Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side
Phil, can you look at the certs I provided?

Gabriel

--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5675205.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side
On 04/30/2012 07:29 AM, jinx_20 wrote:
> Phil, can you look at the certs I provided?

They look ok to me. There's no obvious reason they shouldn't verify, and quick tests at the CLI all passed. Are you sure these are functionally *identical* to the real ones you're using?

I've checked over the FR verify code; it is a pretty standard verify callback, and doesn't have any logic errors. It's a bit of a shame the FR verify callback doesn't explicitly log the subject/issuer/depth values for failures, and just logs the error; I wonder if that is worth fixing (and if it would tell us anything more in this case). But I'm fairly sure FR is doing nothing wrong.

Therefore, either your cert chain is mangled in some way OpenSSL doesn't like, OpenSSL is buggy or the client is buggy. Or something else weird is going on. I don't have any suggestions I'm afraid.

If you're familiar with the TLS protocol, you could use Wireshark to capture and inspect an EAP-TLS conversation. The dissector will reassemble the TLS exchange, and you can check the correct certs are being sent over the wire in the correct order.
Question: which 3rd party CA for EAP
Hi,

We are trying to set up EAP for different mobile devices. We don't need certificates for each user; we want to authorize against the RADIUS server with username and password only. With self-signed certificates it's working if the mobile device installs the root CA certificate.

We tried several 3rd party certificates: StartSSL, United SSL, GoDaddy, test certificates from Thawte. Apple and Windows clients are claiming that the certificate is not trusted.

Does anybody have a working solution with 3rd party certificates and can tell us which certificate could be used and what needs to be configured in eap.conf?

Kind Regards
Uwe
Maximum limit for clients.
Hi,

I have been using the RADIUS server downloaded from the freeradius.net website for quite a long time. For creating the user id and password required for my clients to authenticate with my RADIUS server, I usually configure the user id and password using the following line in the user.conf file present in the RADIUS server:

user id Cleartext-Password := password

My queries are listed below.

1. I wanted to know whether there is any limit for such configurations? How many user ids and passwords can be added to the file?
2. If we want to increase the limit, then what are the available options?
3. What is the normal CPU and memory usage of the device where the RADIUS server is installed and running? And what is the usage when the maximum number of clients try to authenticate with the RADIUS server?

Thanks in advance.

Regards,
Sharad Panicker.
Re: Question: which 3rd party CA for EAP
> Hi,
>
> We are trying to set up EAP for different mobile devices. We don't need certificates for each user; we want to authorize against the RADIUS server with username and password only. With self-signed certificates it's working if the mobile device installs the root CA certificate.
>
> We tried several 3rd party certificates: StartSSL, United SSL, GoDaddy, test certificates from Thawte. Apple and Windows clients are claiming that the certificate is not trusted.
>
> Does anybody have a working solution with 3rd party certificates and can tell us which certificate could be used and what needs to be configured in eap.conf?

You should be aware that the trusted status of a CA is completely independent in browsers vs. for EAP. Browsers have a (large|too large) set of CAs which they consider trusted. EAP supplicants typically trust NO CA unless explicitly configured to. In the Windows case, the supplicant will trust the 3rd party certs just fine as soon as you open the EAP properties and check the box of that CA.

So, very often you will require extra manual/scripted configuration whether you use a self-signed CA or not; merely the actual import of the certificate file can be omitted if the CA is shipped. I.e. you don't gain a lot, and spend more money when using a trusted CA, so in the vast majority of cases, it is the wiser way to use a self-signed CA.

Greetings,

Stefan Winter

> Kind Regards
> Uwe

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Re: Maximum limit for clients.
On 30/04/12 12:08, Sharad P wrote:
> Hi,
>
> I have been using the RADIUS server downloaded from the freeradius.net website for quite a long time. For creating the user id and password required for my clients to authenticate with my RADIUS server, I usually configure the user id and password using the following line in the user.conf file present in the RADIUS server:
>
> user id Cleartext-Password := password
>
> My queries are listed below.
>
> 1. I wanted to know whether there is any limit for such configurations? How many user ids and passwords can be added to the file?

Lots and lots. The users file is parsed into a tree structure internally; it will be searched very quickly. This has been discussed on the list; search the archives. If I recall, it's many tens of thousands.

> 2. If we want to increase the limit, then what are the available options?

You shouldn't need to.

> 3. What is the normal CPU and memory usage of the device where the RADIUS server is installed and running? And what is the usage when the maximum number of clients try to authenticate with the RADIUS server?

There's no way to answer that question. It is too vague.
Re: Maximum limit for clients.
Thanks a lot for the reply.

So there is no considerable memory usage when tens of thousands of users try to authenticate with my RADIUS server?

Also, I do not use any SQL server for any databases. I simply create a user name and password in the user.conf file. The clients willing to authenticate will have to use the specified username and password. I want to know whether this is a correct approach.

Thanks in advance.

Regards,
Sharad Panicker.
Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side
I think I found a reason. In the root and sub CA certificates there was *Extended Key Usage* set to OCSP Signing, which limited the use of any user certificate issued by those CAs to the OCSP Signing purpose.

> 4.2.1.12. Extended Key Usage
>
> This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates. [RFC 5280]

After removing the EKU OIDs from the CA certificates everything works fine. But I still cannot understand why FR allowed the connection when I had removed the Sub2_CA certificate from the cert store.

Gabriel
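The Extended Key Usage pitfall Gabriel describes, reproduced with the openssl CLI as an added example that is not from the thread or from FreeRADIUS: one CA whose only EKU is OCSPSigning beside the same CA without the extension, each issuing a plain client certificate that is then verified for the sslclient purpose (the purpose OpenSSL applies on the server side of a TLS handshake, which is what an EAP-TLS server does with a supplicant's certificate). Assumes an openssl binary of 1.1.1 or newer with its default config; CA and user names are made-up scratch values.

```shell
# Added demo, not code from the thread: a CA certificate whose only
# Extended Key Usage is OCSPSigning. OpenSSL applies the purpose check to
# every certificate in the chain, so a client certificate issued by that CA
# fails the "sslclient" purpose the TLS server side uses in EAP-TLS.
# Assumes the openssl CLI (1.1.1+ for -addext) with its default config.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME [EXT] -- self-signed CA; EXT is an optional -addext value
make_ca() {
    if [ -n "${2:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -addext "$2"
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.crt"
    fi 2>/dev/null
}

# issue_client CA NAME -- end-entity certificate with no EKU of its own
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
        -out "$WORK/$2.crt" 2>/dev/null
}

# verify_client CA NAME -- prints "ok" or "fail" for the sslclient purpose,
# the same check a TLS server performs on a client certificate chain
verify_client() {
    if openssl verify -purpose sslclient -CAfile "$WORK/$1.crt" \
            "$WORK/$2.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The thread's mistake: EKU on the CA restricted to OCSP signing
make_ca bad-ca "extendedKeyUsage=OCSPSigning"
issue_client bad-ca user1
# Same CA with the EKU extension left off, as RFC 5280 4.2.1.12 intends
make_ca good-ca
issue_client good-ca user2

echo "CA with EKU=OCSPSigning: $(verify_client bad-ca user1)"   # fail
echo "CA without EKU:          $(verify_client good-ca user2)"  # ok
```

To find the offending extension on an existing chain, `openssl x509 -in ca.crt -noout -ext extendedKeyUsage` prints just that extension (OpenSSL 1.1.1+).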
Re: Maximum limit for clients.
Sharad P wrote:
> 1. I wanted to know whether there is any limit for such configurations? How many user ids and passwords can be added to the file?

In 1.1.7, the users file entries are put into a linked list. It's slow. 2.x is better.

> 2. If we want to increase the limit, then what are the available options?

Upgrade to 2.x.

> 3. What is the normal CPU and memory usage of the device where the RADIUS server is installed and running? And what is the usage when the maximum number of clients try to authenticate with the RADIUS server?

RADIUS doesn't really use CPU or memory. When you access a DB or use EAP methods, that uses CPU and memory.

Alan DeKok.
Re: Maximum limit for clients.
Thanks for the reply.

Here I am not using any SQL server for the DB. I just use my config file for user authentication. So in such a case, the memory usage will be very low, I guess.
Restart service of Radius
After the changes are made in the config files (user.conf), the RADIUS server needs to be restarted. Is there any way that the RADIUS server will fetch the changed configuration without restarting the RADIUS server?

Thanks,
Sharad Panicker.
Re: Restart service of Radius
Sharad P wrote:
> Is there any way that the RADIUS server will fetch the changed configuration without restarting the RADIUS server?

In 2.x, you can send it a HUP signal.

Alan DeKok.
Re: Maximum limit for clients.
Sharad P wrote:
> So there is no considerable memory usage when tens of thousands of users try to authenticate with my RADIUS server?

Uh... data uses memory. The more data you have, the more memory you use.

This is 2012. If you care about memory usage, you're either (a) caring about the wrong thing, or (b) in a constrained system.

> Also, I do not use any SQL server for any databases. I simply create a user name and password in the user.conf file. The clients willing to authenticate will have to use the specified username and password. I want to know whether this is a correct approach.

It depends on what you want to do. My guess is that you're optimizing the wrong thing. This is demonstrated by the fact that you're *not* talking about a problem. You're talking about a solution.

e.g. rather than saying "will 10K users fit into 100Mb of RAM?", you're saying "I'm using the users file... is it OK?"

Alan DeKok.
Re: Restart service of Radius
On 04/30/2012 09:10 AM, Sharad P wrote:
> After the changes are made in the config files (user.conf), the RADIUS server needs to be restarted. Is there any way that the RADIUS server will fetch the changed configuration without restarting the RADIUS server?

The traditional technique is to send the process a HUP signal (most daemons work this way). In fact it's such a common control scenario that most initscripts and/or other tools used to control system daemons support a reload command that does this for you (you don't have to know the pid). If your system supports reload it's the preferred method, if not send a HUP. With FreeRADIUS you can also do a reload from the admin console.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Log-rotation FreeBSD 8.2
Hi all, something strange: I am trying to set up newsyslog to rotate the logs of FreeRADIUS 2.1.11. My setup string looks like

[code]
/var/log/radius.log freeradius:freeradius 644 7 5 * Z
[/code]

but after rotation no logs are written to /var/log/radius.log until restarting freeradius. But if I just run

[code]
echo > /var/log/radius.log
[/code]

the log is cleaned and everything is written fine. What am I doing wrong?

--
Best regards,
NewUse.
Re: Log-rotation FreeBSD 8.2
new...@qip.ru wrote:
> Hi all, something strange: I am trying to set up newsyslog to rotate the logs of FreeRADIUS 2.1.11. My setup string looks like
>
> [code]
> /var/log/radius.log freeradius:freeradius 644 7 5 * Z
> [/code]
>
> but after rotation no logs are written to /var/log/radius.log until restarting freeradius.

You need to HUP the server to get it to re-open the logs. This is normal daemon behavior.

Alan DeKok.
Re: Log-rotation FreeBSD 8.2
Hi,

> You need to HUP the server to get it to re-open the logs. This is normal daemon behavior.

It's a behaviour that changed with, I think, 2.1.10 - before then you could rotate a log and the daemon would start writing to the new logfile. We had to adjust our logrotate script to do a restart of the daemon upon log rotate (as a post-rotate function), which means our server is restarted each day now.. unfortunately this means we lose all the state-less stuff - EAP sessions being the big one.

alan
Re: Restart service of Radius
Hi,

> ... a reload command that does this for you (you don't have to know the pid). If your system supports reload it's the preferred method, if not send a HUP. With FreeRADIUS you can also do a reload from the admin console.

It's also another reason to use SQL for e.g. user/NAS stuff... as you don't need to reload the server.

alan
Re: Log-rotation FreeBSD 8.2
alan buxey wrote:
> unfortunately this means we lose all the state-less stuff - EAP sessions being the big one.

Huh? The EAP module isn't re-loaded on HUP. So it's ignored. The sessions still exist after HUP.

Alan DeKok
RE2: Log-rotation FreeBSD 8.2
> You need to HUP the server to get it to re-open the logs. This is normal daemon behavior.
>
> Alan DeKok.

Thanks, but why can I clean the logs via the echo command without a restart? Could the same behavior be implemented for auto-rotation of FR2 logs?
Re: Log-rotation FreeBSD 8.2
Hi,

On Mon, Apr 30, 2012 at 05:01:19PM +0200, Alan DeKok wrote:
> alan buxey wrote:
> > unfortunately this means we lose all the state-less stuff - EAP sessions being the big one.
>
> Huh? The EAP module isn't re-loaded on HUP. So it's ignored. The sessions still exist after HUP.

Alan said restart... as we found out recently, a HUP could cause mschap issues until you wrote your xlat patch a couple of weeks ago. Since that patch, we're doing HUP and it's working just fine - thanks. But using ntlm_auth (with %{mschap:...}) in 2.1.12 can potentially have issues.

Cheers,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: RE2: Log-rotation FreeBSD 8.2
On Mon, Apr 30, 2012 at 07:07:27PM +0400, new...@qip.ru wrote:
> > You need to HUP the server to get it to re-open the logs. This is normal daemon behavior.
> >
> > Alan DeKok.
>
> Thanks, but why can I clean the logs via the echo command without a restart?

Truncating a file and changing its name are not the same thing. Read up on unix files and inodes.

> Could the same behavior be implemented for auto-rotation of FR2 logs?

Send a HUP. It's the Right Thing.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
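Matthew's point about truncation versus rename, and the re-open on HUP that Alan describes earlier in this thread, shown in plain POSIX shell as an added example that is not from the thread or from FreeRADIUS: file descriptor 3 plays the daemon's log descriptor, and three small functions compare rotation by rename, rotation followed by a re-open, and truncation in place. Assumes only a scratch directory from mktemp; the file names are made up.

```shell
# Added demo, not code from the thread: why truncating radius.log in place
# keeps a running daemon logging while a rotation by rename does not, and
# why the fix is to re-open the log by name (what the server does on HUP).
# Fd 3 stands in for the daemon's log descriptor, opened once at startup.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/radius.log"

# count FILE -- number of lines in FILE, 0 if it does not exist
count() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# rotate_by_rename -- newsyslog/logrotate style; prints "<lines in
# radius.log.0> <lines in radius.log>". The write after the rename still
# lands in the old file: the fd is bound to the inode, not the path.
rotate_by_rename() {
    : > "$LOG"; exec 3>>"$LOG"          # daemon opens the log, O_APPEND
    echo "line 1" >&3
    mv "$LOG" "$LOG.0"                  # the rotation
    echo "line 2" >&3                   # goes to radius.log.0
    echo "$(count "$LOG.0") $(count "$LOG")"   # -> "2 0"
}

# reopen_after_hup -- same rotation, but the daemon's SIGHUP handler
# closes and re-opens the log by name before the next write
reopen_after_hup() {
    : > "$LOG"; exec 3>>"$LOG"
    echo "line 1" >&3
    mv "$LOG" "$LOG.0"
    exec 3>>"$LOG"                      # re-open: creates a fresh file
    echo "line 2" >&3                   # goes to the new radius.log
    echo "$(count "$LOG.0") $(count "$LOG")"   # -> "1 1"
}

# truncate_in_place -- the thread's 'echo > radius.log' trick: same inode,
# length reset to 0. With O_APPEND the next write lands at the new end, so
# the daemon keeps logging with no re-open (no O_APPEND: a hole of NULs).
truncate_in_place() {
    : > "$LOG"; exec 3>>"$LOG"
    echo "line 1" >&3
    : > "$LOG"                          # truncate; name and inode unchanged
    echo "line 2" >&3
    echo "$(count "$LOG") $(cat "$LOG")"       # -> "1 line 2"
}

rotate_by_rename; reopen_after_hup; truncate_in_place
```

newsyslog.conf accepts an optional pid-file path (and a signal number, SIGHUP by default) after the flags column, which is how the rename-style rotation from the thread can be made to signal radiusd after the rename; the path to give it is whatever your radiusd is configured to write its pid to, not a value from this thread.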