crl handling
As far as I know FreeRADIUS uses OpenSSL to handle CRLs. OpenSSL also has an option -use_deltas to enable support for delta CRLs. Is this option available in FreeRADIUS?

According to eap.conf it is necessary to restart radiusd if a new version of a CRL is published. Are there plans to enable reading of a new CRL without restarting the server?

Thanks
Norbert Wegener

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: crl handling
Hi,

> Are there plans to enable reading of a new crl without restarting the server?

Without severely crippling performance, how? The RADIUS server would have to poll the CRL file all the time, and if it read a new file it would have to destroy its current array structure to import the new file details. And if there was a buffer error or the file was half-way through being written etc., then nastiness could ensue.

I never understand the problem people have with doing a HUP or a service reload in this context.

alan
Huntgroup Implementation with MySQL and Radgroupcheck
I'm looking for some help with the implementation of huntgroups. I am using MySQL and have followed the following topic through: http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html

In sites-available/default I have this (just after preprocess):

update request {
    Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
}

And the debug log shows this query's working:

expand: %{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'} -> Location One

In my radgroupcheck table, I've added: Huntgroup-Name == Location One

I've also modified my authorize_group_check_query in dialup.conf as per a recommendation:

authorize_group_check_query = "SELECT id, groupname, attribute_name, \
    Value, op \
    FROM ${groupcheck_table} \
    WHERE ( groupname = '%{Sql-Group}' OR groupname = '%{Huntgroup-Name}' ) \
    ORDER BY id"

(Which doesn't make logical sense to me.)

What I'm failing to get my head around is how to reject or allow access based on the location they're dialing in from. For example, a user from IP 1.x.x.x should be allowed access at location 1 only.
Re: crl handling
On 26 Jul 2012, at 09:20, alan buxey wrote:
> Hi,
>
>> Are there plans to enable reading of a new crl without restarting the server?
>
> without severely crippling performance, how?

You could add caching to the OCSP module and use that?
Re: Huntgroup Implementation with MySQL and Radgroupcheck
I forgot to mention that the lookup works if I enter the Huntgroup-Name in radcheck. For some reason, it's just failing in radgroupcheck.

On Jul 26, 2012, at 09:51 AM, Jenny Blunt jennyshoeh...@me.com wrote:
> [original message quoted in full]
Re: Huntgroup Implementation with MySQL and Radgroupcheck
On 07/26/2012 09:51 AM, Jenny Blunt wrote:
> I'm looking for some help with the implementation of huntgroups. I am using MySQL and have followed the following topic through: http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-td4950385.html
>
> In sites-available/default I have this (just after preprocess):
>
> update request {
>     Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
> }

Don't do this. Read the 2nd email in the thread you linked to.

Huntgroup-Name is a special attribute; comparisons are executed dynamically. You can't just use it like an ordinary string attribute.

Define another attribute in raddb/dictionary:

ATTRIBUTE  SQL-Location  3010  string

...and use that.

> authorize_group_check_query = "SELECT id, groupname, attribute_name, \
>     Value, op \
>     FROM ${groupcheck_table} \
>     WHERE ( groupname = '%{Sql-Group}' OR groupname = '%{Huntgroup-Name}' ) \
>     ORDER BY id"
>
> (Which doesn't make logical sense to me.)

It doesn't make sense to me either. So why do it?

> What I'm failing to get my head around is how to reject or allow access based on the location they're dialing in from. For example, a user from IP 1.x.x.x should be allowed access at location 1 only.

I don't know what this means.

Write down the policy you want in plain English. Figure out what sources of data you need to execute that policy. Read those sources of data into attributes. Write a policy to check them.

For example:

authorize {
    update request {
        SQL-Location = "%{sql:select location from ...}"
    }
    if (NAS-IP-Address =~ /^1\./) {
        if (SQL-Location != "Location 1") {
            reject
        }
    }
}
Re: Huntgroup Implementation with MySQL and Radgroupcheck
Hi Phil,

Thanks for the reply and help. Have been in a pickle with this for an age.

Could you confirm that the query at the bottom should go in the sites-available/default file in the auth section?

Huntgroups work with radcheck, but I understand I need a separate attribute now (at last)!

On Jul 26, 2012, at 10:07 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> [Phil's reply quoted in full]
Windows 7 Certificate
Hi everybody,

I just installed and configured FreeRADIUS 2.1.10 successfully. I am using it to authenticate WiFi users. I got trial certificates from GeoTrust, which are supposed to be accepted by Windows 7.

The thing is that when I try to connect to my WiFi network a window pops up saying something like (original is German):

The server xx.xx.xx presented a valid certificate from GeoTrust Global CA. GeoTrust Global CA is however not configured as a valid anchor for the profile. In addition, the server xx.xx.xx, which is being used to establish the connection, is not configured as a valid NPS server for the profile.

(Original message in German:)
Der Server xx.xx.xx stellte ein gültiges, von GeoTrust Global CA ausgestelltes Zertifikat dar. GeoTrust Global CA ist jedoch nicht als gültiger Vertrauensanker für das Profil konfiguriert. Außerdem ist der Server xx.xx.xx für das Profil nicht als gültiger NPS-Server konfiguriert, mit dem Verbindungen hergestellt werden können.
(End of original message)

I click on connect and it works, but I would like, if possible, to make this pop-up disappear. Has anyone had this issue and, if so, know how to make it disappear?

Regards,
--
Ismael Yáñez A.
Systemadministration
Rocket Internet GmbH | Johannisstraße 20 | 10117 Berlin | Deutschland
Re: Windows 7 Certificate
On 26/07/12 11:17, Ismael Yáñez wrote:
> I click on connect and it works, but I would like, if possible, to make this pop up disappear.

Pre-configure the trusted server cert and name under the network profile. You can do this using netsh XML profiles, Group Policy, or a tool such as su1x or others.

> Has anyone had this issue and if so know how to make it disappear?

It's normal. Windows doesn't know which of the known certs it should accept on a given connection until you tell it.

To be clear: the cert *is* built into Windows. But you still need to tick the box next to it in the connection properties.
Comparing Two Attributes
How do I go about comparing two attributes from an update request?

I have the following in my default conf file:

update request {
    SQL-Location := "%{sql: SELECT xxx}"
}
update request {
    SQL-Location-Id := "%{sql: SELECT yyy }"
}
if (SQL-Location != SQL-Location-Id ) {
    reject
}

And my debug log shows:

Info: Failed parsing "SQL-Location-Id": Unknown value SQL-Location-Id for attribute SQL-Location
Re: Comparing Two Attributes
On 26/07/12 12:41, Jenny Blunt wrote:
> How do I go about comparing two attributes from an update request?
>
> I have the following in my default conf file:
>
> update request {
>     SQL-Location := "%{sql: SELECT xxx}"
> }
> update request {
>     SQL-Location-Id := "%{sql: SELECT yyy }"
> }
> if (SQL-Location != SQL-Location-Id ) {
>     reject
> }

if (SQL-Location == "%{SQL-Location-Id}") {
}

Bare words on the right-hand side of operators are either interpreted as dictionary values or string constants, not other variables.
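Putting the huntgroup thread and this one together, here is an added policy (not code from the list posts) that reads the NAS's location and the user's permitted location into two server-local attributes and rejects on mismatch; the attribute number 3011, the table and column names, and the assumption that an empty SQL result leaves the attribute as an empty string are all mine.

```unlang
# raddb/dictionary: two server-local attributes (3010 follows the
# suggestion in this thread, 3011 is assumed here).  They are never sent
# on the wire, only used inside the policy.
ATTRIBUTE  SQL-Location     3010  string
ATTRIBUTE  SQL-Location-Id  3011  string

# sites-available/default
authorize {
    preprocess

    # Location of the NAS the user is connecting through
    # (table and column names are assumed).
    update request {
        SQL-Location := "%{sql:SELECT location FROM nas_location WHERE nasipaddress = '%{NAS-IP-Address}'}"
    }

    # Location this user is permitted to connect from.  rlm_sql escapes
    # the nested %{User-Name} expansion before it reaches the query.
    update request {
        SQL-Location-Id := "%{sql:SELECT allowed_location FROM user_location WHERE username = '%{User-Name}'}"
    }

    # Fail closed: an empty result means an unknown NAS or unknown user.
    if (SQL-Location == "" || SQL-Location-Id == "") {
        reject
    }

    # A bare word on the right-hand side is a constant, so the other
    # attribute has to be expanded inside a quoted string.
    if (SQL-Location != "%{SQL-Location-Id}") {
        reject
    }

    # ... the remaining authorize modules (eap, sql, pap, ...) stay as shipped
}
```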
Re: Comparing Two Attributes
Many thanks

On Jul 26, 2012, at 01:01 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> [Phil's reply quoted in full]
Re: crl handling
Wegener, Norbert wrote:
> Are there plans to enable reading of a new crl without restarting the server?

I'd suggest OCSP.

Alan DeKok.
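To show the two revocation mechanisms this thread compares side by side, here is an added eap.conf fragment for the 2.1.x tls section (not from the list posts or the shipped configuration); the certificate paths and the responder URL are assumed.

```unlang
# raddb/eap.conf, inside the tls { ... } section of eap { ... }
tls {
    certificate_file = ${certdir}/server.pem   # paths assumed
    private_key_file = ${certdir}/server.pem
    ca_file = ${cadir}/ca.pem

    # Option 1: CRL checking.  ca_path must hold the CA certificates
    # *and* the CRL files, hashed with c_rehash.  OpenSSL loads the
    # CRLs when the server starts, so a newly published CRL is only
    # seen after radiusd is restarted or reloaded (the point raised
    # in this thread).
    ca_path = ${cadir}
    check_crl = yes

    # Option 2: OCSP.  Each client certificate is checked against the
    # responder at authentication time, so revocations take effect
    # without touching the server.  The trade-off is a network
    # round trip per authentication unless responses are cached.
    ocsp {
        enable = yes
        # "yes" ignores the responder URL carried in the certificate's
        # AIA extension and uses the url below instead.
        override_cert_url = yes
        url = "http://ocsp.example.org/"   # assumed responder address
    }
}
```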
Re: libfreeradius vs libradius
Arvind Gupta wrote:
> I am new to RADIUS server authentication and looking to implement a RADIUS client. I found that there are many RADIUS client libraries available and the most popular are libradius and libfreeradius. I am figuring out which one is best and what the pros and cons of each one are. Any information related to this will be very helpful to me.

The freeradius-client code is BSD licensed, but I don't like the API.

The libfreeradius-radius code is LGPL'd. It's much better, but it does have the LGPL.

There is a pressing need for a BSD licensed RADIUS library. Too many vendors roll their own. And get pretty much everything wrong.

Alan DeKok.
Re: libfreeradius vs libradius
On 07/26/2012 09:11 AM, Alan DeKok wrote:
> Arvind Gupta wrote:
>> I am new to RADIUS server authentication and looking to implement a RADIUS client. I found that there are many RADIUS client libraries available and the most popular are libradius and libfreeradius. I am figuring out which one is best and what the pros and cons of each one are. Any information related to this will be very helpful to me.
>
> The freeradius-client code is BSD licensed, but I don't like the API.
>
> The libfreeradius-radius code is LGPL'd. It's much better, but it does have the LGPL.
>
> There is a pressing need for a BSD licensed RADIUS library. Too many vendors roll their own. And get pretty much everything wrong.

What is the (perceived) problem with LGPL?

--
John Dennis jden...@redhat.com
Re: Printing rlm_counter AVP's
jobhunt...@aol.com wrote:
> I have added some AVP's for an rlm_counter

What does that mean?

> and want to look at the values. I have tried using radclient but it prints only one of the AVP's I added. Since I added each AVP the same way, can anyone tell me what determines which AVP's radclient prints and what I can do to make sure all the AVP's I added are printed by radclient?

Perhaps looking at the debug output? And reading the documentation for how to add multiple attributes? And reading the documentation for how to ask good questions?

"I tried to do stuff, but it didn't work. Can anyone help me?"

Uh...

Alan DeKok.
Re: libfreeradius vs libradius
John Dennis wrote:
> What is the (perceived) problem with LGPL?

Religious intolerance. :)

I'd rather have a BSD licensed library that's *used* by idiot vendors than an LGPL'd library they're afraid of.

Alan DeKok.
Re: libfreeradius vs libradius
On 07/26/2012 09:55 AM, Alan DeKok wrote:
> John Dennis wrote:
>> What is the (perceived) problem with LGPL?
>
> Religious intolerance. :)
>
> I'd rather have a BSD licensed library that's *used* by idiot vendors than an LGPL'd library they're afraid of.

Can't it be dual licensed then?

--
John Dennis jden...@redhat.com
Re: libfreeradius vs libradius
John Dennis wrote:
> Can't it be dual licensed then?

I'm loath to dual-license libfreeradius-radius.

Part of the reason to have a BSD licensed library is to have *less* functionality than the LGPL'd one. A BSD licensed one is usually client-side. A client needs less functionality than a server, e.g. static dictionaries, etc.

Alan DeKok.
Session-Timeout
Hi Folks,

I'm in the process of setting up a WPA(2)-Enterprise (IEEE 802.1X) protected WLAN. I chose FreeRADIUS (2.1.10) with EAP-TLS to authenticate and control access to the network.

While everything works so far, I just can't get the Session-Timeout to work.

If I start 'freeradius -X' I can see that FreeRADIUS sends the Session-Timeout information with the Access-Accept message. Also, if I limit the Login-Time (e.g. Login-Time := Wk-1500) and the remaining time is less than the Session-Timeout, the remaining time is sent as the Session-Timeout.

Nevertheless, after the session times out, no reauthentication takes place and the client stays connected to the network.

As this behavior happens with all (two) APs I've got, I'm not sure where to locate the problem (FreeRADIUS, AP or client (Debian Squeeze with wpa_supplicant)).

Any idea how I could pinpoint the problem either from the FreeRADIUS or the client side?

Thanks,
Klaus
Re: Session-Timeout
On Thu, Jul 26, 2012 at 04:08:04PM +0200, Klaus Klein wrote:
> While everything works so far, I just can't get the Session-Timeout to work.
...
> Any idea how I could pinpoint the problem either from the FreeRADIUS or the client side?

If FreeRADIUS is sending the AVP back to the NAS (which you state it is), it's the job of the NAS (the AP) to disconnect the user at the specified time. The user will keep working until the NAS kicks them off.

As the user isn't being disconnected, it's the NAS that needs investigating.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
Re: Session-Timeout
Then the AP probably doesn't understand the Session-Timeout attribute (not implemented, for example). It would be helpful to tell us what you are using as an AP.

On 26.7.2012 16:08, Klaus Klein wrote:
> [original message quoted in full]
Re: Session-Timeout
On 26.07.2012 16:29, Marinko Tarlać wrote:
> Then the AP probably doesn't understand the Session-Timeout attribute (not implemented, for example). It would be helpful to tell us what you are using as an AP.

AP No. 1: Netgear WG602v3 with dd-wrt v24_micro_generic.bin
AP No. 2: Siemens Gigaset SE515dsl

Cheers,
Klaus
Re: Session-Timeout
On 26.07.2012 16:16, Matthew Newton wrote:
> On Thu, Jul 26, 2012 at 04:08:04PM +0200, Klaus Klein wrote:
>> While everything works so far, I just can't get the Session-Timeout to work.
>
> If FreeRADIUS is sending the AVP back to the NAS (which you state it is), it's the job of the NAS (the AP) to disconnect the user at the specified time. The user will keep working until the NAS kicks them off.
>
> As the user isn't being disconnected, it's the NAS that needs investigating.

I was afraid it would go down that road. :-(

>> Any idea how I could pinpoint the problem either from the FreeRADIUS or the client side?

I'm just tracing the wpa_supplicant and noticed a message "Cancelling authentication timeout". Unfortunately, it's not clear what or which side (AP or client) is causing this message.

Is there any way a client could cancel a session timeout? Or why would an AP do so?

Cheers,
Klaus
Re: libfreeradius vs libradius
Hi Alan,

Thanks a lot for the valuable information. As you mentioned, the BSD one is used by most of the vendors. Which one is very popular among vendors?

Arvind

On Thu, Jul 26, 2012 at 7:35 PM, Alan DeKok al...@deployingradius.com wrote:
> [Alan's reply quoted in full]

--
Arvind Kumar Gupta