Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
Hi,

I am working on RADIUS with LDAP as backend for authenticating users. I configured rlm_ldap on the RADIUS server with username and plaintext password and I am able to authenticate a RADIUS client using LDAP. But I want to configure the RADIUS server with certificates instead of using usernames and passwords. Please guide me how to achieve this; is there any help/doc on how to configure LDAP SASL bind for the RADIUS server?

Waiting for your inputs.

Thanks and Regards,
Pramod

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RADIUS shared secret over internet
Hi,

I have read on the archives regarding the above issue and that the RADIUS shared secret is an obfuscation method of securing the communications between the NAS and RADIUS Server. One method I have read is by using IPSec, but I am asking around if there are other ideas that I may not have thought of.

Regards,
Muhammad Nuzaihan Bin Kamal Luddin

--
Taqi Systems
269-J Jalan Panji Kampung Chempaka, Kota Bharu, Kelantan 16100
Re: RADIUS shared secret over internet
Hi,

RADSEC

These days, the more proper answer is: RFC6614

http://tools.ietf.org/html/rfc6614

:-)

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Re: RADIUS shared secret over internet
On Tue, Apr 9, 2013 at 2:52 PM, Muhammad Nuzaihan Kamal Luddin muham...@taqisystems.com wrote:
> Hi,
>
> I have read on the archives regarding the above issue and that the RADIUS shared secret is an obfuscation method of securing the communications between the NAS and RADIUS Server. One method I have read is by using IPSec

... or whatever private tunnel you can create between NAS and radius, e.g. openvpn, PPTP, etc.

> but I am asking around if there are other ideas that I may not have thought of.

Depending on what you use the radius for, you might get away by ONLY allowing (T)TLS/EAP along with strict cert checking.

--
FAN
Re: RADIUS shared secret over internet
Interesting method by using TLS. This is what I had in mind but couldn't find the answer. The only method I see is through proxying the requests, based on a whitepaper I read - if this is what RFC6614 may contain.

What is the roadmap for this? Is there any initial work being done or proof-of-concept work on this? Looking at implementations of TLS (in combination with openssl/gnutls) on other protocols, it might be similar to this, but I may be wrong (I have yet to read the RFC) as it's another layer taking place.

Thanks for the hint. I'll read up on the RFC.

Cheers,
Muhammad Nuzaihan Bin Kamal Luddin

On Tue, 2013-04-09 at 10:13 +0200, Stefan Winter wrote:
> Hi,
>
> RADSEC
>
> These days, the more proper answer is: RFC6614
>
> http://tools.ietf.org/html/rfc6614
>
> :-)
>
> Stefan
Re: RADIUS shared secret over internet
As I remember, Alan mentioned that RADSEC will be implemented in FreeRADIUS 3...

On 9.4.2013 10:54, Muhammad Nuzaihan bin Kamal Luddin wrote:
> Interesting method by using TLS. This is what I had in mind but couldn't find the answer. The only method I see is through proxying the requests, based on a whitepaper I read - if this is what RFC6614 may contain.
>
> What is the roadmap for this? Is there any initial work being done or proof-of-concept work on this? Looking at implementations of TLS (in combination with openssl/gnutls) on other protocols, it might be similar to this, but I may be wrong (I have yet to read the RFC) as it's another layer taking place.
>
> Thanks for the hint. I'll read up on the RFC.
>
> Cheers,
> Muhammad Nuzaihan Bin Kamal Luddin
>
> On Tue, 2013-04-09 at 10:13 +0200, Stefan Winter wrote:
> > Hi,
> >
> > RADSEC
> >
> > These days, the more proper answer is: RFC6614
> >
> > http://tools.ietf.org/html/rfc6614
> >
> > :-)
> >
> > Stefan
Server doesn't detect any requests except from localhost
Hello,

I have a student project that I need a RADIUS server for. I have access to two servers that I have to connect to remotely (VPN required; of course the two servers are on the same network and can always see each other). One has Windows Server on it and the other has CentOS 64-bit on it. Both are virtual, in a company using VMware tools I believe.

I installed FreeRADIUS on CentOS and I performed first tests from the server itself and it's working all right. I added the clients and users that I needed to the configuration files.

Here is the problem: whenever I send a request from a RADIUS client (I tried some testers, and even radtest) to my FreeRADIUS server I get a timeout. FreeRADIUS is running in debugging mode and I can see that it doesn't receive any request, whether to accept or reject. I tried the Windows server on that LAN and my computer, which is connected to the VPN and can see the FreeRADIUS server (successful pinging).

I used netstat to see what IPs and ports are listening; the result was 0.0.0.0:1812 (udp), so I assume that it is listening on all IPs on 1812. Whenever I try to start the server with -i and -p I get the message that the server cannot bind to the address that I want because it is already listening to them on another thing. I can start the server with -i 172.16.150.*** which is its own address and -p 1812.

I have been stuck on this problem for two days. I read all the config files of FreeRADIUS and I tried to make some changes (I reverted them later) but none helped, because I think the problem is not there. I assume that the server should see all the requests and then decide what to do with them.

Any ideas where the problem is?

Thank you
Saeed Zanderahimi
Re: RADIUS shared secret over internet
Hi,

> As I remember, Alan mentioned that RADSEC will be implemented in FreeRADIUS 3...

correct. you can try/test/run FR3 today from GIT but if you want to keep with FR2.x in the meantime you can always have a local proxy eg RadSecProxy which works fine with FR2.x (and each end can do status-server too)

alan
Re: MAC Address Auth
Hi,

Am happy to say that I managed to have this work, tested and double tested, and it works fine. However, now the challenge I have is to ensure that all my users at a domain, say @ut3, are requested to fulfil all the parameters on this 1st line. How do I ensure this one?

eric@ut3    Cleartext-Password := eric, Simultaneous-Use := 1, Mac-Addr == 00-24-d2-28-4f-39
        Service-Type = Framed-User,
        Qos-Policy-Policing = broadband_128_policing,
        Qos-Policy-Metering = broadband_128_metering,
        Framed-Protocol = PPP,
        Ip_Address_Pool_Name = pool_128,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Fall-Through = 0

Eric M

From: Alan DeKok al...@deployingradius.com
To: Mulindwa meri...@yahoo.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, April 8, 2013 5:21 PM
Subject: Re: MAC Address Auth

Mulindwa wrote:
> I have read and read, and I have not seen where the reply list or check list is

$ man unlang

Read doc/rlm_sql

I have no idea which files you're reading. But it's clear you're *not* reading the documentation that comes with the server.

Don't google for random pages on the net. Read the documentation. Read the Wiki. 99% of questions are answered there.

Alan DeKok.
Re: Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
On 04/09/2013 03:44 AM, pramod kulkarni wrote:
> Hi,
>
> I am working on RADIUS with LDAP as backend for authenticating users. I configured rlm_ldap on the RADIUS server with username and plaintext password and I am able to authenticate a RADIUS client using LDAP.

There is a difference between using LDAP as a backend datastore (lookup passwords and password hashes after binding as a service) and using LDAP as an authentication oracle (binding as the user to determine if the user is authenticated depending on the bind result). From above it sounds like you've configured LDAP as a backend datastore.

> But I want to configure the RADIUS server with certificates instead of using usernames and passwords. Please guide me how to achieve this; is there any help/doc on how to configure LDAP SASL bind for the RADIUS server?
>
> Waiting for your inputs.
>
> Thanks and Regards,

You can't with the current rlm_ldap module bind to the LDAP server with anything other than a (username, password) pair, either for lookups or for authentication testing (only ldap_connect and ldap_simple_bind are supported).

However, rlm_ldap does support SSL/TLS connections to the LDAP server and you can specify that you want the LDAP server to request a client cert when establishing the connection. But ultimately you're still doing a simple bind, albeit in a secure tunnel. If you specify you want the LDAP server to require a client cert then you effectively have two simultaneous authentication mechanisms in play (TLS for the tunnel and simple auth inside the tunnel).

Setting up TLS auth is straightforward (see the options in raddb/modules/ldap) *except* for the fact the ldap library routines to set the require cert option are buggy (rlm_ldap uses the wrong entry point which may not be supported and the openldap library also has bugs; I think we've now got all these fixed and patches sent upstream to openldap, but you should be aware there is a reasonable chance it won't work on your distribution unless you've got patched libraries).

Even if SASL binds were supported you wouldn't want to use SASL binds for user authentication (if that was what you were asking; it's not clear from your original post). For user authentication based on certificates you would use EAP-TLS.

A long time ago I had a patch for using SASL binds, but it was against the old 1.1.7 version of rlm_ldap and it only supported GSSAPI.

HTH,
John

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Server doesn't detect any requests except from localhost
On 04/09/2013 05:21 AM, Saeed Zanderahimi wrote:
> Hello,
>
> I have a student project that I need a RADIUS server for. I have access to two servers that I have to connect to remotely (VPN required; of course the two servers are on the same network and can always see each other). One has Windows Server on it and the other has CentOS 64-bit on it. Both are virtual, in a company using VMware tools I believe.
>
> I installed FreeRADIUS on CentOS and I performed first tests from the server itself and it's working all right. I added the clients and users that I needed to the configuration files.
>
> Here is the problem: whenever I send a request from a RADIUS client (I tried some testers, and even radtest) to my FreeRADIUS server I get a timeout. FreeRADIUS is running in debugging mode and I can see that it doesn't receive any request, whether to accept or reject. I tried the Windows server on that LAN and my computer, which is connected to the VPN and can see the FreeRADIUS server (successful pinging).
>
> I used netstat to see what IPs and ports are listening; the result was 0.0.0.0:1812 (udp), so I assume that it is listening on all IPs on 1812. Whenever I try to start the server with -i and -p I get the message that the server cannot bind to the address that I want because it is already listening to them on another thing. I can start the server with -i 172.16.150.*** which is its own address and -p 1812.
>
> I have been stuck on this problem for two days. I read all the config files of FreeRADIUS and I tried to make some changes (I reverted them later) but none helped, because I think the problem is not there. I assume that the server should see all the requests and then decide what to do with them.
>
> Any ideas where the problem is?

I suspect a firewall is blocking your port. FWIW, listening on a port is completely independent of whether the port is blocked; you have to check both.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Server doesn't detect any requests except from localhost
Saeed Zanderahimi wrote:
> Here is the problem: whenever I send a request from a RADIUS client (I tried some testers, and even radtest) to my FreeRADIUS server I get a timeout. FreeRADIUS is running in debugging mode and I can see that it doesn't receive any request, whether to accept or reject. I tried the Windows server on that LAN and my computer, which is connected to the VPN and can see the FreeRADIUS server (successful pinging).

So the network is up, but you can't reach the RADIUS port. This usually means a firewall is blocking traffic. Go check that.

> I used netstat to see what IPs and ports are listening; the result was 0.0.0.0:1812 (udp), so I assume that it is listening on all IPs on 1812. Whenever I try to start the server with -i and -p I get the message that the server cannot bind to the address that I want because it is already listening to them on another thing. I can start the server with -i 172.16.150.*** which is its own address and -p 1812.

When you start the server in debugging mode, you need to shut down any server already running. You haven't done that. That's why it's saying address already in use.

1) check that the firewall allows traffic to port 1812
2) stop all servers currently running
3) then run it in debug mode
4) it should work

Alan DeKok.
RE: RADIUS shared secret over internet
Muhammad Nuzaihan wrote:
> What is the roadmap for this? Is there any initial work being done or proof-of-concept work on this? Looking at implementations of TLS (in combination with openssl/gnutls) on other protocols, it might be similar to this, but I may be wrong (I have yet to read the RFC) as it's another layer taking place.

I've been piloting FR3's RADSEC between our campus and our eduroam federation for close to a year now. There were some initial bugs but it's been stable since those were dealt with. Just be sure to turn off max_requests_per_server by setting it to zero.

Sometime soon EDUROAM-US is moving to a redundant setup so we'll be able to test any interactions with home server pooling.
Re: Server doesn't detect any requests except from localhost [SOLVED]
Thank you for your answers. I added my client IP address and 1812:1814 ports to the iptables config file and after saving and rebooting it works now :)

Regards
Saeed

From: Alan DeKok al...@deployingradius.com
To: Saeed Zanderahimi saeed...@yahoo.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, April 9, 2013 2:21 PM
Subject: Re: Server doesn't detect any requests except from localhost

Saeed Zanderahimi wrote:
> > Here is the problem: whenever I send a request from a RADIUS client (I tried some testers, and even radtest) to my FreeRADIUS server I get a timeout. FreeRADIUS is running in debugging mode and I can see that it doesn't receive any request, whether to accept or reject. I tried the Windows server on that LAN and my computer, which is connected to the VPN and can see the FreeRADIUS server (successful pinging).
>
> So the network is up, but you can't reach the RADIUS port. This usually means a firewall is blocking traffic. Go check that.
>
> > I used netstat to see what IPs and ports are listening; the result was 0.0.0.0:1812 (udp), so I assume that it is listening on all IPs on 1812. Whenever I try to start the server with -i and -p I get the message that the server cannot bind to the address that I want because it is already listening to them on another thing. I can start the server with -i 172.16.150.*** which is its own address and -p 1812.
>
> When you start the server in debugging mode, you need to shut down any server already running. You haven't done that. That's why it's saying address already in use.
>
> 1) check that the firewall allows traffic to port 1812
> 2) stop all servers currently running
> 3) then run it in debug mode
> 4) it should work
>
> Alan DeKok.
Cellular Roaming Accounting
I have recently inherited working on a FreeRADIUS on openSUSE server on a cellular implementation. I'll be upfront that my Linux skills are minimal and I know nothing about FreeRADIUS.

I don't know what version of FreeRADIUS we are running. I was afraid to run radiusd -v because the man page said it would run and exit. This is a production server and I didn't want to risk killing the process. I'll schedule a maintenance window to run that.

My issue is I need to implement total data transferred daily logging for a particular realm to implement roaming. My first thought was to get it from the detail files. I can probably write a script to accomplish this but I can't find the RAT-Type attribute in the log entries. I need to break out 1xRTT and EVDO totals for this realm. The Radio Access Technology type would be perfect for this but, as I said, I can't find it in the detail file.

I know a little about MySQL but not much. It is implemented on this server. Can I pull this data from the radacct table? I thought I might need to implement the rls_counter module. It is not currently implemented.

Sorry, I have short windows of time to try things on this server so I'm trying to line up as much as I can ahead of time before getting stuck and wasting a maintenance window.

Here is a sample start record in the detail file:

        User-Name = 5558675...@companyx.com
        NAS-IP-Address = ###.###.###.###
        Acct-Status-Type = Start
        Acct-Session-Id = ecs+xv67
        Acct-Delay-Time = 0
        Acct-Authentic = RADIUS
        NAS-Port = 2265
        NAS-Port-Type = Virtual
        Calling-Station-Id = 15558675309
        Framed-Protocol = PPP
        Framed-IP-Address = ###.###.###.###
        Event-Timestamp = Apr 7 2013 00:00:02 EDT
        Acct-Input-Octets = 0
        Acct-Output-Octets = 0
        3GPP2-Correlation-Id = ecs+yshC
        3GPP2-User-Id = 0
        3GPP2-Forward-FCH-Mux-Option = 2337
        3GPP2-Reverse-FCH-Mux-Option = 2337
        3GPP2-Service-Option = 33
        3GPP2-Forward-Traffic-Type = 0
        3GPP2-Reverse-Traffic-Type = 0
        3GPP2-FCH-Frame-Size = 2
        3GPP2-Forward-FCH-RC = 3
        3GPP2-Reverse-FCH-RC = 3
        3GPP2-IP-Technology = 1
        3GPP2-Compulsory-Tunnel-Indicator = 0
        3GPP2-PCF-IP-Address = ###.###.###.###
        3GPP2-BSID = 14EE0001
        3GPP2-Home-Agent-IP-Address = 0.0.0.0
        3GPP2-Bad-PPP-Frame-Count = 0
        3GPP2-Number-Active-Transitions = 0
        3GPP2-Terminating-SDB-Octet-Count = 0
        3GPP2-Originating-SDB-OCtet-Count = 0
        3GPP2-Terminating-Number-SDBs = 0
        3GPP2-Originating-Number-SDBs = 0
        3GPP2-IP-QoS = 0
        3GPP2-Session-Continue = 1
        3GPP2-Inbound-Mobile-IP-Sig-Octets = 0
        3GPP2-Outbound-Mobile-IP-Sig-Octets = 0
        3GPP2-Airlink-Priority = 13
        3GPP2-Received-HDLC-Octets = 0
        3GPP2-Attr-41 = 0x486a95e1
        3GPP2-Module-Orig-Term-Indicator = 0x
        3GPP2-Forward-DCCH-Mux-Option = 0
        3GPP2-Reverse-DCCH-Mux-Option = 0
        3GPP2-Forward-DCCH-RC = 0
        3GPP2-Reverse-DHHC-RC = 0
        3GPP2-Service-Reference-Id = 0x0104000102040001
        3GPP2-DCCH-Frame-Size = 0
        3GPP2-Begin-Session = 1
        3GPP2-Active-Time = 0
        Service-Type = Framed-User
        Acct-Unique-Session-Id = efb3ccab5e594101
        Stripped-User-Name = 5558675309
        Realm = companyx.com
        Timestamp = 1365307202
        Request-Authenticator = Verified
Re: Cellular Roaming Accounting
Gerry Gasca wrote:
> I have recently inherited working on a FreeRADIUS on openSUSE server on a cellular implementation. I'll be upfront that my Linux skills are minimal and I know nothing about FreeRADIUS.

Posting here is a good start.

> I don't know what version of FreeRADIUS we are running. I was afraid to run radiusd -v because the man page said it would run and exit. This is a production server and I didn't want to risk killing the process. I'll schedule a maintenance window to run that.

Don't bother. It's safe. When you run radiusd -v, the *current* program prints the version and exits. It doesn't poke the running daemon.

> My issue is I need to implement total data transferred daily logging for a particular realm to implement roaming. My first thought was to get it from the detail files. I can probably write a script to accomplish this but I can't find the RAT-Type attribute in the log entries. I need to break out 1xRTT and EVDO totals for this realm. The Radio Access Technology type would be perfect for this but, as I said, I can't find it in the detail file.

If it's not there, then the NAS isn't sending it.

> I know a little about MySQL but not much. It is implemented on this server. Can I pull this data from the radacct table? I thought I might need to implement the rls_counter module. It is not currently implemented.

You could pull the data from the SQL table. I'd recommend that. The detail file is really just a backup for SQL data. (For various reasons)

You should be able to query the SQL table, and key off of the User-Name, where the realm is the one you want. Then, add up the various columns.

So this is really an SQL issue. Look at the tables shipped with FreeRADIUS to determine the structure. Then write SQL queries.

> Sorry, I have short windows of time to try things on this server so I'm trying to line up as much as I can ahead of time before getting stuck and wasting a maintenance window.

You should be able to query your SQL table live. Just run SELECTs, and nothing else.

Alan DeKok.
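The kind of per-realm daily query Alan describes, as an added example (not from the thread or from the FreeRADIUS project). It assumes the column names of the stock FreeRADIUS 2.x MySQL radacct schema (username, realm, acctstoptime, acctinputoctets, acctoutputoctets, with gigawords already folded into the octet columns by the stock accounting queries) and uses an in-memory SQLite stand-in with constructed rows so it runs offline; the SELECT is the same one you would run against MySQL.

```python
"""Daily traffic totals for one realm from a FreeRADIUS radacct table.

Added example. An in-memory SQLite table with the relevant radacct columns
(names as in the stock FreeRADIUS 2.x MySQL schema) stands in for the live
MySQL database; the SELECT itself is portable to MySQL.
"""
import sqlite3

# Constructed sample rows: (username, realm, acctstoptime, acctinputoctets,
# acctoutputoctets). acctstoptime is NULL while a session is still open
# (only Start / Interim-Update records have been seen so far).
SAMPLE_ROWS = [
    ("5558675309@companyx.com", "companyx.com", "2013-04-07 01:15:00", 1_000_000, 4_000_000),
    ("5558675309@companyx.com", "companyx.com", "2013-04-07 23:59:30",   250_000,   750_000),
    ("5551234567@companyx.com", "companyx.com", "2013-04-08 10:00:00",     3_000,    12_000),
    ("user@other.example",      "other.example", "2013-04-07 12:00:00",      999,       999),
    ("5559999999@companyx.com", "companyx.com", None,                          0,         0),
]

# Key off the realm, count only closed sessions, and group by the day the
# session stopped. A session that spans midnight is attributed to its stop day.
DAILY_TOTALS_SQL = """
SELECT DATE(acctstoptime)                       AS day,
       COUNT(*)                                 AS sessions,
       SUM(acctinputoctets)                     AS in_octets,
       SUM(acctoutputoctets)                    AS out_octets,
       SUM(acctinputoctets + acctoutputoctets)  AS total_octets
FROM   radacct
WHERE  realm = ?
  AND  acctstoptime IS NOT NULL
GROUP  BY DATE(acctstoptime)
ORDER  BY day
"""


def build_radacct(rows=SAMPLE_ROWS):
    """Create the in-memory radacct table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE radacct (
            radacctid        INTEGER PRIMARY KEY,
            username         TEXT,
            realm            TEXT,
            acctstoptime     TEXT,     -- DATETIME in MySQL
            acctinputoctets  INTEGER,  -- BIGINT in MySQL
            acctoutputoctets INTEGER   -- BIGINT in MySQL
        )""")
    conn.executemany(
        "INSERT INTO radacct (username, realm, acctstoptime, "
        "acctinputoctets, acctoutputoctets) VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def daily_totals(conn, realm):
    """Return {day: (sessions, in_octets, out_octets, total_octets)} for a realm.

    Open sessions are excluded on purpose: their octet columns hold whatever
    the last Interim-Update carried (zero for a bare Start record), so adding
    them in would make the daily figure depend on when the query ran.
    """
    cur = conn.execute(DAILY_TOTALS_SQL, (realm,))
    return {day: (n, inp, out, total) for day, n, inp, out, total in cur}


if __name__ == "__main__":
    db = build_radacct()
    for day, (n, inp, out, total) in daily_totals(db, "companyx.com").items():
        print(f"{day}: {n} sessions, in={inp} out={out} total={total}")
```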
Re: Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
Thanks John for the reply.

Can I use the EAP-TLS method of authentication with LDAP as backend datastore to check usernames and passwords? It would be like I bind to the RADIUS server with the EAP-TLS method using a certificate and check usernames and passwords from the LDAP server. If yes on EAP-TLS, can you please tell me how to configure EAP-TLS with LDAP as backend datastore?

Basically I want to avoid hardcoded usernames and passwords in raddb of the RADIUS server for authenticating users, which I am doing currently.

ldap {
        server = localhost
        # identity = cn=admin,o=My Org,c=UA
        identity = uid=admin,ou=CamUsers,dc=vmbox,dc=int
        password = admin
        basedn = ou=CamUsers,dc=vmbox,dc=int
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        # base_filter = (objectclass=radiusprofile)

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = yes

        # tls_cacertfile = C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts/cacert.pem
        # tls_cacertdir = C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts
        # tls_certfile = C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts/admin.pem
        # tls_keyfile = C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts/admin.pem
        # tls_randfile = /path/to/rnd
        tls_require_cert = allow
}

Waiting for your inputs

Thanks and Regards,
Pramod
Freeradius + MySQL + Daloradius
I am trying to set up wireless authentication through my MikroTik router using FreeRADIUS with MySQL and daloRADIUS. I have the server set up and working; I can use NTradtest from my PC and I get Access-Accept messages in return with my cleartext user/password (username userclear, password clear). But when I set it all up and try to access the wireless with the same credentials it is an Access-Reject. See below:

# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: userclear
[mschap] Told to do MS-CHAPv2 for userclear with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.

After reading the top of inner-tunnel I used the test they said to use:

radtest USER PASSWORD 127.0.0.1:18120 0 testing123

When I use my user it fails; when I use the test user and pass it succeeds. So do I have my inner tunnel set up wrong or something? I have sql uncommented in /etc/raddb/sites-available/inner-tunnel.

Please let me know what info you need and I can supply it; please help me debug this issue.