Re: confused by logging targets for rlm_perl

2012-02-22 Thread Alan DeKok
Olivier Bilodeau wrote:
 http://wiki.freeradius.org/Rlm_perl#Logging refers to:
 0 - Debug
 1 - Auth

  Those are wrong.  See src/include/radiusd.h, L_DBG, etc.

  I've fixed the Wiki.

 I expected Debug not to go out in radius.log and Auth to do since I
 specified Auth to yes in radiusd.conf.

  Yup.

 With radius -X, as expected, I got everything.
 
 Am I missing something here? Is this a bug or a feature(tm)?

  Bug.  See the v2.1.x branch in git for patches to
src/modules/rlm_perl/example.pl

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread sachin.sharma
Hello all,

I am implementing Free Radius to authenticate DHCP Requests with Option82. I
have configured DHCP Relay Agent, DHCP Snooping in CISCO Switch and DHCP
Server. Now I have to configure RADIUS for option82.

Please help me to configure RADIUS for DHCP option82. Also I am not clear who
will authenticate to RADIUS, Switch, DHCP Relay Agent or DHCP Server. After
reading docs I guess it's DHCP Server.


Br.
Sachin Sharma

Please do not print this email unless it is absolutely necessary. 

The information contained in this electronic message and any attachments to 
this message are intended for the exclusive use of the addressee(s) and may 
contain proprietary, confidential or privileged information. If you are not the 
intended recipient, you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately and destroy all copies of this message and 
any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should 
check this email and any attachments for the presence of viruses. The company 
accepts no liability for any damage caused by any virus transmitted by this 
email. 

www.wipro.com


Re: FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread Fajar A. Nugraha
On Wed, Feb 22, 2012 at 3:16 PM,  sachin.sha...@wipro.com wrote:
 Hello all,

 I am implementing Free Radius to authenticate DHCP Requests with Option82.
 I have configured DHCP Relay Agent, DHCP Snooping in CISCO Switch and DHCP
 Server. Now i have to configure RADIUS for option82.

Are you trying to configure a RADIUS server, or a DHCP server?
Freeradius can function as both, but the configuration is different.


 Please help me to configure RADIUS for DHCP option82.

See my previous question.

 Also i am not clear
 who will authenticate to RADIUS, Switch,DHCP Relay Agent or DHCP Server.
 After reading docs i guess it's DHCP Server 

You might have just answered your own question :)

Two possibilities:
(1) If I understand your question correctly, you DON'T configure a
radius server for DHCP option 82. Instead, you configure a DHCP server
that can understand and process option 82.

FR SHOULD be able to function as DHCP server that handles option 82,
BUT there are things that require some kind of advanced knowledge. For
example:
- you need to enable DHCP functionality explicitly during compilation,
or use latest master or v2.1.x branch from git (which should enable it
by default)
- you need to write your own logic on how to handle option 82
(DHCP-Agent-Circuit-Id and DHCP-Agent-Remote-Id attributes). The git
version has an example of sqlippool module that handles static and
dynamic IP assignment, but it doesn't process those two attributes.
You need to modify it yourself.

So in short, it SHOULD be possible with FR, but requires some effort.
Depending on your skill and knowledge, you might be better off using
another DHCP server.


(2) If I misunderstood your question, and what you need is simply for
a radius server that sends a particular attribute, then you need to
know what attribute it is, and what value it should contain. Once you
have that, implementing it in FR should be easy.

-- 
Fajar



Re: FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread Alan DeKok
sachin.sha...@wipro.com wrote:
 I am implementing Free Radius to authenticate DHCP Requests with
 Option82. I have configured DHCP Relay Agent, DHCP Snooping in CISCO
 Switch and DHCP Server. Now i have to configure RADIUS for option82. 

  What does that mean?

  It's like saying configure a web server for pages.

 Please help me to configure RADIUS for DHCP option82. Also i am not
 clear who will authenticate to RADIUS, Switch,DHCP Relay Agent or DHCP
 Server. After reading docs i guess it's DHCP Server 

  I have no idea what you're doing, so I have no idea how to answer the
question.

  Alan DeKok.


Re: Possible bug in rlm_sqlcounter examples

2012-02-22 Thread Phil Mayers

On 02/21/2012 11:04 PM, Tim White wrote:

Following on from my previous email, I've checked an x86 machine as
well, and get the same behaviour.


I should hope so; SQL is not architecture specific!

Your original solution was correct as far as I could see; if there's any 
chance a column might be absent/null, coalesce or nullif are required. I 
don't use rlm_sqlcounter so can't say whether absent/null values are 
expected or a peculiarity of your setup, but a mix of both is possible.




Debug logs follow, the first being the initial login for the day,
showing sqlcounter not finding an integer and hence returning noop. The
second being after an initial login where a correct integer is returned.

Can anyone else confirm that the example sqlcounter queries are at fault
and that we need either an IFNULL or COALESCE surrounding the SUM? I'll
be updating the Grase Hotspot files, but I'm wondering if a change was
made in rlm_sqlcounter in the last few months (year) that has caused it
to treat NULL as NULL and not as 0, and hence the SQL queries need to be
updated?


Try looking through the source code history:

https://github.com/alandekok/freeradius-server
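To make the NULL-versus-0 behaviour Phil and Tim discuss concrete, here is an added stand-alone Python example (not code from FreeRADIUS or from either poster). It uses an in-memory SQLite table as a stand-in for radacct, runs a simplified daily-usage query with and without COALESCE, and applies the counter rule the thread describes: a result that is not an integer makes the module return noop. The table layout, the sample rows, the timestamps and the counter_decision() model are assumptions made for the example; the real rlm_sqlcounter query is more involved.

```python
"""Why the sqlcounter-style SUM() query needs COALESCE()/IFNULL().

Added stand-alone example (not FreeRADIUS code). An in-memory SQLite table
stands in for radacct; the query is a simplified per-user daily usage sum,
and counter_decision() models the behaviour described in the thread: when
the query does not yield an integer, the module returns "noop" and the
limit is never enforced.
"""
import sqlite3

# Constructed sample data: acctstarttime is kept as a Unix timestamp here.
DAY_START = 1329868800  # 2012-02-22 00:00:00 UTC, the assumed "today"
SAMPLE_ROWS = [
    # (username, acctstarttime,    acctsessiontime in seconds)
    ("alice", DAY_START + 3600,   1200),  # session earlier today
    ("alice", DAY_START + 7200,    600),  # second session today
    ("alice", DAY_START - 86400,  9999),  # yesterday: must not be counted
    ("bob",   DAY_START - 86400,   300),  # bob has no session yet today
]

# The bare form is the shape the thread calls faulty; the safe form wraps it.
BARE_QUERY = (
    "SELECT SUM(acctsessiontime) FROM radacct "
    "WHERE username = ? AND acctstarttime >= ?"
)
SAFE_QUERY = (
    "SELECT COALESCE(SUM(acctsessiontime), 0) FROM radacct "
    "WHERE username = ? AND acctstarttime >= ?"
)


def build_db():
    """Create and populate the constructed radacct-like table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, "
        "acctsessiontime INTEGER)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def daily_usage(conn, username, day_start, coalesce):
    """Seconds used since day_start.

    SUM() over zero matching rows is NULL (None in Python), which is the
    case Tim hit on a user's first login of the day. COALESCE(..., 0)
    turns that into an integer 0 before it leaves the database.
    """
    query = SAFE_QUERY if coalesce else BARE_QUERY
    return conn.execute(query, (username, day_start)).fetchone()[0]


def counter_decision(usage, limit):
    """Model of the counter outcome: no integer -> noop (limit not applied)."""
    if not isinstance(usage, int):
        return "noop"
    return "reject" if usage >= limit else "ok"


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob"):
        bare = daily_usage(db, user, DAY_START, coalesce=False)
        safe = daily_usage(db, user, DAY_START, coalesce=True)
        print(f"{user}: bare SUM -> {bare!r} ({counter_decision(bare, 1500)}), "
              f"COALESCE -> {safe!r} ({counter_decision(safe, 1500)})")
```

Running it shows bob's bare result as None with decision noop, while the COALESCE form yields 0 and a proper ok; alice's 1800 seconds are rejected against a 1500-second limit either way. IFNULL(SUM(...), 0) behaves the same way in MySQL and SQLite, so either wrapper closes the gap.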


RE: FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread sachin.sharma
Hello Fajar/Alan

Thanks for your quick responses!!

I already configured DHCP Server that handles option 82 of DHCP Requests. But I am
new to RADIUS stuff. For security reasons, we want to introduce radius so DHCP
Offer is to be made only to authenticated clients.

I just need an idea to have the correct direction. After reading your response (
correct me if my understanding is wrong ) now I have to configure my DHCP
Server to speak with FR before giving DHCP OFFER.

  
(1)DHCP Client---(2)Cisco Switch(Adds option 82)---(3)Relay Agent---(4)DHCP 
Server (Authenticate DHCP Discovery)-(5)FRADIUS  
   (8)DHCP OFFER  
--- (7)DHCP Server  ---(6)(ACCEPT/ACCEPt)--


Br.
Sachin Sharma



Re: FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread Alan DeKok
sachin.sha...@wipro.com wrote:
 I already configured DHCP Server that handles option 82 of DHCP Requests. But 
 new to RADIUS stuff. For security reasons, We want to introduce radius so 
 DHCP Offer is to be made only to authenticated clients.  

  Ah.  That isn't a common configuration.  But it is useful.

 I just need a idea to have correct direction. After reading your response ( 
 Correct me if my understanding is wrong ) now I have to configure my DHCP 
 Server to speak with FR before giving DHCP OFFER. 

  Yes.

  Or, you can use FreeRADIUS as a DHCP server.   That makes it easier.

 (1)DHCP Client---(2)Cisco Switch(Adds option 82)---(3)Relay 
 Agent---(4)DHCP Server (Authenticate DHCP Discovery)-(5)FRADIUS  
(8)DHCP OFFER  
 --- (7)DHCP Server  ---(6)(ACCEPT/ACCEPt)--

  Yes.

  If you use FreeRADIUS for both RADIUS and DHCP, you can track user
status in a database.  When you receive a RADIUS packet, update the
database.  When you receive a DHCP packet, query the database.

  Traditional DHCP servers (i.e. ISC) make this hard.  They don't talk
to databases.  They're firmly stuck in 1980's technology.

  Alan DeKok.
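Alan's design (RADIUS packets update a table, DHCP packets query it) as an added Python example; this is not FreeRADIUS code and not Sachin's setup. An in-memory SQLite table holds one row per authenticated client MAC together with the Option 82 values (the DHCP-Agent-Circuit-Id and DHCP-Agent-Remote-Id sub-options the thread mentions) seen when the client authenticated; the DHCP side offers a lease only when the client is active and is asking from the same switch port. The table and function names, the sample port identifiers, and the assumption that the RADIUS side knows those port identifiers are choices made for this example.

```python
"""Gating DHCP offers on RADIUS state through a shared database.

Added example, not FreeRADIUS code. Models the design described in the
thread: RADIUS packets update a table, DHCP packets query it. Table and
function names are assumptions chosen for the example.
"""
import sqlite3


def open_state_db():
    """One row per client MAC that has passed RADIUS authentication."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_clients ("
        "  mac TEXT PRIMARY KEY,"
        "  circuit_id TEXT,"        # Option 82 sub-option 1 seen at login
        "  remote_id TEXT,"         # Option 82 sub-option 2 seen at login
        "  active INTEGER NOT NULL)"
    )
    return conn


def on_radius_access_accept(conn, mac, circuit_id, remote_id):
    """RADIUS side: record the client and the switch port it came in on.

    Assumption for the example: the RADIUS request carries the same port
    identifiers the relay agent later inserts as Option 82.
    """
    conn.execute(
        "INSERT OR REPLACE INTO auth_clients VALUES (?, ?, ?, 1)",
        (mac.lower(), circuit_id, remote_id),
    )


def on_radius_accounting_stop(conn, mac):
    """RADIUS side: session ended, stop offering leases to this client."""
    conn.execute(
        "UPDATE auth_clients SET active = 0 WHERE mac = ?", (mac.lower(),)
    )


def dhcp_offer_allowed(conn, mac, circuit_id, remote_id):
    """DHCP side: offer only if the client is authenticated AND the Option 82
    values match where it authenticated, so the same MAC appearing on a
    different port is not served a lease.
    """
    row = conn.execute(
        "SELECT active, circuit_id, remote_id FROM auth_clients WHERE mac = ?",
        (mac.lower(),),
    ).fetchone()
    if row is None or row[0] != 1:
        return False
    return (row[1], row[2]) == (circuit_id, remote_id)


if __name__ == "__main__":
    # Constructed walk-through: discover before auth, after auth, from a
    # different port, and after the session ends.
    db = open_state_db()
    mac = "00:11:22:33:44:55"                       # constructed MAC
    print("before auth:", dhcp_offer_allowed(db, mac, "Gi1/0/1", "sw1"))
    on_radius_access_accept(db, mac, "Gi1/0/1", "sw1")
    print("after auth:", dhcp_offer_allowed(db, mac, "Gi1/0/1", "sw1"))
    print("other port:", dhcp_offer_allowed(db, mac, "Gi1/0/2", "sw1"))
    on_radius_accounting_stop(db, mac)
    print("after stop:", dhcp_offer_allowed(db, mac, "Gi1/0/1", "sw1"))
```

The two sides never talk to each other directly; the table is the contract, which is what lets the RADIUS listener and the DHCP listener run as separate processes or on separate hosts as long as both reach the same database.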


Re: FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread Johan Meiring

On 2012/02/22 01:10 PM, Alan DeKok wrote:


   Yes.

   If you use FreeRADIUS for both RADIUS and DHCP, you can track user
status in a database.  When you receive a RADIUS packet, update the
database.  When you receive a DHCP packet, query the database.

   Traditional DHCP servers (i.e. ISC) make this hard.  They don't talk
to databases.  They're firmly stuck in 1980's technology.




Another option which we use very successfully is a Mikrotik DHCP server.
It can talk to Freeradius.

http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server

It works well.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html



Re: FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread Fajar A. Nugraha
On Wed, Feb 22, 2012 at 7:03 PM, Johan Meiring
jmeir...@pcservices.co.za wrote:
 Another option which we use very successfully is a Mikrotik DHCP server.
 It can talk to Freeradius.

 http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server

 It works well.


Good documentation.

So basically the dhcp server converts Framed-IP-Address radius
attribute into a DHCP reply, and the NAS uses other attributes (like
rate limit). Neat.

In this case FR-side setup is easy. Just create a normal user, but
with client's MAC address as User-Name. Not sure about the blank
password part, but you should be able to just set Access-Type :=
Accept.

-- 
Fajar


Re: FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread Marinko Tarlać

Hi

Can you tell me something about performances?

I'm using Mtik as NAS for PPPoE users and 500-600 online users per 
server is optimum according to my experiences (Quad core server, 2GB 
RAM,...).


ISC DHCP works very well for 6000 users and the same number of cable
modems but I'm not sure whether Mtik is capable of something like that...


ISC problem is database integration which won't be added in the next 150 
years... :)




Re: FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread Alan DeKok
Marinko Tarlać wrote:
 Can you tell me something about performances?

  It all depends on the DB, because that's where IPs are stored.

  For a normal database, 1000 packets/s should be possible.

 I'm using Mtik as NAS for PPPoE users and 500-600 online users per
 server is optimum according to my experiences (Quad core server, 2GB
 RAM,...).

  Wow... that's a lot of CPU for a small number of users.

 ISC DHCP works very well for 6000 users and the same number of cable
 modems but I'm not sure is Mtik capable for something like that...
 
 ISC problem is database integration which won't be added in the next 150
 years... :)

  Exactly.

  Alan DeKok.


Re: FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread Marinko Tarlać

No No, you didn't understand me...

Mtik is installed on the server (HP ML3xx series) and the optimum is
500-600 online PPPoE users... I achieved 1100 online PPPoE users per
Mikrotik but the CPU load was always too high and the packet loss was too
high (1-2%). The problem is visible because the Mtik creates a simple
queue rule for every active connection.


RADIUS server works perfectly with 5 NAS-es (2000-3000 online users at
the same moment)...


I just wanted to know whether Mikrotik is capable (according to users'
experiences) of acting as a DHCP server for large networks (for example
10k modems and 10k users behind those modems).


best regards
Marinko

On 22.2.2012 13:53, Fajar A. Nugraha wrote:

2012/2/22 Marinko Tarlaćmangi...@gmail.com:

Hi

Can you tell me something about performances?

I'm using Mtik as NAS for PPPoE users and 500-600 online users per server is
optimum according to my experiences (Quad core server, 2GB RAM,...).

you mean the server is used by FR?

You either:
- setup accounting interim interval to a very low value (e.g. 60 seconds), OR
- your configuration is REALLY non-optimum

If you use files backend, then it's very easy to get several auth/sec.
If you use db backend, then your main limiting factor will be
accounting, which is limited by how fast your disk IOPS is.

So for starters:
- what backend did you use for FR? mysql? postgres? others?
- what kind of disk you have, and how many? (e.g. 2 x SATA 7200 rpm
disks, in hardware raid 1)
- what is your accounting interim interval?
- did you modify the default db schema/queries (if using db backend)?





RadSec FR3.0 to Radiator: Received packet will be too large

2012-02-22 Thread Brian Julin


Hello again,

We're piloting RadSec as a federation server uplink.  They use Radiator.  When 
we first attempted to connect we'd get 
a Received packet will be too large! carp from main/tls.c.  They checked on 
their end and say they have no fragment
size option for RadSec TLS connections, only for EAP-TLS connections.

So we applied the below as a test and it works, but I was wondering as to the 
wisdom of it...


diff --git a/src/main/tls.c b/src/main/tls.c
index 10caec4..947409f 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -2709,7 +2709,7 @@ int proxy_tls_recv(rad_listen_t *listener)
size_t length;
listen_socket_t *sock = listener-data;
char buffer[256];
-   uint8_t data[1024];
+   uint8_t data[2048];
RADIUS_PACKET *packet;
RAD_REQUEST_FUNP fun = NULL;
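Review bot: raising `data` from 1024 to 2048 bytes only moves the failure point; the `proxy_tls_recv` path will still hit the same "Received packet will be too large!" condition on any RADIUS packet over 2048 bytes, and a RADIUS packet may legitimately be up to 4096 bytes (the RFC maximum cited later in this thread), which a certificate chain inside EAP-Message can easily approach. Suggest sizing the buffer to that maximum, e.g. `uint8_t data[4096];` (or a named constant for the maximum packet length), and reading the 4-byte RADIUS header first so that the Length field, bounded to 20..4096, decides how much is read from the TLS stream rather than the array size. The context lines in the hunk have also lost their leading indentation, so the patch as pasted will not apply cleanly.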



Authentication by group and time.

2012-02-22 Thread Listas Angelo
 

Dear Freeradius users, good afternoon!

I have a radius server using a mysql database, authenticating by login and
mac address, and it is working very well.

Now I need to implement a new plan of authentication where some users can only
connect at a certain time of day (eg Monday to Friday from 18:00 to 22:00 pm
and throughout the weekend).

Looking for something in the documentation, I found Login-Time in Freeradius
but found nothing on how to deploy this in my current configuration structure.

Has anyone done this and could give me some idea of how to do it?

Thank you!

Angelo

 



Setting up FreeRADIUS

2012-02-22 Thread ryuukuu
I seem to be having a hard time setting up FreeRADIUS to work with my Astaro
firewall.


First, in radiusd.conf I have left most of the configuration the same, only
making a few small changes such as the port:
listen {
type = auth
ipaddr = *
port = 1812 (instead of the default 0)
}

In clients.conf, I have added the following:

client ASG {
ipaddr = 192.168.***.***
secret = my secret
}

In /etc/raddb/users I added user Cleartext-Password password.


In Astaro I created a network definition with host, as the type, ANY
interface, and the IP for my box running FreeRADIUS.
I also created a packet filter rule as follows:

Group: WiFi
Position: 59
Source: srv_freeradius
Service: RADIUS
Destination: firewall

In the wireless security setting of Astaro under Advance/Enterprise
Authentication I added the following information:

RADIUS: srv_freeradius (network definition I created)
RADIUS Port: RADIUS (This was already in place there)
RADIUS Secret: my secret
Repeat Secret: repeated secret

Now whenever I run radtest user password localhost 0 secret I get the
Access-Accept packet but if I modify the command and run radtest user
password ASG_IP 1812 secret I get radclient: no response from server for ID
168 socket 3

I also tried running radtest user password FreeRADIUS_Server_IP 1812 secret
and the output in /usr/sbin/radiusd -X is as follows:  Ignoring request to
authentication address * port 1812 from unknown client 192.168.***.*** port
48063
Ready to process requests.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Setting-up-FreeRADIUS-tp5506078p5506078.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Setting up FreeRADIUS

2012-02-22 Thread Alan Buxey
Hi,

 port = 1812 (instead of the default 0)

doesn't matter - it'll use 1812 and not 0 - read from /etc/services

 client ASG {
 ipaddr = 192.168.***.***
 secret = my secret

if the secret really does have spaces in it, then you need to ensure it's
enclosed in quotes: "my secret"

 In /etc/raddb/users I added user Cleartext-Password password.

fred Cleartext-Password := password
 
(note the := )

 Now whenever I run radtest user password localhost 0 secret I get the
 Access-Accept packet but if I modify the command and run radtest user
 password ASG_IP 1812 secret I get radclient: no response from server for ID
 168 socket 3

??? that would be sending a RADIUS request to the ASG_IP server - is this running
as a server that can take and accept a remote proxied request?

 I also tried running radtest user password FreeRADIUS_Server_IP 1812 secret
 and the output in /usr/sbin/radiusd -X is as follows:  Ignoring request to
 authentication address * port 1812 from unknown client 192.168.***.*** port
 48063

that's because you haven't added 192.168.***.*** as a valid client in clients.conf

alan


Re: RadSec FR3.0 to Radiator: Received packet will be too large

2012-02-22 Thread Alan Buxey
Hi,

 We're piloting RadSec as a federation server uplink.  They use Radiator.  
 When we first attempted to connect we'd get 
 a Received packet will be too large! carp from main/tls.c.  They checked on 
 their end and say they have no fragment
 size option for RadSec TLS connections, only for EAP-TLS connections.
 
 So we applied the below as a test and it works, but I was wondering as to the 
 wisdom of it...

interesting... a RADSEC packet can be much bigger than that too - 2048 gives
some room for a big certificate - but not if it's double-chained with an
intermediate and it's got a nice security size instead of being a little
512bit RSA one.  typically EAP-TLS can be fragmented on the server due to it
going through to the end-clients ..and being UDP things get a little
nasty...whereas with RADSEC there's no reason why a single TCP request
couldn't be quite large and needing to be fragmented by the routers

alan


again .. mac based auth + user/password for pppoe

2012-02-22 Thread S Adrian
Hey again,

I've searched the list for my old conversation here but couldn't find
it .. still.. here it goes...
I have rp-pppoe started in kernel mode ( the calling-station-id gets
sent as I can see it )

You'll notice that even though I added in radcheck Calling-Station-Id
to be 11:22:33:44:55:66,
trying with radclient got me accepted ( even though I specified
11:22:33:44:55:77 )

The idea is that I want to also do a mac check ( if the
Calling-Station-Id is present in sql ..)
I don't want to bind the username/password combination to the mac
address for all the users

PPPoE ~ # cat dexter | radclient -x 127.0.0.1 auth r4d1usP4ssw0rd
Sending Access-Request of id 61 to 127.0.0.1 port 1812
       Service-Type = Framed-User
       Framed-Protocol = PPP
       User-Name = dexter
       User-Password = 250896
       Calling-Station-Id = 11:22:33:44:55:77
       NAS-IP-Address = 127.0.0.1
       NAS-Port = 242
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=61, length=50
       Framed-Protocol = PPP
       Service-Type = Framed-User
       Framed-Compression = Van-Jacobson-TCP-IP
       Framed-MTU = 1500
       Framed-IP-Address = 10.10.0.82

mysql> select * from radcheck WHERE `username` = 'dexter';
+------+----------+--------------------+----+-------------------+
| id   | username | attribute          | op | value             |
+------+----------+--------------------+----+-------------------+
| 2298 | dexter   | Cleartext-Password | := | 250896            |
| 2299 | dexter   | Simultaneous-Use   | := | 1                 |
| 2300 | dexter   | Pool-Name          | := | main              |
| 2301 | dexter   | Calling-Station-Id | := | 11:22:33:44:55:66 |
+------+----------+--------------------+----+-------------------+
4 rows in set (0.01 sec)

mysql> select * from radreply WHERE `username` = 'dexter';
+------+----------+--------------------+----+---------------------+
| id   | username | attribute          | op | value               |
+------+----------+--------------------+----+---------------------+
| 4461 | dexter   | Framed-MTU         | := | 1500                |
| 4459 | dexter   | Service-Type       | := | Framed-User         |
| 4458 | dexter   | Framed-Protocol    | := | PPP                 |
| 4460 | dexter   | Framed-Compression | := | Van-Jacobsen-TCP-IP |
+------+----------+--------------------+----+---------------------+

radiusd -X reports this:
rad_recv: Access-Request packet from host 127.0.0.1 port 52468, id=61, length=89
       Service-Type = Framed-User
       Framed-Protocol = PPP
       User-Name = dexter
       User-Password = 250896
       Calling-Station-Id = 11:22:33:44:55:77
       NAS-IP-Address = 127.0.0.1
       NAS-Port = 242
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radius/radacct/127.0.0.1/auth-detail-20120222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120222
[auth_log]      expand: %t - Wed Feb 22 22:36:07 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[sql]   expand: %{User-Name} - dexter
[sql] sql_set_user escaped user -- 'dexter'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'dexter'           ORDER BY
id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radreply           WHERE username = 'dexter'           ORDER BY
id
[sql]   expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority -
SELECT groupname           FROM radusergroup           WHERE username
= 'dexter'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op
       FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
        ORDER BY id - SELECT id, groupname, attribute,
Value, op           FROM radgroupcheck           WHERE groupname =
'dynamic'           ORDER BY id
[sql] User found in group dynamic
[sql]   expand: SELECT id, groupname, attribute,           value, op
       FROM radgroupreply           WHERE groupname = '%{Sql-Group}'
        ORDER BY id - SELECT id, groupname, attribute,
value, op           FROM radgroupreply           WHERE groupname =
'dynamic'           ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop

WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group session

Re: Intermediate root CA issue

2012-02-22 Thread Alan Buxey
Hi,

 We're trying to get a GlobalSign issued wildcard CA to work on our radius 
 server that is authenticating users via PEAP/MSCHAPv2 to Active Directory.  
 We're good on Android devices and iOS devices.  With Windows 7 (SP1) we're 
 fine as long as we leave validate server certificate unchecked.  As soon as 
 we enable that check, authentication fails and we get the radius log entries 
 listed below.  I've pointed a web browser to an Apache server running the 
 same certificate chain (server cert, intermediate GlobalSign cert, GlobalSign 
 Root CA) and have verified that the cert does provide the Server 
 Authentication (1.3.6.1.5.5.7.3.1) Extended Key usage.  The cert listed in 
 the certificate_file entry in /etc/freeradius/eap.conf contains, is the 
 catted contents of the wildcard cert, the intermediate cert, and the root CA 
 (which, in theory, since Windows 7 includes this shouldn't be needed?), all 
 in one file.

when you do select the validate server certificate, what else are you putting
into the boxes - the server name and checking/ticking the root CA entry?

alan


Re: Intermediate root CA issue

2012-02-22 Thread Matthew Newton
On Wed, Feb 22, 2012 at 04:11:00PM -0600, John Dunning wrote:
 devices.  With Windows 7 (SP1) we're fine as long as we leave
 validate server certificate unchecked.  As soon as we enable

So your general server config is good.

 (1.3.6.1.5.5.7.3.1) Extended Key usage.  The cert listed in the
 certificate_file entry in /etc/freeradius/eap.conf contains,
 is the catted contents of the wildcard cert, the intermediate

Don't know if Windows will handle a wildcard cert here.

 cert, and the root CA (which, in theory, since Windows 7
 includes this shouldn't be needed?), all in one file.  

Try putting just the server cert in that file, and importing the
intermediate cert into the Windows store.

I hit similar the other week (although PEAP/EAP-TLS and not a
wildcard cert). Windows wouldn't play ball unless it already had
the intermediate, even though FR was sending it over.

As I was in the middle of moving from test to production at the
time and it wouldn't actually matter to me in the final config, I
put it down to 'one of those many stupid things Microsoft doesn't
do very well', and moved on.

So there may have been a way to fix it and I might have thought
bad of Microsoft unnecessarily (doesn't often happen), but I
didn't play to find out. But if importing the intermediate makes
it work, that might help point you in the right direction.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: RadSec FR3.0 to Radiator: Received packet will be too large

2012-02-22 Thread Stefan Winter

Hi,


We're piloting RadSec as a federation server uplink.  They use Radiator.  When 
we first attempted to connect we'd get
a Received packet will be too large! carp from main/tls.c.  They checked on 
their end and say they have no fragment
size option for RadSec TLS connections, only for EAP-TLS connections.


The above doesn't make much sense to me... there are size limits in
RADIUS, but not regarding the TLS stream around them. The limits in
question are:

- EAP-Message total length must be <= MTU between NAS and device (EAP
cannot be fragmented on layer 2)

- RADIUS datagram total length <= 4096 Bytes (arbitrary RFC limit)

The RADIUS/TLS wrapper around those datagrams is not size-limited at all
- it carries streams of n RADIUS datagrams. The TCP stack will take
care of sending the data in chunks like with any other TCP based protocol.

My guess is that main/tls.c thinks it operates within an EAP context
and tries to warn of too big data chunks, while there is actually
nothing to warn about.


Greetings,

Stefan Winter






--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et 
de la Recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
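Stefan's point about which limits actually apply, and the reviewer's concern about the fixed buffer in Brian's patch, can be shown in code. The following Python example is added here and is not FreeRADIUS code: it builds a constructed Access-Request carrying a large EAP-Message (the size a certificate chain produces) and reads packets back out of a TCP byte stream the way a RADIUS/TLS receiver should, taking the length from the RADIUS header and bounding it to the protocol's 20..4096 range rather than to a fixed receive buffer. The random authenticator and the sample payload are constructed; fits_fixed_buffer() is a stand-in for what a fixed uint8_t data[N] array implies.

```python
"""RADIUS/TCP (RadSec) framing: why a fixed 1024- or 2048-byte receive
buffer is the wrong limit.

Added stand-alone example, not FreeRADIUS code. Builds a constructed
Access-Request with a large EAP-Message and frames packets out of a TCP
byte stream using the RADIUS header Length field, bounded only by the
protocol maximum of 4096 bytes.
"""
import os
import struct

RADIUS_HDR = 20           # code(1) id(1) length(2) authenticator(16)
RADIUS_MIN = 20
RADIUS_MAX = 4096         # RFC 2865 maximum packet length
ACCESS_REQUEST = 1
EAP_MESSAGE = 79          # attribute type
MAX_ATTR_VALUE = 253      # 255 minus the 2-byte attribute header

# Constructed stand-in for a ~3 KB EAP payload such as a certificate chain.
SAMPLE_EAP = bytes(range(256)) * 12


def eap_message_attrs(eap_payload: bytes) -> bytes:
    """Split an EAP payload into back-to-back EAP-Message attributes."""
    out = bytearray()
    for i in range(0, len(eap_payload), MAX_ATTR_VALUE):
        chunk = eap_payload[i:i + MAX_ATTR_VALUE]
        out += struct.pack("!BB", EAP_MESSAGE, len(chunk) + 2) + chunk
    return bytes(out)


def build_packet(code: int, ident: int, attrs: bytes) -> bytes:
    """Assemble a RADIUS packet; the authenticator is random (constructed)."""
    length = RADIUS_HDR + len(attrs)
    if length > RADIUS_MAX:
        raise ValueError(f"packet would be {length} bytes, above {RADIUS_MAX}")
    return struct.pack("!BBH", code, ident, length) + os.urandom(16) + attrs


def read_packets(stream: bytes):
    """Frame RADIUS packets out of a TCP byte stream.

    Returns (complete packets, number of leftover bytes). Raises ValueError
    on a Length outside 20..4096, which is the only size check a RADIUS/TCP
    receiver needs; a partial trailing packet is simply left for the next
    read.
    """
    packets, pos = [], 0
    while len(stream) - pos >= 4:
        _code, _ident, length = struct.unpack("!BBH", stream[pos:pos + 4])
        if not RADIUS_MIN <= length <= RADIUS_MAX:
            raise ValueError(f"bad RADIUS length {length}")
        if len(stream) - pos < length:
            break                                   # wait for more TCP data
        packets.append(stream[pos:pos + length])
        pos += length
    return packets, len(stream) - pos


def fits_fixed_buffer(packet: bytes, buffer_size: int) -> bool:
    """The limit a fixed uint8_t data[N] receive buffer effectively imposes."""
    return len(packet) <= buffer_size


if __name__ == "__main__":
    big = build_packet(ACCESS_REQUEST, 7, eap_message_attrs(SAMPLE_EAP))
    small = build_packet(ACCESS_REQUEST, 8, eap_message_attrs(b"\x01\x02\x03"))
    print(f"large request is {len(big)} bytes")
    for size in (1024, 2048, RADIUS_MAX):
        print(f"  fits a {size}-byte buffer: {fits_fixed_buffer(big, size)}")
    packets, leftover = read_packets(big + small + small[:10])
    print(f"framed {len(packets)} packets, {leftover} bytes still pending")
```

The constructed request comes out at 3118 bytes, which a 1024- or 2048-byte array rejects although it is a valid RADIUS packet; only the 4096-byte protocol ceiling (or reading by header Length) is the right bound. The trailing 10 bytes in the demo show the other half of stream handling: an incomplete packet is kept for the next read, not treated as an error.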