   if (notfound) { 
 reject 
   } 
   ... 
} 

And also, I have implemented the idea of returning filter-id for the users
of Active directory looking at OU of domain as:

ldap

if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) {
 update control {
   Tmp-String-1 := "%{1}"
 }
}

And returning the value of Filter-Id through users file as:

DEFAULT
	Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}"


But now I am facing the problem that I can't use more than one if condition
inside unlang to test the conditions inside the ldap module (if I am correct in
my understanding).

And also, using the filter defined above inside the ldap module, some users of
Active Directory which don't have extensionAttribute10 might get rejected.
These users should get default acceptance, but should be granted access to
VPN or wifi if a value is assigned to them in extensionAttribute10. If they don't
have the attribute defined, they should still get accepted as a default user.
If I just use:  filter =
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
this allows all the users in Active Directory to get accepted (doesn't reject
if there is no extensionAttribute10 either); but how do I reach the goal of
granting the authorization for VPN and wifi users accordingly if I use this?

Is there any easy way to check a condition for a particular attribute of
Active Directory? And I don't know where to check this, if I am already
using an if conditional statement for returning the Filter-Id inside the ldap
module.

In my understanding, people usually check this type of condition for the
users that are defined in the users file as:

bob User-Password == testing, Connection-Type := VPN

But I am not sure how to check like this even though I define in
ldap.attrmap:

checkItem   Connection-Type   extensionAttribute10


I don't know whether I am confused or I am just not getting how to achieve this.

Your valuable idea would be really appreciated.


Thanks,

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Authorization-with-Active-Directory-tp5117364p5433010.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Problems sending session-timeout

2012-01-26 Thread tonimanel
Hi guys, 

I have a problem with my freeradius service. I would like to get that
freeradius sends to my NAS the session-timeout attribute. Can you tell my
how could I get it?

This is the output result:

FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010
at 20:41:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/cui
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = no
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 50
reject_delay = 3
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
radiusd:  Loading Clients 
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 

Re: mschap/NTLM and different membership-of with variables

2012-01-26 Thread Gonzalo
Sorry, I found my mistake; it was on the AP device. The outer.reply works
fine.
But I still want to understand how this works, so if somebody can share a link
that explains how variables work in detail, it will be appreciated.
 
Thanks.

Gonzalo.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/mschap-NTLM-and-different-membership-of-with-variables-tp5433169p5433223.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Freeradius and rlm_perl auth

2012-01-26 Thread Fabricio Flores
Hello, I'm using a Perl script to authenticate against a web service. My script
works with the web service, but I want my script to authenticate in
a FreeRADIUS server. I don't know which files I must modify, and what I must
modify, to make it work. Thanks for your answers.

-- 
Fabricio A. Flores G.
Graduate in Systems Engineering

MSN: fabri_flor...@hotmail.com
Google: fabriflor...@gmail.com
Twitter: fabricioflores
Skype: fabriciofloresgallardo

Blog Personal http://fabricioflores.wordpress.com/


freeradius Segmentation fault

2012-01-26 Thread Ski Mountain
I am testing out authentication with radtest.  If I send the wrong group 
password I get "invalid Message-Authenticator", which is what I expect; the 
second I put in the correct password I get the Segmentation fault.


This is on Ubuntu 10.04.3 LTS.  


Is this a known issue, or am I screwing something up?

Thanks




:/etc/freeradius# /usr/sbin/freeradius  -X
FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan  5 2010 at 
02:49:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
    user = freerad
    group = freerad
    allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
    prefix = /usr
    localstatedir = /var
    logdir = /var/log/freeradius
    libdir = /usr/lib/freeradius
    radacctdir = /var/log/freeradius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = /var/run/freeradius/freeradius.pid
    checkrad = /usr/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
 log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
 }
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = auth
    secret = testing123
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = no
    zombie_period = 40
    status_check = status-server
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Loading Clients 
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = testing123
    nastype = other
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = request
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
    reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
    reply-message = You are calling outside your allowed timespan  
    minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
    encryption_scheme = auto
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
    allow_retry = yes
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
    radwtmp = /var/log/freeradius/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module 

Re: freeradius Segmentation fault

2012-01-26 Thread Alan DeKok
Ski Mountain wrote:
 I am testing out authentication with radtest.  If I send the wrong group 
 password I get "invalid Message-Authenticator", which is what I expect; the 
 second I put in the correct password I get the Segmentation fault.

 Is this a known issue, or am I screwing something up?

  Well, it's 2.1.8, which is old.

  See doc/bugs for instructions on helping us understand SEGVs.

  This kind of error is usually caused by using the wrong version of
shared libraries.

  Alan DeKok.


Re: Service radiusd Start vs radiusd

2012-01-26 Thread John Dennis

On 01/26/2012 06:33 AM, Alan Buxey wrote:

> Hi,
>
>>> yes but as already said, RHEL SElinux policy should already be fine for this
>>
>> It's been a while since I looked, but when I did the RHEL5 SELinux
>> policy was good for nothing except very, very basic FreeRADIUS usage.
>>
>> Has that changed now? Using sesearch I don't for example see any
>> references to postgresql_t for unix socket connection, and it's not
>> obvious to me that the policy permits ntlm_auth to be exec'd.
>
> perhaps I wrote my sentence lazily. The RHEL SElinux policy SHOULD already
> be fine for this  ;-)


You say you're running RHEL 5.7 (and not some RHEL clone such as CentOS 
or Scientific Linux). That means you've paid us for a subscription and 
part of what you've paid for is a promise things will work. If they are 
not working please follow the support procedures with your RHEL 
representative to get help and/or file a bug (sorry, I can't tell you 
how that process works because I sit on the other end inside of 
engineering). The issue will be assigned to one of us in engineering; 
because it appears to be an SELinux policy issue it won't likely come to 
me, rather it will go to an engineer assigned to SELinux policy issues. 
SELinux policy problems usually get fixed very quickly once they get 
reported; in the interim the engineer assigned to the bug will likely 
tell you the optimal temporary workaround.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Authorization with Active Directory

2012-01-26 Thread Phil Mayers

On 01/26/2012 02:41 PM, suggestme wrote:

> ## I tried using Called-Station-Id to check the condition; which is ok for
> now for testing ; but which I guess is not feasible if there are thousands
> of NAS devices. I don't know what would be best test condition for this.


There are many options. You could match on Client-Shortname with the 
following client def:


client VPN-1 {
  ipaddr = 192.0.2.1
  secret = ...
}

...and then in authorize:

authorize {
  ...
  if (Client-Shortname =~ /^VPN/) {
   ..
  }
}

Or use Huntgroup-Name and huntgroups.



But now I am facing the problem that I can't use more than one if condition
inside unlang to test the conditions inside the Ldap module. (If I am correct in
my understanding)


Sorry, I don't understand what you mean here.



And also, using the filter defined as above inside the Ldap module, some users of
Active Directory which don't have extensionAttribute10 might get rejected.
These users should get default acceptance, but should be granted access to
VPN or wifi if a value is assigned to them on extensionAttribute10. If they don't
have the attribute defined they should still get accepted as default users.


Well, you need to write your LDAP filter correctly. I suggest you read 
the LDAP filter syntax.


Another option, which you've almost figured out, is to pull the data 
from LDAP then do the decisions in unlang.



Is there any easy way to check a condition for a particular attribute of
Active Directory? And I don't know where to check this, if I am already
using an if conditional statement for returning the Filter-Id inside the Ldap
module.

In my understanding, people check this type of condition for the
users that are defined in the users file as:

bob User-Password == "testing", Connection-Type := "VPN"

But I am not sure how to check like this even though I define in
ldap.attrmap:

checkItem   Connection-Type   extensionAttribute10


Ok, several steps:

 1. Define your attribute in /etc/raddb/dictionary e.g.

ATTRIBUTE   My-Extension10  3010    string

 2. Define the LDAP -> RADIUS mapping in ldap.attrmap

checkItem   My-Extension10  extensionAttribute10

 3. Run the LDAP module, then compare the attribute. Note - because 
you've mapped the item to check/control lists, you can't use a users 
file - you must use unlang, like so:


authorize {
  ...
  ldap
  if (My-Extension10 == "VPN") {
    ..
  }
}

...or more likely:

authorize {
  ..
  ldap
  if (Client-Shortname =~ /^VPN/) {
    if (My-Extension10 == "VPN") {
      # permit
    }
    else {
      reject
    }
  }
  ...
}

HTH
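The filter Phil says needs writing correctly, together with the requirement from the question that accounts without extensionAttribute10 still get a default accept, as an added example in Python (not code from the thread or from the FreeRADIUS project). It builds an RFC 4515 filter of the kind the ldap module's `filter` setting carries, hex-escapes the assertion value so a login name such as `*` or `bob)(sAMAccountName=*` matches literally instead of widening the search, and evaluates the filter over a few constructed directory entries standing in for Active Directory users. rlm_ldap applies this escaping to its own xlat expansions; it is spelled out here so the in-memory matcher has the same literal semantics. The attribute names and sample users are assumptions.

```python
"""
RFC 4515 filter builder and evaluator for the "VPN access by extensionAttribute10"
policy.  Added example, not FreeRADIUS code.  Attribute names (sAMAccountName,
extensionAttribute10) and the DIRECTORY entries are constructed for illustration.
"""

# Characters RFC 4515 requires to be hex-escaped inside an assertion value.
_ESCAPE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def ldap_escape(value: str) -> str:
    """Escape a value so it is matched literally, never as a wildcard or sub-filter."""
    return ''.join(_ESCAPE.get(ch, ch) for ch in value)


def _values(entry: dict, attr: str) -> list:
    """Look up an attribute case-insensitively (AD attribute names are)."""
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return vals if isinstance(vals, list) else [vals]
    return []


class Filter:
    """to_string() renders RFC 4515 text; matches() evaluates one entry."""
    def to_string(self) -> str:
        raise NotImplementedError

    def matches(self, entry: dict) -> bool:
        raise NotImplementedError


class Eq(Filter):
    def __init__(self, attr: str, value: str):
        self.attr, self.value = attr, value

    def to_string(self) -> str:
        return '(%s=%s)' % (self.attr, ldap_escape(self.value))

    def matches(self, entry: dict) -> bool:
        # Compare the raw value: an escaped '*' is a literal asterisk, not a wildcard.
        return any(v.lower() == self.value.lower() for v in _values(entry, self.attr))


class Present(Filter):
    def __init__(self, attr: str):
        self.attr = attr

    def to_string(self) -> str:
        return '(%s=*)' % self.attr          # presence test: the '*' is not escaped here

    def matches(self, entry: dict) -> bool:
        return bool(_values(entry, self.attr))


class Not(Filter):
    def __init__(self, inner: Filter):
        self.inner = inner

    def to_string(self) -> str:
        return '(!%s)' % self.inner.to_string()

    def matches(self, entry: dict) -> bool:
        return not self.inner.matches(entry)


class And(Filter):
    def __init__(self, *parts: Filter):
        self.parts = parts

    def to_string(self) -> str:
        return '(&%s)' % ''.join(p.to_string() for p in self.parts)

    def matches(self, entry: dict) -> bool:
        return all(p.matches(entry) for p in self.parts)


class Or(And):
    def to_string(self) -> str:
        return '(|%s)' % ''.join(p.to_string() for p in self.parts)

    def matches(self, entry: dict) -> bool:
        return any(p.matches(entry) for p in self.parts)


def vpn_user_filter(username: str) -> Filter:
    """Match the user if extensionAttribute10 is absent (default user) or is
    exactly "VPN"; any other value means no VPN access."""
    return And(
        Eq('sAMAccountName', username),
        Or(Not(Present('extensionAttribute10')), Eq('extensionAttribute10', 'VPN')),
    )


# Constructed directory entries standing in for Active Directory users.
DIRECTORY = [
    {'sAMAccountName': ['bob'],   'extensionAttribute10': ['VPN']},
    {'sAMAccountName': ['alice']},                                   # attribute absent
    {'sAMAccountName': ['carol'], 'extensionAttribute10': ['WIFI']},
]


def vpn_search(username: str, directory=DIRECTORY) -> list:
    """Return the sAMAccountNames the VPN filter matches for this login name."""
    flt = vpn_user_filter(username)
    return [e['sAMAccountName'][0] for e in directory if flt.matches(e)]


if __name__ == '__main__':
    print(vpn_user_filter('bob').to_string())
    for name in ('bob', 'alice', 'carol', '*', 'bob)(sAMAccountName=*'):
        print('%-26r -> %s' % (name, vpn_search(name)))
```

With `%{Stripped-User-Name:-%{User-Name}}` in place of the literal name, the rendered filter gives the "accept by default, restrict only when the attribute says otherwise" behaviour in a single search; since the ldap module's filter is fixed per module instance, a second instance (or Phil's approach of pulling the attribute into `control:` and deciding in unlang, where the client shortname is visible) is what covers a different rule for the wifi NASes.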


Re: Authorization with Active Directory

2012-01-26 Thread Phil Mayers

On 01/26/2012 04:42 PM, Phil Mayers wrote:


3. Run the LDAP module, then compare the attribute. Note - because
you've mapped the item to check/control lists, you can't use a users
file - you must use unlang, like so:



Damn, sorry, this should be:

authorize {
  ...
  ldap
  if (control:My-Extension10 == "VPN") {
    ...
  }
  ...
}


Re: freradius Segmentation fault

2012-01-26 Thread Ski Mountain
It was simply installed from the Ubuntu repository with aptitude.

Does this mean that I should just try compiling a new version of freeradius 
from source, and if the source version does not work, compile it to enable core 
dumps?

Thanks



- Original Message -
From: Alan DeKok al...@deployingradius.com
To: Ski Mountain ski_the_mount...@yahoo.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Cc: 
Sent: Thursday, January 26, 2012 11:39 AM
Subject: Re: freradius Segmentation fault

Ski Mountain wrote:
 I am testing out authentication with radtest.  If I send the wrong group 
 password I get invalid Message-Authenticator, which is what I expect; the 
 second I put in the correct password I get the Segmentation fault.

 Is this a known issue, or am I screwing something up?

  Well, it's 2.1.8, which is old.

  See doc/bugs for instructions on helping us understand SEGVs.

  This kind of error is usually caused by using the wrong version of
shared libraries.

  Alan DeKok.




Re: Authorization with Active Directory

2012-01-26 Thread suggestme
Thanks a lot again for showing me the direction.

Everything works perfect except the conditional checking for
Client-Shortname. I tried using:

if (Client-Shortname =~ /^localhost/) {

It didn't work saying Client-Shortname as unknown attribute.

Again I tried using:

if (%{client: shortname} =~ /^localhost/) {

It also showed the following test result:

I am testing it with localhost; In the debug mode output it shows:

+++? if (%{client: shortname} =~ /^localhost/)
expand: %{client: shortname} -> 
? Evaluating (%{client: shortname} =~ /^localhost/) -> FALSE
+++? if (%{client: shortname} =~ /^localhost/) -> FALSE


Why is the condition checking for localhost is evaluated as FALSE?
In my clients.conf I have just listed the default FreeRadius configuration
for localhost as:

client localhost {

ipaddr = 127.0.0.1
secret  = testing123
nastype = other
}

Can't it be tested using the localhost shortname? Should I use a client in a
real environment for testing instead of localhost? Or is there any silly thing
I am missing again..

For trial purposes I used NAS-IP-Address and supplied my localhost IP
address inside the if condition; that works.


Thanks,





Re: Problems sending session-timeout

2012-01-26 Thread Fajar A. Nugraha
On Thu, Jan 26, 2012 at 10:14 PM, tonimanel
antoniofernan...@fabergames.com wrote:
 Hi guys,

 I have a problem with my freeradius service. I would like to get
 freeradius to send the session-timeout attribute to my NAS. Can you tell me
 how I could do that?

Just put it in radreply :)

I think you meant this though: http://wiki.freeradius.org/Rlm_sqlcounter
Read it, especially the parts that mention check-name and counter-name.

-- 
Fajar


Re: Authorization with Active Directory

2012-01-26 Thread Alan Buxey
Hi,

 Everything works perfect except the conditional checking for
 Client-Shortname. I tried using:
 
 *if (Client-Shortname =~ /^localhost/) {*

that's wrong

 It didn't work saying Client-Shortname as unknown attribute.
 
 Again I tried using:
 
 * if (%{client: shortname} =~ /^localhost/) {*

that's wrong too - why have you put a space in it? 


%{client:shortname}


alan


Re: Service radiusd Start vs radiusd

2012-01-26 Thread eric.chang
My RHEL 5.7 is only a 30-day evaluation, so there won't be any support. I'm just
trying it and doing some learning at home.

At work we use RHEL 5.6; when we set up the new server, if the same
SELinux problem occurs, I will try the support procedures.

Thanks
Eric



Re: self-signed root CA

2012-01-26 Thread Christ Schlacta
Self-signed provides stronger security in most cases.  I'm using 
self-signed here, and distributing a certificate to unmanaged user 
devices is as easy as placing a p12 file on a USB drive and requiring 
users to stop by ops before getting on wireless.  If you're using a 
public CA to sign certs, and you're not using TLS authentication (I'm 
guessing you're not; getting that many certs would be expensive), then 
anyone can impersonate your network and intercept perceivably protected 
traffic.  This is BAD.  Insofar as I know, nearly everyone on this list 
using certs is using self-signed.


On 1/25/2012 16:08, McNutt, Justin M. wrote:

So I'm getting some pushback in my organization against using a self-signed CA 
for signing my RADIUS server certs.  To make a long story short, I was asked to 
find out what other people were doing.

For my own reasons, I'd like to know slightly more than that.  If you AREN'T 
using a self-signed CA for your RADIUS server, what made you use another CA, 
and what CA did you use?

And just to be clear, is the consensus still that a self-signed CA is the way 
to go, assuming that you have a decent way to distribute the CA cert (which we 
do) to the clients who need to trust it?

I've read /etc/raddb/certs/README and I've done some Googling and everything I 
find pretty much assumes that you're using a self-signed CA.  The README 
explains briefly why, but my management wants more assurance than that, so here 
I am.

Looking forward to your responses, and thanks in advance.

--J



Re: self-signed root CA

2012-01-26 Thread Christ Schlacta
I've attached Android, Windows 7, Mac OS X, and Ubuntu Linux to an EAP-TLS 
network using WPA2-EAP-TLS, which requires client and CA certs.  It's no 
issue once you know what you're doing.  The hardest part is the nearly 
complete lack of documentation for any OS except Linux; you're limited 
to what Google provides from various blogs.


On 1/26/2012 00:19, Stefan Winter wrote:

Hi,

that's a discussion / holy war admins are fighting over for *years* in
the eduroam roaming consortium.

I agree with all what was said in the thread, regarding security vs.
convenience.

Just to add one thing to the mix: if you allow bring your own device
for your network, you'll have much less control over what hardware comes
to visit you. For some supplicants it is very hard/impossible to add an
own self-signed CA to the trust root.

In these cases, being able to verify the issuing CA against the
hard-wired trust store is arguably more secure than not being able to
validate the cert at all with a self-signed CA.

For Android 4.0 for example, pushing a new CA into the trust store is
hard. Doing it in a non-interactive autoconfig way is to my knowledge
impossible.

So, BYOD is a factor to consider.

Greetings,

Stefan Winter


McNutt, Justin M. wrote:

So I'm getting some pushback in my organization against using a self-signed CA 
for signing my RADIUS server certs.  To make a long story short, I was asked to 
find out what other people were doing.

   Self-signed CA.  *Always*.


And just to be clear, is the consensus still that a self-signed CA is the way 
to go, assuming that you have a decent way to distribute the CA cert (which we 
do) to the clients who need to trust it?

   Yes.


I've read /etc/raddb/certs/README and I've done some Googling and everything I 
find pretty much assumes that you're using a self-signed CA.  The README 
explains briefly why, but my management wants more assurance than that, so here 
I am.

   Well, I wrote that README.  It's correct.

   Here's a question for management.  Do they want anyone on the planet
to be able to set up a copy of their WiFi SSID, and grab user information?

   If yes, use a public CA.  If no, use a self-signed CA.

   With web surfing, your web browser verifies that the site at
facebook.com is holding an SSL certificate which says facebook.com.
  This prevents anyone else from using a facebook.com certificate,
because no one else can control the facebook.com domain.

   For WiFi, there is no such control.  If your company SSID is
example.com, *anyone* can duplicate that SSID.  The EAP supplicant
doesn't check if the SSID matches the certificate.  It can't check, for
a whole host of reasons.

   So the situations are different.  The result is that the security
methods are different, too.

   Alan DeKok.




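Alan DeKok's point above is that a supplicant cannot tie the SSID to the certificate, so a server cert from a public CA is only as strong as whatever name check the supplicant is told to do. The following is an added example in Python, not code from the thread or from the FreeRADIUS or wpa_supplicant projects: a small audit of wpa_supplicant network blocks that flags exactly that gap, the EAP network that chains to a public CA bundle but pins nothing about the server's name, next to a block with no `ca_cert` at all. `ca_cert`, `subject_match` and `altsubject_match` are real wpa_supplicant options; treating paths under /etc/ssl/certs/ or named ca-certificates.crt / ca-bundle.crt as "public bundles" is a heuristic assumed for illustration, and the sample configuration is constructed.

```python
"""
Audit wpa_supplicant network={...} blocks for EAP server-certificate trust.
Added example, not wpa_supplicant or FreeRADIUS code.  SAMPLE_CONFIG is
constructed; the PUBLIC_BUNDLE heuristic is an assumption for illustration.
"""
import re

# Assumed: these paths hold the OS-wide set of public CAs rather than a private CA.
PUBLIC_BUNDLE = re.compile(r'(^/etc/ssl/certs/)|(ca-certificates\.crt$)|(ca-bundle\.crt$)')


def parse_networks(text: str) -> list:
    """Return one dict per network={...} block; quoted values are unquoted.
    Only whole-line '#' comments are handled, which is enough for this sample."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('network={'):
            current = {}
        elif line == '}' and current is not None:
            networks.append(current)
            current = None
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net: dict) -> list:
    """Findings for one block; an empty list means nothing was flagged."""
    key_mgmt = net.get('key_mgmt', '')
    if 'WPA-EAP' not in key_mgmt and 'IEEE8021X' not in key_mgmt:
        return []                      # PSK/open: no server certificate is involved
    findings = []
    ca = net.get('ca_cert')
    pinned = any(k in net for k in ('subject_match', 'altsubject_match'))
    if not ca:
        findings.append('no ca_cert: the server certificate is not validated at all')
    elif PUBLIC_BUNDLE.search(ca) and not pinned:
        # Alan's scenario: any cert any public CA ever issued passes, for any SSID.
        findings.append('ca_cert is a public bundle with no subject_match/altsubject_match: '
                        'a rogue AP with any publicly issued certificate is accepted')
    return findings


def audit(text: str) -> dict:
    """Map each SSID to its list of findings."""
    return {net.get('ssid', '?'): audit_network(net) for net in parse_networks(text)}


# Constructed sample configuration (not a real deployment).
SAMPLE_CONFIG = """
network={
    ssid="corp-public-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    altsubject_match="DNS:radius.example.com"
}
network={
    ssid="corp-private-ca"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jdoe"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
}
network={
    ssid="corp-no-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="not-relevant-here"
}
"""

if __name__ == '__main__':
    for ssid, findings in audit(SAMPLE_CONFIG).items():
        print(ssid, '->', findings or 'ok')
```

The two blocks that pass are the ones that behave like the browser case Alan describes: either the only trusted issuer is the organisation's own CA, or a public CA is trusted but the supplicant is also told which server name to expect. Stefan Winter's BYOD caveat still applies, since this check only covers wpa_supplicant and says nothing about what a phone or Windows supplicant has been configured to verify.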